Interview: Washington State CIO Bill Kehoe on infrastructure, cybersecurity and more

William “Bill” Kehoe, Washington State Chief Information Officer. (Photo from Washington state)

When William “Bill” Kehoe took up his current job as Washington State’s chief information officer last August, he came in with a slew of problems, from cybersecurity issues to gaps in broadband funding.

The Gonzaga University graduate recently sat down (virtually) with GeekWire editor Mike Lewis to discuss his priorities for 2022. Kehoe has years of experience managing information technology departments in state and local governments, including serving as CIO in Los Angeles and as King County Information Manager in Seattle.

This interview has been edited for length and clarity.

GW: The infrastructure bill will bring Washington state at least $100 million, likely much more, according to Senator Patty Murray’s office. One of the things it would fund is to improve broadband access. I want to hear your thoughts on broadband access in Washington State.

Kehoe: Before coming to Washington state, I led a digital equity and strategic planning exercise in LA County. So I have some experience in terms of what it takes to really help in the digital divide situation.

There are three pillars of the digital divide or digital justice that I think are really important. Broadband is one of them – and that is access to the Internet. This also includes the last mile. The solutions to this may vary from community to community depending on the needs.

Then the need for devices. If a household does not have broadband access, it may not have any devices. If they have devices, they may not understand how to use those devices. Digital competence and the availability of programs in the community also help here.

I think for broadband, our Department of Commerce will be working with us and other agencies in the state on what’s needed and I think they have some projects lined up. Then we’ll look at that kind of broader share of digital equity as well. But in terms of other uses for the (infrastructure) money, I know we’re considering if we might have some help in terms of cyber security and our needs there.

GW: That brings me to my next question on cybersecurity. Much has been written about Washington and What happened to occupational safety?. What do you think is the problem with Washington State and cybersecurity? And second, how do we solve it?

Keho: I think we’re seeing that across the country, in many ways, fraud and attacks are becoming more sophisticated, phishing emails are becoming more sophisticated and more difficult to detect.

One of the main problems we are trying to overcome is that traditionally in federated states each agency has its own IT shop and runs its own security controls [common] tools available. Some agencies did really well, others didn’t have the staff, funding, or maturity to really handle the sophistication of cyberattacks.

What we’re doing about it is that here in the state we’ve started a pretty aggressive corporate security program and we’re putting in place services — endpoint security — and other tools and controls.

We’re really trying to turn the tables and roll out an enterprise security program and also be more proactive in terms of detection, increasing our monitoring and also remediation. I think we’re starting to lay a good foundation. There is much more work that we need to do.

The Washington State Legislature in Olympia. (Flickr Photo / MathTeacherGuy)

GW: When your security chief looked at this particular data breach, what was that actual analysis? Was there something fundamentally wrong by the state? Or was it just one of those unexpected, super-sophisticated attacks that really couldn’t be prevented in any way?

Keho: Again, I don’t have specific details on this. But I can tell you what I heard and what investigations I did. It was quick as we tried to resolve the issue with our security office and agency working together. But with any breach or incident like this, you need to make sure you understand the issue.

There are some analyzes that need to take place. But from all the information I’ve gathered, that’s really what people focused on all the time. We’ve been working as a community to investigate the issue, put in additional controls, and that’s always the case, right? I think they did a good job of really focusing on it and making sure they understood the issue. The system owners put the controls in place as soon as possible to prevent further incidents.

GW: From the point of view of computer security, is it an outsourcing of the state or an internal contribution of the state or a mixture of both?

Keho: The tools come from private industry and security organizations. We have a mix of external organizations that assist us with monitoring and detection. We also have staff in our cybersecurity office who also work with these outside providers. So we have both. But in terms of the platforms and the tools, these are things that we procure by contract and subscription from outside organizations, security organizations. So it’s more of a hybrid environment.

GW: According to the governor – and in your opinion – what is your job as chief information officer? What should you keep in mind with all of this?

Keho: I need to lead the agencies around this movement towards enterprise services and make sure those services are performing well, that they are at a high level of excellence and quality, and that we’re moving towards that proactive security posture that I’ve been talking about. It’s a big responsibility. The governor did [me] During my entry into the position, I was very aware that security is a high expectation. the [state] Security officer reports to me. We work with all government agencies to work toward these corporate security services and programs.

GW: Does it surprise you that the job security hack took place in a state rich in technological talent? There has been some criticism in the tech community that Washington State, while having tremendous amounts of talent, is not very good at tech. How would you react to that?

“There is a tremendous opportunity for us to change that culture and shift to a more innovative mindset.”

Keho: I think we have talent. A lot of attention was paid to the existing legacy systems and their maintenance. One of my initiatives here is to really create a more innovative culture in Washington State where we can approach projects in a more agile manner and have funding mechanisms to enable high-impact but short-timescale projects. There’s a tremendous opportunity for us to change that culture and shift to a more innovative mindset so that we can move faster on some of these projects. But that is a culture change. And I’ve heard and seen some amazing things happening very quickly during COVID when it comes to quick applications.

GW: Give me an example of this. What particularly impressed you?

Keho: I’ve seen information about COVID go public [such as] available hospital beds. Also contact tracing info where the outbreaks were and where we had hotspots. All really important information, as well as where [residents] could be tested. And then information about vaccines. That was all very important. And that was really quick here.

And then in terms of the vaccine, the vaccine review, which came together pretty quickly. Our health authorities have worked with the private sector to make this happen. We used a common open source code from California that Oregon also used. This gives us confidence to look and see how we can apply this in other areas.

GW: Still happy you took the job?

Keho: Oh, absolutely. It’s my home state, so I’m going back to where I started and applying and bringing back all of the lessons learned from King County and LA County. I really enjoy the people here. I hope we can make a difference and put the state on the right track.


Comments are closed.