Jerry Davis took a big risk when he publicly called out the Veterans Affairs Department in 2013 for major cybersecurity shortcomings.
Five years later, as the NASA Ames chief information officer leaves federal service, Davis said that decision was part of the reason why he became a senior executive service member.
“SES requires you to have some traits or characteristics, the executive core qualifications is what we like to call them. There are five of them,” Davis said during an exit interview on Ask the CIO. “What I know in my career and what I thought about at that time, and I still think about still to this day, none of those core qualifications have to do with self-preservation. I think executives or anyone in the government that becomes a kind of a tenet. They get into this idea of self-preservation. That is not in my DNA when it comes to what I saw what was potentially taking place at VA. I felt that if I’m going to keep anything at the end of the day, I’m going to keep my integrity.”
Davis said the risk to veterans and risk to VA far exceeded the risk he was going to face.
“At the end of the day, there was no way I could look myself in the mirror if some major issue had happened if I hadn’t taken the steps to bring attention to this issue,” he said. “My advice, suggestion to anyone who is out there, whether you are an executive or a leader or just a General Schedule employee, at the end of the day you always have to keep your integrity in check.”
Davis made that same point in his retirement letter to his employees, writing that integrity is doing the right thing when no one is looking.
Davis retired from NASA Ames in early July after more than 20 years in government. Davis couldn’t yet name the private sector company he is joining, but said he would continue to work in the cybersecurity sector and not directly with federal or state government agencies.
The decision five years ago to go to Congress and testify about VA’s push to “rubber stamp” agency security authorizations and other then-systemic cyber problems came from Davis’s background as a Marine serving in the first Desert Storm war.
Davis said he never seriously considered not coming forward given the potential risk and personal consequences.
“It’s an individual decision. Everyone has to deal with something like that at some time in their career and life, even outside their workplace,” he said. “It’s got to be part of your DNA. In the workplace, I’m always going through this risk management exercise in my head. No matter what I’m doing, in a meeting with folks and the conversation going a certain way and I have different opinions, I’m going these short risk management exercises. My life is largely an effort to manage risk every second of the day. In the end, you have to live with yourself, and there was no way I could live with myself by doing something that I knew was just wrong.”
As Davis transitions to a new role, he leaves five years of accomplishments and a big to-do list for the next Ames CIO.
Among his three focus areas of cloud, workforce and cybersecurity, Davis said he’s made progress, but there still is a lot more that needs to be done.
Building out NASA security operations center a priority
One of the biggest goals is the continued build-out of the NASA security operations center. He said Ames took over managing the SOC in 2008.
“We are moving now to what we call SOC 2.0. Mike Witt, who is the newly minted chief information security officer for NASA, is pushing for more integration with intelligence to create a more security intelligence center. He wants to bring in other areas outside traditional cybersecurity like the Office of Protective Services and cyber intelligence, counter intelligence, fusion center, high-fidelity information around threats, vulnerabilities into the SOC and getting more into the mission space and operational technology. It’s a heavy lift.”
He added the progress with the SOC is one of the things he’s most proud of during his time at NASA Ames.
Davis also made progress to get a cybersecurity concept, called Gryphon X, off the ground.
He introduced the concept in 2016 as a training and fusion center platform.
“The idea was to be able to do applied research and development, test and evaluation around cybersecurity technologies for commodity IT and space platforms. And you could do training and information sharing around what we find in the R&D of cybersecurity,” Davis said. “Gryphon X was tough. I had to sell it to the agency. Cybersecurity is not an agency core competency. It took three years of pushing a wet noodle up the hill. The agency finally started to grasp on it and we finally got a little seed money and started building out a lab. We started dealing with operational technology and cybersecurity impact on operational technology.”
Recently, Davis said NASA used the Gryphon X lab to look at a particular manufacturer of drones used across the Defense Department, NASA and other agencies. These drones had vulnerabilities requiring agencies to stop using them.
“We figured out how to mitigate the vulnerabilities in these drones and continue to fly them without losing any data or having an external entity taking control of these drones,” Davis said. “We were really proud of that. It was a lot of work with a lot of smart people we had at Ames and not just the cybersecurity side of the house, but with our scientists, engineers and researchers working with us who actually fly these platforms. That was one of the tenets of Gryphon X was that we would use in-house resources to solve what we see as intractable problems from a cybersecurity perspective.”
Ames was one of the first centers to get its drones flying again and then shared the solution with other agencies.
As Davis ends his federal service, the biggest lesson he learned during his career is to take care of the people around him.
“When I look at big government and all the things we are responsible for, you get these scorecards with a bunch of metrics. What I tell people is we need to stop managing metrics and manage culture and performance. A lot of that is take care of the people and the people will definitely take care of you,” he said. “Any successes I’ve had is largely on the backs of the people that I’ve worked with over the last 20 years or so I’ve been in the government. Leaders should accept the failures, but the successes need to be spread out among the people.”