This is a story of institutionalized incompetence, the reality is, it could have happened to anyone who was dumb enough to run for a lot of public offices that have no business being elected positions.

Most voters can’t tell you what the treasurer, auditor, recorder actually do, never mind who they are. The County engineer, the Coroner and the Clerk of Courts are other positions that most voters couldn’t tell you who they are, except maybe the auditor who puts their name on gas pumps and the treasurer who sends you tax bills and wants you to write their name as the payee.

In terms of having some kind of qualifications to run for office- Judges have to be lawyers, the County Engineer has to be an engineer, and the Coroner needs to be an M.D. The rest, don’t even have to have a high school diploma.

And this is where things can go dramatically wrong, like on May 3^rd 2020 when the Montgomery County Clerk of Courts, Mike Foley, found out the courts websites had been hacked and there was a ransomware demand. Now, this isn’t anything new. Lots of businesses have had this problem, and many government sites as well. Cybersecurity is only as safe as the people running your IT make it.

I’ve already questioned why we have so many court websites in Montgomery County and did a little research on this starting three years ago when I launched Reconstructing Dayton, a 501(c)(4) dedicated to pushing for reducing government waste and overlap in Montgomery County. We did public records requests to determine the costs of developing each courts website and we found an expensive mess of less than adequate municipal courts websites.

When it came to the county, there is yet another layer of sites, including separate ones for the Common Pleas, Probate, Juvenile and then the 2^nd District Court of Appeals.  We looked at Franklin Country, in Columbus- where they have a single site for all courts and instantly realized there is an advantage to uni-gov, not only from cost savings, but from ease of use for both the citizens and the clients of the courts- the legal profession. Add in, doing background checks is much easier when you don’t have to check 7 different sites in one county.

But, wait, there’s more. Some enlightened states like Wisconsin actually have a unified, state-wide clerk of courts online system. Ohio, is studying the matter. In the meantime, there are a whole lot of vendors feeding campaign coffers to keep their proprietary software/website systems the choice of Clerk of Courts across all 88 counties in Ohio.

There are somethings government can simplify, and this is clearly one.

Mike Foley ran for clerk of courts to fill the unexpired 4-year term of Greg Brush, a Democrat, who for some odd personal reason, resigned just after he was re-elected Clerk. The way things work, the party gets to put a person in to the job, with the caveat that at the next County wide election they have to defend the seat. The local Dems went to the consummate party insider, Russ Joseph. Russ had been diligently putting his time in as second banana to Mark Owens, party chair and Dayton Municipal Clerk of Courts. Russ actually had experience running a court filing system, albeit, not the same one the county uses. Mike Foley had something more important to the voters- he had the last name Foley. That’s all.

He spent almost nothing on his campaign, he just put up signs that looked almost identical to those of Dan Foley- the long-term local politician who had been a County Commissioner after he’d been clerk of courts before Brush. Oh, and Dan Foley was the son of Judge Foley, who sat on the bench until he was petrified and put out to pasture. Voters thought they were voting for Dan, and Russ was out of a job, but, only for a minute, because then Carolyn Rice got elected, and he got to be her replacement as treasurer. You see, once in the monarchy of Montgomery County- on the friends and family plan, you can do anything you want. Even if it means hiring your convicted rapist brother to a job at the board of elections without even a job posting (yes- this happened).

Whew. A lot of background. Now, here’s the thing. Right after Foley got elected, he fired Mohamed Al-Hamdani from the best paying job he ever had- chief of the legal division. Mohamed is on the school board, and is currently the board president. He, like Russ Joseph is in the club- headed by Queen of pay-to-play, Dayton Mayor Nan Whaley. Who better to pick to replace Mohamed to rub it in, out-going school board member, John McManus.

Full disclosure- I first met McManus when he ran for School board, I printed his signs, and started to other campaign work for him. I’ve considered him a close personal friend for a long time.

McManus, a newcomer to the Dayton political fiefdom, showed up as a UD Law student after working in DC and in the Tennessee state house. He’s literally born into politics, his father and mother have both been elected to various offices. He grew up in it. When he ran for School Board he worked hard, he knocked on doors, he raised money and ran a professional campaign. He should have been the next school board president, but was made to sit second fiddle to the absolutely incompetent Dr. William Harris, thanks to Mohamed and his “slate” of Karen Wick Gagnet and the party faithful. Jocelyn Spencer Rhynard, the wild card candidate who knocked out Paul Bradly as the fourth guaranteed party vote, went along with this mess- as did Sheila Taylor who insisted that we needed an African American to lead the board (as racist as this sounds- I was running my video camera when it happened)

https://esrati.com/apparently-skin-color-is-still-how-we-judge-people/15988

McManus ran for State Rep against Jim Butler in OH 41, and worked really hard and might have won, had Butler not been propped up by Larry Householder with big donations and lots of political pressure. The Dem party did nothing to help. McManus did better than any previous candidate in the district that scores at least +5 R thanks to the grand master Gerry Mander who rules Ohio. He was now, out of office, and still working his regular job- 2^nd shift worker at the Franklin County Clerk of Courts. That’s right- not wanting to tarnish himself by being an insider here, he commuted 60+ miles each way daily to work in Columbus. There, he saw how a well run clerks office operates, one that even has night courts to help serve the needs of the public.

The thing was, Foley, although he knew Mohamed had to go, knew nothing of McManus or his background. I was the one who suggested he hire someone who knew something about working in a clerk of courts office that wasn’t a cesspool for patronage jobs (or at least not our cesspool). Note, McManus’ “friend” on the school board, Sheila “the racist” Taylor- also worked in the Dayton Municipal Clerk’s office for Dem Party Chair Mark Owens. Our cesspool stinks, but, it’s a pretty small one. When I told him that McManus had Clerk’s experience, and a law degree and an interest in working locally, McManus became his new Chief of the legal division.

Foley’s other hires weren’t so stellar. He hired political operator and former Butler Township Trustee Nick Brusky, a tea-party republican operator to run the auto title division. Brusky, still short of a college degree, seems to do quite well as a Trump supporter with connections to former Republican Party Chair Rob Scott, who is now the regional SBA Director after being one of the top campaign officials for Trump in Ohio. Foley also hired Herb Davis, the former director of the Montgomery County Veterans Service Office, where he spent almost a decade making sure most of the money targeted to helping veterans didn’t get spent- so it could come back into the county coffers.

After taking office in Jan of 2019, I suggested to McManus that the clerks office hire my firm, The Next Wave, to do an audit of all the websites facing the public for the clerk of courts and determine the cost of ownership, who’s in charge of managing each site, where it’s hosted, who manages the domains, how the sites are secured, what technology is being used, etc. with the plan being you could then have a roadmap for a modernization and standardization.

I was told to revise my bid about 7 times, to add pictures, to better explain what we were providing, to cut out sites that weren’t under the clerk’s office (but should have been). The goal was to provide some kind of basis for going out to bid to create something better- which in our minds meant the following:

Secure. Mobile Friendly. ADA compliant. Cost effective. Easy to use.

Our total bid was $25,000. Which was a crazy low price. Which also happened, by accident, to be the amount that Foley could authorize to spend without going to the county Dataprocessing board for approval (I was told this later).

After getting absolutely nowhere, we asked for a chance to come in and present and explain what we, as web developers and user interface experts saw as problems that needed addressing, especially with the PRO site. PRO- stands for Public Records Online, and it’s the primary portal into the Common pleas courts. Unlike, other systems, this one was home cooked and most lawyers actually like it better than many other clerk sites despite it still looking like something done in 1995. My developer and I went down to the basement of the courts building on July 2^nd at 10:30 in the morning to present a quickly thrown together deck- outlining how we look at a site and dissect it. In the room were two young ladies who worked under Foley, Herb Davis, McManus and Foley. We spent about an hour going through the deck. 14 slides.

You might note that on slide 12, bullet 4:

Risk of hacking/ransomware is exponentially higher due to current architecture. Study will provide roadmap to plug leaks

Bingo!

Foley was itching to leave the meeting so he could get on the road to Columbus to see his girlfriend. McManus pulled me aside and said “That was the best presentation I’ve ever seen” which made me laugh. This was dumbed down and down and dirty. In my business, presentations for work can go for hours, be incredibly well planned and be filled with primary research and presented by people who have practiced for weeks. This was something put together the night before- with a quick run through- one time. Of course, after being fed a constant stream of dreck at DPS board meetings, where people should have been fired on the spot…. (seriously, watch this presentation for a $400K project, where the DPS staffer still has “My perfect title slide” and “Lorem Ipsum” greeked text in her deck.)

At this point, over 4 months of jerking around had passed, and Foley wasn’t interested. Instead, we did a project for some banner stands for his “public outreach” efforts. Instead of fixing the sites and working on making the clerks office look like it’s in this century- he was more interested in campaigning by going out to the voters and doing face time.

When the hackers hit May of this year, the courts were already in virtual shut down thanks to the Coronavirus. While the legal community realized that the site was down, the general public didn’t, and the “newspaper of record” in Dayton, the Dayton Day-old snooze, had no clue. Every story was Covid. This story is the result of the second public records request on the subject I asked for and was filled Friday night- after everyone had gone home. It’s enough for me to whet your whistle for more and give you the background. The real meat will come when they finally turn over the big pile of info on how the clerk’s office reacted to the attack.

How long it will take the prosecutors office to redact and purify the results is anyone’s guess.

For now, the most damning document I have is the 2-page letter sent via Certified mail from chief administrative Judge Gregory F. Singer to Foley demanding that the clerk provide for a tech audit- to uncover who, what and when caused this mess and how do we avoid it in the future.

There was an ad posted in the Dayton Daily “Notice to Bid” section at a cost of $189  on Friday 10 July, 2020 with instructions to go to the county purchasing site to find out more. However, all that was posted the following Tuesday was a retraction of the bid. It’s not clear of how any of this came to be out of what they sent- other than questions of if this is something that’s covered under the county’s insurance policy and if they should choose to trigger a claim. The out of pocket on a claim is $100K- and my guess is, they solved the problem for less after two weeks of round the clock work internally.

There’s a rumor that Foley wanted to pay the ransom with some other funds, but, until I have those documents, I know nothing.

The insurance company rep said this:

Just to clarify, an audit of your cyber security is generally a review of your normal cyber security posture. An audit is unfortunately not covered under the policy. However, the forensic investigation to determine the nature and scope of the cyber incident is covered, which I believe is what you are requesting. Please correct me if I am mistaken.

It is difficult to say what the cost might be for the forensic investigation as it depends on the systems impacted. I can only give you a really rough ball park estimate. It can range between $5OK to several hundred thousand. There is really no way for me to accurately provide you the cost since each matter can be very different. If you ultimately decide to reach out to a forensic investigator, they can provide you with a Statement of Work detailing an estimated budget.

One of the benefits of consulting with the breach coach is that they can provide some guidance. And if the breach coach is ultimately engaged, they can assist our Insured in obtaining quotes for the forensics investigator.

As far as I know, they’ve not gone down this route. It all makes our $25K contract look both cheap and prescient.

However, we don’t elect people for their smarts or their qualifications.
Nor, do we do what’s in the best interest of the taxpayers.

The insurance company repeatedly asked the following questions, which we all hope I’ll be able to explain when I get my first public records request filled:

1. 1. What is the Ransomware variant?
   2. Demand amount, if known?
   3. Status of your back ups {local backups, cloud based backups, offline backups etc.)
   4. Any vendors retained to date to assist with the response?
   5. Operational Impact

For now, you, me, Judge Singer and the rest of us in Montgomery County wait for the rest of the story and the answers to these questions.