An Open Letter To the State of Washington Cannabis Industry
October 26, 2017
Dear Washington Cannabis Industry,
I write to you today with the sincere hope that I can cut through much of the noise and rumor of the last few days with some transparency so you can make informed decisions as business owners and so we can come together for the forward progress of the industry.
Before I write anything else, I want to emphasize the fact that Washington’s cannabis industry is incredibly important to BioTrack. It was our first government contract. TJ Ferraro – BioTrack’s founder – and I lived in Washington for the three months it took to customize and implement the original traceability system. More licensees use our business platform in Washington than in any other state. We have an office in Olympia, and nine BioTrack employees call Washington home. Many of you are our friends. If you take away nothing else from this letter, please know that you are important to us and we remain committed to doing everything in our power to make you successful.
Rather than ask you to blindly believe my narrative over someone else’s, the actual emails sent from me to the WSLCB are attached to the end of this letter so you can verify the facts and judge for yourself. These emails are available via public records request so I am not sharing anything that wouldn’t already be available for public inspection.
What Is Going On?
BioTrackTHC’s traceability system contract with the WSLCB expires on October 31st, 2017 unless it is extended. A more detailed chain of events is provided later, but the short story is that the WSLCB initially chose to not extend our contract beyond October 31, 2017, and MJ Freeway was selected to provide a replacement system that was to take over by the time our system is to be decommissioned, at midnight on October 31st. It was recently announced by the WSLCB that the replacement system will not be operational in time, and licensees will have to report their seed-to-sale traceability data via manual spreadsheets for two months until the replacement system’s updated go-live date of January 2, 2018 assuming everything moving forward remains on schedule. These manual spreadsheets are to be used for tracking all plant, harvest, inventory, conversion, sample, laboratory testing, transportation/chain-of-custody, and sales data for as long as the WSLCB’s contingency plan is in place.
Is There Currently A Contract Extension On The Table Between The WSLCB And BioTrackTHC?
The WSLCB sent to BioTrack terms for an extension last Tuesday, October 17th. This was the first offer for an extension that the WSLCB has offered BioTrack since MJ Freeway was awarded their contract in July, and remains as the current offer on the table.
The WSLCB offered BioTrack a four month extension for $125,000, or $31,250 per month.
To put this offer in context, over the four-year life of the contract, BioTrack did not earn maintenance and support fees for the first two years and earned $180,000 per year ($15,000 per month) for the past two years. The WSLCB’s extension offer is a $16,000 per month premium over the standard rate.
The WSLCB’s contract with the new vendor is $600,000 per year, or $50,000 per month.
Per my email to the WSLCB on Thursday, October 19th (see “Exhibit 2”), BioTrack did NOT decline the WSLCB’s offer for extension. However, BioTrack requires resolution on security concerns that were previously brought to the WSLCB’s attention before the other components of any offer, such as financial and timing components, can even be considered. BioTrack is still actively seeking to resolve these security concerns prior to the expiration of the contract.
The final paragraph in my last email to the WSLCB on this matter, dated October 19th, reads as follows:
“When we first spoke last Monday about the possibility of extension, you assured me multiple times that the current project is running on schedule and that the extension was being offered to us for the benefit of the third-party software providers, and for that we are grateful for the WSLCB’s consideration. I want to be clear that we are not saying “no” to the extension. We just cannot consider any other factors until we can resolve these concerns and they have not yet been resolved. However, we don’t want our security concerns to cause a burden on the WSLCB if everything is indeed running on time. We have done our best to be partners with the WSLCB since the beginning so we hope that we can resolve our concerns before next week’s transition.”
What Is The Security Concern That Needs To Be Resolved Before BioTrack Can Feel Comfortable In Accepting The Extension?
On Monday October 9th, the WSLCB and I connected for the first time in nearly six months to discuss a possible extension. I was informed that the WSLCB remained confident that the new system was on time, but that an extension would allow the business seed-to-sale software providers more time to integrate with the new government system. I then informed the WSLCB that BioTrack has serious concerns related to security.
After MJ Freeway was awarded the contract, beginning the week of August 21, 2017, BioTrack began providing a “data dump” of the entire traceability system database to the WSLCB on a weekly basis so that the entire dataset could be mapped and migrated to the replacement system. However, many Washington licensees received an email in mid-September alleging to sell databases described as “WA DATABASE,” “NV PROD DATABASE,” and “PA PROD DATABASE,” among others (see “Exhibit 6”). These presumably are to mean the Washington database, the Nevada database, and the Pennsylvania database. The emails also provided unencrypted sample data files as a kind of “proof of life.” Some business seed-to-sale software providers took it upon themselves to investigate the sample data and it was reported that the sample data not only appeared legitimate, but that it included sensitive data that is not publicly available: data that is contained within the full un-redacted traceability dataset. I am sure that many of my peers contributed to the industry’s investigation, but I specifically want to recognize David Busby, CEO of WeedTraQR, for his tireless efforts in this regard.
To BioTrack, other third-party software providers, and many Washington licensees, this is a serious concern. BioTrack currently operates six state-level government cannabis traceability systems and has managed Washington’s traceability system for four years without any security breaches. We then find ourselves in a situation where both our reputation and our security are co-mingled with another company’s; and then a few months later, credible reports surface that Washington-specific data not otherwise available to the public is found outside of the chain of custody.
I conveyed to the WSLCB our concern that this situation where we “share space” with their new vendor puts us in jeopardy. I memorialized those concerns in writing within my follow-up email dated October 16th (see “Exhibit 1”).
“The current status quo has already harmed both our reputation and our peace of mind with respect to security risk. Please understand that we have continued to provide our traceability technology, support, and weekly data dumps of the entirety of the database because we remain contractually obligated to do so, not because the new status quo is in any way comfortable for us. Every passing day in which we find our reputation and security co-mingled with another vendor without any assurances that our technology—and therefore our livelihoods—are safe within this new co-mingled environment compounds our anxiety and intensifies our desire to exit the unsafe situation.”
Our technology is how we make our living. If the security of our technology becomes compromised, at least sixty people lose their jobs and all of our customers who depend on us also become compromised. It would be irresponsible of us to ignore credible threats to technology security.
Now I am not saying that we know for certain that the WSLCB’s or MJ Freeway’s security was breached. Maybe there was no security breach of any kind. Maybe there was a security breach and it has since been remedied. Maybe there was a security breach and it’s still there. What we do know is that there is enough smoke that we are not comfortable moving forward without a reasonable level of assurance that the fire has been addressed.
The WSLCB’s position at the time was that the email was a “spoof” and that it was “fake news”, and BioTrack respects their prerogative to believe that no security issues exist. However, we respectfully disagreed with that position and said we needed some type of meaningful assurances that the alleged breach either did not happen or did happen and has since been remedied, since without that we have no solid footing in understanding our current risk exposure.
What Has BioTrack Obtained So Far To Address The Security Concerns?
To emphasize BioTrack’s sincere interest in a possible extension and to ensure that BioTrack’s concern regarding the possible security issue was not misunderstood, I had a member of BioTrack’s board of directors join me on a call with the WSLCB on Friday, October 13th. I also had the CEO of one of our competitors join the call to show what he had uncovered from the “spoof” email that licensees had received. At one point, we suggested that a third-party security audit providing a “clean bill of health” may go a long way in allaying our concerns. The WSLCB reassured us that a security audit had been performed by the Washington State Office of the Chief Information Officer (OCIO), but that none of the contents of the audit report could be provided to us. The WSLCB offered to obtain a statement from the OCIO that could address our concerns. We agreed to incorporate it into our overall evaluation, but could not promise that it would allay our concerns since we had not yet seen it.
To expedite the process in good faith, immediately after that call concluded, BioTrack submitted a records request to the OCIO for any security audit documentation that is available to the public. As of the writing of this letter we have received one response from the OCIO’s office dated October 19th stating that they estimate, “it will require no more than thirty days to provide you a response,” (see “Exhibit 3”).
On October 17th, I received an email from the WSLCB stating that BioTrack’s “concerns were addressed already.” Up to that point, we had received only verbal assertions and nothing in writing. One part of my October 19th email (see “Exhibit 2”) contained the following response:
“We appreciate the fact that the WSLCB is leaning on a review performed by the OCIO that found no adverse security concerns, but we have not seen any documentation with our own eyes or even a document stating that we are prohibited from seeing such documentation. No offense, but we cannot just take your verbal word on something that could have far reaching consequences for our livelihoods and our customers.
I am an accountant by training. If someone withdraws $1,000 from the company bank account, that person would have to show me a receipt proving where it went. A response of, “I have the receipt, but I cannot produce it for you,” is not one that anyone could reasonably accept.
I’m not trying to make light of the situation, but please appreciate the position we’re in in that nothing that we can rely on has been provided to us.”
Later that day, the WSLCB sent to me a letter from the State of Washington Office of Cyber Security (see “Exhibit 4”). The letter states, “We have completed our security design review on the new cannabis traceability system provided by Leaf Data Systems vendor MJ Freeway… the project, as proposed, uses appropriate security controls and methods to meet OCIO IT security standards at the time of review.” Though we greatly appreciate the efforts of the WSLCB staff to obtain this letter, it does not provide much information or the peace of mind that we are seeking.
1. The letter does not provide a date for when the review was performed. No review can provide any assurances about current system security if it was performed before the “spoof” email was sent to licensees.
2. The letter states that it was the security design that was reviewed; the system itself did not undergo generally accepted security audit testing. That is like the difference between, “Patrick, we reviewed the airplane design you drew on paper and the design should fly,” versus, “Patrick we tested the actual plane you built and it successfully flew.”
3. Finally, the OCIO’s online project dashboard’s OCIO Assessment reads, “user authentication requirements and Security Design Review increase risk due to imminent project implementation deadline” (emphasis mine) for 07/13/2017, 07/27/2017, 08/22/2017, and 09/15/2017. Now, I don’t know what this means, and to be fair I only just found this today and have not given the WSLCB an opportunity to help me understand what this comment means, but my current interpretation is that on each of those dates, the Security Design Review continued to increase the risk that the project would not be completed on time because the review remained ongoing as the system was being developed (see “Exhibit 5”).
(http://waocio.force.com/ProjectDetail?id=a060P00000ezEk1QAE)
The WSLCB has been quoted recently in the media saying, “We’ve given them everything that we have and every assurance.” Now I understand that this is likely true; that the WSLCB has given to us what they are allowed to give us. However, everything they have given us thus far has been verbal and one brief letter on which we cannot place a great deal of reliance. Again, we have a responsibility to our other government clients, to the licensees who depend on our business software, and our staff to take every reasonable precaution to protect our technology from security risks. Accepting any extension of the current situation without reasonable assurances, regardless of the amount of money offered, would be irresponsible.
Again, we did not decline the WSLCB’s extension request. We just cannot move forward until these concerns are dealt with. We are still actively searching for alternative means to help us determine how sensitive non-public data came to be found within the “spoof” email sent to the industry and welcome any assistance from any other party, WSLCB or otherwise.
Can BioTrack Accept The Extension After October 31st If The Security Issue Is Addressed Shortly After?
I am not sure as I am not an attorney that specializes in Washington’s government contract law. However, I do not believe either the WSLCB or BioTrack can “extend” a contract that is no longer in effect. There may be a way to justify a sole-source procurement where the WSLCB can offer a new contract should the current contract expire, but we would have to consult an attorney.
What Is BioTrack’s Plan If The Contract Expires on October 31st?
We learned about the WSLCB’s “contingency plan” from the same announcement that many others in the industry received on Thursday, October 19th, and we learned on Tuesday, October 24th, with everyone else, that the manual spreadsheet era is expected to last at least through January 1st… so many of our plans are rapidly evolving and still solidifying. That being said, here is our game plan for now.
First, BioTrack is committed to its direct commercial customers: those who rely on BioTrack’s business system for inventory management and point-of-sale. It is our intent that in every way possible, your BioTrack business system will automatically generate the spreadsheets necessary for submission to the WSLCB so that there is a reduced impact to your business. Please have patience with us as we are working with a moving target.
Secondly, the success of Washington’s industry as a whole – and therefore the success of every licensee in Washington whether you use our business platform or not – is important to us. We have no intention of giving the federal government any reason to give this industry a hard time. BioTrack understands that even with manual spreadsheets, there needs to be some method of communication and data exchange between licensees regardless of which third-party commercial system you use. One common denominator for every third-party commercial software system in Washington is that it successfully integrates with our API. Because BioTrack owns its traceability technology and licenses it to state governments for use, we can create a private-sector version of our traceability system that would mirror the current traceability system. It would even include a web-interface for the licensees who have relied on the freely-provided MJ Traceability website, and it would have the current version of the Washington API so every current business seed-to-sale provider will already be integrated with it. Though we are still working on the specific mechanics, all it would take is for everyone to point their systems to the new URL (website); all functions and all data that is currently coordinated and exchanged between licensees would be nearly identical, if not perfectly identical, to the way things presently work. This private-sector “clone” of BioTrack’s traceability system could continue to operate for as long as we need it to, even if a worst-case scenario were to happen and the WSLCB’s system is unable to go-live by January 1, 2018 as planned. We have yet to figure out the economics, but our goal is to just get the job done first and worry about the rest later.
Please remember that we are attempting to surf a wave in the wild here, so I can guarantee you that there will be turbulence as we go; however, my team and I believe that this is our best option to avoid industry Armageddon and we will all band together to navigate these unpredictable waters as best we can. We have already received an outpouring of support from the other third-party software systems and in spite of the fact that we’re competitors and have our differences, I know that we can continue to use this challenge as an opportunity to bring the industry together for everyone’s success.
Highest Regards,
Patrick Vo
President and CEO
BioTrackTHC