
And my name is Ray Davidson. I've sort of been doing security and computer stuff since they were invented. I went to Georgia Tech for my undergraduate school (go Jackets, to hell with Georgia), and I went to Purdue for my graduate degree in chemical engineering. There was no... you know, we actually used computers back then, and I wrote my PhD thesis in a word processor that you probably don't know, it's called vi. That was because I had to have my master's typed on a typewriter. So I've been around for a little while. I taught at Purdue, a regional campus at Purdue, for a little while. Any of you have heard of SANS, one of the sponsors of this event? I was the Dean of the Graduate School there.
Right now I'm a contractor for the state of Michigan, the great state of Michigan, of which you all have a map built into your body, almost, you know, except if you've had an accident. I live in Kalamazoo, Michigan, which is right here on your map; it's halfway between Chicago and Detroit. And I worked for the state of Michigan. I'm going to tell you a little bit about the Michigan Cyber Civilian Corps, and because of the timing of this... Georgia gets it. Do you get a new governor this year? OK. Is he, like, term limited, or you just don't like him? See what he's already had - okay. So, same in Michigan: Rick Snyder is not going to be our governor anymore. The Michigan Cyber Civilian Corps has been a project of his, and I've been leading it for the past couple of years, and we're gonna get a new governor. So I'm doing what I can to get outside of Michigan to talk about the Michigan Cyber Civilian Corps, so you'll all think it's cool and you'll go to the new Michigan governor and say, "Can you come tell us about this?" Well, I will still have a job next year, so this is all selfish.
So the Michigan Cyber Civilian Corps, it was conceived in
2011 as a group, and I believe this is the official wording, a group of trained cyber security experts who volunteered to assist the state in rapid resolution of officially declared cyber emergencies. Does anybody not buy into that? Anybody think that's not a cool idea? Right, nobody's gonna vote against that; it sounds cool. Six years later we now have the Michigan Cyber Civilian Act, and I'm not complaining that it took this long; this is how long it takes to do stuff like this. We actually went from getting it introduced in the legislature to getting it passed in the legislature in the course of about ten months, which is pretty good. And so it is a work in progress, and I'll tell you about it, and I'll tell you about what I really want to share, some of the experiences, some of the lessons learned. We all do lessons learned, right, after every incident? OK, so not... but I'm trying to do lessons learned, so I'm trying to spread this idea.
I've been doing this since 2015 or 2016, I don't remember exactly when, so when I went to look for history I had to do open source intelligence gathering, and I found in 2013 there is a YouTube video of Governor Rick Snyder talking at the North American International Cyber Summit, which happens every year, or has happened every year under Governor Rick Snyder. It's held in Detroit. If you've never been to Michigan, Detroit is on the border of the United States, and if you look across the lake you can see Windsor, Ontario, and so it's an international cyber conference because I think people drive across the bridge to come to it. So, the North American International Cyber Summit in 2013: he announced we were going to have a Cyber Civilian Corps, and he sort of had a vague idea about what it was going to be, and it was probably the language you see here: experts who volunteered to assist the state in officially declared cyber emergencies, blah blah blah. It was
formed... it started off as a partnership between the state of Michigan and Merit. Merit is a nonprofit organization in Michigan that was one of the original providers of Internet service in the country. They believed they provided it to Purdue when I was in graduate school many, many, many years ago. They were part of the North American Network Operating Group, and they at the time of this were trying to get more into cyber security, so they volunteered to the governor to take on the role of building this Cyber Civilian Corps. They also have a cyber range that they're working on.
In 2015, for various reasons, the state of Michigan decided to take this back under its own wing, and as it happened we had not a politician or, what do you call the people that always work for the government, you know, there wasn't a bureaucrat or technocrat. It was our CSO, whose name is Dan Lohrmann, and you may see he writes for security magazines and things like that; now he's a consultant. But he quit working for the state of Michigan, and Consumers Energy, which is one of the major utility companies in Michigan, loaned the state one of their executives to be the CISO for a year. This guy was also at the time a member of MiC3, the Michigan Cyber Civilian Corps, and so he took some of his feelings about the MiC3 and what it should be doing into the role of the corporate information security officer, or chief information, whatever it stands for, for the state. And he did some things, and I'll talk about that, and then, that was temporary, and now I'm the big guy, the guy to blame.
Last year (I gotta watch my time) the governor set the goal of expanding MiC3 to 200 members, and we backed off on that a little bit, because if you're gonna have 200 members you have to have some other things. We have a hundred members on the roster now; it's just pretty cool, and I'll tell you more about that. So this is a picture. A lot of the
people in here are members of the Michigan Cyber Civilian Corps. I'm even hiding in there somewhere, probably on the back row; I try to stay out of sight. You could see we do have a few females, not enough. We do partner with the Michigan State Police and the Michigan National Guard. We have Air Guard and Army Guard in Michigan, and I'll talk a little bit more about that, but that partnership is awesome, because we're all civilians: we're not cleared, we're not sworn, nothing like that. So that gives us advantages and disadvantages, but we have people in uniforms and with guns and things if we need them. I mean, not that we need guns, but if we need official help. So you all see how pretty these people are, and it makes you want to be one, right? This picture was taken at the MC3, not the MiC3. You run out of acronyms, right? So we are the MiC3, and the MC3, which is the Michigan Cyber Command Center, this is the State Police's cyber command center, kind of like the NCCIC, if you've ever been to the NCCIC.
So now that you're all thinking, "I wish I lived in Michigan and I could be a member of the Michigan Cyber Civilian Corps," what would I have to do to be a member of this august organization? You have to have two years of information security, incident response, digital or network forensics. So we're not hiring beginners, we're not direct-training people; we want people that already know how to respond in the event of a declared cyber emergency. Remember that phrase, we'll talk about that. You have to have one foundational security certification. Now, I'm not going to go into the arguments about certification, OK? I know, they're all right, but I have to put some bar; I can't take just everybody. And I said it, you know: Security+, Ethical Hacker, CISSP, or any GIAC cert. And if somebody comes in and says... I think we probably
have let people with Cisco CCNA or CCNP on. Basically, you have to know what you're doing; you have to type at the command line. We asked for employer support for up to 10 days of participation, and the way that works out is, on the fourth bullet point, we have for the past three years done five or six days of training. We do one or two one-day exercises, maybe on a Saturday, where we ask people to leave their home. Michigan, remember, it's a big state. There's an Upper Peninsula too, that I'm not gonna try and, you know, shadow-puppet, but if you look up on Wikipedia you can see how Michigan is, and we have three members, I think, in the Upper Peninsula, up there where the snow... We have half of the Upper Peninsula on the MiC3; there's more than six people. It's like New Zealand, right, has more sheep than people; I think the U.P., the Upper Peninsula, has more mosquitoes than people. So we do one or two exercises, and we encourage people to do community volunteering. Anybody work with CyberPatriot here? Oh, isn't that an awesome program? Just say yes, because, you know, and because it's defensive I love it; it's not just breaking stuff. So this is the participation we asked for. We asked for employers to say you can be gone for ten days, but after all we're giving them five days of training, so, you know, I haven't had to have that discussion with employers.
So this is the process. This is the process that actually was started by Merit; we've tweaked it a little bit. I don't know, can you read that? As much as you want to, it'll be on YouTube. But basically that's the website, if you're bored and you want to google, and you trust the Wi-Fi here, and you want to go to micybercorps.org. It's cybercorps, not cyber corpse, even though there's an S, because corpse means a dead body and it has an e on the end, so
it's Cyber Corps, pronounced "core," just like the Marine Corps. But anyway, so you go and you register: you give us your name, address, phone number, credit card information, a lock of your hair on the website, and that's all that happens there. You register and we send you a link to the first test. And that was a requirement, I don't think that goes in here, right, I didn't have "applicants must pass four out of five tests"; that also should be the last bullet point. So the first test is a basic security; it's pretty much ports and protocols. It's ten, sorry, 20 questions, ten minutes to take the test, so it's not like GIAC, it's not open-book stuff; you have to know off the top of your head. I believe you have to get 80; I don't remember what I set it at. If you pass the basic security test you then get a congratulations email that says here are your next two tests, and there's a basic IR and a basic forensics (it's mostly disk forensics) tests. And if you pass the basic forensics test you get a congratulations email that says here's the advanced forensics test, and if you pass the basic IR test you get an email that says congratulations, here's the advanced IR test, take it. And you have to pass four of the five, and there is one that most people don't pass, like, I'm not surprised when people don't pass it. But so anyway, most people... I think we've got probably, and I'm just ballparking this, I could have gotten the data, I'm guessing we get like a 50 percent pass rate of all four tests. So 50 percent of the people that try pass the test, and that's not counting the one guy that tried to brute-force the exams and took it seven times. I can see that, but, you know, we have a web application, we see that. So once they pass four of the five tests, we send another congratulations email that actually has human intervention.
I have to do it because I have to send copies of the volunteer agreement, which includes a confidential disclosure agreement, or an NDA, that was written by our Attorney General, and the employer agreement. We don't require the employer agreement, because it's not a legally binding thing. If we have an emergency and Ford Motor Company won't release their MiC3 members, there's nothing we can do; you know, I can't go sue Ford or anything like that. But we believe we provide enough of a value that employers are going to do that. We do a criminal background check... talk to that. Once... this is after it completes the criminal background check. I've got to change that, because the criminal background check is a black box to us. Basically, once I submit that to the State Police I order a michigan.gov email account, and if they don't pass we do something on the back end, but it's unusual for people not to pass. It's not unheard of, though. If you ever have to have a criminal background check, be aware that it goes into things that have gotten expunged from your record. If you did something stupid in high school, it's gonna bite you. So that said, I know, I have friends that worked in State Police who wanted to hire a guy who had excellent forensic skills, and I have no idea, I don't want to know, what he did when he was a kid, but they can't hire him because of this.
So anyway, currently we are, as far as I know, the only state-sponsored all-volunteer force of cyber defenders. If anybody knows of somebody else, please talk to me, because I'd love to collaborate with them, because we're making mistakes all our own right now. And I do have other states asking about this. We had Montana, we had Hawaii come visit us (we wanted to go visit them, but I couldn't swing that), Indiana, Wisconsin, like up in the Midwest region, FEMA Region Five. We have a lot of people,
half the people meet DoD Directive 8570, which I guess has been replaced by something else, and this is not all that cool, except that in Michigan I get to say half our members are mil-spec.
So assuming we have members, what do we actually do? Michigan has a Cyber Disruption Response Plan, which is: in the event of a cyber emergency, what's going to happen. And it puts into place an operating environment. Emergency operations are led by a member of the State Police, so in the event of a cyber emergency we would be under the authority of the State Police. OK, the issue with this, and I sort of alluded to this, is: can anybody tell me what's the cyber emergency? Right, no, of course not. I mean, that was my first question: OK, I'm gonna get a hundred people to respond in the event of cyber emergency; what the hell is that? No, but exactly, exactly. But you can get funding to have an organization by saying we're gonna respond to a cyber emergency without defining the terms, right? That's your project charter. Now you need a project manager to go out, figure out business requirements and technical specifications, right? All of you with your PMPs, you know this.
So here's what we have for lower-level incidents, and this is why we have the Michigan Cyber Civilian Act in place, is for these lower-level incidents. For a governor-declared cyber emergency, if you look in Michigan's Cyber Disruption Response Plan, which is online (I don't know if this section is online), it has different, like, DEFCON levels, you know, and you get to DEFCON five, is the governor-declared cyber emergency, and basically for that to happen lives have to be at stake. It's like when a nation-state has hacked two of the power supplies up in the Upper Peninsula, where it snows all the time, in December or January, and people are gonna be without power there for three months, and people are gonna die. That's the governor-declared cyber emergency, and, you know, the Cyber Corps, I'm not sure what we're gonna
do is chop wood and build fires, you know, because people are gonna die. I'm making fun; we could do some things. But basically, if you try to recruit a hundred people to be prepared for a cyber emergency like that, they're gonna be bored, all right? I mean, imagine this, and this is frankly what happened up to about 2015: there were people recruited for the organization, but there wasn't anything to do, because you can do a tabletop exercise. Everybody been to tabletop exercises? Anybody been to one that's really exciting? Yeah, I mean, there are good ones, but most of the ones that I've been to have been a bunch of middle managers sitting around assuring each other that they have processes that will handle this and we'll be fine, don't worry. And again, I don't mean to completely make fun, but they could be more useful.
So I've been working with the State Police and the state of Michigan's SOC and the National Guard to try and lower our threshold for activation, and in fact Tuesday I'm going to be getting together with some of the members of the MiC3. We're going to go to the state SOC and review a couple of their incidents and talk about how they handle things and how we volunteers might handle things. And I'm gonna have a handful of MiC3 volunteers who work at different companies, and so this is going to give us some information exchange, which didn't happen before. We're not responding to a cyber emergency, but we are raising the level of security culture in the state.
So if something were to come in at some lower level, the cyber incident would go to, let me see if I could do this, ah, there we go, would go to the Michigan Cyber Command Center, and they would vet that for any criminality, because we don't want to, you know, walk through the blood like O.J. Simpson; we don't want to mess up any evidence. So once they clear under what conditions we can
be involved, they call me and I get in touch with our volunteers. And that's another thing we could talk about offline, which is how do you communicate with your volunteers during an incident. We don't have a good way yet, but we're working on some things. So if there is criminality then we have to be careful; if not, we can go out and just help people.
It's a partnership. This is the slide I always show, because I think this is really important. We have the Army and Air National Guard in Michigan, as well as the State Police and the Michigan Cyber Civilian Corps. Our activities are normal activities besides responding to incidents, and because you're going to ask, right: there has not been an official deployment of MiC3 yet. We just got the legal... the Michigan Cyber Civilian Act provides us indemnification. You know, if we do something stupid, we have now processes in place, and basically if we follow our own processes then whoever on our team does something stupid are protected by Good Samaritan kind of legislation. So that's important if you're gonna do something like this.
Quarterly we try to have a face-to-face meeting. That includes the training, that's a face-to-face meeting, and then the North American International Cyber Summit, which is October 29th this year. It's always in October, but, you know, with the new governor I don't know we're going to keep doing that. We have a conference call every month, which a lot of times is just me saying, "Hey, I'm gonna go talk at BSides Augusta about what we're doing and publicize this." But again, before 2015 there was no regular engagement with members, and it's amazing to me how much of a phone call... I mean, how many of us like meetings, right? No, no, we don't, I'm assuming we don't. But anyway, if we have a monthly meeting it really helps engage the membership. We also have Slack, and again, we're not reacting to incidents, but the level of engagement and the level of information sharing that we've gotten across the
state... and remember, so down here is Detroit; that's where most of the cybersecurity stuff is. I-94 runs across the bottom of the state from, like, Kalamazoo to Detroit, and that's the corridor. I mean, geographically, I'm not sure how it would be in Georgia, but you're gonna have pockets of industry and knowledge, cyber knowledge, and then you're gonna have vast swaths where you think there's nobody there. But what we found is, like, I thought I was the only person in Kalamazoo, Michigan, that was an infosec person. Well, you know, duh, you kind of know theoretically that there are people, but maybe they're not interested, because I never see 'em at DEF CON or anything like that. We started talking about these things and people come out of the woodwork, and I now have a group of about two dozen people that meet monthly in Kalamazoo and drink. I mean, we do drink beer, but all this, not even going... I like beer. But anyway, so there are more people out there doing security than you think, and a lot of the tools that are available, like Slack, it's just amazing to see this. And so there are a hundred people on the roster; I will admit that we probably have thirty or forty people that are actually active, but these are 30, 40 people that know each other now if they show up in a room. And that doesn't include the Army and Air Guard and the State Police people that we have now interacted with in capture-the-flag adventures, and we all know the constraints on us. And so, you know, you go and you get dumped into a fire, the last thing you want to do is be saying, "Hi, I'm so-and-so," right? So we've all worked together before. It's amazing.
So these are our events, benefits I've been talking about. We've won some awards and recognition, including, I'm really excited about the one on the bottom, War on the Rocks. War on the Rocks is a blog that's run
by the University of Texas NASA's Security Center. And Estonia has a cyber civilian defence league; I'm gonna go to Estonia next year, I certainly hope. We should have a blog entry on the Lawfare blog, for anybody that reads that, this month; I've been working with my friend at Hewlett Foundation to come up with that. In the future we're thinking about a proactive component, because, you know, detection and defense is harder than prevention, and we want to hit it, as they say, left of boom.
Lessons learned, which is really what I want to get to, is that, to do something like this, you have to build it, meaning, like, constructed, but you also have to allow it to grow. And the thing that was happening when I took over, and this is not a criticism, even though it sounds like it, of where it had been before, it's just that it hadn't gotten to that point: there was a lot of stuff being built. There were processes, and the application for testing, the test questions, were already written, but there wasn't a lot of allowing people to find out about it and to choose to be part of it. People weren't... they were responding to a request; somebody would come up to you, like coming up to your door, and say, "Hi," and maybe you had this skill, "would you please help?" and who can say no to this? But what happens is you get your name on a roster and you don't actually do anything. So we had to provide, you know, pulls for people to be part of this, and the thing that my friend who was the temporary CISO did was get funding for a SANS class. And by golly, you know, if you tell people we'll give you a five-day SANS class... the other side of that was you have to pass the test, and if you have a SANS cert, you know, those are not trivial. When I was in the Graduate School we did research: people study 20 to
40 hours outside of the class to be able to take the test. So people again have to be serious, but it's a serious benefit also. A SANS class: for those of you, you know, we did 504, basic ethical hacking; we did network monitoring, the 511 was the second class, that we just did network forensics, and that's the one I'm calling people, you know, reminding them. I think I've got 20 people who have passed the test now; I want to get more passed before the North American International Cyber Summit.
So you have to build and grow. You have to have top down and bottom up, and for this one I really looked. There is a picture available, and I couldn't figure out how to Google it, but, you know, when the Transcontinental Railroad got put together they drove the Golden Spike, and I think it was Provo, Utah. I wasn't there, I'm old, I'm not that old. But somebody put together a graphic where, you know, there's the railroad track coming from one side and the railroad track coming from the other, and they're gonna put the Golden Spike in it, so they meet like this, right? Top down and bottom up. You have to have the government; in my case I've got the governor, which is awesome, I mean, I don't think we could have done it without that, and the legislators bought in. We also have bottom-up, which is about an opportunity for people to be part of it, you know, providing the opportunity, and sometimes they don't match up, and, you know, sometimes that's OK. I would love for them to match up, because I'm OCD and all of those other things that all of us geeks are, but this is a challenge for somebody doing something like this: you have to accept that sometimes they're not going to match up. And, you know, to continue the train analogy, if you're not going to run a train on those tracks, you know, who cares, as long as it looks good, because we're trying to get public... you know, we have to
have public acceptance and public support, that sort of thing.
The other thing is there's multiple messages and audiences, and this leads into my question. I have prizes to give out. These are the multiple audiences that I have to talk about, and I was clued into this because I did an interview on perceptions of cyber security and information security and information security professionals. And there is some concern, if any of you read Twitter or Facebook or anything about infosec, there are questions about how do we get more minorities into the field, how do we deal with lots of drama. You know, we need, what, 300 thousand people, and we can't all be cool people who watched Mr. Robot and can quote all the Monty Python movies from memory, right? I mean, we were talking at dinner last night about the canon, and so we got to open it up.
So my time is up, so I'm gonna take all of these fabulous prizes home with me. I'm really sorry I didn't get a chance to come out. But speaking of messaging, this is a question I was asked by the survey people and I thought I'd bring it to you. So, "are there any types of, like, ice"... this is the question I got in the interview, and I'm only keeping you from lunch, so if you need to go to lunch, fine. So I sent him a picture of my laptop, right? Many of you have stickers on your laptops. I don't know that that's the sort of visual, but are there any visuals in the cybersecurity space that inspire you or do you think work? And what am I bid for this? Prize number one is an Alfa wireless adapter that can be used for sniffing. I'm sure it's compatible with Kali, and in fact that was one of the things I sent them, was the Kali logo, you know, because it's ninja, it's quiet, it appeals to us for that reason. So when
you see a visual... obviously you've all seen, like, Mr. Robot, hookers... hoodies. Hoodies, not hooker tonight. Hookers with hoodies, maybe, I don't know. But hoodies are, you know, a common one. What else? What works for you, and particularly something that's working that you're surprised? The quiet, right, right, that's not a visual, though, it's words. Yeah? Skull. Why, why skull?
Do you celebrate the Day of the Dead? OK, so would you like this? OK, use it, use your powers for good. So the question was, for the people at home, or the contribution was a skull, because skull means that you've actually survived death, because skulls do survive death. Bonus heart. And it reminds me that I've seen the Day of the Dead, it's actually a celebration, you know, and some of the symbols for that are skulls, and they look like they would be scary; kids, you know, little kids would probably be scared. But what? Oh, a phoenix. A phoenix would be... that's a good idea. Can you think of
something that... well, let's see. So who doesn't have Don Murdoch's excellent volume 1, a Blue Team Handbook, and has an idea of a visual that works for them? What? Yep. So what's your visual? Give a suggestion.
OK, we give points for bravery. OK, I'll keep the set. You can come down here and get this, because they're going to run me off the stage. How about volume 2 of the... yeah, no, think you're getting the hook. So who has... yes, sir?
yep the dog Callie out of them yeah
yep
I think John Strand won't actually run Metasploit until he gets to a singular logo, odd, that's what I think I remember, yeah. So I'm not gonna walk up there, because if I do they're not gonna let me back on the stage. Before I take your... I want to tell you what kind of fabulous prize you're competing for. This is a gig-fast Wi-Fi router, an Alfa AC1200R, and I'll bet it's flashable with OpenWrt. So now do you want to rethink your answer, sir? Oh damn. OK, OK, OK.
I was a member at the time, and I had scored well on the exams, and I also had experience spinning up a master's program. I had sort of leadership experience in information security, and I was vocally dissatisfied with how things were happening in the MiC3, and they said, "You're so smart, you do it." So I was hired in as a contractor. I'm a contractor for the state, but I do it because I love it. So they pay me, you know; I am a contractor, not an FTE. This is my job. If the governor decides, or if the next governor decides, we're not going to do this... the state actually has something called CISO as a Service that they're doing, is more the proactive thing, where they'll go around and help small organizations, you know, put together processes and plans. That doesn't interest me, and if they asked me to do that I probably won't. So I don't get paid full-time, and it certainly doesn't take me full time, because if you've worked for either academia or government you know that you'll kick something off and then you go take a two-week vacation. So I put in usually fewer than 10 hours a week, but I love it. I mean, that's actually on the organization. I do some 1099 work for SANS. My whole life is living in packets, so, you know, what's working, what's not. But I get health insurance, which
at my age is the thing. Yes, sir? What? Target and crosshairs, um, OK. So the question was, am I a volunteer, am I voluntold, is it my assignment, and that was the answer about, I'm a contractor. The suggestion for visual is target and crosshairs, which is a little threatening, perhaps, but, you know. The unicorn, what's... so somebody has suggested a unicorn. Tell me about why the unicorn is...
Yeah, you should look for an animated GIF that says "I'm an effing unicorn, I do unicorn things." I always wanted to do that as my performance review. Yeah, anybody else have suggestions for positive... yes, sir? Yeah, bs iLab.
ah
right
yeah
Yeah, Kimber bet has been MS bat. Well, what's the name of the first Twitter account you said? I want to make sure it makes it onto the YouTube, into the audio. be I a se Aiye la B is a young person who has some good visuals. Yeah, cool. OK, anybody else? OK. Come to Michigan, come to be part of my Michigan Cyber Civilian Corps, and if you want to do it in Georgia or some other state, please talk to me. That's how you can find me online; I am, like, promiscuous on LinkedIn and Facebook, and if you Google Ray Davidson, I'm not the fashion photographer, unfortunately, I'm not the track coach at the University of Houston, but I'm probably the only security person. OK, thanks for coming, enjoy your lunch.