BSidesSF 2023 - Community Cyber Defense: How to be a Local Cyber Hero (Sarah Powazek)

BSidesSF · 2023 · 11:30 · 207 views · Published 2023-05
Category: Community
Style: Talk
About this talk
Community Cyber Defense: How to be a Local Cyber Hero
Sarah Powazek

Learn about volunteer efforts to protect community organizations like cities, schools, and nonprofits from low-level cyber attacks, and how YOU can help them succeed.

https://bsidessf2023.sched.com/event/1Hzte/community-cyber-defense-how-to-be-a-local-cyber-hero

Transcript [en]

Hello, good morning everyone, um, welcome to the shortest talk at BSides San Francisco. It's good to be here today. I'm going to be talking about community cyber defense, um, how everyday people are stepping up to help their communities and how you can get involved. But first, a little bit about myself. My name is Sarah Powazek. I direct the Public Interest Cybersecurity program at the UC Berkeley Center for Long-Term Cybersecurity, which is a very long-winded way of saying that I spend my time investigating and promoting different ways to help organizations that are under-resourced with cyber security and help them bolster their defenses.

There's a few different components of public interest cyber security, but I'll keep it brief. One is that it's focused on community cyber security. So we hear the term national security thrown around a lot, but really there are lots of instances where something might not qualify as a national security risk but really has a profound impact on local folks. So for example, like a food bank being hit with ransomware: maybe not a national security risk, but really profoundly felt by folks who get their meals from that food bank, quite immediately. So that's what my program is focused on. And we also look at a population level instead of an asset level, so we're not thinking about what we're trying to defend, we're thinking about what people we're trying to defend, um, who are the most vulnerable in our communities and what services do those folks rely on that, if they were taken away, those folks would struggle the most. So that's what we're trying to concentrate our resources.

So why is this work important? Um, you folks all already know this, but I'll say it again: um, the most at-risk organizations in the country right now are some of the least prepared to deal with cyber security threats. I'm talking about cities, for example, right? Even the city of Oakland, where many of us live and work, just last month was hit with ransomware. It's becoming really a weekly occurrence, and there are really real impacts for these sorts of organizations getting hit.

Cities provide marriage licenses, they provide 9-1-1 and other emergency services, housing and eviction services. Non-profits: I mentioned food banks, institutions of faith, folks providing free legal services and refugee assistance. And public infrastructure, so not just the large ICS institutions but also small ISPs, small water providers. All of these folks are very, very low resource. Some of them might not even have a single cyber security staff; many of them don't even have a single IT person, uh, at their institution. So they're really, really struggling, and they need more assistance than we're able to provide.

And before I jump into why you should volunteer, I'll say that there are a lot of folks at the federal level doing absolutely incredible work to try and make this problem better. We're prosecuting ransomware actors, they're making more funding available for local institutions, lots of really great work. But the reality is that almost every organization is affected by cyber security, and it's just not going to be enough unless all of us get involved and try and help exactly where we live and work.

And if that hasn't convinced you already, here's a bunch of good reasons why you should consider volunteering. You get to see the direct impact of your work. You get to hang out with, in my opinion, the coolest people in cyber security, the ones who are trying to do it for free in their spare time, what little may be. And you might make a real difference, so you might be the difference between a small business shutting down and being able to stay afloat because you helped them bolster their cyber defenses.

So in my remaining time I'm trying to get through three major groups of volunteering organizations, what sorts of programs they've started up, and how you can get involved: academia, local government, and private sector individual volunteers who are working out of non-profits.

So we'll start with academia. You may not know this, but academia actually has a really rich history of training students to do public service. So you see this in medical school clinics, where med students work in clinics to give out free health care. You see it with law students who are spending time in a pro bono clinic to give out free legal services. And so in 2018 a number of academic institutions wondered, why aren't we doing this for cyber security? We have all these students who need real-world experience, they don't know how to break into the industry, and we have all these organizations like right next door that need our help. And so they thought, what if we created a cyber security clinic? We'll take these students, not just computer science students but law students, people from political science, um, you know, folks in human rights, we'll bring them all in and we'll teach them to do a basic cyber risk assessment, provide some basic recommendations to these organizations, and we'll do it all for free. We'll give them course credit or internship, paid internship experience. And they did it.

Um, so UC Berkeley and MIT led the charge, but we're now up to nine institutions across the country that are providing these free services. I help organize the consortium, and we've trained over 730 students to perform these assessments, to get better jobs in the field. Um, we've served over 120 community organizations for free. So this includes, now, I mentioned MIT and UC Berkeley, a number of institutions from the University of Texas, University of Alabama, University of Georgia, Indiana University, and Columbia.

Local governments. So now we're talking about local government creating programs to help organizations within their state borders. They are creating incident response corps programs. You might have heard of MiC3 before, the Michigan cyber corps program, but there are also more proactive programs where they're providing risk assessments and threat intelligence and other sorts of resources. And this doesn't sound very voluntary until I tell you that many of these programs are actually training, recruiting, and certifying folks from the private industry to act as sort of a cyber reserve corps, and are called in to help respond to major cyber incidents within the state. So MiC3 is one; Ohio and Wisconsin have also started up these programs where they're able to leverage folks in the private sector, again in their spare time, to help respond particularly to those sorts of incidents where they wouldn't be able to contact a professional incident response firm, particularly cities and municipalities. So, um, only a few states that started up these programs, as you can see from this map from the National Governors Association, but it has caught on in recent years, and there's a lot of different services that these folks provide. Sometimes they operate year round, so if there aren't incidents they're trying to do proactive outreach and other things. Um, really, really interesting program and really catching on very quickly.

And finally, trying to leave some room for questions, um, there are non-profit programs. So these may be familiar to already; I'll go over a few of them. These are mainly folks from the community starting up programs and trying to fill these gaps in service when they're seeing these organizations that just don't have the resources that they need.

The CTI League is a big one. It was founded by a group of hackers in 2020 during the COVID-19 pandemic, when they saw that healthcare infrastructure, in hospitals in particular, were really vulnerable to cyber threats because of how overwhelmed they were with the pandemic. And so they did things like, um, in 2020, this is a release some threat indicators, they ticked those indicators, they actually identified some C2 infrastructure, they helped with lawful takedowns, and they were able to track and try and proactively notify victims of those attacks.

I Am The Cavalry is also an incredible program. They've been around for a decade now; they started up in 2013, also by a group of hackers. They have a really broad scope of work, um, on policy and on hacking and identifying vulnerabilities, particularly in the automotive industry and in, um, like healthcare and healthcare tools. And they also run an incredible program called Hackers on the Hill, where they bring in folks like you to give technical input into public policy right in Congress.

And I'll round it out with the CyberPeace Builders. This is an initiative from the CyberPeace Institute; they're a non-profit based in, uh, Switzerland, the city is escaping me.

Um, they're great. So this program, they match volunteers with discrete tasks. So say I'm an organization that needs help configuring my firewall rules: they will pair one or two volunteers with that organization, they complete that task, then they're done. It's a really ingenious idea of helping move the needle a little bit for a lot of organizations while understanding that a lot of folks in private industry really only have like an extra hour to a week, if that, maybe a month. Um, so they're training hundreds of folks. I think they have 300 volunteers and over 700 hours that folks have put into this.

Um, oh no, I've been on the wrong slide, you guys. Okay, here is this slide. I'll leave it up very briefly so that you can see these programs that I've been talking about with no slide behind me. Okay.

Um, in conclusion, um, so I hope if you take something away from this presentation, um, it's that people really need you, and you can make a difference with knowledge and skills that you already have. Um, there are lots of programs that I mentioned today that would love your help. You should check out if your state has one of those volunteer cyber corps programs, if there's a cyber clinic in your state that you could offer services to, if one of those non-profit programs you'd be interested in joining, or start something yourself. We're really not at the point where we can go to bed and not worry about something really critical falling victim to ransomware, um, and in the meantime we're all going to need to play a role in helping, in particular, the low-resource folks who really don't have the money or the knowledge to protect themselves in advance.

And I'll end with a quote from the Wisconsin CIO talking about one of the cyber corps programs: "One of these people shows up on site during an incident, they stop the bleeding, and they fix problems." So I hope you'll all join me in stopping the bleeding and fixing problems until one day, hopefully, we don't have any more problems to fix anymore. Thank you.

I think I have a couple minutes for questions, if folks have any.

Like a volunteer organization? Unfortunately, no. The NGA site is a good place to start if you want to learn more about the cyber corps programs. For those non-profits, you'll have to look up their websites individually, and they have more information.

Uh, I would say that the folks that you want to talk to really differ depending on the state. Each of them tries to house their cyber activities in a different department. I'd say the office of emergency management or the National Guard are generally where those programs are hosted, and if you look at the NGA study that I referenced, they have a section on authorities. Sometimes they've actually needed to pass legislation to give them the authority to pull in private folks to respond to these. So I'd say if you could get in touch with someone, um, in the office of emergency management and see where that cyber activity is concentrated, those are the folks you'll want to talk to about those programs.

Mm-hmm. Any other questions? All right, happy to chat more after this talk. And I'll say, if you like the idea of community cyber defense, UC Berkeley's hosting a conference this June 14th in DC called the Cyber Civil Defense Summit. We'll be having panels with the folks who are running these programs to talk about them, how they can collaborate and scale, and so I hope to see you there. Thanks so much.