CyberPeace Builders and the Fight for Nonprofit Security

so uh just before introducing uh our last talk and keynote at the end and I'll I'll I'll show the room to Adin so you can see some of you around uh to notes one Pata just arrived but uh we'll start serving them and you can then go uh eat them I think there's enough so that you can uh after we we'll probably do a small break before doing the the closing uh session after after the J talk um also regarding the badge competition um let me okay so does the just this is the final uh list uh we have closed the the competition so no more points to be obtained and so whoever is on the three

first places will win prizes and then we'll do the ruffle with everyone else as as as we said having said that so let's go into our uh keynote let me just show him a little bit off the room I'm not sure if you see prob not oh wow hi everyone so again thank you very much Edan for for doing this um and so everyone Adrian will be speaking about the his work also with the Cyber peace Institute and cyberp Builders and it will be our final keynote and thank you very much and we'll have anyway questions and answers I'll have to repeat them after to Adrian because he doesn't have the the audio from the room uh but we we'll do it if

if there are any questions so aan please go ahead I'll try to also put this in full screen and so on but go ahead thank you Bruno um so hi everyone um first of all I'm really sorry not to be there in the room with you I I had my flights everything was prepared I was literally almost on the way to the airport and one of my three kids got sick had to be transferred to the hospital um he was discharged today so you know at the end of the days he's okay but it was a very stressful period And I have two other kids and it was just not manageable but I'm really bumed because I was very

excited to come and see you all I was very excited to come and see some of my staff that are based in uh in Portugal uh I even have family in Portugal so I was really bummed not to be able to be there but uh thanks a lot to the organizers to Bruno to J for for accommodating this talk even remotely uh thanks a lot for your flexibility guys really appreciate it and next year you can count me already I will be there um without questions so um I'm Adrian I'm the chief oper ation officer of the C peace Institute I'll just say a few words by about who I am and then I'll jump right

into the the presentation um but just as way of introduction so I'm a um telecommunication engineer by trade I'm French originally I studied Global Security as well in the UK and more recently um did an MBA so I have a bit of technical background a policy background and and a business background which I try to merge into what I what I do um so I started my career working for a um big defense company in Brussels called Talis dealing with their cice Security Contracts with the EU and NATO I switched to the French government I work for Ani which is the French cice Security Agency um and went a couple of times to to Portugal to meet my

counterparts there and then I switched over to Ana the European cyber security agency and and came back to Portugal quite a few times uh for several meetings there on Cyber exercises crisis response discussions uh so I have a few professional contacts as well um where you guys are now and then I came to Switzerland to work for the wock mic Forum which was setting up a center for cyber security at the time and then quickly switched over to the Cyber peace Institute where I am now as it was founded and was a this this fantastic opportunity for me to apply well Business technical background and policy background in in in one organization so um let me try and connect my

my slides sorry just a sec right I suppose that you can see this so what I want to talk to you a little bit about today knowing that you had a keynote from a good friend of mine Josh earlier about his own walk at I am the Cavalry was to tell you a little bit more about our program which looks at taking the Goodwill in our industry and channeling it to a good cause which is something that Josh has done extremely well for the the last 10 years and I hope for the next 10 as well I wasn't able to see his presentation because I was in there so I'm done but I I I think

I have an idea of what what he um discussed with you guys but I wanted to Echo a little bit his his own keynote and tell you a little bit what has been our own journey into into that space and taking a step there or leap you know uh and and calling it an an activist movement right um it's a it's a debate that we can have during the during the or after but um we feel confident at The Institute to connect our walk to the world of activism I don't know if how Josh feels about that so I'm not going to label the I Cavalry as a activist group but I think it's looking at uh you

know having an impact social impact political impact so in that in in in that frame of mind I think that it fits that narrative but anyway the presentation today is supposed to give you some tips and tricks and so you can learn from my mistakes mistakes from others as well into venturing into that space and basically doing even more good than I hope you guys already doing so as I was mentioning activism if you look at the definition and I had to look for a couple of definitions because a lot of them had very negative connotations but I found this one that I liked a little bit more than the others which is essentially the use of

computer-based techniques to promote the political agenda or social change right and the term was coined um by an organization called the called of the dead car that's based in Texas I haven't been there I don't know them you know I'm not an expert in their activities but I I I know that they con that term in 1994 they were set up 10 years before the year I was born so was definitely not you know involved in those activities but they are the ones who in initiated that that whole activist U movement they created the activism um Manifesto and a number of other activities that really make them prominent that space and I'm sure you know if you don't know the C of Deco you

will definitely know weaky legs that is an offshoot of of the C of Deco and some folks walked in one and the other Etc and is a lot more famous obviously and has has led to profound political changes but also profound trauma if I dare say for their their Founders and folks that have are associated with them um and then link to that or you know following that Anonymous is obviously the the biggest of all and most famous of all um activist collectives the two latter groups The Cult of dead code doesn't have a negative connotation as far as like I I know as far as I could tell as well in my research but definitely Wikileaks and

and Anonymous are portrayed in you know several States and news outlets as as folks that engage in illegal activities to uh further their their own um social agendas I think it's on a spectrum and I'm I'm not here to um you know say that it is or it's not illegal it's not a point of this this presentation I'm just saying that activist um activities fall on the spectrum of of impact of social motivation of legality and certainly many of the things that the C of De code is you know recognized organization did 20 30 years ago could have been considered a little bit um over the top or a little bit I don't want to say

legal but a little bit um different than what you know yeah um very uh conservative people would do let's put it this way but now if you think about other groups right and I me I did mention the Cavalry earlier and you think about the the I hope the war that Josh told you about he's he's been doing with numerous hackers on the other side of the Atlantic and pretty much all over the world right if you think about that definition of using computer techniques to push for a social agenda to push for a better you know a better tomorrow I do think that there are parallels to be run there and and Josh please text me if

you're unhappy with that definition but I do feel that I am the Cavalry and other groups for instance like the citizen lab that is operating out of Canada looking into um the activities of groups like ano helping journalists that are um um surveilled by their states um talk about that understand better and try and drive policy change right you know they're also using computer-based techniques to try and further um particular social and political agenda right trying to Build a Better World at least as far as I hope all of us are concerned in terms of getting rid of civilians getting you know protecting encryption and things like that right think about bellink cat also it's an NGO

based in Foundation based in the Netherlands if you don't know them they do collaborative crowdsourced oent work so they take um pictures and investigations led by by you know normal citizens and their own staff and they use that to report on war war crimes and human rights abuse and things like that right so they're also using computer based techniques to promote and further a better a better future so are they activists what about access now that has a digital helpl line that's helping journalists and human right Defenders and at risk individuals defend against repressive regimes and and Espionage and all stuff right are they activist collec they they have also political you know agenda they do advocacy work they push

things to try and change the status quo right so I hope this you know I'm not offending anyone with with that and and I have a very open mind around activist collectives but I do see that there are parallels between groups that have gone a little bit above what's you know what the law or beyond what the law says is is legal and groups that are definitely sticking within legal boundary but also trying to touch the edges and and and and yeah F further a social agenda that's hopefully going to either protect the good that we have in this world today or or get rid of the evil that we have the Cyber peace Institute is is a

young organization first of all right we don't have the history of these these folks we we were we're nonprofit founded in 2019 we're based in Switzerland so I'm not trying to compare any of the work that we are doing with with those that um H have been around for decades and doing amazing work but there are certainly models that we look up to in terms of changing the world and making the world a better place so we've grown in that period to about 40 people with a simple mission that is to protect vulner the most vulnerable in cyberspace the way in which we are doing this is through a um well in three parts that's really is

first we dispatch assistant digital assistance for free to vulnerable communities and I'll spend a lot of time explaining you exactly what we do in the next time I'm not going to tell tell you more but just remember that we do walk on the field trying to understand what is happening to vulnerable communities and and provide them the right help right so in doing so we're also able to understand better how V these vulnerable communities suffer because of cyber attacks because of digital Technologies we've created because of lws that we've passed or have not passed and so in understanding better this human suffering we we are trying to also document it so that's the second core

activity of the Institute is to bring all of that suffering essentially to the public domain so that everyone can understand what digital Technologies are fermenting when it comes to V vulnerabilities right so we we've we've done we've reported on attacks in the healthcare sector for instance during the pandemic we've got an open platform that you can check that that are obviously open where we talked about attacks against Healthcare and you know lots of well some parallels with the work that I I'm I guess Josh told you about for the last year and a half now since basically the war in Ukraine started we've been tracking all of the threat actors in that space looking at

all of the so over 100 of them we've been tracking over 3,000 cber attacks associated with those actors that are having an impact on civilian populations right so again an open platform that you can consult um you can download the data sets and you can engage with us if you're interested of course but essentially trying to put it put out there how people are being attacked um through through the internet and then the third core activity of the Institute is to take all of these learnings take all of these documents that we make public and drive advocacy right so advocacy is what we call in the nonprofit sector lobbying but if you work for a private company lobbing is

essentially the same you're trying to influence decision makers to for your own agenda and then in the nonprofit sector we talk about advocacy which is essentially providing these materials to decision makers at the UN so we contribute to un negotiations through the open-ended walking group so I have colleagues that are flying all the time to either Vienna or New York uh we were at the Paris peace Forum last week talking about uh cever meronies we're um engaging with Diplomat and cyber Diplomat all over the world obviously in Switzerland we're talking a lot to them also because there's a number of NGS and international organizations here in Geneva but we also doing walk in the he

we're doing walk in the US trying to engage all of the decision makers in the international organizations in the public sector so heads of states and know all of these diplomats but also very much private companies that are creating technologies that are you know good or not good or not creating technologies that would be good for NGS and trying to tell them hey this is how people suffer online this is what we think can be done to change that and for us it's almost an existential threat to the future of our community of the cyber community but also just like how how the world is evolving right if you think about it we've created a A

Beautiful Beast right with the internet um and 20 30 years ago when it was appearing everyone was thinking it was great connect a lot of people you know the benefits far away the the risks but now the we've gone you know 20 30 years in the future and we've seen how what it does and and The Institute reports on that what it does to vulnerable communities we realize that there's a huge part of the population that's that's suffering because of those those Technologies so if we're not able to protect those that shouldn't be attacked then what does it say about the internet right it's a technology that we've created that's allowing States and folks to pray even further on those that are

already vulnerable like is that something that we are comfortable with as I mentioned I have three kids and you know I don't want them to hop online like I'm I'm I'm scared my eldest is 10 I don't think I want him to have a mobile phone and so you know there's discussions at home about this because his friends have and stuff but I'm concerned like legitimately concerned that the internet is a place that could be dangerous for him he's well educated his dad is in cyber you know I can put a lot of protections so what about the the kids whose parents don't know about that living in in countries where the states is after those um their parents or you

know all those kids like how they're going to protect themselves so I feel that we in this community have a responsibility to protect them and that's essentially what the Institute is trying to do okay moving on I want to tell you first a little bit more about the Walk of NGO together I don't know if all of you are familiar with nonprofit organizations non-governmental organizations Charities you there many names for these organizations but at the end of the day what they do is they provide services to over a billion people in the world who are not getting those services from either the state or corporations so think about us living I suppose most of us here live in the western world or Le

in Europe and in the US then we get our health care we get our shelter we get our food we get our energy you know through public or private services but it's it's fairly easy for us to get those right there's a lot of people in the world a billion and that's that's even growing that depend critically on NGS for shelter for food for uh education for energy for water basic basic needs and that is increasing because of conflicts in in yeah in Ukraine in Palestine and other places in the world because of rising social tensions Even in our own democracies in our own countries because of external factors like climate change that's that's leading to displacements and

migrations there's more and more people that are depending on the Walk of of NGS and un fortunately cyber attacks against them are under R so I want to tell you more a bit more about some of these stories that you know we we've taken a part in and we've tried to help sometimes successfully sometimes less successfully but couple of months back a an NGO that runs orphanages around the world reached out because they were being ransomed right typical ransomware attack so we advised the CEO and started to help them basically face that that situation and when the CEO had started negotiating with the with the criminals what the criminals revealed was very interesting first they didn't

know it was an NGO right they had no clue so that's that's a first lesson right it tells you that I suppose you know that but it tells you that those um criminals are attacking anything they can and just by virtue of getting being connected having a vulnerability somewhere you you can be Ransom right so it's not because you walk in an NGO and you're helping kids and doing good in the world that you may not be ransomed right but what's interesting is that when the CEO said to the criminals hey you know we walk for an NGO we protect kids the data that you have encrypted is actually kids medical records and pictures like you know we don't have

money to throw away we're running on on a nickel here we we do not have a budget to pay to by you know you so the criminals responded oh yeah sorry we didn't know we didn't know you you guys were an NGO but don't worry we've got an NGO discount so as funny and sad as that is it also tells you that NOS are now legitimate targets for criminals and they institutionalized the fact that they can hit NGS so that's that's a um it's a really unfortunate uh story that the CEO had to press on to further negotiate and and this story didn't end as as well as we we wanted another um story that you may

have heard of um is um roots of Peace it's a nonprofit American nonprofit that's helping Farmers that have been affected by conflict and have lost as this gentleman you know limbs because of Mines so they're helping them transform minefields into Vineyards so they're trying to Foster the emergence of Agriculture again and and clean you know clean the country and of of Mine Mine Mine Fields so this NGO got hit by a CEO fraud attack and um the story is public so it's fairly well documented you can find more about it I can tell you more if you're interested I can send you the link but basically they lost over 1.2 million US dollars in three different um

um wires that were essentially the directed by a criminal that inserted himself in the conversation between the CEO and the CFO impersonating the CEO knowing the CE was in trouble so the you know the criminal reused a password that had leaked um I guess a couple of years back and it's not a very complex attack but the amount of money that was stolen 1.2 million is significant um if you haven't heard of that story I suppose you've heard of colonial pipeline this oil uh and gas Transport company in the on the east coast of the US that got hit by rans Sumer attack about the same at about the same time um and the attackers of you

know Colonial pipeline ended up making out with I think two million US dollar I think they had rans some of four but the FBI recouped some of that of that Ransom and um the FBI was all over the case um you know these criminals are never Trav in again um Biden and Putin back when they were talking came to Geneva to meet and discuss this particular attack was all over the news is a huge thing right um and if you think of the amount of money that was stolen is not that far off compared to the one that was stolen from Roots of Peace but you think of the risks that criminals have taken sorry to go after

Colonial Pipeline and the risk they've taken to go after roots of PE nowhere near the same nowhere near the same all right and the last attack I hope you've heard about it it was a it's all over the news this one it was last year here in Geneva against the international Committee of the Red Cross it's a huge organization with three billion US dollars in a annual budget that um manages very sensitive data and they got um hit by what they claim was State actors or state Affiliated actors that went after a database containing the personal records of 500 15,000 migrants so think of those folks as potentially um people that are fleeing their countries because of rapy

regimes people are trying to find a safe heaven and have all of their data where they are where their you know um relatives are located currently in Europe or back home potentially accessed by the regimes that are after them so that's yeah it it it tells you that even those bigger International organizations are also targeted by somewhat more sophisticated attacks just by virtue of having access to sensitive data so why indeed go after these organizations I gave you a couple of pointers the first is money right that was the case in the first and second attack and you don't think of NOS as you know wealthy entities and for the most part they're not but collectively they

raise over a trillion US dollars in funding that's massive economy and those funds at the end of the day they move a lot right so there's a lot of transfers between one organization and the next and the other and so they're at risk if they're not if those entities are not um upping their level of cyber security many NOS operate in sensitive contacts contacts sorry and have very sensitive data at hand it could be data about migrants could be data about people that are mediating conflict it could be um data about you know Healthcare data about about kid or about journalists that are reporting on on on particular States so they hold sensitive data that again if not well protected

can be stolen by people that are politically motivated or can be monetized by intermediary groups that can resell those to those State actors after and then many NGS lead sensitive operations on the ground um you know when they're active in humanitarian context in conflict zones they end up offering critical services that um if disrupted can not obviously have an impact on the beneficiaries they're serving but they can also help those who are against the work of those NGS achieve a political political gain so that makes for quite a lot of reasons and if you think about it um those organizations are Target Rich right it's a term that's trending now um on the other side of the the Atlantic but it

essentially means that a lot of entities can go after after those um organizations if you think ofes for instance the likelihood of a large State actor going after anme a small or medium Enterprise is fairly limited right but NGS have the cyber security capabilities of smmes yet they can be targeted by very powerful State actors right they can also be targeted by very powerful criminals that are just interested in their money so it makes for quite an asymmetric relationship between their capability to to defend and the resources of those attacking them NOS in general are cyber poor meaning that they have poor cyber security standards um they have rushed their digital transformation in the last

decade mainly because they're beneficiaries the people underground that they're serving you the migrants and and folks that NGS are helping they're having smartphones they're on Twitter they're on on Instagram they are asking those organizations to be a lot more connected to engage with them so those organizations have rushed and are adopting lots of new technologies that they don't really master and because it is still often times considered an overhead in those organizations very much like in hospitals you have Hospital leadership is generally coming from Healthcare and so it spendings are never as much of a priority as Healthcare spending well you have the same same phenomenon in Theo sector where most of NGO ngo's leaders don't have an at Cyber

background and so more reluctant to spend on on on on that on top of that donors those that are funding those organizations also you know are somewhat living in the in in in the past when it comes to digital Technologies because they themselves haven't really had to uh transform digitally so fast and so they're not really considering cyber it as a priority and still consider it an overhead so it makes it very difficult for NGS to to um to invest in cyber I mentioned it earlier but there's very limited risks for criminals going after those organizations you know we've had the police I'm not going to name the country but invited the police for a

session with NGS and the police literally told the NOS like if you've got a problem call The Institute but don't don't call us because they're you know they're swamped they've got millions of things to do and and engers are operating where governments and corporations are not operating or they're doing what governments and corporations are not doing so the interest for public author authorities to help NGS has been in the past generally limited and because you get access to potential large amounts of funds you get access to sensitive data you can get get you know political gains like the payoff to go after those organizations can be really high so that makes for quite a dark recipe and quite a woring uh quite

woring thought for the future because who's going to help those organizations right I mentioned public authorities it's not their DNA right those organizations exist because public authorities are failing you know in a way like there wouldn't be an NGO providing shelter to a part of your community if the state was providing that right so the relationship with NGS and public authorities is often dense I know democracies it gets a lot better but in in in other countries um ends up more often than not in violence and so seeking help from public authorities is generally out of the question private companies are eager to help but you know when they got to choose between a high paying client and

a low paying client then you know there's only so much that they can do so unfortunately the current price structure in the cyber security sector makes it really really hard for NGS to have cyber security contractors to have those experts um at hand and inh house Talent is the same um I think the shortage of talent by 2025 will rise to 3.5 million jobs worldwide and you know cyber Security Experts like us they're all holded by the private sector or the public sector so it's unlikely that the needs of those two sectors are going to be met by 2025 or 2030 or God knows when and so they're just going to continue to hold that

talent and make it really hard for NGS to attract and retain cyber Talent so what do you do right well there's a couple of of folks that have tried to do things that are still trying um and basically trying to leverage the rise in cyber volunteering so security Without Borders no longer exists but essentially it's the precursor of the Cyber peace Builders it's inspired us a lot they um created a group of volunteers meant to help at risk individuals um journalists human rights Defenders with cyber security advice right so it was created a couple of years back um but without budget um without you know a clear operational structure and so gradually failed to vet

who was coming in that that Network and ended up having a couple of folks that you know shouldn't have been there and so they had to yeah they lost the trust of the community and and and had to close down um but they were really precursor in that space CTI leue I'm sure many of you will have heard of group of volunteers that um got created a couple of years back I think when the pandemic hit looking at sharing thread Intel uh trying to take down um bot Nets and leas with the FBI law enforcement agencies around the world to mostly take down activities using uh CTI data and they're still they're still there still

doing amazing work and really tapping on the Goodwill of uh CTI analysts the Consortium of cyber security clinics I'm not sure if you've heard of them but essentially those are it's a network of universities in the US there's a couple in Europe that are appearing as well that run cyal clinics so they take students uh with a professor for a semester and they go and help an organization more often than not nonprofit organization but sometimes even public organizations or ormes um and so Berkeley has been a leading force behind that Consortium Google is now helping them scale that up to 20 different universities across the the US and there's some universities as well in Europe we're working with eth Z that's

helping an nger that we knew as well so this is basically tapping into the the the student walk Force and and allowing them and the time you know with the time that they have at hand to give back a little bit to the community uh innocent lives Foundation I'm not sure if you know them they're essentially running on volunteers to chase pedophiles online so it's you know it's a difficult topic and they have incredible processes to help you know those folks that are volunteering their time looking at those ugly images trying to track down pedopiles but last time I talked to them they had um they had provided data of over 350 pedopiles to the FBI which had led to rests so there

you know Ma massive impact the Michigan cyber um civilian core is a public sector group of volunteers so those are um they've got all sorts of statuses in Michigan basically trying to have this these volunteers that're working for industry and and other groups um help the government and small you know City Halls when they get defaced to Ransom and whatnot and so it's a it's a one of the first public sector initiatives with the the Estonian cyber Defense League as well I don't think I have on the slide but to Tru to really try and tap into your local community to help help the uh public sector the Cyber hel line in the UK is doing great work supporting

victims individual victims um of cyber crimes with taking volunteers to support you if you're facing you know scams or bullying or things like that EU cybernet you guys are European check them out they do a lot of work in cyber capacity building outside of the EU so they take experts from the EU and dispatch them Beyond with loads of volunteering opportunities and then there's another one which still is a volunteering you know opportunity um they're not necessarily just defend defending networks I they're also doing conducting offensive operations so but the at army of Ukraine is is by far the biggest volunteer cyber volunteer group out there right I just checked their telegram group it's a picture from

yesterday they have 150,000 members I don't have those numbers in the side these Builders and none of these organizations has those numbers right um but it's a risky move right uh actually the International Community Red Cross just issued some rules of engagements for civilian hackers because of that because if you're if you're hack in in Portugal and you you know you want to help Ukraine defend against Russia or the opposite like you whatever your views um and then you engage in in in cyber activity that leads to cyber damage or even kinetic damage and one of the two parties decides that you're now a beler you're not part of the conflict and Portugal has entered the conflict

you're essentially putting yourself you know your see your country at risk so it's a tough one I'm not saying that they they shouldn't be doing that but it legally speaking and you know ethically speaking it's it's a it's a tough it's a tough one when it comes to cyber volunteerism but I could not not mention them it's the biggest group out there and it shows a trend so one of the reflections around this is that the for me the barriers into entry into H activist Collective if you think of anonymous you know getting into anonymous was not that simple uh quite hard and quite dangerous and quite risky it's invested you know with FBI agents andar enforcement agents and you

wanted to be part of that group you know you you had to be ready to face J time and a lot of them did right think of Julian ason now in the last 13 years of his life leading Wikileaks you know like I don't wish that on anyone I don't think that he's happy even though he believes in I guess in in in the mission of weeks but the the cost he's had to pay is massive right so these volunteering groups are essentially lowering in my mind the um entries of the barriers of entry into those uh groups that are trying to provoke change trying to do good but are not you know willing to risk their careers or risk

their personal lives over over a cost so that's essentially what we've been trying to do at The Institute with the Cyber peace Builders we've been to trying to mainstream activism to provide digital assistance at scale and for free um so the Cyber peace Builders is an a network of cyber Security Experts that are working all for private companies now volunteering their time to help NGS right so the volunteers do pretty much anything that you can think of all the way from uh security assessments they will do awareness raising sessions to train staff on basic things they will run fishing simulations with tools that we provide they can check for leak credentials on the dark web to inform an

NGO that they they have potential vulnerabilities they can do vulnerability scans as well to find open ports and ways in which criminals or States could get in in um they can even Provide support during incident response we've got volunteers that did amazing work last month helping an NGO that got coding the conflict in Palestine um negotiate its way out of a ransom so we've got yeah a a large variety of stuff and I wanted to show you actually the platform l so you understand that how it works and it's not just a slide so this is our mission board so we're running on mados let me start with that we're running on mados which is an open

source platform it's like slack if you know slack but mad most is more secure we host it on a server in Switzerland we've secured it ourselves um so we've you know it has zero trust features we forced to fa obviously on all accounts um it's got great account granularity so it's it's really um wait Alex is text texting me I'm running on over time oh I have five minutes to go wow thank you Alexis um all right so that okay that that that's the platform essentially this is matchmaking mechanism where um ngos advertise their needs you can see here an NGO in Germany who needs help with a web vulnerability scan this one is a fishing exercise and

as a volunteer if you're interested you just slide the car to the right and then we'll match you up with the NGO will bring you to a separate Channel where you can engage with them directly you know you can have a zoom call whatever they need like you can run an ex size use the tools that we got and then help them out right it's it's as simple as that I could tell you a lot more but because I'm running the time let me go back to let me go back to my presentation uh sorry okay I have a few things more that I want to tell you this is our impact um in the last two years so we've

helped over close to 200 NGS you can see some of their logos on the left and you recognize some family names but we also help very small ngos like you know we helped an NGO in Mexico that um supports pregnant women in slums uh to educate them on their pregnancies you know if they get like weird sicknesses they don't know how to ask a doctor whatever so we' helped them secure their code so a volunteer did a full secure um audit of their code basically and rewrote the entire code and and that app has now been approved by the Mexican Government uh so it's you know it's top- notot standards um so they we we're helping

the Swiss de mining foundation for instance right quite active in Ukraine trying to get rid of Mines over there trying to help them with their cyber security as you expect you know they're getting hit quite a lot so there's two almost 200 of the NGS that are doing amazing one those you know they are the real heroes like we're just the intermediary here between you guys they're using your skills to help these guys that are doing really really impressive work so far we've LED uh over 600 missions done 1,200 hours of volunteering and we're working with volunteers coming from 45 companies and you can see some of them on the right here walking also with big groups and

smaller groups we have small companies as well um because we've created that position of trust with those NOS there's more that we can do than just match matching them with Talent right um we process we get access basically to free CTI coming from companies like bside kadu or Microsoft and others and now we have the ability to raise the awareness of NGS that are targeted that are you know facing incidents that are vulnerable that don't even know about it or don't care about about it right Microsoft like knows a lot of stuff about those NGS and they're trying to tell them but all of them like don't have the time you know don't bother me with this alert whatever so

they want somebody us and volunteers to put the Highlight on those things and let those organizations know when something needs to change right example here is a service that we run that's going to send emails to um NOS when we find credentials that you know belong to them that have need other things that we can do is based on the trust that we have those organizations tell us where there are gaps you know where technologies that they use fail them or where they're missing stuff and so we can develop free things like we have developed a sort of a Wei transfer that's a lot more secure that files are not stored forever Etc that they can use

when they want to exchange files with others we're partnering with Cloud flare as well to provide a fishing solution for them and the upside for us is that we get a view on all of the fishing emails so that we can inform the the whole community and we make that available obviously for free um to ngos so they're not not paying anything not to us obviously but neither to GL there um and going back to the mission of The Institute and activist trying to Foster policy change um we're talking to the UN for instance about how to better protect humanitarian organizations inside Space we've um been able to launch a program with the city of the to

get all of their local companies to help all of their local NOS right it's called cyber secur the H and it launched at a one conference two month ago um so it's essentially running the Cyber peace builders in a local chapter locally because there's loads of NOS in the he um I don't know if you've heard about this but Caesar the American cyber security agency has also launched an initiative this year to start looking at NGS and how to better protect them right they're doing this in coordination with a couple of other states UK Estonia notably but it shows you that some governments are starting to pick up on the fact that it's no longer enough to

just protect critical infrastructure operators and you know big government agencies you also got to attend to that part of the population that you know it does doesn't get served by those organizations right so it's very positive changes and it's showing that um policy makers are starting to get uh get up to grasp with the topic now before closing I did want to give you a couple of Tricks uh and tips and you know my own journey into this space and basically how to how to yeah forance some activist collectives and run them them for the long run um so Fabian in my team um just shared this meme a couple of days ago which made me laugh a lot

and if you've been working in a nonprofit then it will make you laugh a lot because yeah it gets hard and if it's not because you're running in a not for-profit organization and trying to do good that you don't have to think about money actually money is a big part of what you got to think of and certainly my my job involves a lot of thinking about money and how to pay the salaries of folks that working for us right because we're not we are not volunteers right we're spending our days walking on this and we've got we've got families to feed so how do you make that run well the first thing I wanted to tell you

about is learn about social entrepreneurship if you don't know about it is the basic idea that there's a spectrum of organization types in between full for-profit organizations like eBay or Amazon or Microsoft and full not for-profit organizations like the UN or the EU or you know all like um small NGS or big NGS you've got organizations that are in the middle that do run on profit making mechanisms but are driven by impact and those organizations are doing amazing walk when it comes to positive externalities and and improving the world and there's a lot to be learned for us in the cyber security Community from them so do read that book if you can uh it's going to

tell you all about um the the basics of social entrepreneurship and when it started 30 40 years ago and and don't there's not many cybercity examples in there but it's certainly like humbling to read about those stories there's a followup to that book it's not written by the same people but I like to see it as a followup which was written by Christian clay um Christensen sorry Clayton Christensen yeah I got Clayton Christensen who's the father of the Innovations dilemma uh brilliant Business book if you haven't read it do read it it's really interesting and is's applying those principles of disruptive innovation to the world of social entrepreneurship so it's allowing you to break out of you know those stories that

are quite local and hard to scale and how do you essentially change the course of nation states tapping on purpose and meaning and not just profit mechanism right so it's really um this idea that the two are not incompatible that you you need to look for unmet needs so play this author Christensen calls them job to be done and match them up with idle resources the typical example and this is not you know in that book but you think of uber um you've got cars sitting around and then you've got people are trying to get from one place to the other so if you can bring the two together then you find synergies that allow you to keep your expenses you know

within control right so if you're able to find like we did um people that are interesting interested to give back and you have people that are needing uh some help then there you go you've got the beginning of a of a Synergy right um good example of that is isc2 um is their new name not I Square I think I got the old logo um but they are connecting um um students well people that are interested in growing in our cyber security students and teaching material and they're not not for-profit organization and they run I think on 40 million US dollars a year same with techup if you don't know Tech what they do is they match Technologies developed

by companies like Microsoft and MasterCard and whatnot they match them up with NGS that are not able to pay for them right so they basically take those Technologies and provide them for free pro bono or under certain conditions but again like they found they found a niche an unmet need and and and and idle resources so you know software that could be used without creating much expenses and I brought the to and again it's it's an organization that's quite successful they have not not mistaken 40 or 50 million US dollars in ual revenue and they're doing tremendous work that's really Purpose Driven all right the last lesson is to create an experience and you know maybe

not the best picture but at least it it captures your captures the mind right when you see that guy folks mask and of course with the hood it's even clearer but you immediately think of of activism you immediately think of anonymous and it it participated to the popularity I think uh for good and for you know for Worse of an of anonymous and so when you're trying to scale your activist Collective or your activities thinking about that experience and thinking about how you're going to um unite your community around around an idea around an image around a concept is really important and one way to think about this is really to look at the Lean

Startup now the book If you if you don't have them by the way I have all these books here uh in front of me um to run your activist Collective pretty much like a startup right come up with an idea build right start building start creating start coding measure how this is going right so get a lot of data on how things are going try and improve and and then and then learn from your mistakes and improve your ideas and so thinking of your activist collectives or thinking of your own associations or whatever you guys are engaged in your you know do good initiatives it's not because it's you know a do good initiative or a nice initiative that it

doesn't need to be well-run right if you want it to scale if you want it to be in the long term and you got to take those good ideas from the business World from you know operations and and all of that and marketing and whatnot and try and extract the the the juice that matches what you're trying to achieve and and do it right it's not going to run by itself a lot of these organizations that have been built on purpose but without the operations behind have struggled and most of them have have um have yeah they they've stopped so to close I just wanted to tell you a little bit more about the niche that we've found

and hopefully that you can also reuse you can either partner with us you can open your own chapters like you know do it the way you want like all all we do is open source and the more people can volunteer to help NGS or other vulnerable organizations like the better the sooner I can retire you know the the better uh but essentially what we're trying to to do here is to mainstream uh activism and to make you realize that it's the fact that you're going to be an activist or a social entrepreneur is not defined by your ability or inability to make money it's defined by your mission simple as that and so we've looked at at

this uh in the context of the cyberp builders and the history of the Institute as well that was created by a combination of private and philanthropic actors and we said we want to tap into corporate volunteering and so over the years we've we've been able to fine tune the synergies and understand more precisely how they run but essentially a lot of companies are facing pressure to increase their Corporate social responsibility efforts the new term now is environmental and sust sustainable goals um but so they're they're pressured to do a lot more for their Community right stakeholder ISM and actually the world economic Forum was founded on this idea of stolder ism um but they're facing backlash right

increasingly when they go too far either is green washing or you know they they position themselves on a political topic that is not theirs and so a part of their custom base essentially fights back so they're worried about this and one way to get away from this backlash is to align your social impact with your business mission right if you're walking doing good on things that you're also you know making money for like cyber security then you're not going to face a risk of backlash and so skills based volunteering is a trendy term now the last yeah five six years a lot of a lot of companies are looking at how can they make sure that their staff are using

their skills to do good right when you take a cyber security expert and and you ask that expert to go clean a beach that's that's you know it's great for the beach it's great for the environment but if your company has nothing to do with climate change actually it's you know it's it's contaminating the environment then this is greenwashing you know you're not helping but if you're taking your service security staff to do cice security activities to help climate change organizations then it's it's a different story so companies are buying into that and by buying also I'm also saying they're willing to put money right there increased increased uh budgets for C s r and and ESG activities

they've also seen that volunteering boosts the motivation of Staff um which has been an issu since the pandemic a lot of you know drop in moral helps with Talent retention which is an issue in our industry with you know a lot of volatility and people changing jobs um there's a lot of pressure as well in our industry so when people can take a breather they can do something that you know rain invigorates their their soul it's it's good to it's good to keep them um volunteering also helps with upskilling so companies are eager to project their their volunteers on you know new grounds to test new ideas to learn new things talking to people in

different countries in different constructs uh with different budgets so it helps them put themselves in questions and and continue learning essentially and becoming better at their craft the volunteering that we do at The cyberp Institute is All Digital based it's remote right so you get rid of all of the hassle that you know organiz used to have when they wanted their staff to go and volunteer like you have to go somewhere you have to waste you know an entire day you have the logistics to arrange for lunch or whatever like the missions that we do they're all one to four hours all of them are remote I mean if you want to go to the NGO like nework

City you can but you can do them remotely so companies buy to that they really um appreciate that kind of bite-sized uh um activities they actually call it snackable pro bono right it's a trendy term now um and then yeah a lot of the those companies are eager to um report back on their social impact activities and because the activities that we do generate data right we know how many hours of volunteering people do we know on what topics in what regions we know the the genders of the volunteers and Theo so we have a lot of information that we can then give back to companies to help them report on their on their on

their good on their social good which means that they're eager to walk with us and they're eager to sustain us and that's the the the essentially the way in which we found a way to bring about sustainability is that not only are we asking the companies to provide Talent provide us with volunteers but we're asking them to pay right in full transparency we ask the big companies 25,000 Swiss France Euros or dollars you more or less the same um for a year and they can bring as many volunteers as they want now if you think about it if we sign 40 companies that brings us to a million with a million euros you can employ you know couple of people you can

have a software engineer I have a product manager we have a communication specialist who's actually in the room Alexis so going have a picture of her later she doesn't new but if you haven't met her you should absolutely meet her uh so you you can start doing you know some some things so that's yeah anyway that's our recipe that's what we've done um to close on how to basically apply The Lean Startup um ideas obviously when you're engaging with corporations you get to you get to give them stuff so typically this is an impact board demonstration like for social impact managers in those companies that's what they see um so you know figures that are

really valuable to them and obviously they give us feedback and we keep on improving this we have a humanitarian training course to help skill their volunteers so volunteers that know nothing about NGS can go through a couple of hours of training to understand better their world their language their preoccupation difference between Global n North Global South importance of Do no harm and things like that um you get to do social media Media stuff we put the spotlight on volunteers we obviously have collaterals we have newsletters we have regular engagement points we have brand guidelines we have marketing strategy you know it's like running a business at the end of the day except that you're not making a profit

back to the back to the first picture right but if you got to sustain those activities in the long run that's that's what it takes and I wish all of my days were spent on helping NGS and putting a smile on people's faces I do it from time to time just because I love it but the reality is that to run those activities is like you got to do all these things okay if you're interested in knowing more you can scan this QR code um you can check cyberp builders.org check the rest of our activities as well on the cyberp Institute website and if you haven't met Alexis please go and see her she's a very happy person as you can

tell um she's based actually in Portugal and um yeah please ask her anything I'm staying here guys Bruno if you want um relay any question I'm sorry if I run crazily all the time I lost a little bit of track but thank you everyone for your attention and again sorry I wasn't there I hope to meet you next [Applause]

year