
Bob Pardee - What is the Ohio Cyber Reserve?

BSides Columbus | 50:48 | 187 views | Published 2020-08
About this talk
On October 25, 2019, Ohio Governor Mike DeWine signed legislation which forms the Ohio Cyber Reserve, an all-volunteer force capable of assisting Ohio's local governments, schools, and critical infrastructure in preparing for and defending against a cyber attack. In this session you will learn about the history of this effort, what membership in the reserve entails, and how to learn more or volunteer. This presentation was featured at BSides Columbus 2020 on August 21st, 2020.

hi and welcome to this session on the ohio cyber reserve this will give you a chance to get to know a little bit about what the ohio cyber reserve is uh where it came from what we're doing now and uh where we plan to go in the future this uh will be a good session if you have interest in the cyber reserve and what it is what you can do for the reserve what the reserve can do for you and maybe if you're already involved and you just want to know a little bit more about how we got here um this uh this session should cover a little bit of all that

all right so some history you really can't talk about the history of the ohio cyber reserve without talking about the oc-3 the ohio cyber collaboration committee and this is a group that was formed by the governor's office back in the kasich administration when the governor's office and some of the legislature were really concerned about the growing cyber threat and what it would mean to the state uh we we certainly had people doing uh cyber protection within the state for for state and local governments um and uh for our critical infrastructure providers but the the people doing it the the number of people we had was uh insufficient uh for a large uh cyber attack if we ever came

under that kind of attack and some of the smaller local government units really didn't have the expertise that they needed to respond so we really need to think about that and that was one of the the components of the oc3 as it was originally conceived a second component of that was how do we develop a cyber savvy workforce and a third component is where did uh where do these these members of this group that we're we're trying to come up with that can help us respond to to cyber incidents how would they train where would they train um and when we talk about building a workforce that is able to respond to cyber incidents how do we build a group like that and

how do we uh provide them with a place to train and how we teach uh the in the k-12 and uh the higher education level how do we teach cyber security we need a a place that that we can do that and so a third of the the major initiatives of the oc3 was the ohio cyber range now when when they first formed the ohio cyber collaboration committee uh it was actually the directors of multiple organizations within the state so like the director of public safety for the state the the chief information security officer for the state um the adjutant general who you know commands the national guard um was uh was a member of that group and

and uh people from uh oh-tech which is uh the parent organization of a number of uh of computing related uh organizations for the state and for higher ed in the state like the ohio supercomputing center and oarnet that provides network connectivity for higher ed in the state so they got all these these director level people together and said this is a major problem we're gonna solve this problem figure it out um and of course those folks are are busy and this was one of their many competing uh priorities so they appointed uh people that worked for them to to work on it and uh i was one of those folks uh i was working for the state cso at

the time and was appointed to continue working on oc-3 stuff as we tried to to move it forward but even at that level really none of us were dedicated uh in any large-scale meaningful way to advancing the work of oc3 we did make a little progress here and there we we succeeded in some internal training and exercises kind of things uh and better cooperation among our our constituents but really in terms of uh advancing the the major part of parts of the oc3 mission we we were just very slow and that continued until the adjutant general's office hired a a civilian outreach coordinator whose full-time job it was to push this thing forward and after that happened more and more

civilians and other individuals both within state government but also from uh from industry started becoming involved with oc3 and there were more people to work on things and so we we really were able to start pushing forward with the effort one of the things that we did was to divide into subcommittees that would each take one of those problems a workforce development subcommittee a cyber incident response committee and uh an ohio cyber range committee and each of those um did their own work and then came back and and met together with the oc3 as a whole and oc3 is still continuing to do more of its missions um you know as as the other components that

it was tasked with like this incident civilian incident response and the ohio cyber range are spun off into their own entities so one of these subcommittees was the incident response subcommittee and initially that was how we viewed it how are we going to respond to a major cyber incident it would later come to be seen as the preparedness and response committee because we realized that that was uh that was a far better more holistic approach to the the issue at hand so in 2016 the committee reviewed several possible forms of organization for the the whatever these responses the civilian response teams would turn out to be and the the proposals included things like organizing them like community certs

under the the ohio ema or organizing them under the ohio homeland security's cyber center that they were building um or you know just different places that they that it could be housed um but each of those had uh had issues whether it was uh you know a lack of cyber security um you know practice within that particular organization um or you know in the case of the state cso's office we also looked at organizing that under there um you know the fact that they were already spread very thin just uh protecting state government without uh without really pushing down to responsibility for the local governments and critical infrastructure across ohio um or you know in terms of ohio homeland

there's a law enforcement tie-in with them and uh there there was concern that maybe if we formed these in such a way that there was a law enforcement tie-in some especially some of the private uh organizations might not want to open their doors in the middle of an incident to uh to these folks and say sure come in and you know have a look at exactly what happened uh because you know some things would become public and some things might become uh a part of uh uh a legal investigation against them and you know they they might not agree to allow the organization into their systems so uh ultimately the the proposal that was chosen by the

the subcommittee and proposed back to oc3 was a committee or was a organization where we would form an ohio cyber reserve modeled on the ohio military reserve the ohio military reserve is also housed within the adjutant general's office um they are uh the descendant uh i guess of uh ohio's uh militia um they are one descendant of that the ohio national guard is another descendant of uh that that early militia as is the ohio naval militia for those of you who didn't know that we had a navy because we were afraid we might get attacked by canada at any point well uh we we do um although uh that's not primarily their their role anymore but

uh the point being there there were these other groups uh the the state's self-defense forces under the adjutant general's office and this seemed like a good place for us to put the cyber reserve so over the next year we we thought through the idea we uh we put it through multiple rounds of review with uh experts from around the state uh various participants within oc3 and uh and continued to refine the proposal and we got that to the adjutant general's office into their legislative affairs office and they started pitching it out to uh legislators um so by the uh the mid to end of 2018 the first bill proposing the ohio cyber reserve actually was

posted in the ohio legislature it came in during lame duck session we didn't really think that it was going to pass before the everybody's terms expired and we had to start over but it was a great opportunity to build awareness of the bill and of the proposal for our cyber reserve and to to drum up support so that once we uh we started out in the new session uh that we would have a much better chance to uh to hit the ground running and get a new bill through more quickly it was reintroduced in 2019 had very significant support right out of the gate uh obviously that uh that bill was uh eventually signed um by the governor and

uh we were we were good to go now if you look in this picture i don't know if you can see my um my my pointer here okay so this guy this guy this guy this guy is okay so some somewhere over here about three or four inches off the the left side of your screen you will you'll see me standing there well you probably can't see me but i i was i was in the room uh for the signing uh it was a great uh great day for for all of us uh who had uh worked a long time on this so one of the things about this that that just seemed so unprecedented to me was uh

if you look this is senate bill 52 this was the actual bill and here's the voting records right zero nay votes nobody voted against this how how often do you get that many politicians in a room and nobody votes against it everybody understood just how important this was and everybody voted for it so it's a great thing so as it was as it passed uh it took took effect on january 24th of uh this year and it adds section 5922 to ohio revised code and that section actually is sort of nestled in with the sections on the military reserve and the ohio national guard and that kind of thing and it specifically clarifies that uh that this is a a state

specific unit and uh can't be called into federal service it appropriated some funds for us to get started and then it addressed a number of issues uh about exactly what it was we were talking about here and where it fit so it places us as part of the the state self-defense forces and it addressed a number of issues that we were concerned about because other states had tried to stand up civilian incident response capabilities before but none of them at the time that we were drafting all this none of them had ever been used and the reason that that was was they were missing significant pieces of what we built into this bill so the first thing was liability

none of those other units had been structured in such a way that when people were acting as part of this civilian incident response corps for their state that they were acting as agents of the state they were all acting as individuals coming to the state's aid but where that left them was from the standpoint of liability if anything went wrong if they made any mistakes if anything happened as a result of of their duties they were personally liable uh and that that really uh caused some concern for them and for the organizations not really wanting to uh deploy them because uh nobody wanted to expose their members to to personal liability so our bill actually clarified that that

when called to state active duty we are actually acting as agents of the state and we have the same protections from personal liability that that state employees do when they're acting in the scope of their duties it also provides employment protection and this was another reason that people might be sometimes afraid to call these units out we do our best to work with employers to structure people's duties around their their work responsibilities we try to be very employer friendly as an organization and and show the the employers the benefits that they will get in terms of training and exposure for their people um as opposed to uh you know well we're just gonna take your people whenever we

want them and and all that but uh ultimately if the the governor's office does call people up and says you are mandated to go someplace to respond to some major incident they are protected in the same way that national guard are protected their jobs are protected they have a job to go back to when it's over so on january 25th shortly after the the law actually went into effect members met for a symposium uh and this is the i'm sorry these were these were the people who had expressed the desire to become members and gone through a uh a whole qualification process to determine their fitness for membership those folks were called into this symposium they were

given presentations on what was going on and where this all fit into uh the efforts of uh of the state government and public safety and other other areas uh and also uh even within the context of uh of efforts of this sort nationally and then we were all given uh a stack of papers to sign uh with ndas and code of conduct and permission to uh to perform background checks and uh responsibility for uh taking care of any equipment we were assigned and all kinds of uh uh things that we had to sign and then at the end of the day um the first round of members uh were signed in or sworn in uh

in an official ceremony uh to be the first set of members of the ohio cyber reserve all right so a little bit about the structure so the ohio cyber reserve is actually composed of small teams um anywhere from 10 to 12 individuals uh per team and uh these individuals are are selected to teams or will be selected to teams uh based on specific skills needed in each team so this the teams are each going to have a set of complementary skills uh within them so that we don't have uh somebody going out to respond to a website defacement when everybody on the team are hardcore network people uh you you need a set of skills so uh

we're going to have uh teams like this all around the state eventually and each team is going to have um 10 to 12 members with complementary skills and each team will probably have some strengths and and so on that they can bring to bear and teams will support one another with with special strengths that that a given team might have so it's not as if because an incident is happening in cleveland and that team is uh is on it and it's a hospital and we have somebody in columbus who happens to be an expert in medical device technology uh it's not like that cleveland team can't get access to that expertise uh that is that's kind of built into our

our thinking and the way we're structuring things but in terms of who actually goes out to a response that initial set of responders that will be a local team um for now we're uh we're a little more limited because we we were just standing up but uh eventually we will have one to two in each of uh a number of regional geographic areas so again most of the members are going to have highly experience are going to be highly experienced technical operators in cyber security and you know have these deep cyber backgrounds but there are some other skill sets um that we need and we we will definitely be considering people who bring those skill sets with

them so one is a type of individual that we we have definitely already brought one of those on board these are individuals with deep ties and influence in a broad geographic or professional community so this might be somebody who would have a regional um you know coalition kind of focus and and really be well known in that region and uh no you know know all the people that that you need to talk to knows how to grease the wheels those people are extremely valuable same way um if we had somebody uh you know in a professional association uh where we thought we might be uh doing something with that uh with that area so if there was some

professional association of uh wastewater treatment people and uh you know the person who was president of that association and knew everybody in wastewater treatment across the state decided they wanted to be part of the the cyber reserve even though they didn't really have cyber skills that's another type of person that we might be looking for to to help us in in gaining penetration into those areas that we will be working with second type of individual we're looking at are people who may not be working in cyber per se but they may have uh deep expertise in a particular area that we're likely to work with um especially like the on the industrial control side or the medical operations side

voting infrastructure um you know some other form of critical infrastructure operations uh you know pipeline operations or uh power transmission operations uh telecom you know people that that may understand how the guts of our infrastructure work they may not necessarily have the cyber background but they want to bring that expertise and you know they will gain cyber skills and we will gain skills in the critical infrastructure you know and how the guts of that work that's uh that's another type of person that we're looking for even if they don't have that that deep cyber uh you know security background and then the third type of individual we're looking at would be educators and professional technical trainers

individuals that can stand in front of groups of people and talk this this is partly to help us with one of our missions which includes going out and helping schools set up cyber clubs and partly in just that general education and bringing the cyber security uh level of the community up uh so it may be speaking engagements for uh for community organizations and that kind of thing that want somebody to come in and talk about cyber talk about protecting themselves online and that kind of thing but another area that having the educators in there would be really helpful from is if we have k-12 educators who want to become involved and want to help us start seeding these cyber clubs

in schools they can talk you know k-12 educator to k-12 educator to the people in those other schools and uh help them with their uh you know ability to to push these clubs out and we want to get that down there's there's a template uh called the the cyber club in a box that ohio department of education has uh has developed and there are components to that that uh that we have reviewed and commented on and we will be uh helping to implement that with schools uh and so having uh educators uh that that might have an interest in being being involved with us is another area that we're really interested in getting you know some some people

outside our traditional realm involved and then another type of membership so up until now we've been talking about the regular members of the reserve but there's another type of membership that we always recognized was probably going to be a um an area that we wanted to become involved in and that's the what we call the associate member program so associate members are individuals who either don't have not had the opportunity to get the experience but they have um a background that might help them um or or they've they've got a background but it's not quite where they need to be in terms of cyber to be involved with the reserve so what were what we were thinking was

you got these students in cyber security programs degree programs um who are coming out and they're being told by the the employers this is an entry level position and we want two years of experience how somebody for an entry-level job is supposed to get two years of experience i'm not sure when nobody will hire them until they have two years of experience but one of the thoughts with the associate membership program is we can get these people working side by side with really highly experienced cyber security professionals doing useful work in their community and they can build that up and they can put that on their resume and look we have this uh you know practical

hands-on experience that we've built up by being involved with the ohio cyber reserve the another really good way that we uh think that uh some of these folks might be uh used is that many of the associate members um being you know college level or or just out of college um are probably maybe more relatable to uh some of the the k-12 students in the cyber clubs uh than some of our members uh will be not that not that we're not all relatable just uh you know that it provides another touch point that we might be able to uh reach out to some of these kids and uh and get them interested in cyber and then the last group of um

and these are not members but this is a another group is affiliates or friends of the ohio cyber reserve so these are people who have expressed an interest in helping us but they are not for whatever reason they're not uh willing not able uh you know cannot make a uh a commitment a service commitment to becoming a member of the reserve so uh these are folks who have some some specific expertise that they would like to share and uh they are willing to take a phone call and walk somebody through things or maybe come out and uh teach a seminar for the members on a particular topic that is uh really in demand things like

uh you know some of the uh specifics of manufacturing environments or uh industrial controls uh or uh um you know running a a gas pipeline or an electric company or something like that some of these folks who really understand that but can't quite make that service commitment can express interest in becoming an affiliate and what they what they will do is consult over the phone with members and and possibly provide some training opportunities for members and this is a way to become involved even even if uh like your employer is just dead set against having you join or something like that uh or you uh you have other reasons that you that you know that you can't uh

you know go out to to the scene of the of an incident response okay so our short term structure is uh we we built the the first set of teams with just experienced individuals and we we wanted to take the most experienced folks and put everybody else into the affiliate program for now uh because there there aren't processes and procedures built uh everything is brand new uh and we needed people who could sail the ship while we were building it uh and that's that's what we've got in the reserve right now uh we have three teams uh cleveland columbus and cincinnati um and we've got a lot of interest in dayton and uh so that is likely to be the next full team

that we established and over time we're going to grow that out to regions all around the state and each region having probably more than one team in in the region so that we can uh respond to multiple events or we can respond to an event and then refresh people as uh as people have been on duty uh working an event for a long period of time um excuse me yeah true true story here um i uh went out uh yesterday for uh for code testing um and have not heard uh back yet but i'm sure everything's fine and and i am recording this on a mac and macs don't get viruses so you you're safe anyway um

back to the presentation yes so uh uh over time we're going to build this out and people with with good cyber security skills uh that that need to be trained more into some of the roles are going to be brought in and we're going to grow our numbers out uh considerably from here so one of the things people ask about is uniforms because you know they they know we're uh we're organized under the adjutant general and you know people are trying to figure out are we going to be like in army-looking uniforms or what but no our uniform is a polo shirt like this with the ohio cyber reserve logo on it and a lanyard with your badge on it and

khakis so very similar to what many of the people that we will be going out and visiting with uh might be wearing on a on a daily basis and that was uh that was another kind of part of the decision to go this route okay so uh we are investing money in the membership uh it takes uh cash to do uh background checks takes cash to uh create credentials and uh purchase equipment to assign to people and it takes a lot of money to do training so that kind of money requires that we should make some kind of an annual service commitment to the reserve what we what we're trying to to show is that the

money that is being poured into members is coming back in terms of service uh what we don't want is to send somebody through some certification pathway or you know to to send them someplace for a special training and then have them leave right after or have them uh not actually spend any time on the reserve for the rest of the year um so we're asking for a minimum annual service commitment uh there's no minimum uh commitment in terms of enlistment term you know term of years uh that may eventually come as we figure out what uh what is needed to kind of uh show value for for the amount of uh stuff that we put in but uh this is

entirely voluntary and before people uh before we start training and doing the more costly things with the current membership you know there they will be led to understand what that that entails in terms of uh future commitment uh and uh their uh um association is at will uh even you know if uh if we do end up uh training people and they have to leave for some other reason um there there will be options like uh you know buying out the cost of training that you were uh you know given or something like that um or uh you know if it's for some disability reason that you uh that is out of your control uh you know the the those those kinds of

things they're going to make accommodation for but we're going to uh expect a level of uh output from the what the reserve actually invests in people so how does somebody uh become involved or express their interest in the cyber reserve um well the first thing i would do is check out the first two links here one is just new some general news about it uh it talks about the the legislation that was passed and what it's all about and the second is the actual section of the ohio uh reserve uh ohio revised code that that forms the ohio cyber reserve so you can see all of ohio's laws on codes.ohio.gov and this one happens to be the ohio

revised code section 5922 so go out and check that out and if that still sounds uh potentially interesting to you then the next step is to sign up for an account in apan this is an external partner network run by dod that allows people to sign up for a free account and then be able to interact with the dod or with the national guard for uh for various purposes and uh once you sign up for a free account there then you will connect back in with uh to following this link and that will take you to a survey and an opportunity to express interest and don't worry that slide is going to be reported repeated at the end of the

the deck and the deck is going to be available um from uh from the bsides uh so that you you'll be able to to get a hold of that uh and easily find the uh the sign up link so what happens after you express interest well then there's a whole intake process once somebody expresses an interest in becoming a member um there's a whole series of things that happens the individual is sent a questionnaire and this is to gather information about your your strengths uh things that you know uh or believe that you you could prove that uh you know that you're able to do it also is a quick very uh very high level quiz

just to show that you have some background uh in cyber security and uh or i t you know that kind of thing um those get reviewed and uh if you pass sort of that that quick sniff test kind of uh quiz and survey then you'll be referred to uh actually getting a test uh the testing is uh done after uh after an evaluation of how you did on that survey because the testing's not free uh we we actually pay a third party testing organization to provide uh testing for uh cyber security talent and we don't want to spend that money for people that are clearly not not really ready for for it and wouldn't do well so

assuming that you do well enough on that then you will be sent for this test the test there there are multiple versions of the test that measure your your capabilities in various areas so uh you may choose a test uh that is oriented towards something specific so if you're you know primarily involved in application security you might take the application security test if you're primarily involved in industrial control security you might take that test um but that that's uh that's where where it goes and then uh when a group of members has taken that um the uh there's a review board and these review boards meet periodically so it's not like it will happen immediately

after you take your test um the review board looks through all these testing results um and we'll also look at the ones that didn't proceed to testing and see who they we want to offer membership or associate membership to because even some of the people that might not uh it might be clear from their survey results that they're not ready for regular membership may may be good for the the affiliate program or i'm sorry for the associate membership program um and after that there's a forum that's han that's held multiple times a year where the candidate the candidates get an introduction to the reserve meet a bunch of members uh they'll sign all their paperwork and

then get sworn in so our current activity um some provisional team leads uh and assistant leads have been appointed for each of the regional teams so we have leadership within the national guard that is uh actually kind of overseeing the effort although they are really edging the cyber reserve in the direction of as much self-governance as as we can can take on um so the master handbook has been developed and it is undergoing ongoing refinement uh it provides a high level outline of how the reserve is structured and and some of our operations our missions that kind of thing um these provisional team leaders um have been appointed by the uh the um commander of the ohio self-defense

forces which is the my my perception of it is that's everybody outside of the national guard within the adjutant general's office that is you know so that's us and it's the ohio military reserve and ohio naval militia uh those folks uh so appointed they appointed uh individuals for the term of one year um so that we can start getting a feeling for who really wants to do what in the long term um each of the teams was appointed two co-leads and two co-uh leads and so so four leads in each region to help start kick-starting this whole effort the provisional team leads have been meeting uh weekly uh every other week uh the whole state team uh so all the

team leads from all the regions meet and then on the off weeks then the individual teams uh their leadership meets uh each region um has also conducted at least one town hall uh to meet with all of the members in the region and uh start giving them a feeling for where we're at what uh what we need their help with what efforts are underway and so on and get their questions answered and there is a plan for a a statewide town hall to be coming up here soon it may have happened by the time uh by the time you see this so our current effort is massive we are essentially standing up a whole new arm of state government

from scratch um we don't have any of the charter or or documented standards policies procedures that any of the other uh pieces of state government have you know from their years of existence so we have to develop all of that we do have some stuff that the guard is able to share with us we have some stuff that the ohio military reserve has been able to share with us some things that the state ciso's office has been able to share with us but for the most part we are uh defining our own standard operating procedures our own policies our own hr policies everything that you have to do to uh to create a mid-sized organization we

are doing that from scratch right now and so one of the main areas that our membership is involved with at the moment is actually developing our standard operating procedures we have a number of work groups that are spinning up to uh to uh do a lot of this uh policy and procedure development um and this is really important um to uh to get all this finalized and formalized so that we can actually show people that we have uh operating procedures we have standards that we follow and so on before we can even start to consider ourselves operationally capable and then once we actually have the the team structure uh finalized as part of you know the stuff

that we're doing we are saying these are the skills that must be on a team a lot of that is laid out in the master handbook but we are reviewing revising based on what we know that we're going to need and once we have that then we can start to slot individual members into individual positions and assess their readiness to perform that job that doesn't mean oh you don't get the job if you're not ready means we need we know then what we need to do so once we have clear criteria that we can measure folks against then we can start to measure the individuals and the teams as a whole and address any training needs

certifications required and so on so that we can show that our members are ready and that's that's important because when we go to an entity and say we are going to help you respond to this incident or we are going to help you build a cyber security program if we cannot show that our people are qualified and the standards that they're qualified against um how can we uh get people to trust us that that yes we are qualified to help them uh either through a disaster or help them build their security program um leadership's also starting to talk about the need to practice uh begin practicing things as a team because even for those individuals who

are highly qualified and uh and even the ones that are highly qualified in incident response which is uh another thing because many of the folks that we're bringing in um are experienced cyber security pros but not necessarily in incident response so if if you're a career red teamer and you come into the reserve you will get trained into an a response into a blue team role that you will carry out in the midst of a uh of a major cyber incident that that we get called out to uh because at that point we're not looking to to perform red team activities we are looking to help the organization with their blue team stuff so we need to make sure that that everybody

is in a role that is useful in the particular response that we're in um and that they have been assessed but then also that we've been assessed as a team uh because as we start to work together even the people who are highly uh capable in incident response to start out with probably haven't worked together and have not worked under the standard operating procedures that we are developing so we need to start doing that and we are working with the ohio cyber range which is one of those other oc-3 efforts and looking to build out exercises there uh red on blue exercises and uh you know capture the flags that we can take with us to

uh the um the the k-12s when we do our uh our cyber clubs um you know stand-up stuff but this is also stuff that can help build the skills of uh of our associate members and uh can help us build skills particular skills in individual members okay so to recap uh how do you express interest in the ohio cyber reserve follow uh these links kind of in order and create your apan account and then follow the signup link and i'm leaving a little bit of time left for folks to ask questions so full disclosure i could be on vacation when this happens and depending on my family's uh um attitudes towards homicide should i decide to hop on

a uh a conference chat in the middle of our vacation i may or may not be on the question and answer but somebody from the cyber reserve will be on the question and answer period thank you and appreciate you coming to learn a little bit more about the ohio cyber reserve