
IATC - We're not from the government, but we're here to help them help you

BSides Las Vegas · 55:59 · Published 2022-09
About this talk
IATC - We're not from the government, but we're here to help them help you - Ray Davidson, Adrien Ogee I Am The Cavalry @ 15:00 - 15:55 BSidesLV 2022 - Lucky 13 - 08/10/2022
Transcript [en]

um so this is the i am the cavalry uh b-sides las vegas thanks to our sponsors so our diamond sponsors lastpass and palo alto gold sponsors amazon invisium plextrac and all of our other sponsors donors volunteers that made today possible and thank you for coming back and joining us in person we're so happy to see your faces courtesy please make sure that your cell phones are turned off into silent mode this is being live streamed live if there's questions online you can put them in the chat if you do have questions there will be a microphone here you may come up and ask your questions there will be time at the end as well to ask your questions

and then just a friendly reminder about photos making sure that you have permission before you take photos of anybody that's in that photo so with that i am going to pass it off to ray and audrian and they're just left my screen um they're not from the government but they're here to help you help them so thank you thanks for thank you very much and if anybody for some reason wants to take my picture you have my permission just um i want to speak to the people that are watching online i'm assuming this is going to be recorded okay um so this webcast was recorded at 303 pm pacific standard time things may have changed since that time but i will

still be giving my talk that's from if you ever listen to npr on the radio they do these time stamps so so we are not from the government we are here to help you uh this is my new best friend uh adrian jay ojay who's going to talk about the cyber peace institute but in the meantime i'm going to tell you about the michigan cyber civilian corps we're going to talk a little bit about civilian cyber defense in general so i want to tell you a little bit of sort of who i am why i'm interested in cyber security i started my career in cyber security back when al gore invented the internet i was in graduate

school at purdue in the early 80s and the undergraduates went away i think it was in 1982 the undergraduates went away in the summer and when they came back all of us graduate students had been playing with the 3270 terminals that had appeared sprouted up all around campus and we ran we read thousands of man thousand pages of man pages and learned how to use unix so that's how long i've been around um computers i i only use it as a tool i wasn't in cyber security back then because the the kind of cyber security we practiced was making sure to lock your terminal before you went to the bathroom because somebody was going to

come back and put horrible ascii art in your dot profile so next time you logged on it would there would be i mean for as obscene as ascii art can be that that would be on your your terminal um so i got my i got my graduate degree i started working in industry for a company called syntax you probably haven't heard of it but you've heard of the sexual revolution they were the first market of oral contraceptives and some of you may know a company that is now at their home address anybody know who is at 3401 hill view avenue in palo alto it's now the home address of vmware so syntax doesn't live there anymore

vmware is there and xerox palo alto research center is right across the street so it was an amazing time to be learning about computers but syntax is no more i was a pharmaceutical scientist for about 20 years i worked for pfizer some of you have probably heard of pfizer they've been in the news in the past couple of years so i lived in kalamazoo michigan that's where there's a there's a vaccine plant in kalamazoo so i worked for them for 20 years i saw the value in the dark side and i went over to it i participated in a project to take away admin privileges from 18 000 r d employees of pfizer globally and you might notice i don't work for

pfizer anymore uh that's not why but so i was i was very interested in cyber security as i got as i tried to say started taking sans courses when i assisted my employer with our downsizing activities we had a retraining allowance and i fell in with a group of people at sands and started doing facilitation i got a bunch of certifications that sort of thing i even got hired at sands helped him spin up a master's degree so i i was around security for for sort of a long time and it was exciting but you know these days things are changing and we have covid we have ransomware we have all kinds of other uncertainty and this

really is my my motto these days i am a dancer or i started dancing again um the love like you've never been hurt you know if if you've never been hurt in love you know bless your heart but um the credits up there i i don't like to use uh pictures without credit so poetic boredom i think is is where i got that and i think the the soundtrack should be life during wartime burned all my notebooks right so things are kind of depressing i mean you heard the thank you for for joining us back in back here in person it's been a very long time i went to shmukan in march and it was really weird because

everybody has masks on and you know you see the same people every year but i'm not used to looking at their eyes and bless i you all have beautiful eyes and and i remember you but you know it's really difficult to know who to give a big hug to so just give big hugs to everybody okay that actually is uh pretty good advice so what do we how do we knowing that everything is going to hell in a handbasket what are we going to do and my my person one of my personal heroes is mr rogers i think mr rogers is a badass mr rogers figured out there was a need to be met and he petitioned a large organization

to make a change in their policy so that he could build a team to address that need some of you know the story his thing was children and uh he thought that tv was the way to to minister to children or communicate with them but he established a program to help children uh specifically and he had to get a large organization the presbyterian church of the united states to to change their policies not i don't want to talk about religion or anything like that but the fact is you know he's a pretty badass guy for being mr rogers i think the the thing that we do in the mic-3 the michigan cyber civilian court is we

help the helpers we interoperate with the national guard law enforcement other people cyber defenders we also do some training we train the trade trainers and the the bottom line message here something that i have learned in the past couple of years or you know i knew this but it's been brought home is that feelings drive behavior i would love to think that i have a phd in engineering okay i i think about things very logically i'm sure all of us in this room think we do but the fact is that feelings drive behavior we're not as rational as we think so we have to we do still have to use rational facts all that sort of

thing but remember as we approach people the feelings matter a lot so there's a problem we look around in michigan who needs help if we're going to help public entities how big is the problem in michigan we have 2500 plus public entities and i have been told that about 500 of them have a contract within with an msp so that leaves 2 000 entities that are all on their own these are counties cities so any municipal division of government plus we have school districts and we have other districts that have technology in them so we'll have an intermediate school district or an educational district where you have a group of people that are responsible for uh supporting the

technology it's also true that sometimes like an intermediate school district the boundaries will overlap that of a county so trying to organize a response in a situation like that is a real challenge so we have 2500 plus public entities and a lot of overlap we have done and i think this is more than many states have done we recently did a multi-agency statewide exercise to test the response of all of the agencies in the state to see how well we would do and does anybody want to venture a guess at how well we did anybody ever seen the keystone cops like i was not in the in the emergency ops center but you could tell there were

people that probably had some notebooks on their on their uh on their shelf and they were pulling them down and opening them for the first time in a very long time so we had the way that worked was we had our state emergency op center folks working and we we had had some personal change personnel changes in the upper management uh level uh but as we got the third entity affected you could just see things falling apart and i i would say don't tell anybody but you know if there's an estate around in the united states that that wouldn't happen to i i'll be surprised i mean this is just normal kind of stuff so we're

trying to figure out how to prioritize where to put our energies and how to organize helping people who are who are in trouble we talk one of the themes that's been talked about here is the cyberpoor and this is a a list not of all michigan counties because i can't find them all in in this list but if you look along there this is the the shape of that curve is fairly typical we have i think ten counties that are over a hundred thousand and then it drops off very precipitously you see my my county kalamazoo county is number five we have a couple hundred thousand people um so there are some folks wayne wayne county on the far left

that's detroit so you can see this is detroit flint kalamazoo lansing are the other ones those are those are the folks that you know they have a full i.t staff but the folks you get out past about the 10th one they may have one person and if you get way far out to the right and some of you know the geography of michigan we have you know we have one hand here and then we have this one and up here that's the upper peninsula and we we all make fun jokes about our our yupers that live up there but there's not a lot of people there's way more mosquitoes than people and so finding cyber health up there is

really difficult we have as an example in the mic-3 we are fairly typical typically distributed like the normal population we have three members in the in the u.p in the upper peninsula so we really do have some folks that need help often you'll you'll have the you know the i.t person there if they have one is the kid that was really good in the math class in high school right and that's like i i say that fondly you know because bless their hearts they got to change passwords they got to make sure that everything works and at the same time think about being secure it's not going to happen so we had exceptionally uh technically oriented government

officials for a while and they came up with an idea to to utilize the cyber defense resources that we had in michigan because back when the michigan cyber civilian corps was organized around 2010 2012 the in the main industry in michigan well i just asked if you think of michigan you probably don't think of computers you think of the auto industry probably and the auto industry has had its ups and downs and so when rick snyder whose twitter handle by the way is one tough nerd so he thinks of himself as a techie guy governor snyder works with our chief technology officer our chief information officer who and i get them mixed up i think cio is dan

lorman who now writes for in from infosec magazine i think he's a he writes some pretty good stuff um david bien was the cto he now works for lazy boy i believe so we had we had a cadre of high level government officials who thought this would be a good idea to organize a cyber defense group so they created it in 2013 i actually found the youtube video where he announced this at we used to have the governor's cyber summit it was the north american international cyber security summit it was held in detroit it was international because you could see canada across the it wasn't like seeing russia from alaska but we could at least

see canada so they he announced that we would have we would form this this group of volunteers and it was in collaboration with something called the merit networks merit is a non-profit in the united states they were one of the first uh participants in creating the internet and distributing the internet across the united states and i'm pretty sure when i went to purdue in graduate school merit was providing our our internet service i don't know that for sure but they've been around for forever and they had they had hired a guy named joe adams from the national defense university to come to michigan move back to michigan and start their cyber range and this you know there are people that

have cyber ranges these days and the idea is to use the cyber range cyber ranges for training people so they had the idea that they would take the the cyber defense level of expertise that we have in michigan and use the cyber range to provide training to those folks and then they'd be able to use those those people to respond in the event of a governor declared cyber emergency governor declared cyber emergency in michigan we have a cyber cyber disruption response plan that lists five levels of activation the last level is when the governor declares a state of of cyber emergency and the conditions for that are that life and limb are at stake like people might die

and around this time we're talking about 2013 it took them actually a few years to get that started so i don't know if you remember around 2007 i think the department of energy got an electron an electric generator took it to idaho and blew it up using using packets and that caused a lot of uh consternation got a lot of publicity and people it was not that long i don't remember which happened first but there was this the squirrel that took out the northeastern seaboard so we knew about the uh the fragility of the electrical grid so the idea was the the fear that we articulated as members was okay so a nation state takes out two power

plants in the upper peninsula that's that's the one up here where it gets really cold and people are going to die okay cool we are the michigan cyber civilian corps we're going to respond to this now imagine so you're you're a normal cyber defense person and you get a call that a power plant has gone down and you have to go help like what are you gonna do i it's you know i don't know this for sure we never really went through a tabletop exercise on this but it seemed to me that the what we would mostly be doing would be handing out water bottles and you know making sure medical care got to where it needed to be and that sort of

thing wouldn't do the thing you really need at that point is not people looking at packets and anyway you're probably not going to have a bunch of people you've never seen before come look on your network as a member of the the mic 3 i i joined in 2015 i think 2014 2015 was after i left sans they got accreditation for their master's degree and they didn't need as many people as they had and so i assisted them with their downsizing activities and volunteered to work for this group we were the members were fairly frustrated because we didn't know what what we were supposed to be doing and we agitated we got really lucky one of our members

got seconded to the state to be the chief information security officer and he got a budget so the next year we had sans training so if you want a hint on how you can make this happen it's offer something valuable and somehow that rfp never got out of the procurement system i have no idea how procurement works at the state but somebody did something we got some sands training so in 2015 we negotiated with merritt to take over responsibility because the original vision we had people already in the core that were more qualified than the training that mayor was offering they were doing sort of beginner security which is totally great very happy that they are

doing it but for our members it didn't didn't work so the state assumed responsibility we gave for those of you that are familiar with sans training we did security 504 which is sort of the entry level ethical hacking course it also teaches you an incident response framework they use prevent identify contain eradicate pickerel restore and lessons learned i know this has a has different words but it's the same same thing so um so we gave 504 the next year we did monitoring network monitoring which we figured would teach people how to understand what a normal network looks like the year after that we did network forensics because i this is personal prejudice we have members that would love to do

memory forensics we'd love to go take a disc image and see what the malware looks like but in terms of our job is to get public services back online when a local government goes down people may not be able to get their child support checks they may not be able to file their marriage certificates they can't they sell their house they can't file the title that sort of thing you know this is what we're trying to i um i don't want to say i don't care what the malware looks like but i want to get people back that i want to get people back online so that they can live their lives so um so we did network

forensics which is the way that you can determine where the infection is and get rid of it not so much about endpoint forensics though i do have some members that would like to do that and um wisconsin has a program that i'm hoping we can collaborate with and help some of our members get trained talk about that more in 2017 the cso the state of michigan was a guy named christa russia chris is now the federal cso is in the white house and he had come from the the white house of the 44th president so he had some contacts in the federal government to get some language around legislation and in 2017 we got legislation passed called the michigan

cyber civilian act and you should look it up if you're if you're interested in doing something like this you should look it up i never thought i would be thankful to legislators but they wrote it in a in a very flexible way we have to have we have to have technical standards for our members we have to have them background checked but that's pretty much and we have to have an advisory board that sets our processes and of course we have to follow the processes that our advisory board sets but our advisory board is people that are friendly to us and i i don't want to give anybody an impression that we're trying to manipulate anything but it is it is

it is just a really crafted piece of legislation and to support that i will say that texas stole or borrowed copy pasted some of our language they have a group called a volunteer incident response team and they used some of the language in their legislation that created that so it's pretty good legislation it was amended in 2019 so if you look at it online you'll see two dates there's a 2018 effective date 2020 effective date the original legislation required that we do federal background checks including fbi criminal background checks and just as a heads up an fbi criminal background check will flag youthful offender stuff so if you were 13 and you pled guilty because

and were assured that the record would be expunged expunged doesn't mean it goes away for forever so we have it the way our situation works we have the state police review whatever comes up and they get to say whether somebody passes their background check or not i don't know what would flag somebody fail in their background check and i don't want to know because i don't you know i don't want to have that conversation but it happens that when the legislation when the first legislation got signed you know when the the chief executive signs a bill they like to have a photo op so we wanted to have some of our members come sit behind governor snyder while he

signed the the legislation and it was it was short notice and the only person we could get was one guy who had been with the organization since merit so he was there and there were a bunch of secretaries if you look at the photo op it's not really people at the mic-3 don't tell anybody so we had one member there and you can see what's coming this is a member who when he was young was involved in something he keeps trying to tell me about it i don't want to know but he got he couldn't be a member so it's the the thing that happened in 2019 is brett's amendment so brett can now be

an advisor he can't go out and type in the keyboard but he can give advice he can know things so i'm very proud that we were able to make that happen for him and you know we try and take care of our members i talked to my i talked to our members for about an hour a couple of times a year i make a point to to do that to help understand their needs so we we went through all the uh the logistics to make that happen the benefits we are now the mic-3 is now included officially in the state cyber response plan and exercises of the plan that multi-agency tabletop i was a participant we didn't

have members participate because we kind of knew we wouldn't be doing much response but we're officially included now the members receive regular training and professional development i sometimes say that the reason you want to form a community like this is so that you'll have somebody to laugh at your jokes you know if you like who else are you gonna tell that you got a udp joke but they might not get it right people in this room about yeah okay maybe we won't tell that one again but it i mean like i said feeling stride behavior and if you can make people feel comfortable they know they can pick up the phone and and talk to somebody and

check something out it makes them feel a lot more comfortable we also have had i told you i talked to my members over 80 percent of my members have changed jobs in the past year and a lot of that is because they know people right they get they get a clue about a job that's getting being posted we're trying to get involved in k-12 it is more difficult to corrupt the youth than it should be but i'm working on it my my 12 year old neighbor is watching my dog this time and i left all my lock picking stuff out and deviant's book and a link to a youtube video about picking locks so you

know we're trying to do this uh we're also going to go out we have a grant from dhs to to work with a marketing company in michigan to put together some stuff for election security and i'm hoping some of my members are going to be able to go out and sit with clerks as they present this information so basically to provide a some um competence and be another person to stand up like they know something there's a fair amount of value you can provide just by doing that i think so we have members have to have two years of experience they have to have a certificate uh a certification and i'm not going to argue about certifications okay i have i

have many so i know what they're worth you don't have to convince me um we do ask them to go to their employer to get support for 10 days of participation that counts training and we're going to see how well that works we have a face-to-face exercise coming up on august 26th which is our first face-to-face in a couple of years so i'm hoping people will wake up we use we have not done sans training in a while we're using a company called rangeforce which i like a lot i'll be happy to talk to you i don't get anything from them i don't get anything from anybody i'm a public servant the application process i'll go this

through this fairly quickly the member applies at our website you have to give us your name and address and now you have to register with a statewide identification system which is called my login everything in michigan starts with mi because michigan and it's pronounced my so you may think in your state you have stuff it's all my stuff so you fill that you give us your name address you get a my login um and you you give us your personal information no credit cards then you take tests do we have four tests which i'll admit need to be changed they've they haven't changed um in too long we have beginning and advanced incident response and forensics there's an

initial test that's pretty much ports and protocols uh basic networking so if you pass that one you get access to the basic ir and basic forensics if you pass the basic one of either of those you get access to the advanced one okay five tests total you have to pass four and um i have i have enough history that i know which one people are going to fail we we know which questions are bad i just don't have a test writer to uh change the test i'd love to go to something like maybe security plus and have somebody else administer this but we are where we are i i should say that the michigan cyber civilian corps

is at a point of minimum viable product for those of you that are familiar with entrepreneurial stuff it's it's good enough to show people it's not perfect totally got problems and you're welcome to tell me what the problems are but it's good enough to to throw out there and let people get ideas from it so you have to pass four of the five tests if you do that like i don't care about your documentation if you can't pass the test with all due respect if you pass the test then you send me a resume you have to fill out a volunteer agreement which includes non-disclosure um the employer agreement which is not a legally binding document it's a piece of

paper that you take into your manager and say hey i want to do this the reason it's not legally binding is well that would be a pain but general motors is look as as an example is located in michigan and i have people i have members that work for general motors general motors legal counsel is never going to let them their manager sign a document like this so we just blow it off if if people don't show up for activities for a period of time we can declare them inactive and they won't get access to training that sort of thing so it's it's not a perfect solution but it works and once once we have all the mandatory

documentation then we do the background check because we don't want to for obvious reasons costs money that kind of thing when we operate this is how we operate if somebody gets whacked they call the state police we are not um law enforcement so they call the state police and the state police vets the the call maybe there's no criminal element or maybe there is they they do the evidence thing but law enforcement as you know doesn't help people recover so we have a very good work in relation michigan has i don't know all the other states michigan has a really good cyber command department the guy that runs it lieutenant first lieutenant jim ellis is always out of

town going to other states talking about it i love working with these guys because they're the ones that actually do their memory forensics and they run ida pro and things like that and they will come to our meetings and talk to our members occasionally so that to whet their appetite you know because we are going to do that one day so the the michigan cyber command center vets uh that's the the incident if the affected victim wants help there are a series of legally legally significant documents that go go by we the person that the victim has to ask for help we have to say yes we can provide help if you are authorized to accept the help

reply in the affirmative and if they do then they've said they're the one to you know because we we need to have a throat to choke at the at the victim organization um as it were so that's how we operate i hope that i have given you a lot of information that will prompt questions because i'm going to turn it over to to adrian in just a second but the the bottom line this is like when when kovitz started everything shut down and we had been doing cyber defense for a long time and we couldn't do that like we had done it and so a lot of us were looking around for ways to be

to learn about serving the public we in the executive branch of the state of michigan we all took a 10 pay cut temporarily well it was going to be temporarily it hasn't come back yet but you know i i'm not working for the government to get rich i went like i said i live in kalamazoo michigan there's a pfizer plant there we produce the vaccines and when the trucks started rolling from the plant it was people in kalamazoo we were like in tears because it's our family you know we can save we can help save the world so after a while they started doing vaccine clinics and the kalamazoo health department called for volunteers and this there's a lot of other stuff

going on and i needed to do something so i volunteered to help with the with giving people vaccines and i ended up working as you see this is a the front page the incident response plan for for one week of doing uh vaccine uh clinics so i ended up working like a ten tenth of a year for the health department but it was it was hugely valuable i it is very difficult for me to describe how it was valuable but to go down there and stand for three or four hours with regular human beings who were coming in afraid they were gonna die i mean this is cyber this is defense you know it's not cyber defense but working

with people who were really concerned about the pretty bottom line you know it's an existential issue so this this is meeting people where they are i got to meet a lot of regular people i also got some contacts with the local emergency operations folks kalamazoo has an international airport the faa requires as you might expect people to test their incident response plan in an airport incident response is a mass casualty event so during the course of this i also participated with the the faa um test of the kalamazoo battle creek international airport there were like 50 of us the people that got there early got to get makeup and crawl up on top of the

school buses that they were using as the airplane fuselage so this gave i mean it was a lot of fun certainly but it gave me an end with another emergency operations group we said somebody said earlier that the reason people are not careful is because they don't think cyber is part of life right well cyber is part of life and life is part of cyber and the well you know that sounds stupid right but but still there is tons of overlap we have to get people thinking um about it like brushing their teeth right so so getting involved in this way is a way to get your get your hands dirty get your your brain working um

so you can find me on twitter and linkedin you go looking me up i'm not the fashion photographer that's eric ray davidson i've offered to do a job switch with him for a day but he hasn't responded you can write to me at davidson r5 michigan.gov that's our website and if you are looking for something to do locally your state doesn't have a program and some states are a little slow there are about a dozen states that are doing programming like this but if you want to do something and there's not something in your state you can do something globally and adriana oger is going to parlay with you about it [Applause] hi everyone adrian here our agent can call me agent

walks to um i'm the ceo of the cyberpeace institute an ngo based out of geneva in switzerland it's an honor for me to be here so thanks for coming thanks for watching yeah all right better yeah okay thanks sorry did you hear that though okay all right um so i'm going to talk to you about a similar program that we've launched about two years ago um that's operating globally it's open to to you i guess as well called the cyber peace builders program run by the cyber peace institute which is where i walk and i'll tell you more about these uh in a second um but first i want to tell you a little bit about the threats that

non-governmental organizations face. In the last three years we've seen a massive increase in the number of attacks against them, in particular the attacks being reported against them. We track incidents against NGOs as far back as 20 years ago, and NGOs are unfortunately quite an interesting target for both state actors and cyber criminals. A lot of people depend on them around the world, very critically, the same way that you and me and Ray depend on critical services offered by critical infrastructure operators, right? But if you think of emerging countries, where the state is not necessarily protecting its citizens and the private sector is not really as active as it should be, then you've got a

lot of people that depend critically on these services. And actually, if you go outside in the streets right here in Vegas, I took a walk yesterday night, there's a lot of people on the streets that depend critically on NGOs in developed economies as well. Just a couple of incidents, maybe you haven't heard of these: Roots of Peace, actually an NGO based in the US that got money from USAID, was attacked by cyber criminals, and we helped them investigate the incident. They lost over a million in funding that was destined to Afghan farmers, so that is money that was not provided to a vulnerable community because some criminals thought it was a good idea to steal it. We were not

able to retrieve the money. Maybe you've heard of the International Committee of the Red Cross that got hacked earlier this year: half a million refugees and other people at risk whose personal data was stolen and potentially monetized. And also just another attack that maybe you haven't heard of, actually right here, Philadelphia, a ransomware attack, over a million dollars that were stolen. And so I want you to compare that against what happened to Colonial Pipeline, which I'm sure you've heard about, that led at the end of the day to two million dollars being taken by the criminals after the FBI recovered some of the ransom.

I want you to consider that actually, for criminals, NGOs still mean high payout, right? When you can make out with over a million dollars, it's, for criminals, it's enough. I don't want to say it's enough money, I don't know what their dependencies are, what their objectives are, but it's certainly comparable to some of the amounts that they can steal from much more protected targets, in particular critical infrastructure in developed countries, which enjoy some if not all of the benefits of the protections that organizations like CISA, or ANSSI, the French cyber security agency where I used to work, and other such organizations can offer, right? NGOs do not enjoy any of the

benefits of these organizations, and for criminals, they don't need to use complex zero-days, they don't need to burn their zero-days on NGOs; they can use a password that leaked 10 years ago, which is what happened in some of the incidents that we've investigated. And the big problem is that most of the NGOs have started their digital transformation only recently, in the last decade more or less, but they do not invest in cyber security, right? So they need help, they need help now. That's why we created a volunteer-led program called the CyberPeace Builders that basically takes cyber security professionals and presents them with a very short-term

engagement opportunity so they can go and help NGOs. So it's literally as simple as this job board where you as a cyber security professional can connect; you can see opportunities that we list. We create relationships with NGOs and then we create those missions there. If I had internet I could actually show you, but basically it's a canvas: you can browse the opportunities on the left and see, all right, this NGO needs advice on 2FA, it's going to take me one hour, I have, you know, one hour of my time next week, next month or whatever, let me say that I'm interested. Then we know that, we match you up with the NGO, and then you

can deliver that help. So remote help, right, it's short term, unlike, I guess, what you guys did with MiC3, where it's a longer-term engagement. Obviously it falls outside the curve of incident response, right, because if an NGO is being ransomed they're not going to call you and ask you to, you know, stop everything you're doing in the middle of the night. So it's mostly pre- and post-incident stuff, right? Just briefly, we have over 70 NGOs right now that are in our network; most of them operate in the humanitarian context, peace, development, things like that. We have over 200 volunteer-led missions in the platform after a little

bit more than a year of launch. But that's just where we are today; by the end of the year I want us to get to about 100 NGOs, by 2025 to a thousand NGOs, so we can get closer to that one billion people that all of these NGOs support. Just a couple of highlights in terms of missions, maybe to make it more concrete for you guys, and I'm happy to show you the board after, it's live, you know, on the internet, so if you want to pass by. But just a couple of examples of what our volunteers did. So one volunteer, for instance, spent, well, we had, you know, scoped it to four hours,

ended up spending 16 hours, but not all jobs are like that, most jobs are like one or two hours, doing a code review for an app developed by a Mexican NGO to help pregnant women in impoverished villages, to tell them, you know, if you have this symptom, that symptom, this is what it means, when they cannot consult doctors. So they were looking to secure that code before launching it, and so volunteers were able to do that. A volunteer scan of websites of FSD, which is the Fondation Suisse de Déminage, a Swiss demining NGO. We had various one-hour security assessments that basically help NGOs understand where they're at, so it gives them a

one-page report with a three-by-three matrix, with red, you know, orange and green, tends to be red, but it's really visual and helps them convince their leadership that their cyber security is not at the right level and they should invest, you know, in those basically nine pillars, like authentication, disaster recovery planning, things like that. We supported an NGO implementing PGP. Another one, some of them come with requests, like, we were not expecting that, but they came asking for insurance advice, which is good, you know, in terms of maturity; maybe not so great because maybe they're trying to just outsource all their risk, but still, you know, they're asking themselves some interesting questions.

This is an example as well to tell you that our volunteers are not all technical folks. So we have people that are, yes, forensic investigators, that are incident responders, that are, you know, people working in red teams and stuff, but we also have people that have a background in law, a background in data protection, even a background in communication. Like, we have people who help NGOs with their crisis comms sometimes, or maybe can even design a poster to raise awareness on two-factor authentication, such things. So it's not just technical advice. Yeah, we ran an awareness raising session in Arabic, so one of our volunteers, that is actually, I don't know if he's

here today, but he's coming to DEF CON, working for LinkedIn, translated the presentation into Arabic and delivered that to an NGO, and voilà. And that basically helped us to surface some of the most recurrent needs that NGOs have and templatize, I think that's the English, the jobs, the missions, so that other NGOs that start, you know, from the bottom and really don't even know what to do could have an idea in terms of, all right, maybe, you know, I can get a training for my staff, maybe I could do a pen test, all right, what is a pen test, let me do that with one of the volunteers, etc. So it helps them, you know, advance in the

journey. And our hope is to standardize that all the way up to trying to bring them to ISO 27001 and other, you know, NIST frameworks, for instance, in the US, or the frameworks in other parts of the world, to help them have a more structured approach. Just in terms of setting up that volunteer initiative, a couple of, you know, the benefits and the incentives; I think Ray talked a little bit about that, so let me do the same for the Builders. What we try and do is foster a human-centric approach. You talked about the importance of feelings, and I talk about the importance of face to face, you know, seeing people, and through

the CyberPeace Builders you actually get to put a smile on people's faces. You know, no one helps these NGOs, so they're really happy when somebody comes and takes time, and so it's really that human connection, right, seeing who you're helping, having the ability for them to speak to someone rather than, you know, read a guideline or download the document or go to a conference but not engage directly, right, having that personalized approach. It's flexible for the NGOs as well because they can come up with whatever needs they have; they can really ask us anything they want. Of course if, you know, it's incident response, we'd say, let's scope it; if it takes, you know, 100 hours,

we tell them we cannot do that, but it's still flexible, like they can ask what they want. It gives them access to industry-grade expertise, right, all of our volunteers have jobs, right, so they come with that experience. Big incentive, right, it's free, of course. And back to some of the points you mentioned, Ray, it's also the community approach; it allows cyber security staff, or infosec staff, in NGOs to know each other and to start helping each other and building a sense of a cyber security community within that humanitarian sector. I dropped some of the comments that folks have left in the surveys we do after every

engagement. In terms of volunteer incentives, so if people, you know, like you, may want to join such a thing: of course, you know, it's a purpose-driven activity, so it's something that sometimes you don't get to do in your day job, and I think that most, and I hope all, of us in the cybersecurity industry have this kind of innate sense of helping, of protecting, and sometimes cyber security jobs can, you know, stray a little bit away from that initial mission. And so volunteering, whether it's with Michigan, with your state, at the international level, or through other initiatives, right, we're not the only one, it kind of appeals to that kind of

sense of purpose that many of us have. It's beneficiary-facing, so you actually get to see the impact of what you do, what you provide in terms of advice. It's flexible as well, right, it adapts to your schedule; you don't have to do things when you cannot. It gives you mentoring opportunities or shadowing opportunities because you can partner up with other volunteers and learn from them, learn their techniques. It's a good way as well to upskill, right, we provide a training, actually, I think you have it here on the right, where we give you some of the skills that you may need to enter into that kind of humanitarian context: so what is international, you

know, humanitarian action and humanitarian law, what is, you know, give you a sense of victimology and trauma, communication, a bit of diversity and inclusion in cyber security. So it's a course that we made specifically for cyber security professionals to introduce or develop some of the soft skills they may need for that volunteering opportunity, basically. And yeah, it's a good way to train more junior staff, which is something that companies in general are interested in. We work a lot with companies, so we try and do outreach directly at companies so we can get access to volunteers from their cybersecurity workforce, which helps with recruiting rather

than, you know, going one by one; we do both, but it helps for companies. So in terms of incentives, it's obviously corporate social responsibility, the Pledge 1% and all such movements, [inaudible], etc. It helps with talent retention, back to the point I was making earlier on purpose, right, it helps because it helps align the values of the companies with that of the employees. It helps train the junior staff, right, through shadowing opportunities. It helps with soft skills development, as I mentioned. Obviously there's a visibility component, associating the company's brand and, you know, name with that of the CyberPeace Institute. And because we do

run on donations, so if companies are willing to help there are also, of course, fiscal advantages. Just a small thing that Ray didn't talk about, but maybe something to come up in the questions: it costs to run these initiatives. I have a full team that's behind me, and there's actually a bigger institute, so we're 30 people out of Geneva working on three different pillars. This is one of our three pillars, right, providing assistance. We then analyze all of the information that we gather so that we are able to influence these issues, go back to decision makers at United Nations level, in the different capitals around the world, and tell them, look, this

is how people are suffering online, this is what we need to change, right? But this is to say that there's a cost to running all this and it's not that simple. I think there's more information online about, you know, what it costs for other states, but it's roughly between half a million and a million US dollars, I think, a year to run these initiatives. Yeah, so very briefly, if anyone is interested, you come and talk to me. Just to tell you that if you would want to do something like this, and you'd want to do it during your working hours, you're going to talk with

your employer. So we actually have an agreement with employers; we do struggle with legal counsels, but we have been able to get some to join. And so once we get a corporate agreement signed, it's much easier for us to be able to get employees. And then what we're finding out is that it takes time to go through legal counsel, so we're also opening a route for volunteers who want to join without necessarily having a legal counsel, you know, involved in their whole company, like, signing off on this. But we need to be able to do some kind of verification, so we're leveraging background checks done by organizations that provide security

certifications, like (ISC)². So if you have such a certification and you went through such a background check, then, you know, you can sign a standalone agreement, send that to us, and then we would be able to bring you in. Okay, that's a new thing that we've started to do. So that's it. Those are some of the organizations that we've been partnering with, and I'll stop here. I have a bit of time for questions. Thank you. Thank you very much. [Applause] Any questions? I will confirm that that number, that cost, is about right, half a million dollars. You can do SANS training, if you work with them you can do a

SANS class for 65 people for about a quarter million if you negotiate, work with them. I believe that I heard that the Wisconsin cyber, I forget what they call it, their cyber team, has a budget of around half a million, maybe six hundred thousand. Ours is like four hundred thousand, I think, ish. Like, I shouldn't give away definite numbers, but that's a reasonable number

for Michigan. Are you doing proactive engagements or only IR? And second part of the question: are you, in addition to assessing skills, are you in any way determining the ethics of the people that you're engaging with? So can you repeat the first question, or do it? Sure. Do you do proactive engagements where you help people, like, clean up things and do firewall audits and... Yeah, we, so the way it happened in Michigan was that when we perceived that there was a need, they prioritized the response part. As we started doing response, we obviously knew that, you know, we will get overwhelmed if we have to do a lot of this; we have to do proactive things.

There is now a program, there used to be a program called CISO as a Service in Michigan; it ran for about a year and stopped. They resurrected that and expanded it to a program called Cyber Partners, which is a community of a lot of the people that work for the state and do cyber, and it's similar to the MiC3, only it is more proactive. We've got agreements with people to do assessments, CISA assessments and that sort of thing. So the reactive component spawned the proactive component, and yes, we are doing that. But thank you both. If you're free, we'd love for the two of you to join our brainstorming session, which is moving,

it's one hour from now, it's moving upstairs to the Higher Ground track. But one of the open-ended questions is, as the Cavalry expands and evolves its mission, should we go down and across to the state or even county level with initiatives like yours, and/or should we go globally? And we don't want to reinvent the wheel, so in some cases we might want to partner with you, in some cases we might want to do direct copies of Michigan, in some areas we might want to have parallel experimentation with variants to compare notes and see what's working, what's not. And to his point, I'm a huge fan of crisis simulations and lightweight tabletop exercises, left of

boom, because, to quote the late great Dan Kaminsky, of the many things that hackers smash, perhaps the most important is assumptions, and I'd rather people figure out what to do in a fake crisis than a real one. But we don't want to reinvent the wheel, and we'd love to hear what would be the best complement or even partnerships as we head into the next nine years of this thing. I think he told me the answer to that when we were walking in and I just don't remember it, but he's gonna answer that. Thanks, Ray. [Music] I do think that there's lots of synergies that can be found and

must be found. We both were saying earlier, even if you don't remember, that this kind of volunteer activity is brewing up and we see that increasingly. I'm sure you've read what's happening in Ukraine with the volunteer IT Army over there. So there's this interest from people to give back, which is to me a sign that our industry is maturing and that we're now in a position to give back, where perhaps 10, 20, 30 years ago not everyone was. I know that I Am The Cavalry has been there for a while, but it's not been the case in every other country. Civilian and military reserves are popping up in different parts of the

world as well, and I do think that there's a way to unite all of that and to create some kind of a league or some kind of a network. You think of BSides even, you know, with BSides here, but there's also BSides in Brussels, there's BSides in Lisbon, there's BSides in Athens, and you need to have that kind of local element, right? If you work with SLTTs, I don't think that you can get by with the agreements that we have, because there's just some protections that you're gonna need that the government's gonna want. If you look at NGOs that basically have nothing else, it's an underserved market; they're a little bit

more forgiving when it comes to certain legal protections, and you can do a lot more, right? So there will be differences, and there's still a need, I think, to connect locally, right? Even in our approach, I didn't get into that, but we use regional advisors, people who know the region well, who are able to make connections that make sense, right? And I think that if you want things to last you need to have this kind of, you need to know each other. So, I hate to use this word, but it's like, this glocal, it's global and local at the same time. So yeah, I'm also very eager to give

back all the things that we're doing. You know, all of this is like, we will share the intellectual property, we help people, like, set up their own things, if we can grow this so that more and more people can receive the help, right? If not, like, think of the organizations that Ray is protecting and that the CyberPeace Builders are protecting; if you think of the people that they themselves are working with, right, what internet are we going to leave to our kids if it's a place where, you know, the data from children in schools in Kalamazoo gets stolen by pedophiles, if the data from refugees fleeing Ukraine gets stolen by Russia,

like, what kind of internet did we create and are we leaving to our kids? So I think that we have a window now to create what you're talking about, Josh, to fix these things at a scale that we haven't been able to do before. So let's just do it. [Applause]