>> MODERATOR: Please welcome Craig Newmark, Kiersten Todt, and Vivian Schiller.
>> VIVIAN SCHILLER: Okay. Hello, everybody. Thank you so much for joining us. We're really glad that you're here. We're going to talk with some serious stuff and we’re also undoubtedly going to have a little fun this morning. So, my name is Vivian Schiller, I'm the Executive Director of Aspen Digital. We’re a program of the Aspen Institute that focuses on the intersection of technology and democracy with a big focus on cybersecurity.
So this program, right now we are calling Cyber Civil Defense, a coalition to protect our digital future. So we live in a time of heightened risk, and this is the bad news and it is well known to everybody in this room. Nobody at this conference is unaware of that. But the good news is that many individuals and many institutions are heeding the call to protect our digital future. So the federal government, state governments, private industry, researchers, academics, Civil Society, even philanthropy – though not enough of them. And all other groups of many stripes are focusing on this heightened risk.
So the challenge now, and what we're going to talk about today, is how do we harness the incredible power of all of these disparate groups, all of this firepower so that the sum is greater than the – sorry. So that the whole is greater than the sum of the parts. That's the expression. So that we can better protect and defend everything from national security to business interests, and of course, the public itself.
So, luckily our two panelists today are both working in different ways, together and separately, towards such an aim with new approaches to ensuring that all sectors of society do play a part in protecting our digital future. So, Craig Newmark, who probably doesn't need any introduction, but I'm going to introduce him anyway, is the Founder of Craig's List, of course, and Craig Newmark Philanthropies. His really extraordinary philanthropic support is for a range of issues: ethical and trustworthy journalism, information integrity, veterans and military families, groups feeding the hungry, organizations that advance women and technology and media, and of course what we're here to talk about today which is cybersecurity. And even though I've known Craig very well for years, I can't – I can never help myself from reading these two lines from his official biography, this is part of his official biography, “Craig lives in New York City and enjoys bird watching, science fiction, and television. Craig is not as funny as he thinks he is.” I actually beg to differ, I think Craig is pretty funny but you'll be to judge.
Kiersten Todt is the Chief of Staff at CISA, where best I can tell, honestly she does a little bit of everything which seeing the – observing the activity coming out of CISA, is a lot. Prior to her role at CISA, Kiersten served as managing Director of the Cyber Readiness Institute. CEO of Liberty Group Ventures. She served in Obama administration as Executive Director of the independent bipartisan commission on enhancing national security, and then her bio goes on and on and on from there. So with roles both in and out of government, so you don't look like you're 102 years old, but you’ve certainly have had a lifetime.
>> KIERSTEN TODT: And I'm not as funny as Craig.
>> VIVIAN SCHILLER: Yeah, none of us are as funny as Craig. Okay. So let's get started. We’re going to have a conversation and then with our remaining time we'll open it up because we'd love to hear your questions. So Craig, earlier this spring you made a big announcement, a commitment of more than $50 million. I know you originally said $50 million, but I see you’ve exceeded the $50 million dollars in support to a coalition of organizations focused on educating and protecting Americans amid escalating cybersecurity threats. You call it Cyber Civil Defense. So, yeah. So tell us about your inspiration for this concept.
>> CRAIG NEWMARK: My deal is that I'm of an age which was the duck-and-cover generation. I was in elementary school where they made us go through that, and it sunk in but there, you know, fortunately wasn't much in the way of nuclear war. But in recent years I'm supporting a lot of veterans and military familie’s groups, for perspective among other things, and wondering if I should have served in Vietnam. They tell me I wouldn't have survived my first day in the jungle because my own troops would have fragged me because I'm that kind of tough military guy. But they also tell me that cybersecurity, that kind of thing, that's my war, that's what they want me doing and that's what they want me to help them find careers doing. So that's my initial motivation. I'm following through now. I've been lucky enough work-wise to fall backasswards (ph) on to a pile of money so I've giving it away for things like this.
>> VIVIAN SCHILLER: But let me just follow up and say why a commitment? You know, you have a range of interests. Why specifically cybersecurity?
>> CRAIG NEWMARK: In our country, we're being attacked on our own soil in ways that never happened before. This is true for democracies across the world, so people who got lucky should stand up for everyone else in a bunch of ways. Cybersecurity, I did mention vets and military families and there are other areas in which I support as useful journalism and pigeon rescue.
>> VIVIAN SCHILLER: That's serious by the way, pigeon rescue is one of his missions. Kiersten, so part of Cyber Civil Defense’s mission is to create a coalition of aligned stakeholders across sectors. Of course, CISO is doing this as well in many, many ways including the Joint’s Cyber Defense Collaborative, JCDC. So what is the relevance – talk specifically about the relevance of the cybersecurity nonprofit space and how does that sits relative to government, private sector, and other sectors?
>> KIERSTEN TODT: Thank you, Vivian. And I have to start off by just commending what Craig is doing because we're certainly in a city where in technology – where there’s lot of money but it takes a very different type of person to take that money, to give it back. And to truly invest in where our challenges are and you continue to do that in an extraordinary way. So it's tremendous just to be with you and to be in this mission together because there is a lot to be done.
So when we look at CISA and what we're doing – for those that saw Director Easterly’s, Chris Inglis, Rob Joyce’s panel yesterday. You heard Jen Easterly talk about the Joint Cyber Defense Collaborative and for those of us that have been in the space for a really long time, we know the term of public-private partnership lost the meaning a while ago because it was about discussion – maybe a monthly meeting.
And the JCDC is about operational collaboration and what that means is real-time engagement between industry and government. And for better or for worse, we saw this in real action over the last 9 months – 10 months with the ‘log4j’ incident, and importantly with the Russian invasion of Ukraine. Industry and government partners convened by the JCDC came together to put together a plan, to exercise the plan, to execute it. But importantly, when the invasion – after the invasion happened, there was real-time exchange of information via a Slack channel that talked about data points. And it's this idea of how do we collect the data points to be able to see a broader understanding of the threat picture. We know SolarWinds – it’s no secret that it wasn't discovered by the government, it was industry. And we don't want government on private sector networks nor should they be, but if the private sector can share what they're seeing with government and intelligence in real-time, we have the ability to see the greater threat picture.
But to answer your question, if we take this down a couple of notches, somebody said to me a while ago, “People don't trust institutions, they trust people.” And the JCDC is really about building that trust between industry and government, but it's through people. And I think, you know, when Craig talks about his mission and the Cyber Civil Defense, it breaks it down to the people. And as we're looking at cyber it can be a very nuanced term and it can be something that almost feels esoteric. But at the end of the day we have to rely on people to understand the accountability and responsibility that they have for cybersecurity, and what their role is both as citizens but importantly parts of companies and broader organizations.
>> VIVIAN SCHILLER: But when we hear, you know, the expression public/private partnership, generally we're thinking about government and specifically the private industry. So what about the role of, sort of, NGOs and Civil Society organizations, and the kinds of groups that Craig is supporting? What is that – how do they fit into the mix? How do you look at it from the CISA perspectives of role of the other institutions?
>> KIERSTEN TODT: There’s a huge opportunity because what nonprofits/NGOs are doing is they’re actually in the communities with the stakeholders. And we talked about this in the commission in 2016, how do we bring the philanthropic world into cyber and it's been this evolution. And where we are now I think – you know, I worked on this NIST framework back in 2013/2014, and we talked about the power of government to convene. And I think something as similar as we're looking from the nonprofit sector, government doesn't have to be the author. We don't have to have pride of authorship on the work out there but we can be a platform for visibility. And when you look at the texture, or the quilt of all of the efforts with nonprofit.NGOs that are out there, government can play a role in threading those together, creating that platform for engagement and integration so that we can actually get into the communities where we're trying to reach people – underserved communities, whatever the mission is. And I think that is how this integration will be most effective.
>> VIVIAN SCHILLER: Yeah, it reminds me of the expression which I'm sure I'm about to mangle which is, “Nothing is impossible for the person that doesn't need the credit.” I know I've gotten that wrong but it's just absolutely, it's absolutely so true. So Craig, your Cyber Civil Defense initiative really focuses on three priorities: cyber tools and services, cyber education, and cybersecurity workforce development. So why those three areas?
>> CRAIG NEWMARK: Well, our country, and again all democracies, need hundreds of thousands of more professionals who can help protect us all. But we all need a little protection when it comes to our own systems, our homes, businesses, and that kind of thing. So that means we need a lot more education which can be figured out and, you know used, seriously used, by anyone who is any good with computers. Like in World War II, if you can play a part, if you can play a role, you should. And that means that we need some education for civilians so that they can at least protect themselves.
The education should also lead up to a point that if you're good at it, and a lot of people will be good at it, that might be the next step towards an actual – oh, towards an actual career in cybersecurity. So we need a spectrum of education, civilian education that all of us could use, I think – one way or other – leading to cybersecurity career education. And it's really important that this become – well from the very beginning, that this be fair to everyone. You want to treat people like you want to be treated, meaning everyone has equal opportunity to get this kind of education, and actual jobs and careers.
Now, this involves, like social skills to figure this all out, and when it comes to social skills – well, like have you met me? For that reason, I've engaged the Aspen Institute to help me out, specifically Katie, and I recommend that everyone get a Katie because she can handle all of that for you.
>> VIVIAN SCHILLER: Katie Brooks.
>> CRAIG NEWMARK: All those, you know, all those icky human and social matters, she can do that for me. But then, civilians, we need the kind of tools that will allow us to protect our systems, our phones, our home networks, and stuff like that. So what I'm doing there is I've engaged Consumer Reports to look at a lot of the tools that we can use, like password managers and so on, so they can curate and recommend tools. The deal is that Consumer Reports has been in this business for 85 years, from when washing machines were in high tech. So what I've done is asked Ben – and everyone could use a Ben – his job is to do things like getting password managers –
>> VIVIAN SCHILLER: Ben Moskowitz.
>> CRAIG NEWMARK: - for other people to look at. But beyond that, Consumer Reports has traditional strengths in things like product safety. So the idea is to put cybersecurity nutrition labels on anything that could be connected to the net like your car. I don't know about you but I would be really irritated if my car was hacked and suddenly took a left turn from the right-hand lane. That would be very frustrating.
Also, and here is a more complicated way, a few years ago Eileen – that's Mrs. Newmark, she joined an Nespresso cult. She likes their coffee machines, which look a lot like the Terminator character, the robot itself. Now the new generations of Nespresso machines are Wi-Fi connected and I want Ben – you know, from Consumer Reports – to assure me that they don't have the spark of cautiousness. Because once you start hooking them all up, they'll start thinking for themselves and they'll decide that they're going to force all of humanity to be either coffee producers or coffee consumers. And what that means is that Eileen – you know, Mrs. Newmark is going to have to send me back in time since I have that Schwarzenegger thing going on, and then I have to stop all of that from happening.
Of course, a lot of people think we are all – in the U.S. at least, a nation of coffee consumers so it's probably a little too late. But we need a lot of other tools, too. I'm working with the Global Cyber Alliance, they've developed QUAD9, a protective DNS system because we need to be stopped sometimes – even if we're smart about it – we need to be stopped from going to a system that's actually a phishing site. There’s a lot of areas – they run honey pots to lure people looking for Internet of Things-things that could be corrupted.
I'm working with Shadowserver – and that's a big deal right now for the net – they run servers and systems which actually go through the entire internet looking for trouble like exposed database systems, exposed industrial control systems because if you left a programmable controller exposed on the net and it's controlling chemical processes using toxic gases, you really don't want someone releasing them.
A lot of organizations are building these tools and services – that's a really big deal. I'm also working with the Ransomware Task Force and even in today's Washington Post there’s an editorial talking about them because they actually sent out a list of recommendations to help us all deal with ransomware, which is a problem for all of us. For example, in our personnel files at work, and even at home we have sensitive stuff that we don't want people fooling around with. And again, I haven't worked with them, well seriously for as many as 12 hours. The idea is that all of these services are real and people who can step up to fund them, need to do so.
>> VIVIAN SCHILLER: So you've talked about a number of your grantees, the organizations that you're supporting in the category of cyber tools and services. Again, the other two categories around education and also workforce development. Just talk about a couple of the other institutions that you're supporting in those categories.
>> CRAIG NEWMARK: Yes. Thank you for reminding me that I needed to do that.
>> VIVIAN SCHILLER: That's why I'm here.
>> CRAIG NEWMARK: Since I support a lot of vet’s organizations and cyber organizations, there is something called VetsinTech. Their deal is to introduce vets and their spouses to the tech industry, and in my case specifically, I'm funding them to train vets, and their spouses as they want, for cybersecurity careers. They use a number of sources, a number of institutions to help them out, but the deal is that when they're through training, they can actually do something like an internship or apprenticeship, at a firm getting that kind of work.
And frankly, I got a pleasant surprise at the Fortinet booth yesterday. One of the guys involved with this, now has an actual, real job doing this kind of thing. So that's, you know, that's the deal with VetsinTech.
I'm also supporting a number of groups that are doing coding at the high school level like I've worked with Girls who Code for some time, and now I'm supporting the Girl Scouts. They actually have a merit badge program going down into the Brownie program. And I have a seven and a half year old neighbor here in San Francisco who now has her first cyber merit badges, and she's seven and a half – the half is very important. And I’ve raised this with her parents and the national cyber director who is interested in an internship for her because if you're seven and a half you can probably pass a background check.
>> VIVIAN SCHILLER: So Kiersten, talk about this wide range of these Civil Society groups that Craig is supporting. How do they fold into – how do you think about them relative to your efforts across your JCDC – yeah, the JCDC. I just have to get the acronym right.
>> KIERSTEN TODT: Craig talked about Girls who Code and I think, you know when we were dealing with the – and continue to deal with Russia's invasion of Ukraine. We worked a lot with stakeholder groups and that about resilience and protecting and defending. But what's been important is we’re looking at the issues, and the third issue, Craig, that you're dealing with on workforce develop, I think this is the greatest example right now, of how we're working with communities. Because at the Federal Government level can you only actually understand what's at the community level to a certain degree. And so it's our responsibility to go into the communities to work, to go to where the talent is, to where the needs are to be able to bring them into government. And so, these organizations like the ones that you're working with who are developing partnerships with Girls who Code, with the Girl Scouts, Empower, other organizations, and community-based organizations through colleges, universities, community colleges, vocational schools. To truly understand the communities themselves, and how do we attract the talent from there.
I think from the workforce side, this is one of the greatest pieces, but it's also understanding, you know, as we're looking at CISA as American's cyber defense agency, how are we helping citizens defend themselves? So the nutrition label is one we talked about the in the commission, and it's wonderful to see the work that's come of it because I think how are we going to educate people in accessible ways. And the work that you've done to move that along is pretty extraordinary because it's this idea that sort of like the energy guide, consumer reports or nutrition label. If I'm looking at a piece of chocolate cake and I learn the number of calories or fat, whatever – and this may not be healthy, I can still choose to eat it. But it's going in eyes wide open, and I think when we're talking about cybersecurity it's these ways to make the education accessible.
So as we look at what CISA can do in government, it's about weaving together these organizations to truly give us an understanding of how the communities are operating and how we can reach into them to be more effective.
>> VIVIAN SCHILLER: Let's talk about now how to widen the aperture a little bit to engage in all of the same categories we’ve talked about: tools and services, education, workforce development. To include, for example, two categories I want to talk about. Sort of big tech, and the role that they have to play in these efforts. We'll start there and then I'll bring up the other one.
>> CRAIG NEWMARK: I'm being looked at now, so my deal is that a number of big tech companies: IBM, Google, Microsoft, Amazon are offering training and job placement to a lot of people. You know, they're talking about thousands, tens of thousands of training opportunities and jobs. And I've already started chatting with them about how we make that real because we only make that real if they provide the resources and that people like us here keep reminding people in the public, “Hey, this is real and go ahead and do it, and then go ahead and do it some more.” Because sometimes people create good programs but if no one champions them, then maybe they're not as effective as they should be.
And, you know, I'm independent. I have different rules of engagement, and so I have the opportunity to repeat things and throw branding on, let's say a weekly or biweekly basis. My challenge is to be annoying, but only mildly annoying and that seems to be working. For that matter, these companies have good technology as well and the idea is to keep pushing that. And that includes like multi-factor authentication and the trend towards password-less authentication. So the idea is to keep pushing, and to keep pushing, and to not stop. Like I'll probably give it another 20 years or so, only as long as I live. After that, well I'm making plans.
>> VIVIAN SCHILLER: Yeah. You know, one thing that I know is important, certainly it's important to us at Aspen Digital and I know is important to you, Craig. Is that when we look at workforce development and the role that big tech can play. To particularly focus on underrepresented communities, people of color, women, and to try to sort of widen the aperture on the kind of workforce that goes into cybersecurity which as we know traditionally has been white and male. And so, a lot of the work that you're doing I know is focused on black communities, Latinas, and others, really to try to broaden the diversity of the talent pool.
>> CRAIG NEWMARK: Yeah. There is a number of really good groups doing this work, like I've met already with the ShareTheMicInCyber folks and there is a meeting coming up in a couple of hours to that effect. I mentioned already Girl Scouts and Girls Who Code. There is Girl Security, there is a whole bunch of groups involved with this. The deal is to commit from the beginning, and part of my job will be to remind people to treat people like you want to be treated, and then to keep saying that over and over, and then delegate the actual doing of that – you know, to Katie because Katie is the one making sure she understands the landscape of all of this. That is Katie Brooks at the Aspen Institute –
>> VIVIAN SCHILLER: Yeah, yeah.
>> CRAIG NEWMARK: - and the idea is to follow through with all of this and make sure it happened. Frankly, I'm spending more time on the tech tool side as I turn 70, this is my delusional – delusional approach to thinking that I'm still technical. Don't let that bother you, just please humor me.
>> VIVIAN SCHILLER: Yeah, we will continue to humor you.
>> KIERSTEN TODT: Vivian, if I can weigh in on the workforce piece because I think it's important and when you talk about government and nonprofits and NGO’s can work together. You know, one of the the mission for CISA is to build out diversity in the workforce and this really is about diversity of thinking and so it goes beyond racial, gender, socioeconomic diversity. But really thinking about how do we pull in talent across multiple sectors because when we think about cybersecurity, it's an interdisciplinary issues, it requires solution sets, and so we need experts in sociology, psychology.
So when we're talking about training and getting into the elementary schools something – I know, Craig you've done a lot of great work with. I think government then has a role to help set the broad messaging around what we're looking for, is very broad. It’s interdisciplinary so that girls can see themselves as cyber experts even if they're not interested in math and science in that moment. And I think this is where we weave together the work of the broader messaging piece of what does it mean to build out a diverse workforce to be able to then bring that into schools, bring that to curriculum, bring that into colleges and universities so that we can do a better job to truly attack – attract talent that represents the nation and, quite frankly the planet.
>> CRAIG NEWMARK: Yeah. The deal is that I also work with the Gina Davis Institute, which is about the representation of everyone in media, but the principle is that if you can see it, if you can visualize it, something real can happen. And at the risk of repeating myself, we all, I think, want to treat people like we want to be treated, and you take it from there.
>> VIVIAN SCHILLER: You know, and I want to commend CISA on a lot of the way that you approach of the messaging about these issues. You know, and maybe appealing to young people but a lot of the ways you talk about, like the Shields Up, and a lot of the other sort of branding and the avatars. How much of that is about trying to sort of have, whether it's girls or young women or others to sort of see themselves as that they can be part of this, that they can be a role in cybersecurity. That it's not some sort of obscure highly technical thing that is out of reach for them?
>> KIERSTEN TODT: The branding and accessibility is so critical and I think this is one of the things that Director Easterly has done tremendously well which is really not seeing us as a bureaucratic agency, kind of burdened by how we talk in messaging. But really trying to make this current and accessible. And I think this piece is so critical. It’s, how we're getting into the communities, what's going to attract? So we just launched this week the ‘More Than a Password’ campaign which is an MFA campaign, and that’s all based on, “How we make this cool when we look at it.” I mean, if some of you saw Jen's tweet from earlier this week, she was on stage doing it to More Than a Feeling from Boston. It’s, how do we create the music, the accessibility for kids to understand this space.
I mean I was having another conversation with somebody about just even the terms cyber and cybersecurity can be very resistant. So, how are we looking at this? And this is where I think CISA can play such a critical role because it is about the platform for visibility. We can look at how we're getting into communities and create a language that makes it easy for children and individuals of all ages, and across all communities, to understand that they have a role if they want one.
>> CRAIG NEWMARK: Yeah. The CISA multi-factor authentication campaign is a big deal. It’s something I’ve already started to support, which I'm grateful for because Eileen – you know, Mrs. Newmark, tells me I'm not going to be able to get her to use a key unless I can assure her she won't have to use it every time she logs in. So what happened is that she sent me back in time last week when I helped them with the campaign. The last part was partly a lie.
>> VIVIAN SCHILLER: So in terms of sort of expanding, broadening the big tent. Craig, you have been as a philanthropist, you were one of the earliest movers in recognizing that cybersecurity must be an area of focus. I would say Craig Newmark Philanthropies and The Hewlett Foundation were really the first. But even now, you've been in the space what for 10 plus years in terms of funding cybersecurity. Even now, there has not been a great expansion of philanthropic organizations recognizing the necessity of cyber security. Now in addition to you and in addition to Hewlett we have, you know a mediocre networks just starting in get into the space, Ron Gula(ph), but I can really count on one hand. How do we expand, how do we get other philanthropic organization – and I have the same question to you – to recognize that this cybersecurity, to your point is not some sort of niche thing over here that's highly technical that nobody can possibly understand. To understand why this is such a core part, and needing philanthropic support?
>> CRAIG NEWMARK: I'm not all that smart and I'm not a leader type. All I know how to do is to do something that's real, to talk about it, and then to be mildly annoying to the people who have real serious money, and then to keep talking with them about that. The idea is that I just have to repeat that to talk with them about the importance of this, and for that matter, what it means to their companies because if you're not paying enough attention to cybersecurity in your company at some point I'm guessing, there is going to be a massive liability issue and you may get sued.
So the deal is that, I don't know how to lead from the top I can only lead by example and I just have to keep doing it only as long as I live. After that, I'm beginning to make some plans.
>> VIVIAN SCHILLER: Okay. That will be the subject for our next session.
>> CRAIG NEWMARK: Yeah.
>> VIVIAN SCHILLER: Join us later for drinks to hear about this.
>> CRAIG NEWMARK: Yeah.
>> KIERSTEN TODT: Well, I think the piece as we look at this cyber is critical to the mission of every organization regardless of what the mission is, and you know, this goes back to every individual having a responsibility and an accountability in cybersecurity. Which is why, you know a lot of the efforts, and Craig has been a tremendous partner and supporter around cyber hygiene, what are the basics that everybody can do. But I think one of the things that's been interesting over the last year is how cybersecurity is slowly becoming much more of a kitchen table issue. You know, when we saw Colonial Pipeline from the Commonwealth of Virginia, we saw people in long lines waiting for gas, not because there was a shortage for gas but because there was the psychological fear of the potential for a shortage. When you saw the JBS food supply – this concern about, “Am I going to be able to bring food to the table?”
And this appreciation that I may not know exactly how this is done, but I understand that there is a role for me to play. And I think this is a huge opportunity for industry to step in. I mean, you start to see some industry, some companies have philanthropic arms. Others that have – we have tremendous wealth and resources in this country and the hope is that there is this prioritization and understanding that cybersecurity underpins our national security in such a significant way. And that everybody, regardless of where you stand, has a responsibility. And so, I'd love to see more companies take this on in a philanthropic way and certainly those that are not in this space but are doing it – and you have led the way I mean, you are leading this. It is so critical to where we are but importantly where we're going.
>> CRAIG NEWMARK: That gives me too much credit. I get a lot of it, well the literature of my people – my people being the nerds. It’s science fiction and that's been preparing me emotionally for all of this for some time. Now I'd like to commission my fellows. I love old war posters, like World War II posters, and this morning I was thinking, “Loose lips sink ships,” and since I'm not very creative the best I can do is “Loose phones sink drones.” We need to do better than that.
>> KIERSTEN TODT: We have a job for you at CISA in messaging.
>> VIVIAN SCHILLER: You heard it here first.
>> CRAIG NEWMARK: That's right. I'm so good at social nuance and social skills.
>> VIVIAN SCHILLER: Well, you're leading into my last line of questioning that I want to talk about, and then we're going to please get your questions ready because we really want to hear them. Which is, how do we reach the broader public? I mean, we've talked – so far we've talked very specifically about reaching, you know, kids to try to get them interested. But you know, in careers and cybersecurity and reaching sort of niche groups. But how – I mean I struggle with this as well, so how do we think about cybersecurity being something that people can rally around? And is there a public messaging campaign in the same way that, you know, that there was successful campaigns around smoking – antismoking or seatbelts? And what is that – so maybe now we have our tagline, “Loose phones sink drones,” I love that. But is there – how do you think about, sort of, really reaching the public in a way that's accessible? I'll start with you.
>> KIERSTEN TODT: So one of the things we talked about a public awareness campaign, again, when we were working on the commission six years ago, and somebody – one of the commissioners made a really interesting point because everyone says, “Why can't we have ‘a don't do drugs’, a smoky the bear, don't litter,” all of these things and the commissioner said those are all binaries. You to something or you don't do something. The challenge with cybersecurity is that it's not a binary. It's don't succumb to phishing, don’t use USBs, you know, use multifactor authentication, make sure you’re using encryption, back up your data.
And so, can you have this umbrella campaign that then really feeds into all of this. And this – we actually, CISA is going to be launching a public awareness campaign to look at this – we don't have it all strategized yet or the content. But the idea is that have this umbrella messaging that is accessible and, you know, we all think back to different messaging that has resonated with us over the years and how do we create that type of messaging – schoolhouse rock. How many different people learned, you know, for different generations how government works? There are ways to do this that break it down. I think, you know, somebody said about six years ago, cyber hygiene was almost insulting because everyone does the basics. Everyone doesn't do the basics.
>> VIVIAN SCHILLER: No, they do not.
>> KIERSTEN TODT: And so, we’ve got to be able to get this to the basic building blocks, that's why CISA launched a MFA campaign because if we can just get everybody to do MFA and help them. They don't have to understand the why, but just how to do it and make it accessible. That takes us very far. So this public awareness campaign, how do we reach citizens because that's one of the key elements to CISA mission's is as America's cyber defense agency really raising the bar for individuals. And it is a public awareness campaign but it’s going to take – it's not just one done by government, it's done in collaboration with organizations, nonprofits, NGOs, and industries to get that messaging right.
>> CRAIG NEWMARK: Yeah. The deal is that there is a lot of good work going on in these areas, like with the Ransomware taskforce, Shadowserver, Girl Scouts. And I seriously am not a sophisticated, messaging person, all I know is that announcing something one day and not following through doesn't help. So that's why I will on a regular basis retweet stuff from CISA. I will bug the people at the Girl Scouts and VetsinTech to give me something to tweet on a near daily basis. Again, just short of spamming, just short of being worse than mildly annoying.
The idea is that we do need ways of catching people's attention. Jen Easterly's Shield's Up is a good thing but in my case that means I started watching the original Star Trek when I was 13 which led to my personality development delay of about 40 years. The thing is that works for a large segment of the population, particularly a large segment of the population that works with computers. We need more of that. And again my gut tells me that posters based on the World War II style, might be part of that that can get into our heads like the British ‘Keep Calm and Carry On’. I think there are promotional materials along those lines which we can do and then repeat just short of being annoying.
>> KIERSTEN TODT: I could add on to that because Craig mentioned Shield's Up which was that CISA put out in November in anticipation of potential invasion of Ukraine. And what’s been interesting is – you know, the key elements were lowering the threshold for reporting, empowering CISOs. What's interesting through the time is industry raised the bar for security in a way. And so Jen and Chris Inglis had Op-ed earlier this week to talk about what is this new normal? And the analogy I make is post-9/11. I was in DC, I was working in the senate – working on the national planning commission and there were all of these temporary efforts putting blockades around the monuments, shutting down Pennsylvania Avenue, protecting the capital. But then there became bollards, then there became more permanent structures to raise that level of security which people just elevated and understood and accepted. And I think what's been interesting from a human behavior and cultural perspective when you talk about how do we access this. There has been this movement because of messaging where industry raised the bar, accepted it, and worked with their CEOs, and others, to say, “Okay, we can to do better.” And now they understand that this is where we are.
And I make that point because I think so much of that was messaging. We were talking to thousands of stakeholders to talk about the Shield’s Up. We were working with community groups, infrastructure groups. And if you take that model to just basic messaging around cyber hygiene and just what we have today, I think it can work very effectively. But it's getting into the communities, it's the constant communication, it's that ability to understand where the issues are and what, again, every individual has as far as the responsibility and the accountability.
>> VIVIAN SCHILLER: But it strikes me one of the challenges is to really connect the dots between my own personal behavior – am I using MFA – and national security. Like, how do you bridge that divide? You know, using your 9/11 analogy, you know, there was the campaign of ‘See Something, Say Something’ but that was more sort of everybody sort of being alert and it backfired in certain ways as well.
But how do you connect people's personal behavior, how do you incentivize them to think about it not just in terms of protecting their own data and privacy, but for national security?
>> KIERSTEN TODT: It's an interesting question because I don't know that you need for people to understand their role in national security. Although, we have seen plenty of examples where an individual's computer that’s accessed then becomes the gateway to a breach into a larger big event. But I think that it's much more about what is the social contract that you have now when you have a phone, you have a laptop, you have a device that you're connected to the internet, what is your responsibility? And it's the analogy that we often make to cars, right? You don't need to be a car mechanic, but you need to know to put air in your tires, to make sure your oil is okay – now we have airbags in part of cars that you're not buying them – which I'll get to in a moment. But this idea that to drive safely on the road, you do these things. And it's not necessarily because you have to have this broader understanding of your role, but that's the right thing to do.
And I think we're evolving into this space where if you are an individual connected to the internet, the right thing to do is to take that responsibility. And I think that messaging is easier than your impact on national security. I will just say that we've got to do a better job working with industry to bake security into the products. Because we can't always expect the end user to be educated, we have to sometimes move security away from the end user when we're talking about industry. That’s a huge step forward if we're not making security an option that people have to pay for. It absolutely should be a part of it.
>> VIVIAN SCHILLER: Exactly the airbag. Okay. We want to go to your questions. I believe there are mics set up on both sides. I can't see. Oh, there is one over there and one over there. I would ask you to please say your name, your affiliation, and this is for questions – concise questions only with the exception of if you have a great idea for a poster slogan, we will hear those, too. Okay. Over here?
>> DR. KELLY MASATA: Hi, my name is Dr. Kelly Masata with Sightline Security. Recently, critical infrastructure has been in the news with cybersecurity. When disasters happen nonprofits are typically the first on the scene. Can we start to consider them as the other critical infrastructure? And if so, how would you suggest elevating them in the security conversation?
>> KIERSTEN TODT: So it's a great question and I think Craig is doing some great work in looking at this already. When we look at the communities, you think about 911 and you think about the people that are on the other ends. And I think there is a huge opportunity and it’s something that we're starting to explore of this town gown engagement of universities with communities to build out that first line of response because to your point, being able to build that out in communities can go such a long way, and we're already seeing interest from industry to partner in the communities where industry is to help support that type of effort.
>> CRAIG NEWMARK: Yeah. The deal is there are already volunteer organizations in place, like there is the Cyber Peace Institute, the Center for Long-Term Cybersecurity out of Berkeley I think, and they're already beginning to create a network of people who can train the trainers in nonprofit organizations. These things are beginning to happen and I'm talking with them right now about my commitment to them.
>> VIVIAN SCHILLER: Great, thank you. Over here.
>> GARY BERMAN: Hi, my name is Gary Berman. I’m the host of the Cyberhero Adventure Show and the creator of Cyberhero Comics. And the first thing I wanted to say is thank you for who you are and what you do and most importantly why all three of you do it. I've had the privilege of listening and learning to hundreds of cybersecurity leaders, and you know God bless you for what you do. It's relentless and difficult and stressful, you know sort of mission that you're on so thank you for doing it.
My quick question is about a way to kind of open up the aperture to young people, especially 4th and 5th graders because research shows that's about where they kind of opt out of the kinds of careers that we're talking about. And according to NIST, there are actually about 53 different work roles within the cybersecurity ecosystem. Maybe you can opine about that a little bit and maybe people don't have to be only technical and maybe marketing and communications or things like that.
>> VIVIAN SCHILLER: Yeah, we did talk a little about that. How do you not – make sure kids don't get intimidated by something being too technical because the range of jobs in cyber security, of course is vast.
>> KIERSTEN TODT: I think this goes to the interdisciplinary nature of the subject matter, if you can show and demonstrate that when we talk about human behavior from messaging, that's about a sociology interest, that’s psychology. And how we can show that there is so many aptitudes in the space that are relevant and critical to, not just where we are, but the future of security.
>> VIVIAN SCHILLER: Yeah, and I go back to the Girl Scouts and their merit badges. Over here.
>> JACOB LUNA: Yeah. I would like to echo that. I appreciate your service. My name is Jacob Luna, board chair for the DFW chapter of NextGen Cyber. And our mission is to help those that are underprivileged, undereducated to find careers in cybersecurity. Our number one challenge is job placement after the cohort graduates. So you know throughout RSA we've heard 4 million open jobs globally in cyber. We’ve heard that 500,000 of those are in the U.S., and we've heard that one-third of jobs are unfilled in cyber here in the U.S. And so my question is, how can we better advocate for entry-level positions to cyber leaders?
>> VIVIAN SCHILLER: That's a great question. There is obviously a disconnect with all of those open positions if people aren't able to connect to the open positions.
>> CRAIG NEWMARK: What I've been talking about with people doing this kind of training is my fantasy that when somebody graduates – let's say from the high school efforts from the Girl Scouts or Girls Who Code or anything – that they be ready to be taken on as interns or apprentices in serious companies, for example the big tech firms. That's where I'm starting to push. At this point it's just talk because there are some skills that they really need to learn that will be difficult, so among the ideas is that the graduation for any of these should involve building and defending a network, and then also then attacking a network.
So that's the deal there. Right now that's just talk. Beyond that, the folks at VetsinTech have had a lot more success in training and then placing people in jobs. So far it's around 90%, and we have to hear after the end of this year there will be another 900 trained, or 1,000, and we need to get people in place at that higher rate. That's my fragmentary answer to the problem because after which I'll just have to refer you to, you know, Katie.
>> KIERSTEN TODT: Thank you for the work that your organization is doing. It's definitely filling a necessary gap. I think this is where government can model opportunities, you know, one of the missions that we have is how do we bring in more entry-level cyber talent. We have these engagements with universities, with vocational schools, community colleges. We go to job fairs and we've got to bring them in and create the mentorship and the retention skill – the retention capacity within the organization to model that. And I do think it's a gap, but it's something that, you know, I can speak from where we are at CISA right now that it's a priority and we have to do a better job, but if we can start to do that and model how it works, then I think we start to hopefully set the standard and create templates for it. But it's a huge issue about bringing in entry-level individuals who have the skills and have the potential and how do we nurture them?
>> VIVIAN SCHILLER: Great. Thank you. It was a great question. Over here?
>> ANN CLEAVELAND: Hi. Ann Cleaveland from the Center of Long-Term Cybersecurity at UC Berkeley.
>> CRAIG NEWMARK: I didn't plant this.
>> ANN CLEAVELAND: It's true. He didn't.
>> CRAIG NEWMARK: I should have.
>> ANN CLEAVELAND: Echo my thanks for all of the work that you and each of your organizations is doing. Craig, you mentioned the literature of your people, and we know that recent science fiction, especially when it comes to cybersecurity can be somewhat dystopic. So my question is for each of you, what gives you the most hope right now? One thing that gives you the most hope that we will have wrapped our arms around this problem of cyber resilience in five years better than we are doing today?
>> VIVIAN SCHILLER: I love that question.
>> CRAIG NEWMARK: What gives me hope is the ability to act on this relentlessly to support the people who are doing the real work, and just to keep supporting them and then keep reminding them to get the word out because unless people are talking about what you're doing, you might as well not be doing it. And then just to not stop. My deal is that as odd as it seems, a nerd's got to do what a nerd's got to do.
>> VIVIAN SCHILLER: Also in Craig's official bio.
>> KIERSTEN TODT: Well, I'll just say Craig gives me hope but also the thousands of people I serve alongside every day who have chosen to make this their mission in what they're doing. And then when you talk to young people and their interest in this space and how creative they are and how innovative they are and how they're looking at this. And that's the other piece is we’ve got to bring in younger voices. It goes to the earlier question about entry-level talent. The valued entry-level talent isn't just about helping them but we learn so much from perspectives that haven't been in the space. And I think when you talk and go out into communities through nonprofits and NGOs that are supporting those Girls who Code, Empower, and others – you hear the creativity and the innovation in what they’re looking at. And so, as this workforce is building up through elementary and middle school and high school, I'm very encouraged by that vision, but importantly also by the people who take action today.
>> VIVIAN SCHILLER: Well, I can't think of a better note to end on than by talking about hope, so I'm sorry that is all the time we have but I just want to thank Craig and Kiersten for a really great conversation. And thank you for all of your fantastic questions and for being here with us today. So thanks very much.
Share With Your Community