Small organizations — such as non-governmental organizations (NGOs); state, local, tribal, and territorial government organizations (SLTTs); and small and medium-sized enterprises (SMEs) — often struggle to protect themselves and their beneficiaries in cyberspace. Meanwhile, startups and technology companies have unique expertise that can help the smaller organizations address some of the key challenges they face.
On August 16, 2022, CLTC co-sponsored and participated in a panel discussion on how Silicon Valley institutions can help the most vulnerable protect themselves online, understanding that our common safe future, physically and in cyberspace, ultimately depends on our ability to protect everyone. The event was co-sponsored and hosted by Swissnex at their Pier 17 office in San Francisco.
Moderated by Yannick Heiniger, Interim CEO of Swissnex in San Francisco, the panel featured public, private, academic, and civil society leaders who are working on the front lines of cyber peace: Ann Cleaveland, Executive Director of CLTC; Michael Makstman, Chief Information Security Officer for the City and County of San Francisco; Adrien Ogée, Chief Operations Officer of the CyberPeace Institute; and Adam Rosenzweig, Director of Okta for Good.
Heiniger’s first question to the panelists asked them to consider how they define who is the ‘most vulnerable.’
“My main goal is to protect the city, and it’s easier than ever to be a cyber criminal right now,” Makstman said. He noted that the democratization of cyber crime has hit San Francisco “like a wave,” straining resources available to the approximately 50 agencies that the city supports to help communities protect themselves. “The COVID-19 pandemic has also really upped the expectations for digital services that local governments like ours need to provide. Every community is expecting to be able to consume government services through digital means. This increase in demand, coupled with not enough supply, is exposing a lot of critical services to the wave of cyber crime. It’s a full-time job.”
Rosenzweig explained that Okta celebrates the trend that every organization is becoming a tech organization, “but the flipside of the coin is that it means every organization is vulnerable to tech-based threats,” and “no one is immune from this.” He added that corporate funders only provide about four percent of philanthropy in the U.S. — “a drop in the bucket” to address these growing threats.
In June 2022, Okta announced the launch of a Nonprofit Cybersecurity Portfolio and $1,020,000 in grants to support six different organizations and projects — including CLTC and the CyberPeace Institute — aimed at providing better security across the social sector. “When we think about supporting civil society actors, Okta is not the difference maker, but we operate with less scrutiny and oversight, so we can take more risks and help shed light on the path for other potential funders who are less comfortable with funding cyber projects,” Rosenzweig said.
Ogée explained that the NGO sector is more vulnerable than ever, as organizations are exposed to threats that were foreign to them in the past. “Criminals see an opportunity to attack organizations with low resources to protect themselves, because the payout is big and the police just don’t care as much,” he said. Ogée noted that the key is to channel resources from academia and and industry level to help organizations with emerging needs. He shared how the CyberPeace Institute — through its CyberPeace Builders program — enables humanitarian NGOs to build cybersecurity capabilities quickly, for free, by matching them with corporate-sector cyber experts who volunteer their cybersecurity support.
CLTC’s Ann Cleaveland discussed the work the Consortium of Cybersecurity Clinics is doing to generate change and offer solutions toward cyber civil defense. “At the Citizen Clinic, we quickly realized that to make a dent, we need a whole network of cybersecurity clinics,” Cleaveland said. “We began the Consortium with the goal to establish or expand a university-, college-, or community college-based cyber clinic in every region of every state serving their communities.”
The panelists discussed how establishing and nurturing relationships with people in their local communities is paramount to shaping the future of cyber peace. “The power and success of how San Francisco handled COVID was due to our engagement with non-profits and community-based organizations to deliver services,” Makstman said. “We also realized through the nature of this engagement that these organizations collect and maintain a lot of sensitive data, but don’t necessarily have the staffing or experience to manage their cybersecurity.”
Makstman explained that San Francisco formed a steering committee to connect local cyber professionals to help local non-profits, as well as look into new funding sources, contracting processes, and performance measures around cybersecurity. “We want to maintain the trust of our communities through the services we provide,” he said. “Research out of CLTC shows that vulnerable populations are more likely to be victimized, but also have the lowest levels of trust in government services. We know local government isn’t the answer — we have to work with our non-profit partners.”
Rosenzweig also cited the COVID response of Silicon Valley as a model for how companies can come together to collaborate with their peers and competitors in the marketplace as part of a pre-competitive strategy. “When we’re in a situation talking about threats to civil society, we can often make connections focused on solving problems and helping people,” he said. “There’s an understanding among these companies about the greater need.”
Piggybacking on the idea of multisectoral collaboration, Cleaveland shared how CLTC is connected to each of the co-panelists’ organizations in different ways, offering a “pantry of solutions” toward cyber civil defense. “Adrien and I have a vision that some day, the alumni of our cybersecurity clinics will enter the workforce and become CyberPeace Builder volunteers,” Cleaveland said. “The Citizen Clinic is working with the City of San Francisco to see how our clinic services can fit in their grander strategy. In the Consortium, we’re seeing more and more university-based clinics in formal collaborations with city governments and municipalities. There’s something special about the scale of both entitites that make it possible to work together.”
Makstman referenced a program launched in 2015 called Civic Bridge, which matches civic challenges with skilled volunteers across the private sector to co-create solutions for the City and County of San Francisco. “We haven’t really applied this program to cybersecurity, so here is an opportunity for Silicon Valley to come in and provide professionals and innovative models to help the community,” he said. “We need more pro-bono models like the Clinics and CyberPeace Builders. It’s not about access to technology or licenses; it’s about bringing the right people together to help solve cybersecurity challenges.”