On June 14, the Center for Long-Term Cybersecurity (CLTC) hosted the inaugural Cyber Civil Defense Summit, a daylong conference focused on exploring novel solutions to help non-profits, local governments, hospitals, small businesses, and other community-based organizations defend themselves online.
The sold-out event drew more than 100 participants, including high-level cyber professionals, academics, government officials, and journalists, who convened to discuss creative programs aimed at bolstering the cyber resilience of public interest organizations.
“The group that’s here today represents communities that are rising up across the country to protect the institutions that uphold public life,” said Ann Cleaveland, Executive Director of CLTC, in her opening remarks. “No one is alone in scaling local and regional cyber defense. We wanted to celebrate that, and make sure we’re all learning from each other and the incredible things that each of you is doing in the field.”
“There is a tremendous amount of work going on at the local level to protect vulnerable organizations, and we’ve brought the leaders into this room,” added Sarah Powazek, Director of CLTC’s Public Interest Cybersecurity Program. “We aren’t here just to learn about what programs exist. We are here to analyze and to collaborate…. Our sincere hope is that each of you comes away from today having made one new connection or discovered one new innovation that will help you amplify your work.”
Working to Protect the Technology Ecosystem
In the day’s first keynote presentation, Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA), focused on the need for collective action against cyber threats. “Cybersecurity is an area that truly takes teamwork to protect the nation from cyber threats,” Easterly said. “We are a community of cyber defenders, working to protect the technology ecosystem.”
Easterly also stressed the importance of continuing to raise awareness around cybersecurity issues, including by integrating cybersecurity into K-12 education and strengthening infrastructure across the country, particularly in rural areas. She emphasized how it is “important we do everything we can to not leave anyone behind in the digital revolution.”
She lauded some of the cyber civil defense initiatives already underway across the country, including cybersecurity clinics involved in the Consortium of Cybersecurity Clinics, and the Institute for Security and Technology’s Ransomware Task Force. She also noted that CISA has its own efforts under way: the agency has hired over 1,100 people to create a “nationwide connective tissue for cyber defense,” and launched the Pre-Ransomware Notification Initiative, which has already sent nearly 300 notifications this year to warn entities of impending cyber attacks.
She reiterated the importance of addressing the needs of “target-rich, cyber-poor” institutions such as schools, utilities, and election entities, and underscored the need for “even greater emphasis on cyber education and best practices to implement cyber hygiene, so civilians have the resources they need to protect themselves.”
Shifting the Cyber Poverty Line
In the Summit’s second keynote, Wendy Nather, Head of Advisory CISOs at Cisco, talked about the challenges in balancing safety and privacy in security, and highlighted how even those who don’t use any technology are affected by cybersecurity practices. “We need to democratize security,” she said. “We need to think about how cybersecurity can work for you, not your company or some authoritarian figure.”
She noted that local cyber clinics and universities are important to our collective future when it comes to cyber defense as they are helping to build organizations’ capacity to defend themselves while training a diverse cybersecurity workforce. “We want to give people expertise, not just awareness,” she said.
Nather also called for the “need to push for great diverse talent at the top, not just the bottom,” as well as expanding who participates in cybersecurity. “We need to include other organizations at the table that are not just banks and big institutions,” she said. “We need to invite the mom-and-pop shops and small organizations, and let them have a seat at the table.”
A Champion for Cyber Civil Defense
The day’s third keynote talk featured Craig Newmark, founder of craigslist and Craig Newmark Philanthropies. Newmark coined the term “cyber civil defense” and has been a major supporter of the public interest cybersecurity field, including through his pledge of $100M for the Cyber Civil Defense Initiative, a set of grants to promote a whole-of-nation response to cyber attacks.
“Cyber Civil Defense is my nerdy attempt at saying something that might mean something to people,” Newmark said. “We need people to champion these efforts through the nation, the world, and in their enterprises. What this requires is trust.”
Newmark explained that he was compelled to focus his philanthropy on cyber civil defense because he “drifted into this notion that I should help out people to defend and protect people in this country,” and he likened the situation to “life during wartime, people are under attack and people need to work together to make things happen.” He noted that success comes from “efforts like this [Summit], where people are starting to work together and talk together.”
Newmark also discussed areas that he considers ripe for innovation, including more widespread adoption of passkey-based authentication, as well as new consumer-grade technologies that can “run in our houses that go around looking for things that might go wrong.” He expressed hope that, in the future, it will become a social norm for people to help each other out with cybersecurity literacy. “One thing we’ve learned with [large language models] and artificial intelligence is that things are changing faster and more unpredictably than we thought,” he said. “Democratizing computer literacy will help so everyone knows what is going on, rather than a small number of bad actors.”
Panels and Fireside Chats
The Summit included a series of panel discussions and “fireside chats” throughout the day. In one conversation, Sarah Powazek talked with Joel Todoroff, Special Counsel for Cybersecurity in the Office of the National Cyber Director (ONCD), and Matt P. from the Internet Fire Brigade Society, about initiatives focused on garnering volunteers to assist ransomware victims with recovery and defense against future attacks.
Todoroff stressed the importance of the 2016 Presidential Policy Directive (PPD 41), which has helped the Department of Homeland Security (DHS) and CISA in their efforts to reduce the harms of ransomware. While noting the important role of government agencies, Todoroff also encouraged audience members to engage with volunteers from the private sector. He explained that ransomware calls for a “whole-of-government policy response” that is coordinated by the ONCD, which has a role to “coordinate everyone to ensure that people are working off the same sheet of music.”
In another panel, Ann Cleaveland led a conversation with representatives from members of the Consortium of Cybersecurity Clinics. The panel featured Dr. Kevin Harris, Program Chair, Computational and Information Sciences at Stillman College; Steve Zuromski, Vice President for Information Technology and Chief Information Officer at Bridgewater State University; Dr. Yoohwan Kim, Professor of Computer Science at the University of Nevada Las Vegas (UNLV); and Scott Shackleford, Provost Professor of Business Law and Ethics at the Indiana University Kelley School of Business.
The panelists discussed the day-to-day challenges of running cybersecurity clinics, including the importance of connecting with the needs of the local community. In establishing Stillman College’s cybersecurity clinic, for example, Dr. Harris explained that he looked to the model of UC Berkeley’s Citizen Clinic, but focused his efforts on the needs of Stillman’s community. “Being in Alabama, we are in the state with the most historically black colleges and universities (HBCUs),” Harris said. “That should be our focus — working with minority-owned small businesses.”
Shackleford explained that Indiana University’s cybersecurity clinic is focused on helping local governments, as teams of students will provide help in conducting 342 cybersecurity assessments of local governments across Indiana over the next four years. “It takes a lot of relationship building to establish a successful clinic,” he said. “When bringing new programs off the ground, the biggest key to success is involving multiple constituent groups, in particular, the state government.”
Zuromski and Kim agreed that cybersecurity clinics are playing an important role in developing a pipeline for experienced professionals. “What we heard from industry is that they are tired of having students coming to them with degrees in cyber security without hands-on practical experience, and these cybersecurity centers give students that experience,” Zuromski said.
One panel focused on scaling cyber defense for state and local partnerships. The panel featured Mikki Munson, Wyoming Cybersecurity Advisor at CISA; Eric Franco, Cybersecurity Preparedness Coordinator at the Wisconsin Department of Emergency Management; Max Fathy, Ecosystem Program Manager at the MassCyberCenter at MassTech; and Mikyung Kim-Molina, Regional Project Manager at the Bay Area UASI. The panel was moderated by Monica Ruiz, Program Manager, Digital Diplomacy at Microsoft.
And another talk focused on expanding the adoption of free resources designed to help organizations improve their cybersecurity posture. Moderated by Katie Nickels, Director of Intelligence at Red Canary, the panel featured Sandy Radesky, Associate Director for Vulnerability Management at CISA; Victor Cordon, Senior Manager of Social Impact at Okta; Amira Dhalla, Director, Impact Partnerships and Programs at Consumer Reports; and Phil Rettinger, President and CEO at Global Cyber Alliance.
In their conversation, the panelists encouraged organizations to take advantage of their existing resources, including the Global Cyber Alliance’s Cybersecurity Toolkit, Consumer Reports’ Security Planner (“a platform where you click on concerns you’re worried about, and it lists the steps to take based on the issue you’re facing,” Dhalla explained), and a variety of cybersecurity services and tools offered by CISA.
Policies, People, Partnerships
A scheduled panel with Congresswoman Yvette Clarke and Congressman Eric Swalwell had to be cancelled due to a pending floor vote in the House of Representatives, but Swalwell sent a pre-recorded video in which he discussed the importance of broadening public defenses against cyber threats, drawing on his experience serving on the House Permanent Select Committee on Intelligence.
“I’ve seen cybercriminals and our foreign adversaries become more sophisticated in their efforts to infiltrate our critical infrastructure — from attacking our hospitals to our schools to state and local governments,” Swalwell said.
Swalwell cited the efforts of the Biden Administration and Congress in providing authorities and resources to detect and disrupt cyber attacks, particularly for state and local governments, and he talked about the National Cybersecurity Strategy, which he said “is working to realign responsibility for cyber risk from end users, like hospitals and local governments, to those better positioned to reduce risk, while encouraging the adoption of better security practices for technology providers and critical infrastructure owners and operators.”
However, Swalwell acknowledged that “more needed to be done,” especially in improving cybersecurity for the most vulnerable communities. He emphasized the importance of focusing on three key areas — policies, people, and partnerships — and he expressed his confidence in the collective ability of Republicans, Democrats, state and local governments, and the private sector to reduce risk and build resilience. He specifically mentioned his interest in codifying and enhancing the capabilities of the CISA’s Joint Cyber Defense Collaborative (JCDC) to improve public-private operational collaboration.
Additionally, Swalwell discussed the potential of the cyber insurance market to drive better cybersecurity practices, reward good behavior, and provide support to cyber victims. “I’m encouraged that the Biden Administration is working to understand the impacts of cyber attacks with systemic consequences and exploring the possibility of a catastrophic event so that there’s a backstop to stabilize the insurance markets,” he said.
A Local Lens of the National Cyber Strategy
The day’s final panel focused on implementing the National Cybersecurity Strategy (NCS) at the state, local and tribal (SLT) levels. Moderated by Katie Brooks, Director of Cyber Partnerships at Aspen Digital, the panel featured Drenan Dudley, Assistant National Cyber Director for Budget Review and Assessment at the Office of the National Cyber Director (ONCD), and Caitlin Clarke, Assistant National Cyber Director for Planning and Operations at the ONCD.
The panelists discussed the strategy’s focus on rebalancing and how its success would benefit SLT organizations. They emphasized the importance of reducing the burden on those least able to bear it and ensuring cybersecurity contributes to economic prosperity. “Because critical services happen at the local level, and not at the federal level, public-private partnerships are crucial to implementing this strategy,” Clarke said.
The panelists also highlighted the value of information sharing and operational collaboration. Dudley encouraged individuals in the room to contribute to the strategy’s goals by following the roadmap outlined in the implementation plan, and by sharing the plan with their networks.
The average person should care about this National Strategy because “it’s really about the people it’s protecting and the economy,” Dudley said. “Cybersecurity enables innovation and advances along with other modern economies (or maybe even better).”
Clarke emphasized the importance of creating a digital environment that is secure for everyone. “It is our duty to make an ecosystem that makes everyday activities more secure and safe,” Clarke said. “We will never reduce risk to zero, but if we can get to a place where it is greatly lessened, that is a success.”
This article was produced with the support of Glen Echo, CLTC’s public relations partner.