This summer, the UC Berkeley Center for Long-Term Cybersecurity (CLTC) convened the second-annual Civil Cyber Defense Summit, a one-day conference that brought together cyber defenders, academics, and policymakers with a shared mission of protecting our most vulnerable public infrastructure against cybersecurity threats.
Held at the International Spy Museum, in Washington, DC, the Summit featured keynotes and panels focused on how organizations across sectors can work together to protect vulnerable community organizations like hospitals, cities, school districts, and nonprofits from ransomware and other digital threats.
This year’s event drew twice as many registrants as the inaugural 2023 event, which was “emblematic of this growing movement and how important these conversations are,” said Ann Cleaveland, Executive Director of CLTC, in her opening remarks. “These conversations about community cyber defense are talked about at other cybersecurity conferences, but are not always front and center.”
Cleaveland noted that last year’s event spawned diverse new initiatives, such as the Partnership to Advance Cybersecurity and Education (PACE), a joint effort between CLTC and the U.S. Department of Education to improve the defensibility and resilience of K-12 digital infrastructure, as well as growing interest and adoption of university-based cybersecurity clinics at diverse academic institutions in over 20 U.S. states.
“So many things get born out of the Cyber Civil Defense Summit because of the connections that you all make while you’re here,” Cleaveland told the audience. “No one is alone in scaling local, regional, and tribal cybersecurity defense.”
Data-Driven Resilience
The theme of this year’s Cyber Civil Defense Summit was “data-driven resilience,” a concept aimed at centering the importance of using evidence-based approaches to improve the security of public interest organizations.
“We’re asking some big questions,” said Sarah Powazek, Program Manager for Public Interest Cybersecurity at CLTC. “What works and why? How can we serve more organizations and help more people? What are the right long-term solutions for community cyber defense, and how can we measure them?”
Powazek noted that while there have been positive developments from the federal government over the past year, such as the National Cyber Workforce and Education Strategy, CISA’s High-Risk Communities initiative, and the National Security Memorandum on Critical Infrastructure Security and Resilience, more work needs to be done at all levels to help protect civil infrastructure across the U.S.
“This is still a historically under-prioritized issue, and the communities that we care about are still struggling to defend themselves,” Powazek said. “It’s not enough for us to just highlight these programs. It’s actually crucial that we study them, that we benchmark them, and that we begin to scale and coordinate between different programs to find the most effective combination of solutions for community cyber defense.”
“There’s no one-size-fits-all solution,” Powazek said. “Every single one of you is part of the solution, which is exactly why we convene this gathering every year — to further connect members of this community with the policymakers and changemakers in D.C. helping to scale these solutions.”
Key Takeaways
The Summit’s panels and presentations surfaced a range of valuable insights.
- Collaboration is essential for success.
- Preparing in advance for cyberattacks is essential and challenging, requiring broad engagement (and ego management).
- Cyber is inherently a social challenge — and expanding awareness should be a priority.
- Cybersecurity needs to be made accessible and understandable.
- Evidence-based solutions are needed to shape a cyber-secure future.
- Volunteer-based programs like cybersecurity clinics are essential — but more must be done to provide incentives and fill the talent pipeline.
- High-level coordination and scalable solutions will achieve greater results.
- Funding from the public, private, and philanthropic sectors is badly needed to bolster the cyber defense of the most critical organizations in our communities — and must support equitable participation and representation of the communities served.
1) Collaboration is essential for success.
A recurring theme echoed repeatedly during the Summit is the vital importance of collaboration and broad engagement — whether through partnerships between public- and private-sector organizations, improved coordination between local and state agencies, or engagement of the individuals within any organization.
This idea was reinforced in a keynote presentation by Paula Starr, who leads technology delivery for the 460,000 citizens of the Cherokee Nation, the United States’ largest federally recognized tribe. Starr stressed that the Cherokee tribal nation does not always receive the support it needs from the state or federal government, but it has benefited from relationships with federal agencies such as the White House Office of Science and Technology Policy and CISA.
“We really need to get the rest of our workforce more involved in cyber,” Starr said. “We need to make it less clinical, more human. It needs to be more about the things that we’re protecting […] We need to get to that place where we have our employees join in the fight with us, instead of them just being the most vulnerable part of our cyber protections.”
Starr shared a Cherokee value — “In the mind and heart, always have the thought of working together” — as a reminder that collaboration is essential. “This value is the key to everything going forward,” she said. “If we work together, we share what we know, we share our knowledge, or we make connections like we’re making today, that’s how we get to the place where we’re protecting tribal nations in the way that we need to protect them. Or we’re protecting non-profits in the way that we need to protect them. It all comes down to working together.”
2) Preparing in advance for cyberattacks is essential and challenging, requiring broad engagement (and ego management).
How can organizations with limited resources best prepare for cyber incidents? One of the Summit’s panels focused on a commonly used approach: simulations and exercises. The panel, “Strategic Preparedness Simulating Attacks and Closing Vulnerabilities in Critical Infrastructure,” drew perspectives from individuals from different sectors, including elections, healthcare, and energy grids.
The panel featured Michael Moore, CISO at the Arizona Secretary of State’s Office; Jesse Sythe, GridEx Program Manager at E-ISAC; Aaron Weismann, CISO at Main Line Health; and Danielle Jablanski, OT/ICS Strategy Lead at Nozomi Networks. The panel was moderated by Safa Shahwan Edwards, Director, Capacity Building & Communities at Atlantic Council’s Cyber Statecraft Initiative.
Among the takeaways is the importance of customizing exercises to suit the specific context of each organization. “The scenario matters very much,” Jablanski said. “There’s a lot of work you can do before an incident or an exercise to tailor and use contextual information about your organization to really get the scenario right, so that you’re not just preparing for something on a shelf and preparing for your best-case scenario.”
It’s also important to engage a broad range of stakeholders, and conduct exercises on a regular basis. “Practice makes permanent,” Moore said. “It’s important to get as many drills under folks’ belts as possible, especially for the folks that are new.”
“We actually crowdsource the scenario information every time we generate an exercise,” Sythe said. “We’ll bring in subject matter experts from across North America, and from industry and government. We effectively ask the question, ‘what are the most concerning threats that are impacting our grid, today and in the future?’[…] And then, of course, whatever they answer, we put it into the exercise.”
It’s also important to get executives involved, in part to anticipate the “ego management” needed to solve problems in the face of a crisis. “I won’t say I don’t derive a little bit of pleasure from making a room full of CEOs freak out and go, ‘Wait, we don’t have a plan for that?’” Sythe said. “What it leads to is real action, real policy and strategy changes. […] That can be sweeping and make us more resilient as an industry as a whole.”
3) Cyber is inherently a social challenge — and expanding awareness should be a priority.
Several of the panels highlighted the importance of clear, accessible communication in helping to generate awareness and buy-in about cybersecurity as a common challenge.
In a fireside chat with Ann Cleaveland, Craig Newmark, founder of craigslist and Craig Newmark Philanthropies — and the lead sponsor of the Summit — emphasized this point. “This is a social phenomenon,” Newmark said. “We need to work in a constructive and respectful role with regards to everyone, getting them to defend their systems and getting them to prepare for resilience.”
Newmark stressed the need for public awareness campaigns to make sure more Americans understand their role in protecting digital networks. “We need folks like Consumer Reports to rapidly accelerate toward ‘cyber trust marks’ [and] nutrition labels that will tell you if that product you’re about to bring into your home network has been tested in good faith,” Newmark said, joking that we need a new version of Smokey Bear. “What we need is this marketing or advertising campaign to tell everyone, ‘Hey, we’ve got a problem, but only you can prevent forest fires.’”
4) Cybersecurity needs to be made accessible and understandable.
Explaining concepts to business leaders in a way that is relevant to their mission is also part of the solution. “The businesses do not care if you cannot interpret your results,” said Aisha Ali-Gombe, Associate Professor at LSU and Director of the LSU Cybersecurity Clinic. “They want to know how you can take those results and interpret it into their business mission, their objectives, and their obligations.”
“We have to remember that not everyone’s going to understand what we’re talking about,” said Ameerreia Rollins Campbell, a student in the Cybersecurity Diversity, Equity, and Inclusion Clinic at Stillman College. Stillman’s clinic provides cyber support to minority-owned small businesses in Tuscaloosa, AL and its surrounding areas. “You have to always remember to […] make it easier for [clients] to understand what they’re needing and what you’re presenting to them.”
5) Evidence-based solutions are needed to shape a cyber-secure future.
Cybersecurity researchers and practitioners cannot blindly assume their practices are working, but rather should use evidence and data to verify and test their methods.
In a panel on “Academia’s Role in Cyber Defense,” Jeffrey Tully, Co-Director of the Center for Healthcare Cybersecurity at UC San Diego, explained that his organization conducted a randomized, controlled trial on the effectiveness of training employees to detect and avoid phishing scams. The conclusion: “At the end of the day, after we analyzed the data, phishing training probably doesn’t work,” Tully said. “You’re probably just as likely to fall for a phishing scam after you’ve had a couple of webinar trainings as you were beforehand.”
Academia can play an important role in providing this evidence. “Part of the role of academia is bringing our skill set… to move cybersecurity toward evidence-based practice,”said Craig Jackson, Deputy Director, Center for Applied Cybersecurity Research at Indiana University, who helped shape the Trusted CI Framework. “Too many standards are the result of a few people getting together in a room, and a new standard or baseline control set gets spit out. We just can’t accept that anymore.”
6) Volunteer-based programs like cybersecurity clinics are essential — but more must be done to provide incentives and fill the talent pipeline.
Volunteer-based programs fill a major gap in supporting public interest cybersecurity, and the growth of the Consortium of Cybersecurity Clinics, and platforms like the Cyber Peace Institute’s CyberPeace Builders represent a major step forward. But volunteers can only do so much, and more incentives and investments are needed to continue to fill the gap.
“Are volunteers the right and fair solution to help the most vulnerable? Of course not,” said Adrien Ogée, Chief Operating Officer at CyberPeace Institute. “It should be that the private sector helps them and that the government fills the gap. But it’s just not the case today […] I don’t think that volunteer networks are going to disappear anytime soon just because there are so many organizations to help.”
“In an ideal world, CISA could put out guidance and there would be an IT professional in every organization across the country to be able to implement that guidance and to understand it. But that’s not the world we live in,” said Emily Skahill, Cyber Operations Planner, Joint Cyber Defense Collaborative (JCDC) at CISA. “Until we see that change in labor market incentives and in the way that grants are structured and things of that nature, cyber volunteer programs really do play a very critical role in helping to educate people within those organizations, as well as provide that hands-on support right at that moment where they’re needed.”
In a panel on “Congressional Actions to Defend Vulnerable Organizations,” Congressman Marc Veasey, who represents Texas’ 33rd district, and Congressman Eric Swalwell, who represents California’s 14th district, talked about the need for long-term investment in “schools and clinics, community colleges, and technical schools” in order to build “a healthy domestic supply” of cybersecurity practitioners.
“Congress needs to take a really close look at things like tax incentives […] to get people on board,” Veasey said. “As the technology advances, this is only going to get more challenging for us. […] For a lot of these lower-income communities in particular, you see a lot of them continuing to be left behind. At what point can we be realistic about their ability to be able to catch up? So we have to do more now.”
Swalwell encouraged audience members to engage in advocacy. “Don’t be afraid to call your member of Congress, even if you don’t like them,” he said. “And never miss the opportunity to have an ask. You wouldn’t believe how many meetings I take a day where there’s no ask. If you end up not being able to meet with your Congress member because they’re voting or in a committee hearing, don’t miss the chance to get really close with the staff […] really recognize and appreciate the role that the staffer can play. And finally, we love show and tell. If you have some demonstrative, especially in tech or cyber, bring your tablet, have a deck, walk us through something fun and engaging, where we can learn something.”
7) High-level coordination and scalable solutions will achieve greater results.
More coordination is needed to help the thousands of cities, hospitals, non-profits, and other civil institutions to implement cybersecurity practices. The government and others can support collective efforts by providing training resources and coordination.
Nick Leiserson, Assistant National Cyber Director for Cyber Policy and Programs at the Office of the National Cyber Director (ONCD), noted that “the government needs to take more of a role stepping in” because “cybersecurity is a shared responsibility […] We need to shift responsibility to more capable actors. Sometimes that’s government, sometimes it’s technology providers. We need to incentivize more investments in long-term resilience.”
“Scalability is the bread and butter of how ONCD thinks about challenges,” Leiserson said. “How do we think about how we are going to effectuate any of the goals that we have? They have to be scalable.”
“We’ve all got to be steering in the same direction because otherwise, we’re not going to be doing our jobs the best we can,” said Michael Klein, Senior Advisor for Cybersecurity at the U.S. Department of Education. Klein noted that his office has been disseminating training resources and sharing best practices to help school districts across the country.
“Everybody has a role. They should be doing basic things like helping to implement multifactor [authentication] in the district, making sure that anything that touches the internet is patched, and helping with phishing training. But beyond that, it’s very hard for most school districts to do much more around cyber. And so what does that mean? It means that we need to leverage the power of all the different levels of government and the private sector. And so that’s what we’ve been trying to do.”
8) Funding from the public, private, and philanthropic sectors is badly needed to bolster the cyber defense of the most critical organizations in our communities — and must support equitable participation and representation of the communities served.
Throughout the Summit, a lack of funding was highlighted as a key barrier to bolstering organizations’ cyber defenses. While some speakers named recently introduced government programs and grants that are helping to fill the funding gap, many shared that more needed to be done.
During the Congressional panel, moderator Nicole Tisdale, Senior Advisor to the Aspen Institute’s Cyber Program, asked both representatives, “Do you think Congress is appropriately funding not just our critical infrastructure owners and operators, but the backbone, the nonprofits that support those communities as well?” in response to which each congressmanCongressmen delivered an emphatic “no.”
“Funding is increasing, but obviously, we need more of it,” said Tully. “For policymakers, if there’s a way to encourage states to list cyber clinics as approved sources for funding, that would be particularly helpful.”
Speakers from the public sector also spoke about establishing partnerships with small and large businesses in the private sector to help them see the value of public interest cybersecurity and the role each sector must play in the cyber civil defense ecosystem.
On several occasions, the need both for greater funding and greater equity in both access to resources and representation in the field of cyber was underscored. “Lack of funding is a problem,” said Starr. “And to me, it’s also a lack of equitable funding. I’ll be honest and tell you that had it not been for [American Rescue Plan Act] funds, I’m not sure that we would have the greatest cybersecurity posture right now. It’s a little sad that it took a global pandemic for us to get the funding we needed to get there.”
“We have to have that funding and people that look like me,” said Rollins Campbell. “Representation matters.”
At a pragmatic level, Tisdale astutely summarized that the summit included “a roomful of advocates” and that a goal of the gathering was to spotlight that “We don’t just need fire alarms when we talk about protecting vulnerable populations. We need fire trucks.”
Planning is already underway for the Cyber Civil Defense Summit 2025, made possible with the support of Craig Newmark Philanthropies. Event sponsorship opportunities are available and inquiries as well as suggestions for speakers and topics are welcomed at cltc@berkeley.edu.
