Redefining CyberSecurity

From Ad-hoc Solutions to Systemic Approaches to Securing the Internet's Infrastructure: Introducing The Common Good Cyber Initiative | A Conversation with Phil Reitinger, Josh Corman | Redefining CyberSecurity Podcast with Sean Martin

Episode Summary

Join Sean Martin and guests, Phil Reitinger and Josh Corman, as they shed light on the pressing need for structured, financially-backed efforts to secure the internet's critical infrastructure. Tune in to gain insights on their collaborative work with the Common Good Cyber initiative and how you can become an active participant in this critical mission.

Episode Notes

Guests:

Phil Reitinger, President and CEO, Global Cyber Alliance [@GlobalCyberAlln]

On Linkedin | https://www.linkedin.com/in/philipreitinger/

On Twitter | https://twitter.com/CarpeDiemCyber

Joshua Corman, Founder, I am The Cavalry [@joshcorman]

On Twitter | https://twitter.com/joshcorman

On LinkedIn | https://www.linkedin.com/in/joshcorman/

____________________________

Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin

____________________________


Episode Notes

In this episode of the Redefining CyberSecurity Podcast, host Sean Martin engages with guests Phil Reitinger and Josh Corman to discuss the importance of financial backing and coordinated efforts in maintaining the security of the internet's infrastructure. Both guests emphasize the necessity for systemic approaches to sustain critical online operations, and the need to move from a reliance on generous volunteers towards more strategic, financially supported initiatives.

Reitinger and Corman cite several initiatives and organizations they've been involved with, such as Global Cyber Alliance, I Am The Cavalry, and others, illuminating their efforts to address cybersecurity issues. They also express the hope that the collaboration they've begun with the Common Good Cyber initiative will lead to broad systemic solutions. The podcast brings to light key industry players, from large corporations to governments and non-profits. The episode serves as a solid call to action, urging everyone to be part of a 'coalition of the willing' to secure the common good of the internet.

The Common Good Cyber initiative kicks off with a workshop in Washington DC. The workshop exists as a platform to gather diverse perspectives from cybersecurity stakeholders ranging from government representatives and corporations to non-profit organizations. It is designed as a three-part effort, starting with understanding the urgency and identifying existing solutions, followed by brainstorming new solutions, and finally merging into a joint action plan to address the identified problems. The entire idea is to transition from simple plans to concrete action, which is the most challenging step. Moreover, the workshop is not just a one-off event but a launchpad for the Common Good Cyber initiative. It aims to understand the most viable solutions from the community, develop coherent strategies, and work on implementation beyond just the initial event.

___________________________


Resources

About Common Good Cyber: https://commongoodcyber.org/

Workshop Overview: https://commongoodcyber.org/events/

Workshop Agenda: https://commongoodcyber.org/wp-content/uploads/2024/02/Common-Good-Cyber-February-Workshop-Agenda.pdf

Wendy Nather's Cyber Poverty Post: https://www.linkedin.com/posts/wendynather_securitypovertyline-cyberpoverty-cybercivildefense-activity-7165733967113957376-80jy

___________________________


Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

Sean Martin: [00:00:00] Hello, everybody. This is Sean Martin, a host of Redefining Cybersecurity podcast. You're all very welcome to a new episode today, where I typically get to talk about all things, uh, operationalizing security and often focuses on programs and people and processes and how all that fits into an org to, to make them, uh, operate more securely to protect the revenue they generate and hopefully even help generate some revenue in a safe way. Um, it's easy to forget that there are people behind all this stuff and uh, they they make it all work and we need to support those folks in a in a good way and there are a number of initiatives around that uh, that try to help with this and I came across one the other day that's uh, Common Good Security is the name of it and I was like, I want to learn more about this.
 

There's a lot of logos attached to it. Some names that I'm familiar with [00:01:00] as well, folks that I've spoken with in the past. Um, I want to learn more and hopefully my audience does as well. So I'm thrilled to have Phil and Josh on the show today. Thanks guys for being here.  
 

Phil Reitinger: Glad to be here, Sean.  
 

Josh Corman: Thank you. 
 

Sean Martin: It's good. Good to meet you and see you as well. And you have a big event coming up in a couple of days. I get, I get some fun to, uh, to produce this on, uh, on rapid pace after we're done recording, which I'm thrilled to do and happy to do. Uh, it's a workshop in, in, uh, DC, February 26th and 27th. So folks who can make that, of course, we'll make a call to action at the end as well. 
 

It makes no sense unless you know what it is. And that's what we're here to talk about today. So, uh, before we get into those nuts and bolts, a few words from each of you about who you are, what you're up to and why you are part of what we're talking about today. And Phil, I'll lead off with you.
 

Phil Reitinger: Sure, Sean. 
 

Thank you. My name's Phil Reitinger. Um, I'm the [00:02:00] president and CEO of the Global Cyber Alliance, which is a global nonprofit that works on cybersecurity implementation. Why I'm involved in this is I've I've been doing cyber security for over 30 years now, roughly, uh, and, you know, a lot of the problems have stayed the same part of the challenge is that, you know, in other infrastructures, right in the highways, governments are essentially responsible for going around and fixing potholes, um, in the power lines, it's public utilities or commercial utilities. And everybody's got a funding model and a set of roles and responsibilities that go with it. So we get the services we need. That's not how the internet works. Um, the Internet works to a very large degree. Companies do some things, government do some things.
 

The number of volunteers or non profits out there who go around and fix potholes, or, you [00:03:00] know, build highways, or keep the Internet running, by analogy, is really quite shocking, and the level of support for those people is, you know, it is at best, at best razor thin. Um, and so we need to do something to solve that, and I'm not suggesting we move away from the multi stakeholder model.
 

The Internet's given us a lot because of that, but we've got to find ways to support the people who are doing the work. So, the answer to the question is, will the Internet be there tomorrow, or can I surf the web, is not "probably."
 

Sean Martin: Nice one. Nice one. Good intro. And Josh, I Am The Cavalry, huge fan of what you do there. One of many things you're involved with. What's going on?
 

Josh Corman: Um, when I saw that this, uh, initiative was being launched to kind of look across myriad nonprofits, all doing different pieces of the, of the big, bigger picture, [00:04:00] I kind of felt like I had to, uh, get involved myself. Um, so I was happy to see this happening and I bring a pretty different perspective. Um, I Am The Cavalry never took any funding. So we turned a decade old on August 1st. We've done a lot of this just through sheer grit and stubbornness and trying to do the right thing the right way and build trust, meet people where they are identified by down risk.

Sometimes we've bobbed in and out of other nonprofits, like I did a stint at the Atlantic Council running the Cyber Statecraft Initiative for a couple of years or congressional task force. And then during the pandemic, I went into CISA to design and implement Cisco task force. But I think we've gotten our hands dirty and we've tried to be the ones that try to bring some urgency and pragmatism and find something that sucks and make it suck less.
 

And we've got a pretty good track record at the same time. When I saw this initiative start, I said, we've got some good things going on, but the world's getting worse faster. And, um, we have to find some way to [00:05:00] talk amongst ourselves and pick the right targets and make sure that we don't have. Maybe funding or maybe support or maybe alignment, but conscious, deliberate, common cause, common purpose and common impact.
 

So I'm, um, cautiously optimistic to meet with all these other groups, um, and really find a more sustainable model too, because we don't want something that the cavalry didn't want to find problems and own them. We wanted to find things that fell between the cracks of the public private partnership where the private sector, you know, public sector can't do it, but the private sector won't do it. 
 

We wanted to catch those dropped balls, make sure we reduce harm, but eventually you want to get those integrated into the system. So they're owned and funded properly going forward. But too much of this, uh, internet and critical infrastructure depends on volunteers with bubble gum, bailing wire, duct tape, a little statue of Mary, maybe a prayer.
 

Uh, and, and that's not gonna, gonna cut it going forward. So  
 

Sean Martin: I can see the, I can see the candle burning, Josh.

Josh Corman: That's right. [00:06:00] And also we're aging out to some, some people, you know, we're losing some of our best, um, altruistic, you know, pillars of industry to either age retirement to death. Um, and, uh, we, we need a more comprehensive aligned and strategic sustainable plan.
 

So I'm really eager to see what we come up with, at least for the beginning of an initiative. Did I answer your question?

Sean Martin: It does. It does eloquently as always, Josh. And, um, And meaningful, too. It's not just, uh, not just smoke. This is important stuff, and, and Phil, I, I want to, I want to get your view on what, so you gave a nice analogy of, of the, the, I'll call it the road infrastructure, if you will, um, can you maybe shed a little more light on some of the real things that, that you see happening, you see coming, uh, that this, this initiative is really aimed at, you [00:07:00]  
 

Phil Reitinger: Sure, Sean. 
 

So, um, this all started about a year and a half ago when we had a meeting in Europe that included a bunch of nonprofits, and it was super interesting because all of the nonprofits around the table, and this is a bunch of entities that do. Mission critical stuff for the internet. Things that ordinary people would, although they don't know it, miss if it were not there. 
 

Um, and their story was essentially this. Cybersecurity funding for us to do what we do is, you know, is almost non existent. And if it's there, it's to build the new thing, not to make sure that the old thing that everybody depends on continues to work. Uh, and so we started a group getting together and we had a, we had a planning meeting for what we might do about this at the Canadian Embassy in D.C. last year. We had about 30 people involved, about [00:08:00] remote, about 15 in person, four from governments, people from industry and nonprofits and everybody wanted to do something more sustainable. You know, Josh talked before in his comments about, you know, we've really got to get serious about this, right? You, you see people stand up and say, Hey, you know, I do critical stuff and I don't have funding.
 

Um, or a group of non profits will say, Hey, we need funding, but nothing gets done about it. So Common Good Cyber is an effort to try and address that. To actually move from plans to action, which is always the hardest step. So, uh, we're kicking off the work. It's, it's actually intended not to just be, uh, an event or a conference, but a workshop to kick off an initiative. 
 

Um, to move us from ideas to action. So, you know, it's three half days. Essentially, the first half day is on getting everybody on the same page. The second half day is on brainstorming solutions. And then the third half day, the morning [00:09:00] of the 27th is about what do we actually do? What are the action plans? How do we move forward? So that, you know, by a year from now, let's say we want a cyber united way that we actually got it working cyber united way. 
 

Maybe we need a joint fund. Um, maybe we need joint fundraising. Um, those are the sorts of ideas we want to move forward on. And we've got a really good collection of people to kick off the work, uh, early next week.

Sean Martin: If I may, Phil, because what, if I'm understanding this correctly, is it, we're saying there will always be, kind of to Josh's point, places in the gaps.

One, one side, however many sides there are, will never pick up a note. And so we need to, we need to find a way, presumably through this initiative, to identify and fill those holes.
 

Phil Reitinger: I think we're [00:10:00] identifying and filling the holes. This initiative is about making sure we have the funding models for people who are doing that identification and filling those holes. 
 

And yes, to specifically answer your question, those holes will always exist because the Internet is unique, um, it is run by a multiple set of stakeholders, and it is global, right? Almost everything else rolls up somewhere, whether it's a government, or, you know, a particular set of private collector players that do everything. 
 

The internet is never going to be that way, um, you know, it's not Even as much as the US or the UK or Germany or France or Singapore contribute to the Internet, it's never going to be just their responsibility. There's always going to be cracks. There's always going to be, you know, a couple of people writing a piece of open source software [00:11:00] that's going to become critical and used by everybody. 
 

And it's not going to get funded. The upkeep's not going to happen unless we've got a mechanism to, to identify how do we fund those people and how we help.
 

Josh Corman: There's, um, and the world is changing too, right? So when some of these excellent initiatives were started, even if they were funded, um, you know, we should be paying attention to evolutions in how dependent societies are on this connected technology, what the adversaries are doing, how aggressively they're doing it.
 

And the funding cycles and the the caloric effort to make to stand up an effort to staff an effort to keep fundraising for that effort to keep executing for that effort. It's non trivial. So how do we make sure that there's a strategic plan across these different funders and funding sources and [00:12:00] projects that pay attention to which things are rising, which are falling, which are evergreen, you know, more, more conscious, deliberate and planful, um, that maybe just scattershot with anything in cyber security, you go to RSA Conference or Black Hat or DEF CON.
 

There's always the new hotness, so it's easier to get conversations about the new hotness. It doesn't necessarily mean those are the most important things. Or the most, um, or the ones that we can draw attention away from. So for me, like, for example, I think a lot of the public private partnerships, um, tend to be focused by accident or maybe on purpose for the haves, not the have nots. 
 

So when I was during the doing the Cisco task force, we saw 85 percent of the owners and operators of hospitals or water and wastewater or electrical municipal grids or food supply. They're target rich, but cyber poor. And that's an area where Phil's organization has cared about the cyber poor a lot more than say public private partnerships have.[00:13:00]  
 

You know, the poor don't have the lobbyists, they don't spend time in DC, they don't end up on the news. And when we talk about best practices or volunteer y things, these are things that are the privilege of very wealthy, well funded, larger critical infrastructure operators. But zoom out, you know, believe your own eyes, we've had successful cyber disruption of the water we drink, the food supply we put on our table, oil and gas pipelines that fuel our cars, homes, supply chains, municipalities, the schools your kids go to, timely access to patient care. 
 

With mortal consequences, stuff's on fire and this can't all be volunteer fire brigades, right? So we're doing some good things in the government. The White House is taking more attention. CIS is getting more involved, but for the foreseeable future, they're very dependent on civil society and volunteers. 
 

And it's got to scale, especially as the frequency, duration and impact of the disruptions continue. So I hope we can not just organically grow these efforts and scattershot them, but make [00:14:00] sure we really know what's too important to fail. Who's on task, where the gaps are and how to ensure that, um, we, uh, we have a sustainable model of catching these errors, finding the proper homes for them and knowing when something doesn't belong in either the public or the private sector. 
 

Sean Martin: And is that the, so the, it's not just you. I know there's a couple other organizers we were hoping to bring on for this conversation. But then there's also a number of other entities involved, like I Am The Cavalry's one of them, was a handful of logos or so on the page. Is the idea that this consortium of entities leads the way and finds more volunteers, brings more entities in? Kind of describe what do you see happening over the next year or two with this?
 

Phil Reitinger: Well, the, the goal is implementation, right? So, you know, this is a workshop, as I said before, to go from thought to [00:15:00] action, right? So we want to come out of Tuesday with an idea of some particular models that may make sense. And then, you know, it's the, it's the, it is all of the partners in the initiative working to move forward on implementation of those models, and some people will have different or bigger roles than others, right? It's in that sense. It is a coalition of the willing, you know, my organization, the Global Cyber Alliance is sort of, you know, serving as the hub to organize these kinds of things, but there's a secretariat, if you will, of a lot of organizations, including the Forum of Incident Response and Security Teams, the Cyber Peace Institute, um, the Shadowserver Foundation, um, there's a lot of folks, um, Chris Painter from the GFCE, the Global Forum on Cyber Expertise is involved.
 

There's a [00:16:00] lot of people that are there. Um, involved in the effort and you know, our plan is to is to see what the art of the possible is. It is the start to initiative. There's going to be, um, a. We'll do, continue to do outreach events. So there'll be a panel at RSA. So you won't just hear AI at RSA, right? 
 

You're most every panel and things you're going to hear at RSA will be about AI. The way it used to be about blockchain, right? That's the, that's the point that, that Josh was making, but we're going to sit there and talk about common good cyber at RSA that we're expecting another followup workshop to sort of keep people involved and in the loop, um, probably in Europe and around October. 
 

Um, and you know, the goal is to move forward and I think we'll have, you know, we'll have players that are super interested. The keynote on Monday is being given by Kemba Walden, who you probably know. I know Josh does the former acting national cyber director and has now started a new [00:17:00] sort of kind of a think tanky, but very implementation focused cyber security entity at Paladin Capital, right?
 

So more and more organizations, right? That's venture capital starting to say, Hey, we got to solve this problem, right? We just need. We need the people to put the mindshare and the dedicated work into moving forward. So it's not ad hoc. You know, I think that's what Josh was saying in so much of his comments. 
 

It's, it's, we've got to get away from some of the ad hoc ery, and get to some strategy and some systemic approaches that are sustainable, without losing the value that the multi stakeholder model and approach on the Internet have given us, you know, nobody wants the government or one company to tell them how to behave on the Internet for the most part.
 

So we've got to, we've got to find the right way to move forward in that regard.  
 

Josh Corman: Yeah, and, uh, it is a play in three [00:18:00] acts with some intermissions and whatnot. I'm most keenly focused on the prep for the one I'm involved in, the first of the three, although everyone's gonna be in the chorus for all of it, um, so I'll maybe illustrate what the very first block is, and then maybe Phil can add about the other two, but in the first block, we're kind of illustrating the problem or the efforts thus far, like, what were the potholes or missing pieces in the Internet or critical infrastructure or civil society that some of us tried to fill, um, pardon the pun, Phil Reitinger, but, um, the, uh, so I'm gonna, I'm the weirdest one, I think, but there's the Shadowserver group that's really helped make sure the internet continued to work for all this time with a bunch of gray beards, um, doing thankless work, we're going to have someone from the MITRE ATT&CK framework R and D that was, you know, done because something needed to be done. Not because it had a funded project and everyone's benefiting from ATT&CK framework, uh, but it, you know, to make it grow and last, um, can't be done forever, uh, unfunded and, um, and then with the, I Am [00:19:00] The Cavalry were a bit anomalous in that we've done this for 10 years.
 

I didn't think it was going to be a 10 year initiative. I was hoping it didn't need to be a 10 year initiative and it's really tough for people to have a, almost a full time day job on top of their day job to do this forever. So perhaps we would have benefited from paid staff or organizational operational back end.

Um, and as the world gets more dangerous, we shouldn't just always rely on the backs of 100 percent volunteers all the time. So as we look at our future, what's that going to be? So this is kind of reminding people things they might not even have known about how much you of their safety and continuity of service has depended on the backs of idiot altruists trying to, uh, play catcher in the rye and find and fix problems.
 

So we are not representative of everybody that's kept things going, but I'm hoping Kemba bring some fire and some urgency. Uh, and I hope we can show the things that have been done, but we're going to be followed by breakout rooms and then two other topics. So Phil, you want to take it from here?  
 

Phil Reitinger: Sure. And let me [00:20:00] just drop before I forget about it, Sean, that while we were limited to 120 people in person, there is a webcast of all the plenary stuff. 
 

So if people go to commongoodcyber.org, um, you'll find the YouTube link to the webcast so you can watch all the plenary stuff on Monday and Tuesday, and there'll even be some opportunities to vote. So, coming out of the session Josh talked about on the morning of the first day, making sure everybody is on the same page, understands the urgency.
 

We're going to move to, uh, a set of breakouts and discussion bringing in some models from other industry and from cyber security about what we might do about this. That's sort of like, do we want a cyber united way? Do we want to be core type approach? Some other certification approach? So we'll hear from a bunch of things.
 

What's happened elsewhere and what's been used? Um, in cyber security, like even, you know, how is, how is the cyber security support for the Ukraine being handled as a part of this? [00:21:00] Um, and then we'll do some voting, we'll do some talking, and we'll break for the evening, have a reception, get every chance for everybody to come together, and then on Tuesday, it's about diving into the things that look like they have the most promise.
 

What is the, you know, a lot of pinhead II stuff like what is the governance need to be? But who needs to be involved? What are the strengths and weaknesses? How do we move forward? What are the next next action steps? And so we'll bring we'll have a bunch of breakouts diving into those, and then we'll bring everybody together at the end. 
 

Hear about that. Have a discussion involve the people in the audience. And then from that, it's great. You know, we've done the launch now. We know what the idea is that the community seems to like the most, how do we move forward on implementation? Who wants to be a player? Who wants to be in the coalition of the willing?

Um, or one of the thousand points of light? Pick your, your George Bush analogy.
 

Josh Corman: Um, [00:22:00] Phil, for those who don't know what United Way is, what would a cyber United Way be, you know? What's your best elevator pitch for a united way for cyber?  
 

Phil Reitinger: Well, there's a couple of different things. You know, one is do we want a joint fund, right? 
 

Like, um, do we want something that people could contribute to entities could contribute to? And then that could go out to some of the most critical things that need to happen, right? So that could be governments, corporations, groups like that, you know. Sometimes there are, you know, it's kind of like with United Way, people say, well, I want to do good, right? 
 

But I don't know what good is, so I'll give the money to United Way and I know it'll go to the right places. So should there be some sort of joint fund? The other piece of that is sort of federated giving and joint fundraising, which could be a part of that could be something different. So maybe it's 20 nonprofits go together and they say, you know, we'd like some additional money, U.S. government, or we'd like some additional money, you know, big [00:23:00] internet corporation, um, could you give it to us and we'll parcel it out among us and we can do reports. So there's some efficiencies there. Those are a couple of examples that you might try to work to, um, to get more funding to support the most critical parts of the internet.
 

Josh Corman: And this is an area I hope gets a lot of discussion in the breakouts because when I, you know, took a pause from my career and went into, uh, the Atlantic Council, uh, you know, nonpartisan international nonprofit, quite a few people were wondering why we were doing so much work without funding. And like, you know, you should wait, you should get the funding, you know, once, once it's funded.
 

And, and I think if you think of, uh, in the private sector, we have the bell curve of adoption, like the early innovators, right? The pre chasm and then the post chasm, you know, the majority, you know, once it crosses the chasm and then the laggard minority at the end, um, I was trying to do things that weren't known to be funded yet, but we're [00:24:00] trying to show establish a need, show progress, show it was worth funding.
 

And sometimes you can be ahead of the funding cycles. Um, we need that kind of work, but it's really tough to get those things attention and traction, uh, in the current way funding's done. Perhaps if we looked at this as a normal tech startup or a tech company, you know, you want 20 percent of your already on speculative Office of the CTO, mad chemist projects, some of which turn into iPhones, some of which change in industry. 
 

So are we really being thoughtful and planful about where the money goes for either stuff that's speculative and might not work or, you know, stable, but maybe crowded. And then when is it time to say something's a laggard and move money from those things to other areas that have higher levels of need.
 

And I just, uh, I'd like to see more of a unified discussion and unified plan so that we don't orphan critical evergreen projects. But we also don't fail to meet [00:25:00] the threat and meet the adversary and meet the urgency just because funding cycles are slow. Um, so I like this notion that instead of every single non profit spending a ton of caloric energy, redundantly fundraising, is there a way to fundraise more efficiently and put more time on progress? 
 

Sean Martin: Ah, so many things swirling in my head here. So, I'll start with this. Because, Josh, you pointed specifically to people giving their time to take action. We're talking here about raising money to fund people. Fund, well, fund initiatives to do some of that work. I, I look at everything like a project. That's just how my brain works.
 

So you have the people and the money, but then there's the ops. Yeah. To get it to work. And if you're building something, there are, you have to define what you're trying to accomplish, how you're going to get from A to B to C to Z, who's responsible for what, [00:26:00] what's more important than something else. Um, uh, how are you planning? 
 

Because this sounds like an odd initiative, bringing multiple people together to connect, put a process in place to get the funding, connect the volunteers and supplement them with more action and other entities, venture capital, government funding, commercial funding. But in the middle is where it all comes together. 
 

How do you kind of see that being managed? 
 

Phil Reitinger: Well, I can start with that while Josh thinks a little bit more, Sean. I'd say in some sense, that's a little premature. Um, and what I mean by that is we don't know what the community wants for solutions yet. Uh, I have some ideas on what might work. Josh, as you saw, has some ideas on what might work.
 

Um, but once we know what those are, we can build a plan around that. And so, um, I don't want to sort of say this is the way we're going to go forward. Until we have a [00:27:00] chance to hear from everybody. The second thing is we then have to build those work plans with a big tent. Right. It can't be, you know, somebody big footing. 
 

This is how we're going to go, how we're going to do it. Everybody's going to come along. If it's going to be a multi stakeholder initiative, then we've got to have joint governance. And so we have to start with building that community. Um, and I can tell you, you know, Let's say we decide we need a joint fund, but it's going to be a bunch of neat things too. 
 

There's going to need to be legal work. It's going to need to be a home. There's going to need to be a governance structure. You're going to figure out how the money comes in. Is it going to be a part of one organization or a new organization? Um, how's the money going to be allocated? What does that governance look like? 
 

So nobody, so there's no conflict of interest. You can get into a lot of detail pretty easily and you, I've done that kind of stuff before. Josh has done that kind of stuff before. You've probably done that kind of stuff before. There's a lot of people in the industry can do that. It's, it's bringing, getting that, you know, co creation piece right [00:28:00] at the start, and then having the, the secretariat support that'll drive action. 
 

You know, if we don't have, um, really concrete action plans coming together after the initiative and sort of brought by into them by, say, October, then we're behind. That's the goal.
 

Josh Corman: And, uh, you know, such a structure. I mean, I have two divergent answers. One is all these initiatives have the full stack, right? 
 

They're doing their fundraising. They're doing their project management. They're writing their papers. They're doing their do tank, you know, field work for whatever their mission scope has right now. We're just redundantly doing those in silos to some level of effect and impact with some level of scarce funding support. 
 

Um, so theoretically, you can get some horizontal efficiencies if we combine forces so that people biased towards action can spend less time on fundraising and logistics. People that are good logistics can share that not [00:29:00] just for 1 organization for more. So there's ways there's already work being done redundantly and then silos within our individual missions.
 

Additionally, though, like, I just don't feel like we've had that battlefield strategy that's looking across these initiatives to say, what are the, what's where the world changed? What are the gaps? Where are we strong? Where are we redundant? Where do we see current funding? Where's that funding running out?
 

You know, a lot of us benefited from the generosity from the Hewlett Foundation and their fund and Eli Sugarman and his successors and, and whatnot, as that fund sunsets, where's the next sources, you know, we get, we have had a lot of, um, support and involvement from say, Craig Newmark and others from corporations from governments, um, and the world is getting worse. 
 

Right? So it's, it's, it's worth our time to stop, pump the brakes, not stop, but, uh, pump the brakes. Thanks. Catch our breath, rise above the fray and ensure we're doing this. And, and what I'm curious to see is based on what focus and scope emerges here, [00:30:00] you know, there may need to be parallel other initiatives. 
 

So I I've been more in the hacker community and more in the volunteer community and less funded. Um, but I want to see what the appetite is here so we can do more things better, um, and know what the, the remaining gaps might look like. And we can make intelligent decisions in light of that. So I don't even know that this will be one thing that comes out of it. 
 

It might be, um, several. So, uh, it's important that we're talking because, uh, we gotta be better and go faster. And, uh, start having more impact.  
 

Sean Martin: Absolutely. And a lot of, a lot of talking and action is planned for the workshop. And I want to touch on the community for a moment because just the roster of people speaking is both impressive and extremely well rounded from what I can glean, just looking at the agenda from venture to [00:31:00] products, to government, to research, to hackers, to. 
 

I don't know. I can't go through the whole list. There's a lot of, a lot of people coming together to present or share their thoughts and ideas as part of the discussion. And then there's the, if you want to call it the audience or the non, non presenting participants, I presume will be a good mix of that as well. 
 

Josh Corman: Oh, everybody's got a job. There's no, there's no spectators in that room. 
 

Sean Martin: No spectators. You're either presenting your thoughts or you're conversing with them in the audience. Um, but, so talk to me a little about, a little bit about who all the folks are. You don't have to go by name of who's speaking on what, but just kind of the idea of how you pulled all those folks together and what you expect to come from having such a wide variety of folks being part of this.
 

Phil Reitinger: I'd like to say that it, you know, it was super easy, uh, um, but it wasn't, you know, when you try to pull these pieces together. I [00:32:00] will say the response has been amazing. You know, our, our notion when we had that meeting at the Canadian embassy last year is that we probably try to get maybe up to 100 people, you know, 50 people who are deeply involved and 50 people who are not.
 

And, um, you know, the in person component is up to 120 and we just had to say no more registrants because there's no more space for them. Can't feed them. We don't have chairs for them and stuff like that. So the response has been really big. Um, it's a, it's a broad collection of people. Um, you know, we've got five different governments attending.
 

Um, a number of big companies, you know, Microsoft will be there, Google.org will be there. Um, lots of other folks that you would have heard of. Um, a really broad cross section of the nonprofit community ways that you FIRST like the Forum of Incident Response and Security Teams. Um, uh, we have a couple of moderators.
 

So I'm [00:33:00] moderating the 3rd day. Just to identify 2 other people: Kiersten Todd, um, is moderating the morning of the 1st day. She started the Cyber Readiness Institute, um, and then was the chief of staff at CISA. Um, so she's been in the space for a long time. Megan Stifel is moderating the afternoon. Megan, um, is at the Institute for Security and Technology.
 

Um, she's another non profit. Um, we've got someone coming from the Swiss government, um, who's going to be talking about data, um, and building the business case, um, Michael Daniel from CTA, the Cyber Threat Alliance, and the former cyber czar for the U.S. himself, is going to talk about the work done with the Ukraine.
 

Um, and, um, furthering their cyber defensive capabilities. Um, you know, that's it's a it's just a really broad collection. I'd say, you [00:34:00] know, a good chunk of nonprofits, people from foundations, people from companies, people from government, um, and a really diverse collection, um, of people too. So we're, we're super excited.
 

One of the panels you saw involves Camille Stewart, um, who's from the Office of the National Cyber Director and, um, leads a lot of their partnership and outreach activities. So very pleased with the response and the breadth of people who are coming.  
 

Josh Corman: And don't worry, we're going to bring the snark. We got, you know, some of your favorites like Wendy Nather and  
 

Phil Reitinger: Yeah, Wendy will be there. 
 

Craig Newmark, Ron Gula, um, you know, on a funders panel. So, uh, um, you know, shout out to Wendy for a second. Um, you know, Wendy really started a lot of this long ago, and she started talking about the cybersecurity poverty line, um, and kind of, you know, what I'd say we've discovered, and Josh was kind of talking about this [00:35:00] before, you know, cybersecurity poverty line, actually, because of some of the market failures here, really includes everybody, you know, there are market failures for the biggest companies in the world.
 

But we certainly need to pay attention to that. And it's not even an 80 20, right? You know, the cybersecurity poverty line somewhere around 95 percent to 99 percent of all entities are sort of without help here. If you know, if it weren't, why would there be an all volunteer organization like I Am The Cavalry that's helping hospitals, not, you know, not some dry cleaner somewhere, hospitals. How does that make sense?
 

Josh Corman: I almost said this earlier. I'll say it now, since we're showing some love to Wendy, Wendy and I worked together at the 451 Group when she coined that and, uh, to her credit, it really infected a lot of the things I did during the CISA task force.
 

So this notion of cisa.gov bad practices, this notion of get your stuff off Shodan, this [00:36:00] notion of target rich, but cyber poor is really trying to take that into the public policy arena. And I think what nobody paid attention to is there's that old Willie Sutton quote. Why do you rob banks? Well, that's where the money is.
 

And I think prior to ransomware, attackers and defenders were focused on the Fortune 500. Why? That's where the money is. And when I say defenders, I mean everyone selling products that are say, right, everybody. Um, when ransomware was an economic innovation, it basically realized that the unavailability of anyone can be monetized.
 

So attackers have figured out how to monetize everybody else down the pyramid. The cyber poor defenders have not yet figured out how to monetize the cyber poor. So it's an unmitigated feeding frenzy. And this is one of the reasons you see just such unchecked aggression on water, on food, on hospitals, on manufacturing, on oil and gas. Unless and until we figure that out.
 

A lot of our nonprofits started before [00:37:00] this ransomware revolution. Unless and until we figure this out, um, we are quite prone on the bulk of the civilian owned and operated critical infrastructure, and this disproportionately hits poor communities, black and brown communities, rural America. We, we have got to figure this out.
 

And that's why I'm so excited that we're pulling together such great minds and such great volunteers. And, um, maybe we'll have some enhanced priorities coming out of this. 
 

Sean Martin: And I was just like, I, I, I recall a post from Wendy in the past few days, I think about the cyber poverty line and it may be connected to this event. In fact, I don't know. I'll have to go look for it. And if I find it, I'll, I'll link to it. And if it's relevant, of course, I'll put it in the show notes for people to read that. 
 

Yeah. Wendy, Wendy's amazing, but she's part of, part of the getting this going as well. Um, I'm super sad I'm not going to be there. You can watch. I can watch. [00:38:00] I can watch. I should have gotten ahead of the curve on this one. Um, perhaps I'll have a chance to join you at a future, uh, future session in person. 
 

Regardless, I am going to watch. I want to encourage everybody else to watch. More importantly, as you said, Josh, no spectators. You gotta, you gotta jump in. You've been doing it for a decade now. And, uh, hopefully the rest of us in the community can. And the community is large. We talked about that, right?
 

It's not just the research, not just the vendors, not just people sitting in a, in a security seat in the company. It's far and wide reaching. So, uh, participate. You can observe as well, but participate is more important. Um, any, any final thoughts before we wrap here? Phil, Josh. 
 

Phil Reitinger: Just to repeat for folks, you know, go to commongoodcyber.org. The, you know, signing up for further information is possible and the [00:39:00] link for the webcast.
 

It'll be on YouTube, is available. There'll be opportunities to participate, we hope, during the workshop, even if you're not physically in the room. And the work's gonna continue, right? It's, it's an initiative. It's not a, not a one off. It's not ad hockery, so just, you know, coalition of the willing, love everybody to come.
 

Josh Corman: The cavalry isn't coming, so what are you willing and able to do? I'm talking to the audience here, right? Uh, what are you willing and able to do? We get the world that we, uh, deserve. Let's, let's, let's be better.
 

Sean Martin: Everybody should read Josh's handle there. And, and not, not portray that as Josh is. Oh, no. It's red. 
 

Read it yourself. I Am The Cavalry. I'm reading it myself. All right. Uh, thank you both for the work you're doing here and that you've been doing for such a long time. Appreciate it. As, as somebody who relies [00:40:00] on this stuff for, for pretty much everything we, we do in life and, uh, look forward to seeing you online and, uh, I hope people enjoy the in person as well, and you're very welcome anytime as you have updates, uh, milestones reached, help needed, uh, the platform here on ITSP Magazine is yours to, uh, spread the word and, and to get participants to, to get involved.
 

So, thank you both and, uh, good luck with the events and we'll see you both very soon.  
 

Phil Reitinger: Thanks, Sean.