Redefining CyberSecurity

National Guard as a Cyber Defense Organization | A Conversation With Dr. Hunter LaCroix and Marco Ciappelli | Redefining CyberSecurity Podcast With Sean Martin

Episode Summary

In this episode of the Redefining CyberSecurity Podcast, Sean Martin is joined by Dr. Hunter LaCroix and Marco Ciappelli to discuss the intersection of emergency management and cybersecurity. Dr. LaCroix argues that there is a significant disconnect between the two areas, with emergency management professionals not considering cyber attacks as a true area of disaster.

Episode Notes

Guests: Dr. Hunter LaCroix, Adjunct Professor, University of Maryland Global Campus [@umdglobalcampus] and EMT Firefighter Rescue Technician Hazmat Specialist, State of Maryland [@StateMaryland]

On LinkedIn | https://www.linkedin.com/in/hunter-l-035498234/

Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli

____________________________

Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin
____________________________

This Episode’s Sponsors

Imperva | https://itspm.ag/imperva277117988

Pentera | https://itspm.ag/penteri67a

___________________________

Episode Notes

In this episode of the Redefining CyberSecurity Podcast, Sean Martin is joined by Dr. Hunter LaCroix and Marco Ciappelli to discuss the intersection of emergency management and cybersecurity. Dr. LaCroix argues that there is a significant disconnect between the two areas, with emergency management professionals not considering cyber attacks as a true area of disaster. This is despite increasing cybercriminal activity targeting local and state governments and their supporting critical infrastructure. The conversation points out that there is a need for a cyber capability that develops around the physical disaster response framework, similar to the response we often see when a natural disaster occurs.

States such as Ohio and California have implemented cybersecurity volunteer reserves and cybersecurity watch centers, respectively. The National Guard units also assist local entities during cyber incidents and play a vital role in emergency management relationships. Pre-existing relationships with the National Guard can be leveraged and building public-private partnerships is critical in cybersecurity incident response. The private sector and cybersecurity professionals trust the National Guard to be a leader in local and state cybersecurity incident response. Still, there is a widespread problem at the local and state level of operations and a lack of broader implementation and utilization of these services.

Dr. LaCroix has written about this topic, with a book being published shortly. You can read the abstract for the book below.

Book Abstract

Cybersecurity is a national priority for the Homeland Security enterprise. Yet, despite a prioritization at the federal level, municipal and state governments have struggled to incorporate the National Guard in cyber incident response. Cyber incidents strain municipalities and states, which have spent significant resources to mitigate cyber threats. The glaring gap in the National Guard’s role in municipal and state cyber incident response warrants two key questions as to why the National Guard isn’t more readily used. “Is it cost prohibitive to use National Guard assets when compared to private entities?” Or “is there an underlying sociological disconnect regarding the National Guard’s role in cyber disaster when compared to physical disasters?” Both questions and the National Guard’s role have largely been under-examined by Homeland Security professionals and academia and require additional examination.

This dissertation seeks to study via a sequential mixed method approach answers to both questions. First, using a quantitative analysis method examining case studies, this study seeks to examine if “it is less expensive for municipal and state governments to use the National Guard instead of private sector assistance for cyber incident responses?” Sequentially, if it is less expensive, this dissertation seeks to utilize a survey-based questionnaire from associations of National Guard and emergency response personnel to answer, “are there underlying sociological misperceptions that contribute to the National Guard’s underutilization for cyber disasters when compared to their role in traditional disaster response?”

This study achieved complementing results, with quantitative testing affirming the initial hypothesis regarding the National Guard’s cost effectiveness versus private sector entities in case studies examined. This led to qualitative studies using surveys to examine possible misperceptions of the National Guard’s role in cyber incident response for municipal and state level operations. Surveys revealed both a lack of understanding and disconnect between the National Guard’s role in cyber incident response when compared to its normal role in physical disasters. This research creates opportunity and future growth for Homeland Security professionals to prioritize the understanding and growing role of the National Guard for public and private enterprise at the municipal and state level of cyber incident response.

____________________________

Resources

Book: Coming (Date: TBD)

____________________________

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:
https://www.itspmagazine.com/redefining-cybersecurity-podcast

Watch the webcast version on-demand on YouTube: https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq


Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording as errors may exist. At this time we provide it “as it is” and we hope it can be useful for our audience.

_________________________________________

SUMMARY KEYWORDS

guard, cyber, state, local, disaster, national guard, folks, cyber incidents, ransomware, network, cyber incident response, people, emergency management, awareness, cybersecurity, private sector, role, maryland, physical, disaster response

SPEAKERS

Sean Martin, Marco Ciappelli, Hunter LaCroix, Voiceover

 

Voiceover 00:09

Welcome to the intersection of technology, cybersecurity, and society. Welcome to ITSPmagazine. Knowledge is power now, more than ever.

 

Sean Martin 00:40

Marco, Sean, you know what, all of our tax money going to the right place we don't even use.

 

Marco Ciappelli 00:51

Really? Is that a virtual place though? The one that we're in the virtual place?

 

Sean Martin 00:55

Yeah, it's in the metaverse, all our money goes there, which is a completely different place.

 

Marco Ciappelli 00:59

I mean, digital society, cyber society, reality is still different world. They don't interconnect at all.

 

Sean Martin 01:09

Exactly, exactly. And that's kind of like the public domain and the private domain. Never Never saw the to meet right. Policies are written without the citizens in mind all the time that I know an understanding of how things work a lot of times. Now, we're playing a little bit a little bit of fun here. But this is an important topic because cyberthreats obviously, this is Sean Martin. I'm joined by Marco Ciappelli as a guest today, and we have Hunter LaCroix on with us. Hunter, it's good, good to have you on. We're obviously we're we're on Redefining CyberSecurity. We're all about operationalizing technology in a way to protect the business and government entities as well, which includes state and local and federal agencies. And you've done some work, Hunter, that suggests that perhaps worse, we're investing and spending money on things and then not getting the most out of them in return. And I'm excited to have this conversation. I'm gonna leave it there and get let people wonder what the heck we're talking about. I'm going to pass the best the mic to you and give you a few moments to share a few words about who Hunter is and what you're up to.

 

Hunter LaCroix 02:27

Yeah, so I'm Dr. Hunter LaCroix. I'm a professor at the University System of Maryland, where I teach at the University of Maryland Global Campus as well as other systems within the Maryland system. Previously, I taught at the University of Pittsburgh for graduate school, taught cybercrime, Homeland Security fairs, emergency management courses, as well as information security courses. In addition to that, my background is for emergency management perspective have worked as a firefighter EMT, rescue specialists for various local and state agencies and organizations as well as the contractor for those same types of services for both athletic teams, as well as state, federal and local contracts for emergency management services, so little, little bit of a little bit of everything, kind of a technical background, as well as a physical disaster and emergency response background. And that's kind of what inspired gelling these two topics, bringing that physical and digital world together. And specifically with the topic of cybercrime, ransomware, and cyber disaster. In the emergency management community. We don't we don't really look at cyber, as a true mechanism of disaster. It's something that doesn't really hit us from an emergency management perspective. But it really is becoming a critical component for emergency management professionals to to really have to start planning and thinking about in a traditional aspect. Great example is there's a cybercrime every 39 seconds, there's, you know, an increasingly aggressive cyber criminal activity targeting local and state governments. And what inspired our original research was a ransomware strike against a large municipality a couple of years ago, where the municipality ended up having to take millions of dollars out of various city accounts to respond to a crippling ransomware strike where the ransom was really only several thousand dollars. But they lacked the IT infrastructure on hand to respond.
And when we were going there to talk to several folks in the municipal offices and local leadership. We were asking them, you know what, you know, what led you to spend 18, 20, 40 million dollars for this type of cyber incident response, instead of using the local National Guard unit, 10 minutes down the road. And, you know, the folks on staff just kind of stared at us and deer in the headlights, you know, you know, looked at us and said, Well, we didn't even know the guard had a cyber mission. So, let alone that there was, you know, cyber defense squadron and an IT information security squadron right, right down the street, you know, 15 minutes away. So that was a major inspiration for our research to see how widespread that disconnect and problem was at the local and state level of operations.

 

Sean Martin 05:19

Yeah, when you when you say emergency response or emergency management, and widespread disaster, the first thing that comes to mind are natural disasters, driven by weather and Mother Nature, hurricanes and tornadoes and earthquakes and things like that, where it seems we've we've gotten our act together to the for the most part in providing initial emergency responders and then mid near term emergency response and longer term emergency management. Are you saying that, and National Guard is part of all of those things at some point?

 

Hunter LaCroix 06:03

So you're saying that the cyber realm already has this in place with the National Guard, and several states that does and several states that we were examining, there was a very robust cyber capability that had developed around the physical Disaster Response Framework. in several places we asked folks, you know, what happens when there's a flood? It's Oh, we call local sheriff's office we call FEMA and we call the guard need sandbags. Okay, what happens when there's a fire? Oh, well, we call, you know, the fire department, we call the fires the Forest Service, and we call the guard. Okay, well, what happens if there's a crippling ransomware strike that takes out, you know, your city's network?

 

Sean Martin 06:35

The FBI calls you?

 

Marco Ciappelli 06:38

You unplug the computer?

 

Hunter LaCroix 06:41

That's exactly unplug the computer. And that's it. You just don't have a computer anymore? Well, no, actually, the standard, a lot of folks said, Oh, well, we'll just call the FBI. But when we started talking to folks, you know, previous federal agents within the FBI, as you know, Criminal Investigation services, I read investigation services, they're not really staffed to respond to a widespread municipal cyber attack, like we've seen. They're really for post incident investigation support. They're there for forensics, and for imaging computers to help identify a culprit and attribute it, but they're not really there to stem the bleeding. You know, that's, that's that first scale of emergency response you're mentioning, you know, the fire is still raging in the city, the buildings are going to burn down, it doesn't really matter how we rebuild afterwards, we got to put the fire out. First, it's threat mitigation at its source. And you know, when we started asking folks, why wouldn't you call the guard, a lot of them immediately in the emergency management community said, Well, I just, I never really thought of cyber disaster the same way as a psychological, you know, connection. And so that's that's actually what we were really examining. And we ended up serving hundreds of National Guard officers, law enforcement, emergency management, community, folks, local state government officials, and there was an overall distinct difference in how cyber incidents were viewed than physical disasters, as well as the guard's role in them. You know, we asked folks, 1200 respondents across those various organizations, you know, is the guard a trusted partner in physical disaster response? 94%? Yes, you know, very strong 100 Oh, yeah, of course, when we ask, what's the guard's role in a cyber incident response? Do they? Do they have a role? The answer has dropped dramatically to 50% saying, Well, I don't know.

 

Marco Ciappelli 08:35

So Hunter late, let me ask you this. And then of course, I'm here to ask more of a maybe sociological question psychological about this integration between the virtual digital world and the real society. Real with quotes for the people on the podcast, I'm doing air quotes. But my first question here is, Whose fault is this? Is it the company and apart from myself? Of course, I haven't done but is it been provided the information to the company that actually the national guard does this because I gotta be honest, I apart from certain local example that we were talking about, like here in LA, there is an headquarter for support small businesses and so forth. In an overall control of cybersecurity response. I didn't know that the National Guard had that role, you know, guilty.

 

Hunter LaCroix 09:35

So it's, it's, it's a little bit of everything. In the emergency management training curriculums when we started talking to you know, that the hundreds of emergency management personnel at local state and federal levels, you know, all the way up to to very senior folks down to very, very frontline responders. It's not in any training curriculum really emphasized as a mechanism of disaster, because you know, there's a disconnect, I'll just unplug my computer. It's not going to harm anybody. But a great example of that is we started asking folks, you know what happens a great example a year ago, a ransomware strike hit a hospital where an infant died because they infected their Wi-Fi connected breathing equipment. Or in Germany, an individual died because he had to be rerouted from a Cardiac Center where he was supposed to be delivered as a patient to a separate one, because they were in the midst of a ransomware strike. In effect, the the cyber disaster was a cascading effect and ended up killing those people because they couldn't intake those patients. So it's it's a little bit of a lack of understanding and awareness of the guard's role. That was something we did survey and ask, and the predominant answer was, I don't know their capabilities, lack of training, of implementing that mentality within our folks, a lack of sociological background, a great theorist Matt Trebek does a great work on sociology of disaster. And it's fantastic. It's a great piece of work. He talks about technical disasters in that but he doesn't talk about it from a cyber perspective. He talks about it from you know, a physical technical disaster angle. If a levee breaks, you know, it's it's because there was stress and it floods, you know, a city, not what happens if a cyber attack freezes the mechanisms that allow us to channel water from point A to point B, and that overflows the water, they're not talked about in the same vein. So it's, it's more of a sociological framework gap.
There was a practitioner gap. And then there's also a true real world policy legal gap. Some states locally, have addressed this issue with their state legislatures, where they have really affirmed and structured up their role for the guard in local cyber incident response. But that's that's really haphazard, not every state is equal. And the US federal government is currently there's two bills, one in the house and one in the Senate, that that really gone very, very far. That would codify the guard's role in cyber ins response at local and state level across the nation for the National Guard Bureau to kind of push out as this is the actual federal interpretation of what's called Title 32 status, the guard's state status to respond to incidents. So it's a little bit of everything I'll the gap and the sociological framework for how we look at cyber incidents and how they affect us in the real world. Two, lack of training for some of our emergency management personnel where we train them that this is a disaster, you know, fire, get the Fire Fire Department, you know, flood get the guard, cyber incident. It's always a question mark. And when we did ask folks, you know, great, but varied example, we asked folks to cyber has the capacity to disrupt life, in our daily daily functions like a disaster. 97% said, Yes. And of 1100 personnel, when we asked them, you know, doesn't have the same ability to threaten life, potentially, it was still pretty high about 90%. And when we asked, folks, is there a reason why cyber isn't planned as aggressively, you know, is it because nobody dies? Nobody cares. You know, still about 66% said yes. So it's it's a several incident, several, several avenues that kind of come together that kind of prevent a holistic look at it.
And that's that was what the initial point of the research we were conducting was to try to open up is, from a sociological perspective, from an emergency management perspective, as well as from a sociological framework perspective and a policy perspective.

 

Sean Martin 13:41

No morning, I don't know if you have insight into this Hunter, but kind of the organization of the organization, if you will, who see talks about a gap in staffing and skills. But but some places like California having a program ready to roll. Was that defined clearly by the state? Right. So that's a state level guard program. I'm just wondering are is it? Is it there? Is it then missing at the federal level? And so it's kind of funded by the federal and then the states are left to do what they feel is important. That's one fire in California and might be more important than in? I don't know Alaska.

 

Hunter LaCroix 14:30

Fires Alaska tax, actually, the Echelon that's a great point. That's actually one of the most contentious issues in any any disaster response. It's not responding, it's who's going to pay for the response. How are we going to fund it? And when we originally started asking folks these questions, you know, that was a major concern. There's two types of statuses for the National Guard. They are both a local and a federal asset. When they are under the federal jurisdiction of the United States Department of the Army department, the Air Force President United States They're under what's called Title 10 authorities which is federally, you know, directed they are federalized as federal troops as part of their bigger branches. When they are under local control for the state governor and state emergency management organization or the local governments, they're under what's called Title 32, state activated duty status. And with those statuses comes funding. And that also goes back to how we define an emergency in a disaster. When you have a federal declaration of a disaster zone, there is a major flood in Ellicott City, Maryland, there's a major fire up in California. It allows additional infusions of funds for emergency response, five $10 million, with a much more streamlined approval process from the President of the United States to the governor, to those local and state emergency response agencies. We don't have a very good definition of that process for a wide scale cyber incident. When there is a cyber attack threatening the national security the United States, there is a very well defined role for the federal government cybersecurity agencies, the Department of Defense System, the Cybersecurity Information Security Agency, the Federal Bureau of Investigation, the NSA, the Cyber Command, these are these are very well defined organizations with very, very clearly defined roles for national security. 
When you broke it down to the local and state level, it gets murky very fast. The US Army War College did a study in 2018, where they actually looked at state cybersecurity local state cybersecurity strategy. And they actually said, we've got this at the federal level, there's a huge gap at the local and state level, and we'll figure it out later. And it was, it was, it was a great, it was a great study, it wasn't on the army to figure out how to do it at a state level. But it was at least something where the community has had that gap for quite some time. And states have had to kind of step in lacking national legislation clarifying their role, when we started talking to folks in different states that were drastically different opinions on the legal interpretation of what their guard units could or could not do. Some were way better than others. A great example would be Ohio, Ohio has both codified their National Guard's role in local and state cyber response with their title 32 status. They've also got a cybersecurity volunteer reserve to go out with these National Guard units, kind of like volunteer firefighters go on with, you know, the the career guys out to the cyber incidents and local and state levels. They're called the Ohio volunteer cyber reserve, I think off the top my head or HIO cyber cyber force, and, you know, very, very proactive. One of the state Adjutant General's General Mark Bateman was was very instrumental in pushing that as well. As you know, University of Cincinnati has a very robust cybersecurity program with a lot of professionals, deep, deep experience. And then California, another great example. They have 40 National Guardsmen on state activated duty, meaning their deployment is to their guard cybersecurity watch Center in California, and they're on orders there as a full time National Guard person as their day job for nine to five, you know, 24/7 for the duration of their deployment,

 

Sean Martin 18:21

Specifically for response, not for monitoring, and not not for not us, they do monitoring as well.

 

Hunter LaCroix 18:28

Well monitoring as well. You have to you have to fund it. So it's a cybersecurity watch Center as well as an Incident Response Command. And it's one of those things where it's it's a focal point, right. So if there's an incident in LA and LA city manager needs something, you know, it's somewhere to get the governor's office, you know, an answer from what does the guard have, from a cybersecurity perspective, let's call the watch Center. In addition to using it as a focal point for response, a lot of states use their joint state headquarters, the headquarters, the National Guard to kind of quarterback a cyber incident response. A great example we saw of that was the state of Texas and Louisiana as well, in 2019. They had statewide cyber ransomware strikes, Texas was a great example. They actually sent out teams from their joint states joint state headquarters all over the state to respond to the cyber ransomware strikes. And they were able to mitigate that incident in about a week, week and a half with their guard units going out and assisting local entities. So it's it's a very key thing in cyber in the guard, cyber especially not every guard unit is created equal. Not every state is created equal. And that's that's a problem. There is kind of a have and have nots. And that's something where we also want to emphasize that, you know, with awareness will come additional resource and training and also additional conversations of how we spread out that coverage.

 

Sean Martin 20:01

And so one thing that I'm thinking about is it isn't, you kind of clarify this for me. But what I would think is it isn't just, we're under attack, let's call the guard, I presume you have to be prepared and ready to have the guard assist. sponsor, perhaps some some relationship beforehand, or at least at least a plan internally to say, here's how, if it reaches this point, we're going to call the guard. And you have any insight into that point?

 

Hunter LaCroix 20:34

Absolutely, actually, that's a great point, every network is different, it's configured differently. It's like going into somebody's neighborhood or somebody's house, it's gonna look different every time, having local knowledge is incredibly important. And also, building pre existing relationships is incredibly important. The Maryland National Guard has a very forward leaning set of officers who go out. And it's their security team, their critical infrastructure and knowledge resource team, they go out to, you know, the local water company, and they put a National Guard body in front of you as the manager of the local water utility saying, I am Colonel so and so I am Major. So and so, you know, this is me, if you have a problem, you call me, you know, we'll work our way through, get you through the state process to get resources or get get get help out there. As with every other part of emergency management, and information security, and even just private and public sector relations, it's all about building those public private partnerships, before the incident, getting as far to the left as possible, but you have to know that they exist to call them or at least know when they show up that they're there to talk about that. We did ask several folks, including in our survey, you know, do you trust the guard to to be a lead role in cyber incident response. And it was interesting up most of the participants, majority wanted the guard to be a leader in local and state Cyber Incident Response, including the private sector personnel we surveyed, that was really surprising. 
When we asked cybersecurity professionals in the private sector, the couple 100 Beat we got, you know, do you think the private sector or the guard should have more of a lead role, not the elite role, but more of a liberal, most of them actually said the guard, a lot of that came down to also trust there, there, there is a little more trust at times with the notion of the local National Guard unit, because these people are local, they're not federally, you know, federally mandated troops or assets, they generally live in the same neighborhoods live in the same states. And that's the same with our emergency management relationships for fiscal disaster response people know them. And then also, it's not from a competing private sector entity, you know, the the public sector, and the private sector, there's usually not a competition for, you know, IPS and things like that, and any sort of, you know, information property. So, really it comes down to, can you protect my proprietary company information, if I bring you in, and you helped me secure my network? Can you, you know, guarantee that if I give you any sensitive but unclassified information to protect your network, you're not going to blast it on your Facebook page, because we don't want it. You know, that's, that's, that's where really that relationship comes in. And it's a huge cornerstone of any emergency response, but especially here in the technical realm. And that was a that was a, that was a big area of growth for a lot of our participants.

 

Sean Martin 23:37

So I'm going to stick with the cyber, cyber the the public private relationship, and, and the cyber boots that the guard were, how, how far can they take steps in because what I'm picturing is municipality that perhaps runs a lot of their systems in the data center that's in a private sector. Place. How far in can a guard go to help resolve? Right? situation?

 

Hunter LaCroix 24:09

So that's a great question. That goes all the way back to the legal authority structure we were talking about, what does their state activated duty title 32 status when they are working for the governor and working for the State of Wyoming, the state of California say they can do and how and how does that state interpret their guards role? And how have they codified that in their legal structure? So a large majority of the additional Guard personnel we spoke to were jag officers, Judge Advocate General Officers, military lawyers, and one of the primary questions, you know, we asked folks was Do you believe that the guard has the legal authority to do this? Again, predominantly, most folks agree, they said, Yeah, it just came down to they just didn't know exactly where, where can I send that guard officer to go sit there and put hands on keyboard. In some states? They can't. They haven't gotten that level of granularity where Hunter you know, Sean, and Marco, the guard team that shows up to assist with this crippling ransomware striking go in and help both find the bug, find the malware in the network, mitigate it, isolate it, and then you know, send in the IT squadron to help read reimage all the computers and fix everything, and everybody has a great day, there's different levels of interpretation, that national legislation would absolutely help. Because right now, it's pushing it through 50 state legislatures with different levels of enthusiasm. And you have a lot of fantastic Guard personnel doing a lot with what they can at a local level, you know, where they can put hands on keyboard where they can, advising where they where they can, and then also being very mindful of where their authorities end and where they need to work more directly as consultants and assistance to that private sector. Participation point, so so that's really where I think that national legislation would make a major difference in saying this is what title 32 means. 
This is what you can do with the guard as a state activated entity. And this is how we protect them like any other emergency responder when they go and defend the networks that they are asked to go defend at the local and state level.

 

Marco Ciappelli 26:12

Sometimes I I witnessed this conversation Sean's brings me in and coming from more of a physiological and perspective, I feel like these are like cybersecurity is embedded testing still, you know, like, it gets my point here is like, you know, people don't haven't figured it out yet. The politician is not completely all in agreement, then the federal level, the state level, the city level, whatever it is, and you just said sometimes yes, there is the tools but they can use is almost like to say Look, dear, you know, fire squad Fire Department squad yet you can go there, but you cannot enter the building with or break a door to say people because now we don't know how to handle that from a, you know, legislative level. So it sounds to me that that's where the big issue is right now there is the capability there is the technology, there is the resource and the individual that can do it. But there's no clarity.

 

Hunter LaCroix 27:21

That's it, that's a big part of it. A lot of it also comes down to we're still trying to grasp, how does cyber affect the real world, I think it became more prevalent with the Colonial Pipeline ransomware strike when half the eastern seaboard couldn't get their gas for two, three weeks, you know, that all of a sudden, you know, my mom, my, my grandma, my, my sister, my brother, everybody had a sudden awareness of how cyber strikes can actually affect their real lives. And, and we're still we're still coming to terms with that, both from the emergency management community, but also the wider public. You know, just just general awareness. You know, I grew up in Florida, everybody could tell you hurricanes were a natural part of life, it was embedded in our psychology, you know, there are Floridians who would look at a type three hurricane and be like, Am I really gonna worry until it's a four or five and like, and maybe a five, I'll put up some shutters and, you know, for I'll just ride out the storm and call it a day. You know, there's there's a sort of understanding of traditional disasters and where their place sits in our psyche of you know, this is a problem now, or this is an emergency, we have not even begun to touch that from a cyber perspective. And as our as our world becomes more interconnected, from physical to to network infrastructure, it is going to start having major effects. A great example there are there are third party hacktivist groups that for proof of concept have hacked vehicles, shut them out, shut them off mid driving, you know, there are folks who can do things like manipulate Wi-Fi enabled hospital equipment. Great example was the the child who was killed because of the interference with the PICU NICU, Wi-Fi enabled equipment in their hospital, you know, not directly but indirectly, you know, patient care makes a difference.
I was a provider for a decade, and that one hour when you're having an emergency with that patient to stabilize them, that makes a difference every minute. So if you're sitting there for 45 minutes, trying to regain network connectivity to get you know, that patient into the critical care they need. It starts really affecting physical, physical, physical world very quickly. And I think it's drawing that connection, which which is, you know, a big part of our study, is we need to start looking at cyber incidents, not just as disasters from the most simplest terms of you know, oh, we'll just fix it because there's still a very nuanced technical aspect to them. But disasters nonetheless.

 

Marco Ciappelli 29:49

Well, look, I'm gonna add to that because with the pandemic, for example, I mean, we have seen how the, the infrastructure of the internet the global economy, it's all connected, right? But we're still kind of drawing the line. And you're you mentioned this few times in this conversation where like, the moment that it goes from a technical digital computer issue into it bleeds into reality, there is still too much, in my opinion, and all the conversation I have on Redefining Society have a have a line, you know, between reality real society in cyber society. And the point is, it's blurry, it's not there anymore. And so here's a question for you. You, you mentioned that many times the National Guard, are people in your neighborhood, they're ready to go, they live there. So I'm wondering, in the preventive aspect of this, how much could they actually help to go into schools, go to library go to the business, so to help doing some sort of a public service announcement, to educate the public, and also say, as I mentioned at the beginning, we're here to help if things actually happen, you can call us. So it's kind of like a double service that they will do education and awareness at the same time.

 

Hunter LaCroix 31:21

I mean, that's, that's a great, that's a great point. That's actually something that was brought up numerous times over the 100, hundreds of participants that said, you know, if I had known this, I would have had a much deeper conversation. Actually, in Orange County, we had a participant say, you know, I've worked in the Orange County Emergency Management Agency for 20, you know, five years, I never even knew the guard had a full time active cybersecurity watch center until you told me and then I looked it up. And lo and behold, I started talking to him, I think, you know, it is a combination of awareness and outreach. And part of it part of it is on the guard to better to better articulate their cybersecurity role. I mean, the guard, like the the larger military still is facing a recruitment crisis, they still need to hit their goals. And it's getting harder and harder to define, you know, what we need from the technical workforce, both within the private sector, the public sector, the active duty military, and the National Guard, and these reserve forces, but better awareness, you know, increases both recruitment drives, collaboration opportunities, training opportunities, and networking opportunities. There were several people, both from InfraGard, and different networking events, when we were chatting with them, they actually reached out to the state contacts in the guard units we chatted to, and formed that connection and invited them to start participating in their exercises. You know, it's a matter of both getting our folks out into the field, so the people can see proof of concept, can you actually help me, and then awareness so they can start implementing them into their plans.
A great example of that was in Louisiana, they had a ransomware strike on a Friday, the guard was called out over the weekend, schools were reinstated their networks by Monday, much to probably everybody who goes to those schools, you know, chagrin, you know, like, if I was a 30 year old kid, I'd be like, No, the guard. But you know, I think that's, that's a very big part of the conversation. And I think he grew up, Martin, that's a great point. That's, that's building a cyber mindset, you know, for tomorrow today. And it does come down to understanding that we do live in the beginning of the era of cyber disaster. And it's it's just a matter of time before there is such a major cataclysmic event at a state level, not federal, where it does affect a widespread group of folks. And I do want to clarify that because I've had folks ask, you know, well, we have all this great awareness at the federal level, Is this really necessary? Again, absolutely, it is necessary, because when you think somebody hacking the Pentagon, there are seven agencies that are going to respond to that, who helps Jackson County, Georgia, you know, who helps Howard County, Maryland, when we asked local and state officials most affected by it, and who would get the most benefit almost every single one of the local and state personnel, you know, said immediately municipalities, folks who lack the firepower, the IT department, you know, departments are still paying, you know, 75% of their operating budget for ransomware strikes that they can't afford. One county got hit twice within a six month period by the same actor, and they paid almost the entirety of their operating budget because they lacked cyber insurance. They lack these resources that the federal government and state government have.

 

Sean Martin 34:38

I wanted to think no, no, no, I know we're coming up on the close to the end of time here. I was just wondering, this must be so much knowledge as as the these guardsmen interact with these municipalities and and help them respond and resolve these issues. They know the amount of knowledge that they're gaining is tremendous. Right? Here's how the actors work. Here's how they move, laterally move. Here's the information they're gathering, here's all the exfiltrated. Here's how the ransomware is conducted. Yes, there is a key, there isn't a key should patient, just tons of stuff there that that's tribal knowledge now, is that this may be forward thinking. But is that something that the guard is looking at as well to kind of help kind of maybe back to Marco's point a little bit, reinforce the preventive measures based on what they're learning in the responsible part of it.

 

Hunter LaCroix 35:34

So that is an area of growth for both the guard public and private sector, because most private entities are wary about proprietary information going out there as well as proprietary vulnerabilities. That goes back to the establishment of trust in those networks, you know, have my people help you, you represent a private sector entity that has, you know, a critical infrastructure mission. We have a national security, local and state level interest in getting that information out there. They've been doing that through local and state intelligence fusion cells, a lot of them have been, you know, based off of the counterterrorism intelligence fusion cells from the global war on terror, you know, Homeland Security push post-9/11, where the structures have just been repurposed a little bit for some of the more forward leaning states. But there's still that agreement of exactly where we need to disseminate this knowledge. And that's, you know, that's a very, that's a very nuanced area, both for intelligence production at a local level for local and state resources that don't normally do an intelligence function like that network intelligence, security, intelligence, you know, business intelligence for a vulnerability perspective. So the guard still has, I think, an area to grow with that. And I think that comes down to better awareness. I think the Department of Homeland Security, the FBI, NSA, Cyber Command, those big federal agencies, they put out network defense bulletins all the time. And they've been much more forward leaning than they have in the past. If you go on their website now, you will see joint bulletins from all five agencies and sometimes other agencies from different countries. They're, you know, it's a matter of transitioning that network awareness down to a more state local level, using that type of model that I think we really that's an area where I think would be a great place for future growth.

 

Sean Martin 37:19

Marketing.

 

Hunter LaCroix 37:24

Marketing and awareness, it's all people know your product exists, they can buy it, you know, they don't know it exists, they can't buy it.

 

Marco Ciappelli 37:30

Well, yeah. That's how we started. I mean, we started this conversation. So if you if you don't know, that's exactly marketing and branding, if you don't know this product exist, it doesn't exist. I don't care how good it is, if I don't know it's there, right. But the other thing that I think is talking about marketing and branding, I mean, Sean has heard me say this a lot of times, but there is also kind of like a lack of real good branding from a cybersecurity perspective, because I'm thinking like, well, we go back to I'm not talking about marketing campaign in terms of TV, although a public service announcement will be cool, but I'm still thinking about the National Guard going to the school, right? Like the fire department goes and say, you know, something happened, this is what we're going to do. And then the kid looks at the fire, you know, the fire department, and people are like, wow, I want to be laid down when I grow up. You know, cybersecurity is cool. I don't know how many times I've said it is but we don't we don't act like it. Right. I mean, it should be something that a career of a kid say, Wow, these guys are making a difference out there. So it could be something that resolve also, I don't know, the gap in the industry that we talk a lot about. And

 

Hunter LaCroix 38:46

I think I think that's a great point. I mean, there is even even just an awareness level, you know, we had to explain to some local state task force, you know, this is your guard POC, and it's a matter of awareness, seeing, you know, the fact that the guard has a cyber unit, if you're going to a STEM, you know, coding class in high school is a great way to drive up that awareness for local STEM talent. I mean, it's, it's another reason why you see such such disparities and some guard units, because locally, they've got the talent. And once they know that the mission's there that they'll get it. I mean, Silicon Valley is a big portion. That's why the California Guard has such a robust cyber presence with with technical talent ready to go on the East Coast, you know, us in the Maryland, Virginia DC corridor, you know, pick a tech company, telco, they're here, and they're not just here in the boardrooms and the private sector and the public sector spaces. They're also in the local universities, people know, okay, I could, you know, I could go and join the guard and be, you know, a threat intel analyst or a, you know, network intrusion analyst or et cetera, et cetera. And what is unique about the guard from that marketing perspective is it's a little different than the traditional armed forces, is where you know the job you're gonna get when you join. And it is generally codified into your contract.
There's, you know, I'm sure there are folks who, you know, will say, my contract was different and fairness, caveats aside, generally you apply to the skill field in position, and that is what you're being actively recruited for, from a human resource perspective, I need an infantry officer, I need this, which is different than the Federal Reserve and military forces at the active duty level, which is you join the army and then branch into a specialty, you join the Navy and do that, whereas the guard has 20 jobs, and they're, they're putting in that job, and then you're joining the army, you know, it's, it's kind of a different way they do it. So, you know, that's, that's a very good point. And that comes down to looking at our cyber defenders as emergency responders, because that's what they are, you know, and that's, that's another portion of our studies. You know, we're sitting there saying, back to the original example, you know, what happens when there's a fire call the fire department, what happens when there's, you know, a flood, you know, call the guard, what happens when there's a cyber incident, you can call the guard too, and even just getting folks to say, that was a big, big, big, big win for us in some states, and in some some of our survey participants as well.

 

Marco Ciappelli 41:11

Whether there are ghosts, who do you call?

 

Sean Martin 41:16

Who doesn't want to be a fireman or policeman? Police person? Yeah, I, firemen, woman, you know, I don't know, but the gender on a bit? Who doesn't want to be in one of those roles add cyber to that? How cool is it? 

 

Hunter LaCroix 41:29

All right. I love that. And I think especially when we start framing it, as you know, tomorrow's digital, digital disaster and physical disaster intertwined. You know, it's not just, it is a fourth dimensional battlefield and disaster zone. Now, it's not just the physical part, I need a network defender too, I need somebody who can not only, you know, deal with the physical side of that disaster, I need people to watch what's happening digitally. Last plug for that is we're especially more vulnerable now than ever before, because our first responders have a lot of interlinked network devices and communication pieces. And, you know, some of the some of the best targets are local responders. One great example, Baltimore City, one of their major ransomware strikes a couple of years ago was their 911 call center. It was their ability to take 911 calls, if there is nothing more horrifying at a sociological level for a population as if you are having an emergency pick up the phone and call 911. There's no one there. That's, you know, that's that's something where now we've been trying to tell folks, you have your physical security aspects, but you're gonna have to make sure that they are running in parallel with your network ones too. And that's where there's a place for a network defender.

 

Sean Martin 42:42

Yep. Disruption is disruption. I think it's hard to figure all the scenarios out. Why why is both challenging, right? You just that one in itself is pretty powerful. And there are a gazillion of them. And it may not immediately result in a patient on a hospital bed passing. But it could have ultimately impact a lot of societies and I don't know, I don't we can go for hours on scenario. Yeah, I don't want to do that. I would what I do want to cover as we wrap here, though, Hunter is. So hopefully we get some more National Guard folks listening to the show now saying it and cyber. But a lot of lot of the audience are practitioners and security leaders and executive level security managers. And so maybe a note to that audience, specifically in the municipality, and those that work with them, how they might take a first step to, to take action on some of the things you've presented here today.

 

Hunter LaCroix 43:49

A lot a lot of it starts at the local and county level. Usually like any other disaster response, the request for assistance goes up from the lowest level, local, municipal and county level government emergency management agencies are a great place to start. If nothing else, they have contacts within their local state IT agencies as well as their guard units. One particular example of that is we had a local local private public sector folks reach out to us saying you know, who do I even contact and we set them up with their local state emergency management agency at the county level and explained you know, this is the process so just having a network to start, I would, I would look at your local emergency management agency. Nothing else as well. Local guard makes a difference to most of these units have geographically based personnel, as well as a guard office. National Guard Bureau generally has State Adjutant General's offices within every single state government. There are generally POCs there as well to reach out to but usually we recommend the local state emergency county level to start. If they don't have the personnel integrated there, then we usually recommend reaching out to the guard, Maryland is a great example, I'm gonna keep using them because they were they were pretty proactive when we were doing some of our initial survey work. They have that secret team of six or seven people, and they are the point of contact for, you know, the water industry, the the local power industry, if you're an executive that's running, you know, a utility company, knowing that I've got at least somebody I can call and we think we're having a problem goes back to that reassurance of you pick up the phone and dial 911, someone's going to be on the other end that you know, versus no one. There's no, you know, one of the most powerful things in a disaster is the feeling of being alone or not knowing who to talk to.
So if nothing else, building those networks and connections now, I think is the most important. And those are usually where we recommend folks start.

 

Sean Martin 45:48

Perfect. Perfect. Well, I'm, I'm super glad you brought this to our attention. And I'm grateful we're able to have this conversation with you to, to bring it to more folks and hopefully, hopefully raise that awareness. And help people understand that this service is there, if they need it. And Marco is great to have you on with me as well.

 

Marco Ciappelli 46:12

Thanks for having me, I learned a lot of things today. And there you go.

 

Hunter LaCroix 46:17

Thank you guys very much for the invitation.

 

Sean Martin 46:21

That's good stuff. And Hunter, perhaps you'll send a few links over that we can include in the show notes, got another specific cyber guard links, or maybe your study if that's available for people read. 

 

Hunter LaCroix 46:35

It should be available very shortly. And we're I'm waiting on the final publication now. But it will be actually openly available. We didn't put it behind the paywall or anything we we threw it out on the open Internet. Once the copyright piece is done, St. John's University is working on the last parts of the publishing now but it will be available to anybody to see it if they want to read.

 

Sean Martin 46:56

Perfect, perfect, good stuff. Well, keep up the good work and pleasure meeting a pleasure chatting with you. And thanks everybody for listening to this episode of Redefining CyberSecurity here on ITSPmagazine.

 

Voiceover 47:13

We hope you enjoyed this conversation. If you learn something new, and the story and share ITSPmagazine with your friends, family and colleagues. If you represent a company and wish to associate your brand with our conversations, sponsor one or more of our columns. We hope you will come back for more stories and follow us on our journey. You can always find us at the intersection of technology, cybersecurity, and society.