GET CYBER-INFORMED, ARKANSAS!
When you’re chased by a bear,
it’s not always the bear you need to outrun
Scott Anderson, Chief External Affairs Officer, Forge Institute
IT’S ONE THING to be “cyber aware,” to recognize—intellectually—that you need to be careful in your online dealings. But just knowing that “bad things” can happen does nothing to help you prevent those bad things from happening. It’s something else, however, to be “cyber informed.” When you’re cyber-informed, you understand how your online activities apply both to your work as a professional and to your personal life. You know which actions you can take to be more secure, more resilient, to protect your organization, protect yourself, and protect your family.
These are anxious times all over the world, and cybercrime is booming. But it’s not just the unorganized cybercriminals we have to worry about. Look at the armed and unarmed conflicts we’re seeing in various parts of the globe. There used to be a specific delineation between what nation states were doing and what criminals were doing, but those lines aren’t so separate anymore. Think about Russia hiring a bunch of criminals to get money to support their nation-state activities, or terrorist organizations using criminals to fund their global-scale terrorism. And what’s even worse is the thought that multiple nation states could be working together, utilizing their government experts and the criminals that support them all directed toward us.
I just listened to a podcast about the new “axis of evil.” Back in the 1990s, it was collusion between North Korea and Iran that concerned the world, and now it’s Russia, China, Iran, and North Korea. Arguably any expert, in any field, will tell you that our biggest threats are those four countries. If they start collaborating on efforts, where does that put us? That may sound alarmist, but take it from someone who spent decades in the military: It’s something to be concerned about.
So where and how do we begin to prepare a defense against four nation-state adversaries and an abundance of cyber criminals? People don’t know what they don’t know, and almost everything in our lives is technology based today. We have immediate access to information on our phones and everything in our homes is connected to WiFi. Smart TVs, thermostats, home virtual assistants, kitchen appliances, and cameras on our doors are just a few examples. This is all wonderfully convenient and the intent is to make life easier and more enjoyable. But to be truly cyber informed, we also need to understand the risks associated with some of that.
We need to read the policies and the acceptance agreement when we install a new app so we know what permissions we’re giving that app. Does the agreement say that by clicking, we agree for it to have access to our contact list that might have the names, addresses, emails, birth dates, phone numbers, and other sensitive information of all our friends and family members? Do you give it permission to track you across multiple devices and multiple different applications? If so, does it really need that in order to do its job? I would argue that your social media app does not need access to your bank app or to know what’s in your Google search history. When was the last time you “cleaned out” your phone? The apps we no longer use should be deleted so they don’t still have access to any of our information.
The broadband initiative around the country, and specifically in Arkansas, has some risks associated with it. People, both adults and children, are getting online for the first time ever, and they’re sharing information about themselves and their families. Have parents talked to their kids about how to be safe online, about what information they can and shouldn’t share? Maybe they don’t even know how to talk to their kids about that, but there are resources out there. Whenever I give talks about being cyber-safe and cyber-resilient, I make the point that you don’t have to be an expert; you just need to leverage the many resources available to you. There are true experts, like the FBI or the Department of Homeland Security, who do the research and compile it into easy-to-understand awareness materials. And there are so many more groups and agencies who put out best practices about being more secure personally. You take advantage of these resources and it’s going to transfer into the workplace. And vice versa—when we implement good security procedures at work, those tend to follow us home.
I WANT ARKANSAS to have a cyber-informed workforce. Idaho National Labs has created a curriculum for cyber-informed engineers, and they’ve established various certifications for that field. I believe that we at Forge Institute need to take that to the next level to make all of Arkansas cyber-informed, and earlier this fall I made a presentation to the Arkansas Center for Data Sciences about training cyber-informed apprentices to accomplish just that. This includes basic cyber hygiene—don’t leave your default password on your home network, do have multi-factor authentication on your devices, and so on—but it goes way, way beyond that.
No matter what apprenticeship role they’re in, they need to be cyber-informed because if they do great things to protect themselves from a cybersecurity standpoint, it’s going to trickle into their work. It’s a cultural change, and it will change behavior. So they need training and workshops to understand what cyber incidents are and how to respond to them, both personally and professionally. If you get a virus on your phone or your personal computer, what do you do? Don’t wait until it happens—prepare for that ahead of time. Don’t wait until your grandma gets an email or a call saying that her grandson’s in prison in Mexico and she needs to wire money—have that conversation with her before she gets that call.
We all need to be having those conversations right now, before things happen. And when they do happen, you need to know how to report them. Who do you report cyber incidents to? Law enforcement? Your Internet service provider? There are multiple people who need to know. This all goes back to Forge’s mission and vision. We have forged, and are continuing to grow, strategic partnerships between the public and private sector, because we need to work better between those sectors to tackle a cyber problem that impacts all organizations.
I think everything we do from a cybersecurity standpoint, both personal and business-wise, has national security implications. While you may not think that posting your grandmother’s Christmas cookie recipe on your Facebook account can have national security implications, the 500 likes or comments that you get may signal to a bad actor that you have influence, and they may push propaganda to you in order to get you to share what they want from you. Most businesses are in some way tied to critical infrastructure. Think of who owns that critical infrastructure—it’s mostly the private sector. So if we’re going to secure that infrastructure, we need cyber-informed professionals trained at all levels.
As far as what this training would look like, Forge hasn’t yet developed it as a specific course, but we’ve done webinars to help organizations be more cyber-informed. We already have four hours of curriculum that every professional should complete—every single professional. Name a job that doesn’t use technology these days, in some form or fashion. It doesn’t matter what your specific occupation is, part of your base knowledge should include being cyber-informed. Then there might be another hour or two that’s specific to the industry you work in. In the military, we didn’t focus on checking off a list from a compliance perspective; we focused on how we would continue to execute the mission if something bad happened. Businesses would be wise to run the same way.
Another term I use when talking about cybersecurity, cyber-safety, or cyber-resilience is “leveling up.” You don’t have to go from worst to first overnight. By continuously making the right changes and adapting procedures for the better, you can gradually “level up” to where you want to be. A line I use in my talks is, “When you’re being chased by a bear, you don’t need to outrun the bear; you just need to outrun your buddy.” I say that jokingly, but there’s a lot of truth to it. Those who make themselves harder targets create less risk that they’ll be a victim of a cyber incident.
At Forge Institute, we created and run the Arkansas Cyber Defense Center to help small businesses and public entities understand and identify risks, as well as ways to minimize those risks. In our general awareness briefings, we present an analogy that a member of our team, a former law enforcement investigator, came up with. We show a slide depicting a house with the doors wide open, the garage is open, the windows are open, there are no fences or gates, all the lights are off, and nobody’s home—you can just see that this house is totally vulnerable. Then on the next slide, the doors and windows are shut, there’s an ADT alarm sign, a “Beware of Dog” sign, exterior motion lights come on as you approach the house, there’s a fence around the house, and you can see cameras looking over the entry points. Which house do you think the criminal’s going to go after? Your cybersecurity should be taken just as seriously as the security you invest in for your home.
From a cyber standpoint, there are certain things you can do to “level up” that are going to make you less appealing to criminals and other adversaries, because they have to spend considerable time getting in. So if your doors and windows are locked and your next-door neighbor’s aren’t, the bad guys are just going to pivot over there because they can get into 10 of those systems in the time that it takes to get into your one. When it comes to cybersecurity, I want Arkansas to be the house with the locked doors and windows. And it all begins with every one of us becoming cyber-informed.