Okay. I'm going to take a special opportunity here on ThinkTech at three o'clock on a given Monday to tell you about our guest. She's Jody Ito. She is, wow, the Chief Information Security Officer of the University of Hawaii system. That's the whole enchilada. She is responsible for the security and protection of information assets across all 10 campuses of the UH system and the UH Affiliated Research and Education Center. That's UARC. She is also the Chair of Cyber Hawaii and the Program Director for the NSA's GenCyber Camps in Hawaii. And she co-chairs several other cyber securities. I don't know how you live with yourself, Jody. It's very busy, I have to admit, but I'm never bored and I'm staying out of trouble. I'm sure. To a moral certainty. Well, let's talk about this conference that you were a star at. It was not only that you were there. You were making fabulous remarks, important remarks. And Hawaii has a special place to be expert in this. It was called Foreign Intrusion into Academic Research and Training. And it was in April of this year. That must have been very interesting, very exciting. And you must have felt very comfortable in the discussion. Am I right? So I was actually very fortunate to be on a panel with two other very prominent speakers. One of which is Nina Epton, Special Agent with the NCIS. The real one, not the Hawaii one that's come. And also Sean Case, who's a counterintelligence special agent with the Defense Counterintelligence and Security Agency. So these are some of the federal agencies that we deal with. And their area of focus is, of course, looking into foreign, perhaps, attempts to acquire information within the state of Hawaii. And there's been definitely a greater interest, especially on China, based on the Department of Justice. They have their China Initiative that was stood up a few years ago.
And it is definitely making a lot of our Asian researchers that are here in the United States, even if they're United States citizens, very uncomfortable because they could feel like they're being singled out. But on the other hand, our government is concerned that the research that they're funding could be leaving the United States. So many questions, so many questions. And I really love talking to you about anything, but especially this. So what is China and any other country, Russia, for example, and who knows who else? Korea, North Korea, who knows? What are they looking for from an academic facility? What kind of information will really help them? It's clear if it's classified information, but there's probably boundaries around that, guardrails of some kind. But ordinary research, ordinary physics, chemistry, engineering, what's so valuable about those? A lot of times, the basic research that goes on, if they were able to grab some of that research and then they can use that to sort of leapfrog the research process. They don't have to spend the time and money investing to come up with that basic research, and they can just start a little bit higher and then just move forward at a quicker pace. So the federal government does feel that because so much of our research has left the United States, that they're accelerating, in this case, China, is accelerating its research capabilities such that they are becoming really manufacturing research academic powerhouse. You know, I almost sat on the jury for the federal prosecution of the stealth bomber who was a spy, made himself a spy, and this was about what, 10 years ago, so he was tried here in front of Judge Helen Gilmore, and he was convicted. Unfortunately, the timing wasn't right, so I didn't get selected on that jury. I would have loved to be on the jury to find out what happened, but this guy was a real fool. It was like fishing. 
They fished him into it, and they made him believe that he owned the intellectual property, and they offered him money and women and trips to Beijing. And I know this because we had the prosecutor on our show one time, and they took him to Beijing and they gave him the women, but they never gave him the money. It shows you his level of sophistication. He's in jail now, but the thing is that he worked for the federal government, and he did research and design for the stealth bomber. But what I find interesting about it was that he didn't start out that way. He started out confused, and somehow they targeted him and fished him, and then he began to believe he had a right to give him the information and a right to take consideration for it. It was extraordinary. And I think ordinary people, patriotic people, ordinary students, patriotic students, they're all somewhat at risk for being contacted by somebody who's going to corrupt them in some way to get that information. Am I right? So they generally target the people that they would feel is susceptible to coercion or just, I guess, the attention that is paid to them. And they are very skillful in how they position themselves. And again, as you mentioned, for this gentleman, it was the women. I believe there was a couple of other cases where, again, it was a female person targeting a male that had a position where they had access to sensitive information. And so they do target their individuals, and they do research on their individuals. So they know how to approach them. And maybe it's things like the attention, or maybe it's the recognition that they get in China for the information that they have. And if you build up enough of that, then, hey, you're sort of like, in my case, you'd be like queen, right? And then you'd be very willing to share your expertise. But most researchers, I think, don't believe that they can be targeted. They feel that I'm just a researcher. Yes, my work is important. 
Oh, but all of these people think it's really, really interesting. And let me help them, and then they can help me. Because in an academic community, it's all about sharing. Because that's how we grow knowledge. A lot of collaboration, a lot of exchanging of information. That's just the academic nature. And so it's a different culture when we have to start to think about, ooh, maybe I'm targeted, maybe somebody's trying to steal information from me. But that's not the place we come from originally. Sure. It's all, you know, in recent years, you and I have seen this in the best couple of decades. It's all about collaboration. Everything. I mean, all research now is global. All research is collaborative research. If you want to have a good career in academia, you need to collaborate. You need to have a list of your collaborating faculty and, you know, go research your people everywhere in the world. Then you look good. And that makes it, it makes you very vulnerable. So it seems to me, let me take a wild guess. The people who do this, the ones who try to, you know, corrupt our researchers, they pretend to be researchers too. Right? Or they actually engage with their Chinese researchers to engage with the United States researchers. And then the other thing they can do is they offer them financial assistance. Hi, we'll give you money to help you establish a lab here in the United States. And we'll also help you establish a lab in China. And then you can be director of both of them. But then the information gets exchanged very, very freely that way. Because now you have two bases of operation. And it's great, as you said, because they're prominent. They have their own laboratory. And that's huge as if you're a researcher to be director or principal investigator of your own labs and projects. Then hopefully you'll generate more research income. Right? 
Because what you want to do is leverage what you're already learning and creating that knowledge and building and extending upon that. So sometimes it strikes me that this could be perfectly legit. This could be a sincere and pure collaboration, academic collaboration, which has no political or espionage overtones. I mean, does that exist? Does that actually happen? Absolutely. So I think more than not, it is genuine collaboration where it's really just about the research and the learning and generating the new innovations. And that's really what drives academic community. It's just that when you get the one or two that infuse themselves and sort of like the bad apple spoiling it for everybody else. That's when I think then our federal government takes a bigger lens to it and sort of says, okay, well, maybe all of research needs to be looked at. But I think it's more about bringing an awareness to the researchers themselves so that they understand where those boundaries might be. And also just to explain to them the methodologies that our foreign governments use to try and acquire this knowledge. So the more we inform them, the better decisions they can make about who they want to collaborate with. And the other thing that I was just going to say, the other thing that's really important is collaboration is great, but you just need to report it. There's all sorts of reporting regulations when you have to deal with what is it? The international traffic in arms regulations. They have export controls. They have commitments, conflict of commitments and conflict of interest. And so if all those things are filled out, then you're probably okay. It's just when you don't, then perhaps the federal government look a little bit more suspiciously upon you. Yeah, well, that's interesting. So the researcher who may be shy, retiring, not ever believing that he's going to be involved in some kind of international intrigue, he may be targeted and not even realize it. 
And you have to help him. You have to help him define what the risks are and how he should be aware in a given case that he's in a dangerous spot. So, okay, so you're going to say to him, look, if you're going to do collaborative research outside the country with people outside the country or that involve laboratories outside the country, you really need to tell us about this and you're going to fill out a form. And then somebody else is going to look at the form and decide whether, you know, this is genuine or maybe a state actor is involved. And that's going to depend on a number of variables. So what's the connection? Do you administer that? Does the Naval Investigative Service administer that? Does the National Security Agency administer that? So for the research portion from the University of Hawaii, there is an export control office that actually looks at a lot of the things related to transfer of knowledge and transfer of technology between countries. So for example, if a researcher is visiting a country, and I'm not 100% sure, but you know, if they're visiting a country of interest, then they should pass the fact that they're going to this country to the office of export control so that they can help prepare the researcher in terms of what you can and cannot take, you know, devices, do you take your laptop? Do you take a sanitized laptop? You know, where would they be vulnerable when they travel to these countries? And they can also reach out to some of the federal agencies. For example, I believe the Defense Counterintelligence and Security Agency, DCSA, can also provide advice as such, right? And then they can talk about sort of the current trends related to that country. And so there is a variety of resources available to research here at the University of Hawaii, and then we will also be able to pull in our federal friends when needed. So it strikes me that Hawaii is a special place in this discussion because Hawaii is crossroads of the Pacific.
Hawaii has a lot of Asian students from Asia. Hawaii has a lot of Chinese students, brilliant students, students who make the university research programs, you know, fabulous. But they have a certain vulnerability, don't they? Especially if they were born and raised in China, and they go back there from time to time anyway to see family, friends, what have you. Do you have to look at them more carefully? That's actually a very interesting question. I don't believe at this time they would be singled out just because they're coming from China. But that's not to say that the Chinese government might not be leveraging their families that's left in the country to influence these students as they come to the university. So again it's about an awareness and making sure that the researchers who might be working on projects that perhaps China has identified as being of high value interest to them, we would advise the researcher who was then hiring the students for, and it's mostly hiring the students into their research projects. There isn't any way to say that, hey student, you cannot take a class. But it's more about diving into the research and being part of that generating of the new knowledge, where, you know, I believe the researcher should be a little bit more careful. Yeah, this is so interesting. So suppose, you know, I'm working on, oh, suppose I'm working on something and I'm filling out the forms, I'm answering the questions, maybe I even have an interview with some intelligence agency about what I'm doing and what the risks might be or advice given. They're the ones though, the intelligence agency are the ones that make the decision. Notice, I don't have to make the decision myself. I don't have to say, look, I'm in a dangerous spot here, I'm going to change the nature of my relationships, change the nature of my research to protect the United States better. 
It's the agencies that I'm submitting the forms to that will make that analysis and they'll look at their other databases and they'll figure out who's connected to who and they'll give me advice. Am I right? Is that the way it works? So to be clear, the forms that the researchers are completing are basically within the University of Hawaii. Unless the projects that they're working on, those sponsoring agencies have additional requirements for then the principal investigators to fill out. But for the most part, we don't or the researcher is not informing the federal government directly. What generally happens is that these federal agencies could approach the university and say, hey, you know, we think that this person needs further investigation. Well, that would actually go to our general counsel, to our lawyers, and they will actually validate the request to make sure there is indeed a legal purpose and it's a valid legal request. So the university does not just really give out information, even if the federal government comes asking for it. So we again make sure that, you know, we go through the proper channels to make sure it's properly vetted. But with that being said, though, the researcher themselves, they could directly reach out to the federal agencies if they wanted to. I have to admit, I don't think a whole lot of them do it. And if I'm if I'm working on on research, that I, you know, I mean, it doesn't take rocket science to know when your research is sensitive and can be useful in an international context. And I've been contacted by somebody and this person is slightly creepy and makes me feel I'm being phished. Then I should do something about that because I'm smart enough to know that I'm a target and, you know, this could this is this has the possibility of wrecking my career or worse. So what do I do in that case? 
So in those specific instances, generally, those projects have a program officer, somebody at the sponsoring agency that they can contact directly. But they can also come to the Office of Export Control, Office of Research Compliance, or myself, if you want to keep it within the university, and then we will be able to help them determine, you know, what their vulnerability or risks could be. So far we've been talking about, I think we've been talking about personal contact with somebody. But maybe some of this contact is not personal. Maybe some of this contact is phishing in the classical sense. In other words, you get an email from somebody who presents as legitimately interested in your work, and pushes all the buttons about, let's have an international cooperation and collaboration, and all that. And then, so you're not, you never really meet the person. You never see this. Does this happen? And how much more risky is it to connect on a completely electronic basis? That's actually a very, very good point. We actually, I don't have very much insight into what the researchers actually receive. But anecdotally, they have told me that they receive, we call them cold-call emails, where say it's a postdoctoral student that says, hi, I'm very interested in your project, I'm very interested in learning more about what you're doing, what projects you're working on, and perhaps do you have a position for me to come and work on your project. And they actually don't respond very often. But some of them feel that, oh, it's not in my area, I'll pass it on to one of my colleagues whose research area it is. And then all of a sudden, then that particular unknown person gets inserted into sort of a trust network, right? Researcher one knows researcher two. And then researcher two might believe that, hey, you know, researcher one knows this person, and might then open up to that postdoc or that inquiry.
So I think the thing is, again, about awareness and making sure our researchers are aware that these definitely could be phishing attacks. So how do you get that information? Is there some other colleague you can call at another institution even and ask about this person? Really, you need to do your homework and do your research. It's not as easy as it was, you know, 20 years ago, when everybody trusted everybody, and we didn't have all of this foreign influence that has been just escalated in the past years. Yeah, that's really interesting. So the advice would be you should not refer any particular cold phishing email to anybody else at UH or anywhere, unless you have done some due diligence on who this person is, and satisfied yourself that this person is not a state actor or a state agent. And while that's a great theory, unfortunately, most of us don't take that time to think about it further, right? I mean, I get cold-called by salespeople all the time. And they go, Oh, well, who in your department is doing identity and access management? And in general, we would normally just, you know, shift the person off. But nowadays it's like, Well, let me see if anybody's interested in your product, and they'll get back to you if they are, right? And then we just don't do that whole pass the email around thing anymore. And that needs to apply to researchers too. But because they're in this community of sharing, and a community of trust, it's really hard for them to get out of that mindset. I mean, I remember growing up here in Hawaii, we didn't lock our front doors, we didn't lock our cars, look where we are today. And so that's the analogy that we are right now in terms of academic research. How do we get our trusting faculty and researchers to now understand that we are really in a different age? Yeah, it's one great big happy global village.
You know, this just reminds me of this really interesting ad where they're, I forget what they're selling, it doesn't much matter. And this kid, he's eight or nine years old, and he turns to his mother, he's on the computer, he turns to his mother, and he says, Mom, what's the password on your 401k? Why do you want to know? Well, this man is asking me, which takes me to the next possibility here. And that is, I'm very chatty, I'm very friendly. I have this like fishing buddy now spelled the wrong way. I have this fishing buddy, and he says to me things like, you know, I really need to get into that database. I really need to see some of your, you know, internal research papers. Can you give me a password? Can you give me a link that, you know, of course, of course, it's so silly, but you know, sometimes brilliant people do silly things. Well, absolutely, because it's convenient, and you trust the individual again, it's this whole premise of trust. We actually have a very basic phishing scam that goes around the university every semester. It's like somebody impersonating a high level university official, and it's coming, representing that it's coming from that high level individual to somebody in that department, a subordinate in the department says, Hi, are you available? I really need your help right now. And then they actually will engage in a direct line of communication for a while until the attacker goes, I need you to go out and buy gift cards. And can you scratch off the back and give me the authorization codes on the back of it? Then they realized that there's this whole email thread going on with an attacker. But, you know, we in Hawaii were eager to please. And it's like, Oh my God, President Lassner is asking me to do something because he's stuck in a meeting and he needs my help. And, you know, people will respond to that.
So and the other thing that makes it difficult is when you're reading the emails on your small little mobile device, you're actually hiding the actual email address behind it. So even though it's coming from a Gmail account, you know, it might say, you know, President of the University of Hawaii, and you believe it's from him without looking at the actual email address. You always have to look, I'm in that habit, always look. What do you, all you got to do is click and see who it really is or not. And then you find if it's XYZ element OP on the domain. He said, Oh, this is different. But let me, let me go a step further. Okay. Let's talk about intrusion by way of hacking. It's all the rage. And, you know, where you don't even do phishing, where, you know, you find a way in a portal somewhere, and now you're looking directly at the data, the research papers, and it could be classified stuff too. And you're a really smart guy in a team of smart guys, somewhere 40 kilometers west of Beijing, and it happens to be an army facility, a PLA facility. And you know exactly how this works. And you're just trying to hack into university, you know, intellectual property. Does that happen? And what can you do to stop that? And what do you do when you find out that it did? The question, because it has happened here at the University of Hawaii. So we were actually attacked. And this is several years ago. And we suspect that afterwards, right, the Monday morning quarterbacking, we suspect it was China that was pursuing research related to maritime. And it wasn't just here at the University of Hawaii, it was occurring at other universities across the United States. And so we now have a buddy system of all my fellow CSOs at these places. But they came in using existing vulnerabilities that were not patched, or they came in via old operating systems that no longer have security patches available.
And once they get into one system, they see if they can get to other systems within the same network, right? We call that moving laterally. And they try to get into as many systems as they can. And then one or two or maybe three of them have what we call privileged accounts, root access, which gives you access to so many other things. And once they gain access to that, then they have basically the keys to the kingdom. And that's pretty much what happened here. It happened probably over the space of several months. But if you're not watching your computers very carefully, not looking at the logs, not looking at where the attacks are coming from, you'll never know. And do you look at the logs every day on your laptop? I know I don't, right? So how many people do it, right? And so you don't know. You really don't know what you don't know. Well, here's the thing, you know, the university is loaded with research. A lot of it is a ripe pomegranate for somebody who wants it, you know, a state actor, somewhere else. And I'm making a guess, but I assume that there's a lot of, what do you want to call it, independent laptops around the university, where you, Jody, cannot really control what's coming and going. You can't control, you know, what the wireless arrangements are, what the security, what this professor or researcher has put on it for security. And yet there is sensitive material on that laptop. And also that laptop has access to other laptops and maybe, you know, to other machines and servers at the university. So if these guys can get into his laptop, they can leapfrog into other machines. And before I know it, you have a general compromise. That sounds like a very difficult, a very difficult thing to protect against, no? Absolutely. So we at the University of Hawaii, we call that environment a highly decentralized environment, meaning you, Jay, you have control over your own computers and all of the computers in your department.
You can let people onto your network or not let them on, but you often forget to take off their user accounts, right? So now you have these unattended accounts that could be perhaps, we call them, where they're just trying to break the passwords on it, right? So with that, we try to create spaces within the university so it's not easy for the attackers to move amongst, like, say, departments or back to the institutional information system. So we call this network segmentation where you're trying to use technology tools to kind of keep those networks separated. So it's not easy for an attacker to move between them. But it is, it is a big job. I call my job herding cats. And so a lot of it has to be addressed by basically user awareness. So we have a lot of sessions teaching both the system administrators as well as talking to researchers and just even basic office staff about how to properly handle sensitive information, what you need to do to secure it. One of the big things we are pushing is using multi-factor authentication. So even if somebody were to get your password, they still can't log into your account because they can't get to that second factor to log in. Yeah, the cell phone, what have you? Yeah. Correct. What about, you know, what about ransomware? You know, the thing about ransomware is that, you know, the attacker not only gets paid, sometimes huge amounts of money, but he also can get the data. So it's a sort of double whammy to be the victim of ransomware, especially if you have data that he wants or she absolutely. Have you had any experience with that? So we had preludes of ransomware attacks. So in one particular instance, we got called by a federal agency and says, I need to talk to you right now. We saw credentials for, it's a virtual machine environment being sold on the dark web. And so you need to secure this immediately. So it wasn't within our main central data systems, but it was in one of our departments. 
And when we went to that department, they were able to confirm, yes, their environment had been compromised. However, the ransomware piece of it had not yet been installed. So what was happening is because the dark web and ransomware environment is so commoditized by these cyber criminals, what will happen is one group will compromise the environment and then sell the credentials to that on the dark web. Another group will buy that, and then they will then do the ransomware attack piece of it. So we were lucky that ransomware was not installed. We have had it in a couple of other places, but there was backup. So the units were able to restore from backup. So it wasn't a large-scale ransomware attack, like we read about in the news, where we have hospitals having to pay the ransom to get their medical data back from their patients. And because it's so lucrative, it's a huge thing. Like that's the number one thing our federal government is worried about now. Yeah. Well, you can certainly blow up a researcher's research by locking it up after he has spent, you know, or she has spent, you know, decades accumulating the data, making conclusions, whatnot. So that would be tragic on an individual career level and on the academic level around the country. One other thing I wanted to ask you about before we run out of time, and that's this, it's the 50,000-foot question. Sorry. So we live in a time where one show earlier today where this Chinese lawyer who lives on the mainland from China said, you know, that the U.S. is involved in a slow divorce with China, but inevitable, inexorable, this divorce we're having. And, you know, there may be a time when all of that can repair itself, but not yet. We have geopolitical issues. We have threats on various places near China, looking at Hong Kong and Taiwan and what have you, and threats to the United States in their own way. I mean, there was some Chinese military ships or aircraft or something not too far from Oahu recently. 
Right. And so what, you know, what we have is this slow divorce going on. At the same time, we have greater sophistication and what's the word I'm looking for, greater arrogance in terms of using hacking techniques, hacking software, hacking resources. And it's not only China, it's Russia. Do we know Russia, bad actors? And so, you know, we are all in a time when this is somehow likely to be worse and get worse. Do you have these thoughts? Do you agree with me? What do we do now when we know that these guys are going to be more aggressive about it next year than they are this year? So that's the hard part is that it takes constant surveillance, constant consideration of all the things that we do. What information are we using? How do we piece that information together? Where are we exposing that information? And we need to do this, not also at a university level, but at a government level, and also at a personal level. And it really is going to be about raising the awareness and not sacrificing your privacy and security for convenience. Because right now, everything is so easy and people say, yes, let's turn on Siri. Let's connect my phone to the car and all of these things. But wherever you're interconnecting these devices, wherever things are networked together, that's where you have the potential of your attacks escalating and moving out. So I am extremely paranoid about all of this. I have to admit, when I bought my car, when I asked the car salesman, so based on the technology in this car, can you guarantee that the data when I plug my phone into the car will not get siphoned off to your servers on the back end and then shipped off to my insurance company? So you know how fast I drive? But if you think about it, everybody needs to start making those types of determinations about how you use data and what you're willing to sacrifice for convenience. And do I think we're headed for a situation where it could be catastrophic? 
Yes, I think there's big concerns around our infrastructure, right? The Colonial Pipeline attack just this year highlighted that. And so the government has a renewed focus on protecting our critical infrastructure. But you know, that's not it. I mean, what happens if malware gets dropped into the chips that's going into all of our devices, right into all of the computers that we have, will information be siphoned off because we're not involved in a manufacturing chain? I mean, these are the kinds of things that kind of are beyond me personally, but as a community and as a society in a global society, we need to pay attention to it. How can we verify that that information in that chip is secured and has not been compromised? I don't have answers. No, and you can't tell me that malware is not already in my phone. I can't tell you that. That is true. Jody, I only have one more thing and I wanted to cover this because it's so interesting. And I ended up being part of this report and the foreign intrusion into academic research and training. But I wanted to ask this last question. What did we miss here? What was the takeaway that you guys came away with after this program in April? How did you feel? What did you conclude? What action points did you agree to? I know that's a big question, but sitting here with you now a few months later, what's your recollection of the takeaway of the program? So the takeaway with this program is really to make sure our researchers fully understand the big picture of why and why are you picking on China? Where we're not picking on China, it is because China is doing these things at such a large scale and the consequences could be serious and could impact the researchers' integrity and their reputation and we want to try and help them.
So the takeaway here is just to make sure that we keep putting information out in front of our researchers so that they understand all aspects, not only what countries could be attacking them, but where their vulnerabilities are in terms of the technologies and things that they're doing in general. Do they do background checks on individuals that are accessing sensitive data? Do they take away credentials when somebody leaves the program? I mean, it comes down to very basic things, but again, the researcher may not be focused at that level, so our job is to try to bring it in front of them. Yeah, and we the public, we should know about this. We should know the risks at the university. We should know the international risks of intrusion into our intellectual property. It's something we all have to be aware of, not just the people at the university. Thank you so much. Jody Ito, Chief Information Security Officer, University of Hawaii, all campuses, all systems. Thank you very much for coming on. Thank you, Jay. It's been so much fun. Thanks. Always. Thanks.