 Brandon Lester, your guest host for Security Matters Hawaii. I'd like to thank Mr. Andrew Leaning for letting us step in and take over an episode while he's out of town. Today's show is all about upcoming cybersecurity events in the Hawaii area. So I have two great guest hosts. I'm excited to hear all about what they had to say, so I'm excited to have some fun. I have with me Reynolds Hioki. He is the Hawaii State Cybersecurity Coordinator and Bob Monroe from Hacker High School and the Institute for Security and Open Methodology. Welcome guys, thanks for joining. Thanks for having us there, Brandon. We appreciate your host here. Absolutely. So for today, I want to go over all the different great cybersecurity events we have going on. I know between all the organizations that are interested in cybersecurity, helping community and really taking an opportunity to lay things out for students, college graduates and even all the way through adults and the elderly. We have a lot of programs available to us, but today we're here to talk about a couple of specific ones. Reynolds, why don't you kick it off? I think we have a slide and we're gonna talk a little bit about the US Cyber Challenge, correct? Yes, it is. So real quick, a lot of these things we're talking about here are kind of emerging. Bob has one that's been done before, but the first two are for the first time this year. So the first I want to talk about is the US Cyber Challenge. If we can get the first slide up here shortly. The US Cyber Challenge is really a program that is in two phases and the first phase really is a quiz and they call it the Cyber Quest. It's a challenge, it's web-based, it's free and the key thing today is it has to be done by this Sunday coming up April 14th. So why Cyber Quest? Specifically, Cyber Quest is the program that you're trying to qualify for a cyber camp. So really Cyber Quest is just the initial part. 
Cyber Camp is really what you want to go to and Cyber Camp is going to be a summer cybersecurity class that's going to go from 12 to 16 August and the catch to this is it's taught by SANS Institute professionals. For those in the know, SANS Institute is probably just an opinion, probably the best cybersecurity professional education, training, research, organization internationally in the world. So those in the know kind of will probably agree with me, although they're not the biggest name out there from a certification level, but those that are certified really know what they're doing. I always heard great things about the SANS Institute. And again, it's free. So again, two steps. First, sign up for the Cyber Quest and then do the quiz. Hopefully, if you do good in this quiz, you will be invited to Cyber Camp. Wonderful. So I see on the flyer we've got this first registration, a quick reminder that's got to be completed. Registration and completing the Cyber Quest by this Sunday, April. And for those that qualify, then they'll be invited to the Cyber Camp later in August. I'll jump in real quickly as an AFCEA Hawaii member and advocate. I know this specific event is being put on for the first time in Hawaii, correct? Correct. And we're doing it as a kind of community approach. We've got folks from AFCEA, ISC squared, and really a goal to make this as available to as many people as possible. Yes, indeed. Okay. So I just wanted to throw something out. You can go back to the slide again, sorry. In addition to the Cyber Camp, which is going to be occurring in August, this event's going to be surrounded with other events. For example, we'll have a job fair, an award ceremony. But within the camp, there's also a capture the flag competition. That's also a kind of cool thing for cyber security professionals or those that are just coming into the business. Last comment to this, if you go to the website, you will not see the camp specifically. 
It's not there yet, but it will be popping up as a camp here in Hawaii shortly. So if you don't know that, you might think you might have to go to another state on the mainland, but no, you're going to we're going to have it here in Hawaii. Okay, great. And one last time as a reminder, make sure anyone interested in participating goes out, registers and completes that quiz by this Sunday about 9 p.m. Hawaii. So Bob, how are things with you? Very busy, very exciting, a lot of stuff going on. Okay. We from Hacker High School perspective, we've got our week long summer course coming up in June, June 3rd to June 7th. It'll be at Mililani High School. It's open for all cybersecurity students that have been high school students that have been recommended by their CyberPatriot coach, their mentor or their cyber security teacher. It's free. We provide the textbooks. Thanks to Cyber Hui. And we'll have a pizza party at the end. The Hacker High School 2.0 course that we're actually teaching in June is the most advanced cybersecurity course ever taught to teens in the world, except for what they have going on in Israel within its under a mile. That's more of a military course. Then following that, we'll be doing another Hacker High School course and master program at Leilehua. And that will be the following week in June. And on top of that, we've got, let's see here, we're working on Hacker in a box, digital crime scene in a box. IBM has asked us to work on another project with them. And Microsoft is also asking us about doing a diversity program with them, focusing on teaching women and minorities about the careers of cyber security and how to get them into the field of security. Wow, that's great. And then we're also teaching data and a bunch of other stuff. Yeah, we got a lot of stuff going on. Yeah, I mean, it's textbooks. I see you have some gear with you here today. There's not a small lift. 
You probably put a lot of work into these classes and then going out and teaching and getting students involved. Yeah. Each class is different. For example, I've been teaching Hacker High School, Mililani High School every other Friday for their cyber security class. And that's been really, it's been really rewarding for me to see the students go from the crawl, walk, run phase and just explode in the amount of knowledge that these kids are picking up. They are very inventive. They're very curious. They've got lots of initiative. For example, the other day we were talking about deception tools and I showed them canary tokens. And okay, what else can we do with these canary tokens? Yeah, they can be notifications and whatnot. You can put them up with honeypots and honeynets and things like that. What else can we do with them? So then we got into all kinds of learning and things like that. The students came up with some pretty brilliant ideas on how to use those tokens and they're free. The canary tokens are free. Okay. Yeah, talk a little bit about those canary tokens. What is a what's the deception for folks that don't know? What is a canary token do for you in that world of Canary tokens are designed to racially trigger. Let's say you build a website or you set up a server and on that server you have got to put a file in there called log in. Of course, some malicious criminal breaks into there and they come across a file called logins. Take that file and as soon as they go to take it or they open it, the canary token will send a message back to you telling you that somebody's opened it and they're at this, this address, this IP address. They'll work, they'll do everything from documents to spreadsheets, URLs, you can put fake URLs hidden in there. There's a zillion different things you can do with these tokens that are just absolutely amazing from a deception standpoint. 
It's basically taking a honeypot and expanding it to where you can, if you want to go so far as to actually set up a payload. Let's say I want to set up a beacon. NSA was very good at doing this where they would have files download the file. A beacon goes off. So we can actually track where that document is going, what channels it's going through. If they're using Tor routers or things like that, we can still find the location of where it's going to go. Kind of like the treasure map finding where things are happening. Maybe they shouldn't be happening there and now you know. Yes, exactly. So in this world of cybersecurity, deception is a pretty advanced technology. It's really exciting to see that in the hands of high school, right? Getting them to learn what's possible as early as possible. And the other the other part about it is with Hacker High School, we teach protection. First and foremost, security, our definition of security is separating an asset from a threat. You ask 100 security professionals, what is their definition of security? You're going to get 100 different answers. For us, security is nothing more than separating an asset from a threat. Let's say, Reynolds is my bodyguard, I'm the asset. And he is to protect me from the threat if you were the threat. So that is security right there. What we teach in Hacker High School is how to protect an asset from threats out there. We don't focus on vulnerabilities because they change all the time and there's always a million of them. But if you focus on just the asset and protecting that asset, you have a much greater chance of having a secure environment. Makes great sense. And what used to be just make sure all your things are passed right away now. Oh, yeah, I mean, even authentication, authentication doesn't work. We know it doesn't work, right? You know, passwords and logins, those are horrible, right? Horrible way. 
Where else have we stuck with 50 year old technology, going from username, password and okay, we're still using username, password, right? So what we're looking at is intent. What are the properties of intent? Yeah, you might be an authorized user. But what you're doing on my network may not be good. So we want a computer to identify the intent. What is the intent of the user? Maybe you're on vacation. Somebody logs into your site pretending to be use boosts you or its access to your account. But it's now downloading or moving material that you wouldn't normally do the intent of that user now. Authentication kind of goes away then. Yes. Now the other thing about deception tools is, which gets very, very interesting. We have honeypots and honeynets and things. Now what happens when we introduce artificial intelligence to honeypots and honeynet, right? IBM Watson, that is an artificial intelligence. That also runs honeypot honeynet as part of the services. Now you've got an artificial intelligence that can repair itself and defend itself and think for itself. And it can pretty much protect whatever it is designed to protect. That's like the coolest thing in the world when you start breaking that down. That's great. So I'm a cybersecurity professional. When do I lose my job to that AI? When are they going to show up? And I don't need to work on the servers anymore. Well, according to the Department of Labor and Statistics, nothing is going to change for the next 30 years. Okay. We will continue to have a deficit of jobs, excuse me, a shortage of skilled labor force. And that's also where Hacker High School comes in. Our goal is to train teens on how to become cybersecurity professionals. Cybersecurity is one of the few fields, technical fields that you don't need a college degree to get into. You just need to know what you're doing. Now I got nine year olds that are running bash script. I got kids that are doing some amazing things on these computers. 
And if we direct them in the right location, say, look, you can start a career making good money. You're going to learn a lot. You're going to have a great time doing it. I have yet to meet a cybersecurity professional that doesn't just love what they're doing, right? So we start getting teens involved. Get them to help to teach other teens through our ambassador program. And the other issue we have is the teachers, a lot of teachers are not comfortable with teaching cybersecurity. So what we do is we'll train our ambassadors up or other high school students who've already gone through Hacker High School. We say, okay, now you go back to your community, you go back to your teachers, and you help them. When it comes to a subject or topic, and the teacher doesn't know it very well, now you step in and you apply information from Hacker High School textbooks, the information you have, you help out, you set up your clubs, you set up meetings to help out your fellow students, you become a mentor. As a cybersecurity community, I can't get other, we can't seem to get other professionals out there to understand that they need to mentor. They want the government to grow cybersecurity professionals and the government wants the industry to grow their own. Right. There's no magic solution. Except for Hacker High School. Okay, well, that's great. Well, we're going to take a quick break in just a few seconds here. And then we'll come back, talk a little bit more about some of the other events happening in Hawaii, CyberPatriot and how all these things can kind of come together so we can build that workforce. 
Welcome back to Security Matters Hawaii. I'm Brandon Lester, your guest host, and we've got Reynolds Hioki and Bob Monroe joining us today. We're here talking about a lot of the cybersecurity events, initiatives, many, many things going on here in Hawaii that are all really good, helping students end up really learn how to engage in the cybersecurity world and what we need as a community. Reynolds, I was just thinking about Hacker High School and how that's a great classroom environment. Are there any other initiatives that we have that really get into high schools and get folks interested? Yeah, sure thing, Brandon. So Hacker High is a really good program because it's actually curriculum. There's actually a textbook and there's instruction. But a lot of the other areas are specifically we're talking about is CyberPatriot. CyberPatriot definitely is not a class. It is a sport. It is probably the national cybersecurity sport for our middle school and high school students. So there is instruction but it's about competition. So a little different but they all come together. They're all kind of doing the same thing. Sure. I was going to ask who owns that program because it's a national program. So CyberPatriot is a national program. It's actually pushed up by the Air Force Association out in Arlington, Virginia. 
I've had the honor to meet the National Commissioner, retired Brigadier General Bernard Stott, who I actually worked for as a Guardsman when he was here at Hickam Air Force commanding the communication part of Hickam. So a good guy. He's actually come out and been our guest speaker a couple of years ago at our recognition ceremony. That was a big hit for us. We actually then had a motion mixer in his honor. About 100 of our CyberPatriot community showed up. That was a kind of cool thing. So CyberPatriot is the national cybersecurity, I call it the national cybersecurity sport for middle and high school. And basically for last year, I'll use that season, last year there was over 6,500 teams that participated. Hawaii had about 100 plus from about 50 different middle and high schools. So Hawaii is getting big in this and they're getting bigger every year. Two years ago we had only about 52 to 54 teams. So over the last couple years we have doubled. Wow. And I think that we'll probably have another increase after this summer, which is a program called Cyber Camps to Protect the Kids for CyberPatriot in this year. Okay. So that's all everything about CyberPatriot. Real quick it talks. It teaches basically to run platforms to include Windows, Ubuntu, Linux, and basic networks. Wonderful. All in virtual environments. Okay. So people don't need to be walking around with their big clunky servers anymore. Yep, they're coming off there with a couple of laptops. Usually it's about five students on a team working on the weekends, competing not against other people in the sense that they're not being attacked. They're just picking defensive measures basically. So they're protecting their system. Okay. And they compete basically with all the other teams that are protecting their system. There is no interaction. Okay. It is all defensive. And defensive is really the foundation where people need to start understanding. Definitely. 
If you understand defensive then you start learning about offensive. But this program is a defensive program. Okay. I mentioned that. I'm not sure if I mentioned it. It is a defensive program. Are there any events coming up? Yeah. So many schools have been doing a CyberPatriot for the last, that's the beginning when it started about ten years ago. And we as a community have always talked about bringing the teams together. Now let me just digress. So to compete what happens the teams go to their homerooms in their high schools or middle schools. They turn their computers on and they kind of close the door. So no one's going to, no one even knows if they exist. It's on the weekend, the classes are closed. The only visitor they'll probably get is if they order a pizza, is the pizza guy coming for delivery. And that's pretty much it. They might have their coach or their mentor there. Maybe, maybe not. But it's a pretty closed kind of competition. And so, yeah, so the students from one high school do not know the students from the other high schools. And there is no kind of mixing of our teams, which will probably be advantageous when they go to college. Especially when they become professionals because, you know, in cyber security it's all about sharing information. Right? So if you know the people. So we want to start that early. And so this year we're having what we're calling the CyberPatriot Invitational. And what that is is bringing all the CyberPatriot teams that want to come under one roof and basically have an event all focused around a capture the flag competition. Oh, wonderful. Okay. And the capture the flag is going to be a couple hours or a couple days. How's that event kind of work? We're kind of starting small this year. It's going to be a two-day event. The first day is going to be the 23rd of August. And by the way, this is going to be at Sacred Hearts Academy. 
And that is specifically targeted to the new teams, the new coaches, mentors, competitors, parents, those associated with the schools that really never had a CyberPatriot team before, but they're coming on board. So we're going to onboard them, explain to them what CyberPatriot is all about as a coach mentor, what your roles are. We'll have a bunch of workshops. It's really in the afternoon. It's not during the day, so after school. And we'll also teach the new students about what capture the flag is. We'll have individuals that actually base CyberPatriot before that will run these workshops for the kids. Because Saturday the 24th, we're going to have an opening ceremony and then we're going to go right into the capture the flag. And we really don't want the new students, you know, what the heck and just need to completely discourage and give up. It is a little hurdle to get over this type of event. But I think all of our kids would do very well. So that's the capture the flag event for the Invitational. So you take what would have been a bunch of teams that are all competing at a national level and then for a couple days bring them together, have one big cybersecurity community here in Hawaii, all the CyberPatriot teams playing together. Yes, those that of course we can't force anybody, but I think a lot of the teams will be coming in. I've talked to a lot of the coaches and mentors are very excited about this program. But it's a great opportunity because again one thing that's not quite being done is bringing the community together, which means, you know, how do we as a community do better? So my thought is a lot of these coaches and mentors would love to help the ones that are not as advanced and you know give them the tools they have or their tech, you know what they do. So you know would I help? Of course it would help a fellow team, but they may not they may not share the secret sauce that they have developed over the years. 
So collectively this will, our hope is it'll bring CyberPatriot as a sport in the state at the next level all the I think as you mentioned earlier cybersecurity really is kind of a team approach at a defense level, work for a company, you want to keep your network safe, right? There's us, the good guys and then some bad guys out there trying to get in, maybe they're bad, maybe they're just seeing what's going on, but gives everyone the opportunity to see how you work together as a team. And then did we put the slide up? We have a CyberPatriot Invitational slide. I had a couple things I wanted to mention right so there it is, CyberPatriot Invitational August 23rd 24th, Sacred Hearts Academy. This is relatively new the committee that's running it just made that decision on Sunday. Two days ago we're working very hard, we think we're ahead of schedule, I think this will be a really good event. So who's invited to the invitational? Really if you're into CyberPatriot, you're into high school, you don't you don't have to be a you can show up if you're an enthusiast in cybersecurity, cyber-piggy or high school. So that's really key to that. And again, in addition to the capture the flag, we'll have workshops, we'll have presentations, we'll probably have one or two cyber safety presentations for those that want to learn a little bit more how to protect themselves while they're online. We're always welcoming mentors, right? As many folks involved as we can. We definitely will need mentors, so we're engaging with the community and others. Again, just like US Cyber Challenge, the two sponsors of this is AFCEA Hawaii as well as ISC squared Hawaii. Those are becoming the two organizations that are really from a community perspective, specifically for our K through 12 and the new professionals trying to make a difference. Wonderful. Well, I know we only have a few minutes left and Bob brought some toys to check out here. Bob, what do you have? 
Well, because we're a global nonprofit, we teach around the world. Our lessons are translated in 12 different languages, so you can pick whatever language you want. And they're always being translated into a new language. We have translators that volunteer translator material. In a lot of the countries that we teach in, they don't have laptops and servers and everything for the students. Some of the countries we teach in, they don't even have constant electricity. So, Lee Herzog, our director, asked me a couple of years ago, how do we fix this? How do we allow Hacker High School to be taught in these places that have kind of more austere conditions? I said easy. We got these things called Raspberry Pis. This one has gone to sleep on me. Wake up. For example, this Raspberry Pi over here, this is running Kali Linux. And the nice thing about Kali Linux is it's a security platform. You can do penetration testing, you can do security auditing, you can do forensics, you can do your homework on it, you can do all of our lessons, you can do all of our exercises on it. It's got internet capabilities through Wi-Fi, Bluetooth, as well as Ethernet. And it can run off a four-pack of AA batteries for about 19 hours. So, for those countries that have a power issue, Raspberry Pis work very well. And there's quite a few other companies that make similar products like that too. This Raspberry Pi here is the newest one and that is running the Raspbian. Same thing. It doesn't have the security tools on it, but I can switch it out by changing out the microSD card on it. Okay. You can run pretty much any operating system you can think of. I got one that's actually running Windows. Not a great idea, but it will run up Windows. Wow. And these are very accessible and not very expensive, correct? No, not very expensive at all. Wonderful. But these are the tools that will enable the students and cybersecurity professionals of the future. Yes. 
Let them take these, go learn what they need to learn and continue to grow. And they can use them to scan the area to find out if there's any rogue access points or find out if there's radio frequencies that are being transmitted. Do that with a software-defined radio. Just plug it into the USB port here. As you can see, there's four USB ports. When was the last time you saw a laptop with four USB ports? Right. That's great. So it's very customizable. That's the nice thing about it. Wow. Well, we're wrapping up the show here, I think. So I want to thank both of you guys, Bob and Reynolds. I appreciate you coming on. Thank you for having us. I want to say thanks to Andrew for letting me guest host today. And we're at a point where I am really excited about what's going on in the community. And thanks everyone because community security matters.