Okay, good morning everyone. I'm Adrian. I'll be your host for the beginning of the session. I'm the Chief Operations Officer of the CyberPeace Institute, a non-profit based in Geneva, Switzerland, long way from home. Today we're going to talk about how you hackers can help protect high-risk communities, working with the government, with industry, with academia and with civil society. So it's just to give you a glimpse of what you can all do to contribute to protecting the most vulnerable online. So today I'm surrounded by a fantastic panel and I'll in a second introduce all of them. I just want to tell you a little bit more about how the session is going to be structured. So we're going to do half an hour of introductions, five minutes each, so you understand a little bit better where we come from, what we do to help protect vulnerable communities. Then we'll ask you to contribute. We are doing this session at DEF CON because we want to hear from you hackers how we can do better, how we can protect better those communities. So we're going to break into three small groups and we're going to go in depth into how hackers can help the government. So we have representatives from the government here from CISA and USAID, how hackers can help industry. So we have representatives from Microsoft and from McDermott Will & Emery, a law firm, and then how hackers can help academia and civil society, representatives from UC Berkeley and the Institute. So without further ado, we have David from CISA who's going to tell us a little bit about the high-risk community initiative that the Joint Cyber Defense Collaborative is launching, has launched actually. We have Maurice from USAID who's going to tell us a little bit about the aid efforts of the US abroad and how to invest in cyber-poor environments around the world. We have Monica from Microsoft who's going to tell us how Microsoft contributes and industry can contribute to protecting vulnerable communities.
We have Mark from McDermott Will & Emery who has just concluded a study on volunteer networks to see how we can provide assistance at scale to these high-risk communities. Then we've got Sarah who's representing the consortium of cyber clinics out of UC Berkeley who's helping students help non-profits around the world actually, not just in the US. And then myself, I'll tell you a little bit more about who I am and what we do out of Geneva for the entire world. So thanks a lot for being here. We expect this session to be engaging, dynamic. Feel free to ask questions, raise your hands. We'll also break into smaller groups so you can contribute directly. And David, I leave you the floor.

Hi everybody. Hope you can take me seriously. So I'm really happy to be here discussing this. I actually met my fiancée who's right over here when I tweeted at her like six years ago because she had written a paper on cyber volunteerism and the Estonian Cyber Defense Corps. And now we're here on this panel at DEF CON on our two-year anniversary, the first time we had our first date to talk about cyber volunteers. And we're getting married in two weeks. All right. So actually I can't read. So I'm actually switching here for an awesome colleague of mine named Emily Skahill who actually runs the high-risk communities planning initiative. So forgive me, I do have some notes because this is not my particular program. But you know, the reason we're here is organizations that are highly vulnerable and lack capacity to implement cyber security programs probably constitute the majority of organizations if not in the United States and certainly the world as well. And our director, Director Easterly, loves to speak about multi-factor authentication but I can tell you my dad doesn't know how to implement multi-factor authentication. It might be as easy as buying a YubiKey but he doesn't even know to buy a YubiKey.
So there are some basic things that the folks in this room know how to do that some very important organizations across this nation don't know how to do. What we're here to talk about is how to leverage your expertise to help the most vulnerable organizations out there. So I work in the planning branch inside the Joint Cyber Defense Collaborative, which is inside CISA, which is inside DHS, which is part of the federal government of the United States. And we're a nation of planet earth and we're in the solar system. And our function in the planning branch is to convene the federal interagency and the intelligence community with a bunch of different industry partners to select very specific cyber security outcomes and actually do proactive planning to achieve them. So one way to think about it is, if a lot of information sharing is about managing the problems we have, the planning we're doing is supposed to either solve those problems or make them much, much easier for us to manage. So APT actors deliberately target civil society organizations across the world to undermine their ability to exercise democratic rights that are essential to the health of our political economy and the political economy of nations across the world. So CISA launched the high risk communities protection planning effort to improve cyber security for high risk communities. So we define high risk communities, which is admittedly a nebulous term, to really mean civil society. And we chose this focus because they are frequent targets of APT actors, advanced persistent threat actors. They have low capacity and low levels of government support and industry support, generally speaking, today. So we're talking journalists, human rights organizations, NGOs large and small. So we have three goals for this initiative. A is to raise the cyber hygiene baseline for civil society.
B is improve the resilience of organizations that have been targeted already and three is increase government and industry support for civil society through real commitments. So how are we doing this? We've, not we, Emily has established three working groups with over 30 industry and civil society partners and they are focused on, the first is cyber threat intelligence, right. So a lot of the cyber threat intelligence out there is generally very enterprise focused. It's not a lot of useful CTI for individuals or for small NGOs. And that matters because a lot of NGOs operate in a bring your own device environment, right. So we want some deliverables such as new threat products that actually describe risks specific to high risk civil society organizations and individuals and doing some more information sharing generally between organizations in that space. The second working group is around awareness and accessibility. So in October, cyber security month, we are going to have a dedicated website up and running. Hopefully it will have cyber trainings for civil society organizations. Our vulnerability management division has a Ready Set Cyber program that either allows or will allow someone to take an assessment based on our cyber security performance goals, determine your level of maturity and then recommends CISA free services that we can deliver to address those gaps. And then we're also going to have a database of cyber volunteer organizations and programs. I have a bunch of slick sheets that I'm going to hand out later. It's got a QR code on the bottom. Please tell us what you know about cyber volunteer outfits that are out there today. We want to collect the list and we want to put it out there. So if you want to get involved you know who to contact, so everyone knows what's going on. So if funders want to support this space they know who's out there. And then we're going to do an awareness road show for civil society organizations through conferences such as this.
And then finally the third working group is around operational collaboration and best practices. So this is about getting companies like Google and Microsoft and folks with a lot of resources who have been paying attention to this issue to work more together to enhance the landscape for NGO security and risk management. So an example: let's get Meta, Microsoft, Apple to actually reform their threat notifications because today they basically just send an email that says hey, you've been targeted. Can we give a little more information, right. Can we provide some actionable things they can do or creating an actual channel for sustained communications between industry and key civil society nexus points such as, oh my God, what is the Canadian organization. Yes it is right. So organizations such as Citizen Lab that do a lot of work here. Let's just make sure there's sustained communications. So we are executing the plan right now. It's just been finished. It will continue to live on in a dedicated program office next year. And I think that is all I have to say. So thank you very much. And I also say really quickly if you're looking for chairs there's three up here up front and a few over on that side if you'd like to sit.

Thanks David. That was a really great introduction. Good morning everyone. My name is Maurice Kent. I work for USAID which is the Agency for International Development. I will go into a bit of background. Most of you are probably not as familiar with USAID as you are with CISA. So USAID is an independent government agency. It's part of the National Security Council structure. It's been around for about 50 years and we manage most of the foreign assistance budget overseas.
So we do global health capacity building, agriculture capacity building, economic growth, governance, disaster response, energy, basically every sector in 70 plus countries around the world where we work with governments and civil society and private sector and all of those partners to help promote local capacity building and objectives and well-being, but then also, you know, as those relate to USG national security interests and political interests, diplomatic interests and that sort of thing. Throughout the kind of history and development of all of those projects that we have, you know, many hundreds and hundreds and hundreds of contracts and grants and partnerships. All of those programs have digital components and they are generating data. People are working, you know, more digitally and of course we discover that all of those programs have vulnerabilities in many cases. We'll focus specifically on the high risk communities, the same kind of organizations that David mentioned, whether they're human rights defenders of minority groups, LGBTQI groups, whether they are journalists, civil society organizations, other security poor organizations as well. In many cases and in many of the countries we work, those, compared to other places in the US and elsewhere, those high risk communities are extremely vulnerable and facing substantial threat with even less safety net than they might have in the US. Sorry, my notes went away. And so over the past, I don't know, ten years, ten, twelve years, USAID has, as we're doing, you know, capacity building and helping those organizations do their day jobs better as well, we've been looking towards supporting them with a variety of cybersecurity and digital resilience skills and tools. We have a couple of different programs. Either they are indirect, so we have the Greater Internet Freedom program which provides through Internews resources for a series of independent networks of hackers and digital security consultants that work in 30 plus countries.
I run a contract called Digital APEX which hires security companies, hackers, some of whom are DEF CON participants, to go to countries we work in and provide training and assessments and all those things up there. And then we have country or regionally specific programs that work on resilience of civil society and at risk communities. As we continue to develop those resources we're really excited for the CISA high risk community program to come into existence and to work with them in bringing and leveraging the kind of massive resources at places like DEF CON, across the US and allied private industry and the hacker community, to continue to ramp up the availability of resources. You know, as that website and those trainings come live we'll be eager to figure out how we can localize that into different languages and stuff so it's easier to access, how we can continue to build more partnerships, drive international participation in HRC and continue to engage with the community here, with academics and others, to build up partnerships. And so I think that's kind of the discussion later, is I want to focus in on how we can use our resources to support broader partnerships and kind of wide reaching grassroots efforts, so it's not necessarily, you know, USAID has a partner or USG as a partner, we see that the partners had an incident, we need to go pay somebody to go and respond, that that resource is already in place and potentially, you know, that network is already there, that safety net is already there. So I guess I'll leave it there and we can go from there. Over.

Good morning everyone and apologies in advance for my voice. It's been a hectic DEF CON but definitely a successful one. So I am delighted to be here. Thank you to all of you for coming. As David mentioned this is the one topic that brought him and I together so it's certainly near and dear to both of our hearts and we talked about having these glasses on and being taken seriously so let's hope that we're getting to that.
But in any case, yes, my name is Monica Ruiz. I am a senior program manager within Microsoft's digital diplomacy team and I wanted to talk a little bit more about what Microsoft does in terms of providing support to high risk communities, and I'd like to go into three different buckets in order to sort of delve into those initiatives. So the first one is Microsoft makes it a point to share information throughout the year with a lot of customers, users of our tools and services, and so we have something called the Microsoft Digital Defense Report and this is something that comes out on an annual basis and it's essentially based on 43 trillion security signals that we receive a day that is then assessed by roughly twenty twenty five hundred security experts across the company, and this is a way for us to push out information in terms of what we're seeing across the digital ecosystem to then inform what are things that individuals can do to build better resiliency, to be better cyber secure online. In addition to that we have something that's a little bit more regionally focused and it's put together by the Microsoft Threat Analysis Center and so similar, like complementing the Microsoft Digital Defense Report. This is another report that we put out a couple of times a year that focuses on what is the regional state of affairs look like in a digital context and what does the foreign influence information space look like based on our vantage point. And so we essentially put a lot of this information out, again on an annual or quarterly basis, to be transparent about this is what we're seeing, this is what users can do to sort of better protect themselves. Secondly I wanted to highlight the volunteer aspect that Microsoft employees are very excited to be participating in.
So a big example of that would be the CyberPeace Institute from the digital diplomacy side, but certainly across the company we're delighted to volunteer on a program called the CyberPeace Builders which I know Adrian will talk a little bit more about, but it's essentially a very unique network of cyber volunteers across tech companies that provide support to critical sector NGOs to build their cyber security. And this is something that many teams across Microsoft contribute to and have helped now since the program started a couple of years ago so we're pretty excited about that. But in addition to that we are so excited and delighted to be part of the CISA high risk communities initiative that David covered, that Emily Skahill is so effectively running. We're involved across the MSTIC team, the digital democracy team and certainly the Democracy Forward team and we're plugged into the different working groups and so very excited to see how we can move that work forward and continue contributing on that front. In addition to that I did want to highlight the fact that we also develop free tools and trainings for high risk communities. We have a program called AccountGuard and AccountGuard essentially offers free trainings but also added protection to individuals that use our services, particularly Office 365 products, so they get advanced protection, advanced notification. But we also have a catalog of different trainings that we make available to civil society organizations that use our services as well and so that's yet another way for us to be a little bit more hands-on and provide more security to those types of groups. Lastly, I didn't include it in the slide but I would be remiss if I didn't mention it, is Microsoft's Skilling Initiative.
So this is something that we kicked off in October 2021 where we launched a campaign across different community colleges around the US and we're essentially working toward a goal of bringing 250,000 people into the cybersecurity pipeline by 2025 because oftentimes we do hear a lot about the talent pipeline, the fact that we certainly need to, you know, put in the work to bring more people on board in the space and so that's certainly something that we've heard and so our work with community colleges in the US is aimed at that. We're making curriculums available to all the nation's public community colleges. We're also providing training to new and existing faculty across 150 community colleges and we're also providing scholarships and supplemental resources to 25,000 students in the US and to complement that we actually kicked off in March 2022 an expansion of the program and so now we're working with 23 countries outside of the US to again help build this talent pipeline and create more of a community to address certain risks that are faced by high-risk communities but also broaden the scope and the community of folks that are working these issues in the space. So with that I'm very much looking forward to the breakouts that we'll have in a little bit and we'll hand it back to our moderator, Adrian.

Hi everyone, my name's Mark Schreiber. I'm from an international law firm, McDermott Will & Emery. We did a study of cyber volunteering that got published last March. The link should be there and up on the board. Looks like this, it's about 80 pages long. We tried to canvass the different groups, nonprofits, state government, universities, anybody doing this type of service. We then tried to break down those different organizations into pros and cons, strengths and weaknesses, what more they would need, how to organize this better. We began to understand that there was both a dearth of cyber security professionals.
There was a desperate need by smaller organizations, rural hospitals, civil society, you name it. I mean our firm does a fair amount of data breaches and day to day that's my job. It's a hard job even with the best of forensic investigators and companies. We have the largest clients who can afford and have enormous resources. How are smaller places going to be able to do that? So that was sort of the dilemma we wanted to look at and in an almost chance conversation with David Forsey, to my right, about a year ago here at DEF CON, he gave us sort of the impetus, well maybe a study of some sort would be useful. And that was the origin of what we've done. We tried to break it out into the differences between incident response and proactive cyber assessments, same things that large law firms do with their clients all the time, and drill it down to smaller organizations. And we ended up also coming up with a series of recommendations as a result of that, several of which, it seems, are now being adopted in the working groups that CISA so artfully and vigorously is now putting together. So just a word about how did this all come about? I listened to the Shields Up webcast that CISA did in March of 22. It's three hours long. At the very end, maybe two and a half hours in, a couple of the healthcare entities asked about services, you know, free or discount services. And the response appropriately was, you know, yeah, we have those, but it might take some time, maybe six to eight weeks for a pen test, we're understaffed, we need more resources. And it occurred to me at the end of listening to that. Well, what if there was some national catastrophic event? What would we do? I mean, we can't manage it for all of the cases and clients we do with all of those resources. So at the very end of that dilemma, and as a result of DEF CON last year, we decided to do this study. We made some recommendations.
They're in the beginning of the report, much of it's been tracked in the working groups and there's more to be done. And just the implementation aspects, how do you get boots on the ground or butts in the seats or whatever the right analogy is, that's the purpose of part of what we're going to talk about here until I encourage you all to participate vigorously in the cyber volunteering program.

Good morning. I'd like to thank you. Good morning, David. My name's Sarah Powazek. I'm the Program Director of Public Interest Cybersecurity at the Center for Long-Term Cybersecurity at UC Berkeley. I'm really happy to be here this morning and I'd love to get a sense of the room. Raise your hand if you're here from industry. A number of folks. Civil Society. A couple of folks. How about government? Lots of government folks. How about academia? Any educators or students in the audience? A couple. Thank you so much for being here. You know, academia isn't a typical actor in the cyber security space. A lot of folks double as teachers but not a lot of pure educators really come into the cyber security space but actually academia in higher education is becoming a huge player in providing services to under-resourced organizations across the country. So I'm here to talk about the Consortium of Cybersecurity Clinics and a really interesting model for serving local communities and it's based off of a really simple concept which is that you don't need to be an expert to be of service. For decades, students in schools of law and medicine have provided free services to their communities as a part of their core education. And a number of years ago, a few institutions, University of Alabama, University of Berkeley, or goodness gracious, UC Berkeley, MIT and University of Georgia thought that that model could actually extend to cyber security where a number of organizations that are providing services to their communities were really falling behind on basic cyber protections.
So we've been running these programs for a number of years. The basic principle is that students come in with no experience required, undergrad and grad students, all degree programs are welcome and for the first number of weeks they train them. They teach them basic cyber security concepts, basic cyber hygiene, they run through the cyber security performance goals that CISA has brought out, and they teach them how to be trainers. And then for the remainder of the course, the students are paired with a real client in their community that needs their assistance. So each of the different clinics function for different communities. UC Berkeley's is focused on civil society, in particular, organizations at risk of politically motivated cyber attacks. We actually work internationally, refugee organizations and folks prosecuting war crimes, helping protect them digitally online. But a number of other clinics serve really, really local organizations. The University of Georgia serves school districts and local businesses in the greater Georgia area. The University of Nevada Las Vegas has partnered with their small business council and connects with local dentistry and pizzerias and folks in their area to provide them basic cyber services. It's a really wonderful model and the best part of it is that the students get a lot out of it, too. It helps them get hands-on experience before graduating, which helps them get a real job because they can say, hey, I've done this before. I've worked with a real client. I know what this looks like in the wild and I'm prepared to continue offering these services. So I'm really excited to be here, really thrilled to be a part of the high-risk communities program at CISA and looking forward to talking more about clinics.

So, hi again. Adrian from the CyberPeace Institute. We're a non-profit based out of Geneva. It was set up a few years ago by the Hewlett Foundation, the MasterCard Foundation, and Microsoft.
And we have a very simple mission to bring about CyberPeace. Ambitious. And we try and break that down in three core activities. So first, we provide assistance to vulnerable communities. Second, we document how those communities suffer, trying to draw a line between cyber attacks and suffering of human life. And then we take those recommendations to public and private stakeholders to help them come up with better laws and regulations to protect these communities. When it comes to operational assistance to vulnerable communities, we have set up a program called the CyberPeace Builders that Monica, you were talking about earlier, that complements really well what the cyber clinics are doing because essentially when your students graduate, they have a venue to continue volunteering to protect vulnerable communities out of their, thanks to their employers. So the reasons we chose to work with corporate cybersecurity professionals are threefold. The first is trust. Because we don't have a professor that's supervising the help that's dispatched by the students to the non-profits, we need to make sure that the people who are helping know what they're talking about. And we need to be able to trust them. So we are working with reputable companies that we can vet and assess at scale, which we cannot do at an individual level, right? If you want a network of volunteers, you cannot vet individually 10,000 people without incurring massive costs. And so we work only with reputable companies and then we leverage the trust that employers have in their employees so that we can dispatch people who we know and know what they're talking about and will provide valuable advice to non-profits. The second reason is availability of talent. The biggest pool of cyber talent these days is in the corporate sector. So if we want to help massive amounts of non-profits and small and medium enterprises, small hospitals, then you need to tap into the biggest talent pool out there.
The third is financial sustainability. This is a core issue for us because a lot of volunteer networks have been created in the past and had to stop for the simple reason that they cost money. And people think that running a volunteer network is free because, you know, you don't have to pay for the resource. But it's not free. You still have to manage a platform, you have to come up with processes, you need to have people travel at events like DEF CON, you need to manage the community, do outreach, convince people that you're not a scam because you're providing free cybersecurity assistance so people worry that you're a scam. So there's some costs. The beauty of those networks is that they can scale up without the cost scaling up. So you can do a lot with very little. But you need to secure that base. When you work with the private sector, you're able to tap into their CSR budget and then jump into that because there are massive positive trends in the CSR world that allows us essentially to ask companies like Microsoft and MasterCard and HPE and Okta and Splunk and WithSecure and whatnot to give us their employees but also to pay us. Sounds like a double ask. It is. But companies understand why they've got to pay. It's not a small, it's not a big amount that we have to also consider it. There are four big trends in the CSR world these days that are fueling these types of opportunities. First, skills-based volunteering opportunities. If you're a cybersecurity professional these days, you work for a company and you want to use your skills to help, it's difficult. You're going to be able to help clean a beach, participate in a shelter, give food, things like that, which are very important and very fulfilling. But you're not going to be able to leverage your skills. So there is a niche there and we're trying to fill that gap. The second is snackable pro bono. So a lot of volunteering opportunities these days take time. They need you to travel.
They need you to spend a full day or more. And employers don't like that so much. They want their employees to be able to do their volunteering in between two billable hours, to be able to contribute fast, to use their knowledge and not worry too much about the whole logistics of it all. So what we do is we make sure all of the engagements are one to four hours. They're easily scoped. Volunteers come in. They maximize face time and the advice they give to non-profits and then they get out and we handle the rest of the relationship. The third is mounting ESG pressure. A lot of companies are asked to report on their ESG practices. There's been a lot of greenwashing in the past. And so when you're doing a skills-based volunteering initiative, you're allowing companies to align their social good with their business priorities. So they like that. And the last but not the least is a big trend now in the nonprofit world is what we call nonprofit services software as a service models. So we're trying to create a financial pipeline between the services that we offer and how we generate revenues to pay for our costs. In the past, most of the non-profits would just raise grants from philanthropic actors, governments, which is great. But at some point, these grants dry up because donors have different agendas. The money is not infinite. And so you keep on having to fundraise. The other drawback of that is that when you provide a service that's not financially valued, you can provide a service that's not qualitative because the people that are benefiting from it are not at the end of the day paying for it. So by reintroducing a financial pipeline, having the companies pay for what we offer them, we make sure that we deliver the companies and the volunteers a good experience.
And we also make sure that the non-profits receive a valuable service because if the non-profits don't, then they wouldn't come to the network and then there would be no offer for the volunteers and the companies. So these non-profits as models really are a game changer. The CyberPeace Builders were set up two years ago. We've helped so far over 115 non-profits around the world. We've got a few here in the US. We're working with large groups like the Kenyan Red Cross, like Doctors Without Borders, like SOS Mediterranea that are helping migrants in the Mediterranean Sea. We also help smaller organizations like Agamal in Ghana, helping to fight malaria. There's an NGO we help here called AIDS Resource, helping to protect people with AIDS. And so it's a variety of organizations which makes the volunteers, I don't want to say fun, but engaging for the volunteers because they're exposed to a variety of environments and very worthy causes. I'll close here just to say that when we set out on the mission to create the builders, we wanted to walk the talk of multistakeholderism. I used to work at the World Economic Forum, which is a big organization for multistakeholder collaboration. This is a perfect example of multistakeholder collaboration because we're working closely with academia and UC Berkeley. We have volunteers from the private sector that are helping civil society. We're providing inputs to the governments here in the US, in Switzerland. We're also working with cities, the city of Geneva, the city of The Hague, that are willing to have local companies help local associations. So it's a virtuous model that we're looking to scale. I'm actually recruiting. So if you're interested, come and see me after. But we're looking to scale this up and there are virtually no limits to the number of people that we can take in and the number of people we can help. So thanks a lot. I'm excited to jump into breakout groups. We're going to try and separate. It's a good turnout.
So we're separating into three small groups where we can dive into discussions. We'll rotate every 20 minutes so you get a chance to speak to everyone and talk about how industry, government, civil society and academia can help. And then we'll ask you to contribute. Take a few notes, maybe debrief at the end. But we'll all be grouped in an hour or so so that we can all learn from each other. Is that all right? Sure, take a look. Thank you. Thank you. We'll take an initial question over here. Yeah, sure. We're going to tell them where to go. Sure. All right, yeah. So do you want to take an initial question? No, it's okay. No, we can just tell them where we're going. All right, so let's do working group one. Government here, so David and Maurice. Working group two here in the middle with Monica and Mark. Working group three here with Sarah and myself. And anyway, you're going to speak to all of us because we're going to rotate. Okay? Thank you.

Everyone, thank you so much for staying up until the end. We really appreciate you. You had amazing contributions. The other group leaders were telling us that you really had fantastic ideas. So what this group will do because we know each other quite well, particularly these two, and we will capitalize on all of your notes. We will contribute to the high-risk initiative that CISA is leading. We will input all of those ideas into our thinking. We'll get back to you. And please do follow that QR code at the bottom of that page and let us know if you, either if you run one, if you know one, if you know somebody who does, we want to gather a list of all the volunteer outfits in the country and ultimately in the world. So if you know them, let us know so we can put that on our website. Thank you.