 Welcome back to the Cyber Underground. I'm Dave Stevens, your host here every other week, talking about cybersecurity and all the things that relate to cybersecurity, especially in business. We're going to talk about that today with Andrew Lanning. What I know about business. You've got all the right problems. You were telling me yourself. Yeah, it's been business. It's been busy. I'll say that. Integrated security technologies, low voltage, physical and electronic security. That's your deal here in Hawaii, right? You work a lot with the DOD, state government. Critical infrastructure, yeah. That's our niche. We do the, I don't know, once a month tag on defars for dummies. CMMC. That's right, the new cybersecurity maturity model certification that's coming out. Yeah, the CV7. Did you get through that yet? I have not. Yeah, me either. Every time they add more rules and they kind of modify the old ones and then they say, well, this doesn't look right. So we're going to switch them all. So the numbers don't line up anymore. That's always fun. I think they're on track for January launch though. So I'm personally hopeful that we had that stable set to drive towards so we can start to get people ready. I was just reading an announcement that Katie Errington, who's that director, for that program under secretary, whatever her title. But they have a vision for getting the supply chain to have the resilience that the DOD requires. And in Hawaii, our small businesses here really need to pay attention to this because otherwise the DOD that we support will find someplace else to operate. If we can't deliver the services that they need to stay operational and deliver them in a secure manner. And this article I read this morning, it was from, it was a gov now, one of those publications, but she was like, if you think it's too hard, goodbye. Saying stuff like that. I was like, whoa, so like, you know, it's going to be basically get your act together or go work in the private sector and just say out of DOD business. But even in the state of Hawaii, with 11 military bases, representatives, offices of FBI, DOD, F of CIA, NSA, everybody's out here doing something with a DOD. It is hard to be in a private business in the private sector and not touch that. I think so. I think it's, I think people, when they really look at who they work for, they'll find themselves is a tier three, maybe a tier four, maybe even a tier five provider. And perhaps the requirements won't flow down that far. However, they're going to continue to be looked at it for at least that baseline tier one type of cyber cyber hygiene, right, because the supply chain is part of the problem as we, as we've sort of discussed. And you could appear downstream and not even know you're in the stream. For sure. Yeah. You could be supplying straws to the cafeteria on base and you're going to be scrutinized. You may, you may very well, because someone may decide that the amount of straws that a certain base buys is indicative of how many staff work there. And perhaps that's protected information or something like that. You know, you never know. Yeah. Right. So I always give the example. I was working for a company who did interior space modeling for buildings on base. That wasn't considered even sensitive. Sure. Way back when, but now people know if you know the interior space, you know where the highest ranking people are, because they're the biggest offices. You know where the motor T is, you know where their weapons and ammo is, you know, every ingress and egress off the base. Sure. And so if you're an adversary, that type of information you want, if you want to attack that facility. So, you know, this is a, I think it's a little, there's a change in mindset. And I mean, the change flowed down from government as well, right? They've always, we've always had confidential, you know, secret, top secret, top secret, universal, NATO, all those other classifications for information. And no one really was looking below at what they're now calling controlled unclassified information. And so the supply chain in general just needs to, needs a little bit of a wake up call with the material, how it's handling it, how it's securing it inside of its own data systems. And that's really what this is about. And I think it's long overdue personally. I mean, you know, you and I have been in this space. We know how, you know, badly a lot of this material gets handled. And, you know, our adversaries are just kind of taking advantage of that, you know, and they're compiling vats where they call them data pool, data lakes. Now, keep your data lakes the term. I guess it's not a database anymore. It's a data lake. There's so much of it. And you know, they're putting all this stuff together and they put two or three different facets of something together. And all of a sudden that becomes quite valuable to an adversary. And that doesn't take a human to do it anymore. When you make that data lake, you apply some fuzzy machine logic and machine learning. And you come up with questions that you didn't find. Fuzzy logic. You go back away with that one, that one in the Navy. That's when we were building those little NAND nor gates and all that stuff, right? Yeah, yeah. Well, the old story about today is you're compiling data, and I think as a supermarket on the mainland started this trend, they compile a whole bunch of data using those membership cards. This is way back, maybe the late seventies. And they realized that on Friday afternoon, right around four to six p.m., they were selling tons of diapers and lots of beer. And they didn't know what's going on. So they went in their database and they found out, well, these are all males in this age range and they seemed to all have children. They filled out that survey. And so they found out these guys were coming home on the last day of work, picking up diapers for the family and thinking, hey, I'd like some beer. So they put the diapers and the beer back to back on an aisle. In the store. In the store. And they doubled their sales. Nice. I thought, okay, that's brilliant. Yeah, yeah. From there, you know, casinos, they double sales of beer or diapers is the question. Oh, you know, I never asked. I never asked. I guess it wouldn't both. Yeah. It's probably just double beer. That's what I'm thinking here. Yeah. But you know, casinos picked up on that. And, you know, this is all information that, you know, Vegas, I go to Vegas. Sometimes we gamble, you get the chips and you use them. I didn't know that. But in 2005, the wind casino started this. I was so angry because I got the idea at the same time they baked an RFID chip into their casino chips. Nice. So as they're giving them to you at the window, they slide them across a reader, all the serial numbers are registered to you as a player. Now, wherever you use them, play them, win them, whatever, all the serial numbers are yours, go to other casinos, they track you. They know how much you gambled, how much you're willing to lose what your behavior is. And so, and they know you're in Tahoe or you're in Atlantic City or you're in Vegas, and they send you those deals. Hey, we'll comp your room. If you come out to Tahoe and play Kino like you did last three times. Wow. It's all that kind of same logic. So now, if adversaries gather and gather and gather all this data and put it up there and apply a little bit of artificial intelligence to it, they're going to start getting that information back that we didn't think was critical but could be used against us. And I think let's talk a little bit about InfraGuard. I think that's why we start poking the hornet's nest as it is, putting private and public sector together so we can share information and become more effective at protecting ourselves, right? Isn't that what InfraGuard's all about? Yeah, for sure. It's a public-private partnership with the FBI. It runs out of the Office of the Public Private Sector. And we do have an SAC, which is the Special Agent in Charge of the InfraGuard program in D.C. as well as each of the field offices across the country. 77 different field offices all have an SAC, but they also have for us a PSA, which is a professional service alliance provided by the FBI. Yeah, so out of our field office here, we have an agent who works with the InfraGuard chapter here. So each chapter has an assigned age, like some of the larger chapters, LA, San Diego, they I think have two. I think over 3,000 members in both of those chapters now. Well, what's the mission and what do you guys accomplish in InfraGuard? So first and foremost, I think we provide advocacy for the FBI and for the mission of the FBI. And when I say advocacy, we are out there in the community. So we come across more community problems. And again, it started as really a purely a cybersecurity effort 20-plus years ago, but it's become all hazards today. As we talk about the adversaries and threats and square footage of a base, for example, that's not necessarily cyber information. But anyway, so giving more outreach into the community. And when I say the community, it is a defined community. It isn't just the guy on the street. There are 16 critical infrastructure sectors that have been defined by DHS. They're under the National Infrastructure Protection Plan, which was revisited, I think in 2013, they got a refresh. And each of those sectors, which you can imagine telecom, healthcare, energy, nuclear has its own sector, the financial sector, the defense industrial-based sector. Each of those sectors has a certain component to play in the national security and the national and the economic security of our country. And they all work together. So having expertise in each one of those sectors that can bring back information. And we have a portal through InfraGuard provides us with a portal. Each member has a login to the portal. And we can report indicators of compromise. We can send in malware if it comes into our facility. And it lets the FBI get some visibility that, wow, maybe the west coast is getting, the financial sector in the west coast is getting attacked with a certain type of malware or certain type of phishing campaign. Or the nuclear facilities in different parts of the country are starting to see this some weird attack on their firewall. So it gives them a little more information that we are helping to advocate to bring that information to where if you're not, if you don't know about InfraGuard or you're not around them or you don't have members of your organization that are part of InfraGuard, that information is not getting up and it's not getting the help that it may need or the visibility that it may need. As a community, we get, because of the FBI, and they're primarily an investigative arm of all of these different sectors. So that's their role. Actually, I shouldn't say that. So DHS has a role in most of those sectors. FBI primarily works for the defense industrial based sector, along with DSS. You can imagine that in the financial sector, you have the Treasury Department and DHS. So it's different Department of Agriculture has the food sector has agriculture and DHS. So DHS is in most of those as an element. But there are also elements that are agency specific that also work in those different sectors. So InfraGuard, we have all these sectors. And so across the country, now we have 77 chapters, broken up into six different regions. The National Board is composed of about 13 or 15 folks now. We have over 70,000 InfraGuard members across the country in all those sectors. So you can imagine how many more boots on the ground that gives us, you know, the concerns that they may have for critical infrastructure in Nebraska, for example, are not going to be the same sort of concerns that we may have here in Honolulu. You know, we're not even close. So we share the same concerns. I'll give you that one. But our, you know, our maritime environment, just for example, or they don't have any port facilities there. So, you know, the maritime, you know, InfraGuard chapter there is probably quite smart. I don't know this for a fact, but it's probably small. Well, there's probably a couple of big lakes. Well, they have dams. Sure. And dams is its own, you know, sector or subsector. Yeah, I got to say, it's nice that this organization exists because the organizations are feeding information to the FBI. We don't live in a society where the government gets into your organization and pulls that information out. There are societies that we know of right now that are very large countries that do exactly that. But we live in a society where the government won't do that without a warrant, at least they shouldn't. So we're feeding them the information. I like that that's the direction it's going. And we also get help. You know, if you have a really problematic breach in your company, there's a bit of a size standard for the amount of monetary impact. You know, FBI is not going to show up. You got 10 bucks stolen out of your checking account, for example. However, it could be that 5,000 people got $10 stolen out of their checking account. That might be a case that they would take. So let's take a really quick break. There's a place of bills. We'll come right back after a one minute break, and then we'll get right back into what we're just talking about. Till then, stay safe. Welcome back. Joining us right now is Andrew Lanning of Integrated Security Technologies, Hawaii. We're just talking about InfraGuard and how people can report incidents and they have monetary level that they go for. And you said $5,000 for one person may not trip any bells, but if 5,000 people lost 10 bucks, there might be something they want to look into. Possibly, sure. And I mean, so this is, I mean, I don't pretend to know that level of what the FBI asks is a go or no go. It's going to be like grand larceny or whatever the definition is. There's a really good thing about InfraGuard is that they're present. We know them. We know how to call and ask. And if it's not a resource that they can provide, then they can probably get us some help some other way. Well, there's a, you know, they're obviously they're here in support of, and they meet with our really critical out here infrastructure sectors, right? So energy, financial is very big here. Maritime's big. And I want the community to understand that these guys are all working together. We have a sort of a unique environment here in Hawaii from a critical infrastructure perspective because we're on an island. And because we're on an island and we have such a DOD presence, there is a lot of cooperation that occurs in these agencies. I think that there's a public perception. Several islands. Yeah. There's been across several islands. So there's even more cooperation needed, yeah. Exactly. And I think there's a, I've talked with folks before who felt like, you know, there's a lot of bureaucracy and politics in government and that they don't work together on this stuff. But the rooms that I have been in, they are absolutely joined at the hip. And when we send information up, whether it goes up to DHS, up to NSA, or comes from one of those organizations down, it gets filtered properly and sent to the right group. And because, again, it may be investigative in nature, maybe that it's, you know, DHS does a lot of surveys of facilities that they say what their C-set tool. So there's just, there's ways that information should be parsed to be made valuable to the broader public. We don't need to hear secret and top secret information out here in the public space because then everyone would be here. Talk about the C-set tool really quick. So they have a way, it's changed recently, it's now risk-based assessment that they can go. And what DHS is trying to do is get a picture of it. Let's just say, for example, all the sport arenas across the country. What is their level of vulnerability to let's just say a drone attack or let's say a cyber attack shutting the whole place down and causing a stampede or just like you have fire safety, they're trying to establish a facility readiness. And more importantly, DHS would like to be able to grade those facilities against each other so that we know why. You know, we've really got a lot of need in the western region of the United States compared to the eastern region. Just for example, I don't know the status of the arenas in the country, but that's the kind of idea. And again, they're looking at trains, they're looking at stuff that moves fuel, stuff that moves liquid propane gas up in natural gas from the Gulf Coast all the way up to New York City, for example. All of those types of systems, dams, all need to be assessed all the time for their readiness and for their vulnerability to attack. And then if they were attacked, what's the downstream? Is there 200,000 people that could drown or 200 million? So all those sort of questions are the type of readiness that DHS is trying to establish. And because it's risk-based, that lets us sort of prioritize where to put funding if it becomes available for certain things or to prompt certain industries to shore themselves up. If you've got a bunch of refineries that are level five and you've got a couple that are level one, like, oh, these level one guys really need to be taken care of. It's nice to know that the money is going to follow a logical decision making. It's the idea. Not too many people have that kind of faith in the government. They think it's really corrupt, but these guys are really trying to take care of it. And it's super serious. I mean, we say I've been in the Leadership Academy, we said it. And the Leadership Academy was a little bit more about all the good things that's happened with InfraGuard and the growth of InfraGuard. But at our annual convention meeting that we just had a couple months ago, we sat in a room with NSA, DHS, FBI, and we did a lot of threat modeling. And it was really valuable to have blue-red teams, you know. And so someone's modeling defense, someone's modeling offense. And unfortunately, all the defense has failed and all the offense has won. But, you know, that's a place to start from. You know, if you don't know what you've got, if you don't table top these scenarios, you really don't know how vulnerable you may be. And so that was really insightful for someone like me, who's that's not my normal daytime job. But watching it run by guys who do it on a national level and I think a global level in some instances, because we have bases and embassies and other things across the country that they got to protect. And DHS doesn't do embassies. But when I meet with these groups or when I've been met with or briefed by these groups, it's amazing how closely they all work together. And when there's some major case, it seems like almost every department's had some sort of a hand in helping supply the intelligence, vet the intelligence work. They just all work together. And it's amazing when you're up in DC to see that, you know. It's a big difference from the pre-2001 world. Big time. Yeah, DHS came up as a reason. There was no department of Homeland Security in 2001. Right. So I think that was part of the problems and the breakdown is we had gathered the information so we could have actually intercepted those terrorists, but we didn't share information. Yeah, after Oklahoma City, we set up Clinton, I think it was Bill Clinton, right? It set up what the act was. There was an act. And what it did, what that did is it got all the agencies competing with each other instead of working together. And so after 911, after that attack, then Bush put them together and said, no, no, no, we're going to pull everyone together under DHS. And I believe that the outcome of that has worked very, very well. I have to ask the Coast Guard about that. Sure. I think it's a good thing. Yeah, they did. They got absorbed. I don't know if that's good. I can tell you, when you go to the briefings here though, DOD, bar none, expect Coast Guard to be at the table. Yeah, that's good. And they always mention them. I mean, always. That's great. So and maybe that's our environment. Again, we're a maritime environment, so Coast Guard's a lot more active out here in these investigations, but they're a great group out here. They've got their own mission. They've got their own intelligence guys. I mean, they're their own cyber guys, you know, it's a good team. And several bases. It's a good community out here. Yeah. So it's a good, it's a good to work in. It's kind of odd to go to the national meeting I was at with, you know, all the, some of the western states like Idaho, for example, and their InfraGuard group is just not as tightly tied to all the organizations as we are out here. And so, you know, my, my vision of what InfraGuard can be is, is a little different than what, you know, they look at their local community a little more, their city, maybe out into their counties, but they're really not thinking like statewide, whereas that's just kind of my view because we're just, we're not that big of a state. There's not that many people here. So as a small business owner, should I become part of InfraGuard? I think that anyone that's in, in, if you're into safety, if you're into security for the community, if you've got some bandwidth, and if you've got to, especially if you've got some specialized knowledge in your sector in Hawaii, it could be transportation, for example, we're a huge, you know, distribution and transportation sector here. And it's important to the outer islanders. It's just as important as it is here on Oahu. So just for example, that, that sector, I think is underserved out here. So yeah, if you, if you, or if you have subject matter expertise about a particular component of a sector, I think that you belong in InfraGuard. We did have quite a bit of discussion about that at the Leadership Academy. InfraGuard is doing well with, I think, 70-80,000 members. And we're not, they're not looking to just add, add hawk, add members. What they're really looking to do is to add members that are impactful members of a sector. So if you're interested in InfraGuard, you don't know anything about it, go look at the NIP sectors, National Infrastructure Protection Plan sectors, figure out which sector you work in, in your business, and then see if one of your IT teams or one of your owners or someone from your organization that's got expertise about the activity in that sector, has the time to donate to InfraGuard and come out here and help educate the rest of the community about the vulnerabilities that are, that you're seeing in your sector or the things that, that keep you awake at night thinking about, wow, what if this happened? And maybe no one else even knows that that could happen because they don't have the sector expertise that you have. What is any outreach opportunities from InfraGuard? So yeah, so we actually, yesterday, we had our last meeting of the year yesterday and we have a cyber range. It's a cloud-based range. And so what we're going to try to do is set up some training for InfraGuard members on the range, which is cyber, not, that's not what's captured the fly, but more like scenario attack type scenarios where they are emulated attacks and you learn to defend them. You know, customize environment. It could be environment like you run at your office or an environment like I run in my office. And the attackers could either be another team or it could be set up by the, the range itself. It's in the cloud. It's a cloud-based service. So what we thought about doing was sponsoring kids, bringing kids in as part of the team. And it's about 300 bucks a head for a session. So, you know, get the local businesses to each sponsor kid. It's usually 20 people at a time. You know, and we thought, so, so InfraGuard's looking to get into some of this kind of kind of work, definitely. And we did also do the, we helped out with NC SAM last year, the, you know, in, in November we have National Cyber Security Awareness Month. And so we always gotten teaching the libraries and teach around town. So I've done that type of activity along with Rainn Ode who's been on your show. I think you've done some of those as well, right? We're very tired after doing that. Yeah, yeah. How young are the kids? Are you going to approach some in middle school? We think so. I mean, it's just, we just talked about it yesterday. This just became available to us. So yeah, I think, I think we should be out in the kids teaching. You know, Bob Monroe, who teaches Hacker High School. Sure. I'd like to be out there talking to his kids about InfraGuard and what we're doing. You know, we don't really have a chapter for kids. We do have a couple of college students in InfraGuard now. That's good. Yeah. One was there yesterday, as a matter of fact. So, you know, there's, there's that level of, again, we were looking more for that subject matter expertise in the sectors is kind of what we're looking at. Now there, there are SMEs in that are identified that also could come out and speak to us. We have cross sector councils now, like for the, I'm trying to get one going for the security industry, as a matter of fact, because we have people that work in every sector and all 16 NIP sectors, right? And so we do, we turn it into video surveillance system quotes or access control system proposals. The flip side of that is there's vulnerability there that's not being protected. Like if they don't accept the proposal and they never do anything, there's this vulnerability information that we have about a facility that we can. But that never happens. Once you put a proposal in it, you make a good recommendation. Everybody just buys everything. Sure. It makes me happy. I'm telling you, we, we do busy. But, you know, the, the idea that, you know, we as an industry, I think have some value we can bring to InfraGuard. So I'm hoping that, you see a cross sector council that's, that's electronic security industry based. Does InfraGuard have funds to bring people out? I know we're going to get messages from people who want to come speak as a subject matter expert for InfraGuard Hawaii. Only if they're on vacation, we're going to get you off the beach and bring you in for a talk. There are some, and I talked to some. So I met with, I happened to go to an FCA Bethesda event when I was in DC last month, and Ron Ross was there from NIST. And so I talked to him. So he, they're, they're, they're, those guys are funded to get out here. InfraGuard doesn't have funding for them. But they, they don't, it's tough to, it's tough to, tough to justify for the bank for their buck. Right. To come out here and do one talk. And so what we really need to do as a community is get together with NDIA, FCA, HICTA, these other organizations, and get these guys out here to talk to multiple groups, you know, several speaking sessions set up for them so that they can, you know, have some community impact. And it's not, you know, just the InfraGuard group. Strange. I've been to several conferences here in the islands this last year, and I didn't see InfraGuard representatives. I know. Why not? Why are we? Well, we're, we need to get you out there. I got, and Russell's been going too. So we, we were at a interface. We went and spoke to as is. We went and spoke to HICTA. So we have been making the rounds just, you know, because it's kind of like, well, what's InfraGuard? What do you guys do? Yeah, right. My panel discussions for some of the local groups, I think next year we'll be definitely be in front of ISC squared. You know, we're going to continue to do that. And then we are, you know, we finally got a banner and we got some other stuff. So you'll start to see us at more and more of these events talking up InfraGuard for sure. We don't need to know who you are. Yeah, exactly. That's the first mission. With our last 35, 40 seconds here, give us a plug for InfraGuard and why people should participate. Well, if you're concerned about protecting the community, and you're concerned about national security, and you're concerned about economic security, and you've got expertise to offer, check out InfraGuard. It's infraguard.org, I-N-F-R-A-G-A-R-D dot org. It's free. By the way, did I mention it's free? So it's the right price. Sign up and come see us. It is a little scary when you sign up. They make you give the social security number. Sure. So that was, I was apprehensive about that. But I, you know, if you look at the cert, the HTTPS, that's, that's all valid. And just spell InfraGuard, right? Because if you miss spell it, you're going somewhere else. Yeah, you'll be going somewhere else. Thanks for being on the show. All right. Thanks, brother. Good to see you. Thanks for joining us. I'll be back in another couple of weeks. Next year, we're going to be doing a lot of remote hosting with all our guests are coming in by remote. So the studio is going to change a little bit. Look for some updates and some really special content. And until next year, stay safe.