 Welcome back to Cyber Underground. I'm Dave Stevens, your host. I have here with me my co-host, Mr. Andrew Lanning. Wait, Andrew, you're the security guy. The security guy? I don't know what you're doing to be here. That's my little ticker. Mr. Garrett Yashimi of UH and you're the vice president of technology. Thank you. And the CIO. Thanks for inviting me. It's wonderful to have you here. Thank you. Tell us a little bit about yourself. How did you get to be where you are today? So, you know, I've probably got like a thousand jobs on my resume. I've got one of the longest, literally I've got one of the longest resumes I've ever seen. Wow. I spent a lot of time doing tons of different stuff. Public sector, private sector, contracting, consulting. And interestingly enough, I worked for the university for about six and a half years, mid-2000s, doing infrastructure. So I worked under David. David Lassner, he was CIO. Went out to the private sector. Everybody knows his story, but went out to the private sector. My daughter went to college. Somebody had to pay for it. You came back? She graduated from college. So then I could come back. So this wasn't a plan move, but David ended up doing his president thing. Another big tech guy, David. Right, right, right. So, you know, and his, the job became open. Advertise, applied for it, worked out pretty good. So a pretty cool slot, pretty cool job. Interesting when your boss knows your job inside and out and better than you do. Good work if you can get it. Yeah, absolutely. It's the best job in the world. Hey David, what do we do about the, you know... He's got it under control, you know, so it's really a great place to be. We do a lot of really cool stuff at university. Infrastructure applications kind of across the board. We're one of the largest IT employers in the state of Hawaii. So from a head count, we're about 160 full-time, about 100 students. For the university as a whole, we're actually about a third of the total IT headcount. So we're a pretty distributed organization from an IT perspective. So 160 inside and about another 200 in change spread across the campuses. Some of the larger departments have their own IT groups. Fortunately, we all work pretty well together. Oh, that's good. Good to know. That's important. Yeah, yeah, and you know, it's, and it's hard. University is a pretty distributed environment. A lot of smart people around. Really? Yes. I wouldn't have thought. Tons of smart people. Well, you know, there's sort of the interesting... Two of them are here by the way. So the interesting thing about smart people is they really know what they're doing. And they absolutely know what they're doing. And sometimes it's hard to control it. So it's an interesting environment to work under. But we do tons of cool stuff. The university does tons of cool stuff. So I mean, so you have your perspective from the kind of the KCC side, the instructor perspective, and then we deliver ITS. The organizations that are responsible for it delivers enterprise systems, infrastructure, and services across the whole university. So some of the interesting numbers that kind of describe what we do. We have roughly 80 or 100,000 customers on a daily basis that use our stuff. We're one of, or probably the third largest ISPs, if you were consider us an ISP, providing internet services for a bunch of people in the process. And you got the huge data center now that supports the state in emergencies. Correct. You can fall back to the data center. Oh, they fell over you? Yeah. Actually, as Todd, Nakapuri, the new state CIO was evaluating his organization. They put a bunch of their assets into DR Fortress from an operational point of view. But they also needed to have a good DR site. And in fact, previous to that, the DR site was DR Fortress. So they needed to kind of separate the two. We had just moved into our brand new building with the new data center. And fortunately, we had some space available and worked with our public sector partners. We actually saved them a bunch of money too. Yeah. But we kind of broke off two rows of cabinets within the data center that's actually there. Now they're DR site. Have you taken a tour of the data center? Yeah, I've been in there. I didn't know that Todd has stuff in the vets. That's a great partnership. We need that partnership to save the state money, right? That's excellent. I think the numbers, when we did the initial release, I think the numbers were like $3 million a year saving him from commercial space. So they still, they still pay us. We don't do it for free, right? Because it was built-in. Yeah, we have costs, I mean, sure. Right. But we simply allocate costs that are attributable to those two rows. We actually fenced it in as a physical enclosure as well as kind of the virtual security. Physical security within physical, so defense and layers. No. Absolutely. Access is the vendor control, really. Keep them away. We badge them away when they come in and they're like, okay, that's the guy. Yeah, that's the guy. We want you for four hours, and like, didn't he go for lunch? Yeah, so we got him in care. We can tell when he walks out of the door. You got to badge in and badge out so you know what's going on. Okay, okay. Yeah, super cool place. Incredible building. I've been to a couple of meetings there. I've seen the data center. I took a tour and the people that run the data center, first class. And we have a couple of, they do internships for students there. So in addition to the full-time employees, we do a bunch of student employees. So probably at any given time, about 100 within ITS, including the operations area. So operations security, we do help desk, we do video production, applications, networking. We've got students all throughout the organization. Fantastic experience. Yeah, these are great. So these are great jobs. These are student jobs. Yeah. So you need to be a student if you come into those roles. We actually pay pretty well for student wages and great experience. So that's the number one, right? It's not the student shows up and just hangs out and does nothing. It does their homework. Which is the best job. I love those. Sometimes they do homework. Come into third shift operations. Sometimes it's pretty quiet. I avoid third shift if I can, but I know what you're talking about. So we actually have students on operations and monitoring. 24-7. On all shifts. Wow. So great opportunity to learn. If you need a flexible schedule, works pretty well for them. Yeah. I've heard good things. Your war room is pretty impressive. It's pretty cool. And given them the security mindset, right? Because you know these data ops centers and sec ops and DevOps and all that stuff's happening around the clock now in the real world out there. They get to see a picture of that and what that might be like. So it's better if we can draw them in now to the good side instead of having them end up on the... Exactly. They're always getting pulled into the dark side because the earnings are easy out there. The secret is you have cookies on the good side too. Because the dark side always has cookies. That's right. You also have cookies. You're balancing the equation. So I do take the opportunity to drop off food every once in a while. Nice. And second and third shift. Good. So we got holiday ops today. So they got... What did they get them with this morning? They got some sushi and some chicken this morning. It's a great job. You know, it's a good thing. That's a good gig. Yeah, it is. So cybersecurity is on everybody's mind now. We have to plan the infrastructure enterprise services across the UH system for the future. So you're always looking how far out, five years, 10 years, 20 years? As far as we can get away with it. And technology changes so fast. It's hard to make a cement plan for 10 years out. Because you don't know what's out there in 10 years, right? 10 years ago, we just got the iPhone. So you have no idea what mobile was going to do, right? And IoT now. How are you planning your infrastructure to handle that kind of security load for the future? So that's a really tough thing. And especially because it changes so much. The demands and the load on the organization from a resource point of view. So it's always through the needle. So the demand side, the needle is always pegged. So there's really no relief in the area and none in the foreseeable future. So what we have to do from an infrastructure point of view is we try to stay ahead of the curve from a provisioning and a setup. We have multiple appliances in the thread. We've got a number of automated systems that support threat detection, threat mitigation. But on top of that, like you said, our approach has been not to go with the total lights out approach, the total instrument and automation approach, but to layer people on top of that so that we actually have somebody that's always there. So our operation center is staff 24-7. So there's somebody always there, at least staff and students, usually a mix. But somebody always on the dial to say that, you know, okay, well, something's going on. Something's a little weird. We've got failures at certain places. We've got weird traffic showing up. The alarms are going off. The alarms start going off, right? So a lot of this stuff is automated. A lot of the monitoring is actually automated and can theoretically just go page somebody. But we've got somebody always at the screens and saying, okay, something's going on. Let's figure it out. This is the pattern we're seeing. Let's take our standard procedures, depending on what level of skill is sitting at the table at that point in time. Take our procedures. If we can address it right away, if we just have to monitor it, we can figure that out. It's cool. We can continue to take a look at it, see what's going on, see if it gets better or worse, what happens, maybe it clears. But if weird stuff is happening, it's impacting systems, impacting performance, pick up the phone, escalation. So when does that escalation get to here? He has a unique situation where your customers are some of the hackers, right? The kids are learning, right? They're out there. They're experimenting with Cali. They're attacking resources on the network that you gave them, right? They're not supposed to, but that doesn't mean they're not. They're supposed to virtualize it. We have virtualized environments where the little sandboxes where they can go attack and play. But yes, sometimes they do venture out. I think I told you my students attacked me. I remember that. That's great. I asked them to. They should get extra credit for that. Well, everyone of them got an A in my class, and it was worth it because all 23 students participated in not just our poisoning attack and all these other social attacks, but they built an ancestry.com profile of me to gain knowledge of. That's awesome. They took the challenge seriously. Yes, they did. I like it. They put 160 hours outside of classroom time. And you also got them to work together. You got them to work independently. That's right. You got them to work as a group. Those are all the things that are of very high value coming into the employment center. And a good portion of the students are now with Matt Chapman at UH West. Excellent. They're moving on to the ISA degree, the Bachelor's of Applied Science. So they're applying this stuff to the skater side of the house now. You know, I hope so. Yikes. Yeah. I'm actually going to talk to a couple of people about, so I was talking to, and I think I brought this up at our CIO Council brief that Sandy Labs in New Mexico. Right. They want to have some kind of electrical engineering program at an institution that also includes cyber because these infrastructure guys are great at what they do. It won't ever break, but it can be hacked. Right. So we want to have some cyber with the engineering, and we need to put that together. Maybe stick cyber into the electives in an EE program. Yeah. So we're going to start talking about that. Yeah. There's actually a bunch of places it should go. The great thing about seeing the university from the system perspective is not only, so the community college stuff, fantastic. Very responsive, easy to get to and connect to industry. But also kind of layering the four-year and graduate programs on top of that. Yeah. While we, it's no secret. So as you get deeper into the university, sometimes it takes a little while. Right? Sometimes it takes a little while to get the rock moved. It can take a little while. The thing that's really great though is there's a lot of concentration, a lot of focus, especially in the cyber security area on top to bottom. So from the innovation and research side, as well as from the four-year programs and the graduate programs, just interest in building it and working together to make sure that we add assets specifically around cyber security. Not just to business, not just to engineering and the technical side, but to business as well. Oh yeah. I would expect even art students should know about social networking. This should be required. Everybody coming in. Everybody across the board, doesn't matter. It's like taking English 101, right? Everybody should be able to take. Should take a cyber security fundamentals. Some kind of, yeah, basic technology stuff. Not everybody needs to know how to code. Not everybody needs to know to be an expert developer or networking person. To be your firewall. Yeah, right. Right. You can get somebody else to work for you too. But the basic knowledge across the board is absolutely critical for future productivity, for anybody going into the workforce, or anybody making a living. The other aspect is that the tech you guys got to understand business, because you don't get that funding for your technology program. That's tough. If you can bring value to the business, like that's the physical security that's gone through that transformation. Cyber security is going to have to make that transformation. It's not that the board and the C-suite, they understand they've got to protect themselves, but they need to understand that value. And it isn't just an insurance policy. You've got to bring them some value. So the data that you're pulling from those systems, it's got to be understandable to them. So you've got to be able to make a business case for the why. I need node protection. I need to protect each individual. I need carbon black on every machine. Why? I'm getting a message from our benevolent overlords that we need to take a break and offer a... They're benevolent now. Yes. I love it when the studio is benevolent. Awesome. We need to put our offerings in so we won't be spitting. So we're going to take a little one minute break. Hey, Bill. Hey, everybody. That's Ian, social media manager here at Think Tech Hawaii. Thanks for tuning in. Sorry to break into your show. If you're listening on the podcast, thanks for listening, watching on YouTube. We appreciate the subscription, et cetera. If you are a long-time listener or viewer of Think Tech Hawaii, you would know that we are on every day, five to six hours a day basically streaming stuff that's happening here in Hawaii that matters to everybody worldwide, basically. There's a lot of stuff that we've got going on and we're excited about many of them. 2017 is going to be really cool. Right now, I can tell you that we are on iTunes where you can listen to all of this stuff now. We're really excited about how that's going. And we have just started a on-the-street feature where we take a camera out to the street and stream live to you guys out there and getting what people in the local community out, what they want or are thinking about and sharing that with you. We're really excited about all that stuff. We're really excited about you guys watching and following us on all the social media sort of things, Instagram, Facebook, Twitter, all that good stuff. Look for us. Think Tech H.I. Watch us on Olelo. Thank you so much. Everybody here appreciates it. Hello. Aloha and welcome back to Cyber Underground. I'm Dave Stevens. I'm a co-host here. Andrew, the security guy. Sorry. Hey! Hello. And our guest, Gary Yoshimi from the UH System, VP of Technology. And CIO. And we were just continuing our discussion about technology in the US and the UH system. My next question is, when it comes to your organization, it's different than civilian organizations outside non-academic, so what I'm trying to say. I'm having trouble saying that. But how is your organization different than say regular business? So it's the same and different at the same time. A lot of it has to do with the way that the university environment is set up. So, you know, it was pretty interesting. We actually had the DHS guys come in, Homeland Security, come in a couple of years ago to do a full-on risk valuation assessment on-prem. It's super cool. Those guys are fantastic. They spent two weeks preparing, a week on site, and they did the debrief after the fact. But the thing that is really interesting is our environment looks like... So it's totally different from a regular corporate environment. Corporate environment, you lock it down. You got a fence inside, outside, inside. You do exactly what people are supposed to do and they have to do. You specify exactly what devices look like. You say what devices you're in, what devices are out. University environment? Nah, all bets are off. Bring your own problems. We welcome it off. All bets are on. So it's literally, the base environment is super open. Our security officers, I told you guys this a couple of times, but our security officer calls it the dirty network just by design. And that's the way it is because it's so open. So open, so wide open, and literally a playground for folks to do what they're supposed to do, learn, but also be able to experiment at the same time. And collaborate. Collaboration is huge in college. And that's one of the reasons the network is so open. But having said that, we also have the other side of the operation, which is enterprise services, which is in fact operated more like a corporate network. So part of the institution runs on enterprise services, the student information system, financial system, HR system. We don't do our own payroll. We punt that over to the state guys. But all of those systems that you have that runs a typical corporate organization are present within the university. And within that environment, we're actually pretty heavily locked down with so much personal information. Well, the R&D. I mean, there's so much R&D. That's the intellectual property there. Yeah, that steps. So that's really interesting. So the research side, especially, people think, well, research, unclassified basic research, no big deal. That's prime target. Sure. In part because it's basic research, but also in part because it's generally kind of in the open part of the environment. So it's important for us to really heavily monitor the stuff that's going on from a traffic standpoint, looking for kind of anomalies out of the ordinary behaviors. This is where the appliances come in. They do a really great job for us because, you know, you literally... So at the border, we're currently about 250 gigs to the outside world. Wow. Actually 250 each way. Wow. Well, it's an electrical pipe. Yeah, it's pretty interesting to see the traffic close. But in order to figure out what's going on, you've got to have appliances in the way, right? You've got to have appliances that are kind of... Monitoring the data. Yeah, the mass of the data first. But then when you start to see the things that stick out, you just look for the anomalies, you just look at the log files, you figure out what else is going on, and then you take the bodies and the eyes, the smart people, and you go analyze what's going on, and then you go chase down things that are out of the ordinary, a little bit different. It might be out of the ordinary, but okay. That might be... Sure. Perfect. Well, it might be somebody's research. Yep. Which has happened too. This is pretty interesting. We've actually had cases where research flows that... And they don't have to announce it to us, right? So research flows that happen to the security appliances look like anomalies. Sure. Because all of a sudden you see... You see a spike. This is your regular. Just kind of flowing out someplace else outside the university. But in some of those... And in many of those cases, it's interesting because the appliances will set alarms. In some cases, they'll be automatically locked down depending on how out of the ordinary the flows are. And then we've got to unlock it. And sometimes this is someone collaborating with somebody on a university. Exactly. Yeah. So you take astronomy data, you pump it over to somebody in the Midwest someplace, or international. International collaborates all the time. The traffic just on the graph will look really weird. But in many cases, it's actually what's supposed to be happening. And UH probably collaborates with NOAA and several other organizations for weather and climate and all these other great scientific principles. And the data must flow back and forth just in high volume. Yeah. But it irregular intervals. Right. You can't predict when... Oh, I'm going to press this button and share all my two gigs of data today. And... Oh, what's that? It flags. I was talking with the guys that do the near-earth asteroid detection stuff. Super cool stuff. And he sent it to Florida. Yeah. My numbers are probably wrong, but every six minutes, they have to take that entire picture of the sky and send it to Florida for analysis. I don't even know how big it is, but it's... It's big. That's very big. Right. You know, petabytes or something. Like every so many minutes. So this pipe size. And so I'm sure that, you know, if you haven't programmed for that, that's just going to look bizarre going out, right? Let me just stop and say that I am so glad that that's happening that they actually take pictures of the sky and look for near-earth asteroids approaching Earth. Yeah. Because ten years ago, I was hearing the NASA was like, no, we can't do that. Yeah. We don't have the budget for that. Well, I'm so glad we're doing that. If these guys find one, it's too late in the evening. Yeah. They're hanging on where you are. One of... This stuff's near-earth, like too near-earth. I'm sure they could be that scientist. Well, that thing's as big as the moon. Hold on. I think they're smaller, but it's like... It's unfortunate, you know. They're trying to rig up early warning for some of this stuff, you know. So you could know maybe... I think they really don't know where they're going to hit. It's not that good. I mean, at least they spot it. I hope they were... Put on your helmet. I got a two-parallel hat, but... Those guys are a lot smarter than people understand. Yeah. So it is very comforting to know that this stuff is going on. It's good when you can see... So you can see a little more than the general public gets to... And you have to support that with your infrastructure. Absolutely. You can't impede that. Absolutely. And at the same time, you have to secure that. Right. That's going to be a challenge. Right. So it's kind of a trick. Where's the fulcrum in that balancing act? I mean, where do you... Where do you put the point of where it... Yeah. Tipping point. Got no fulcrum. Nothing. That's just the floating point. Right. Right. Well, so going back to the infrastructure thing, it's all about trying to make best guess in future investment from raw infrastructure and then layering resources on top of that as best we can afford. So everybody's constrained from a cost-to-resource standpoint. Sure. But we balance needs and requirements throughout the organization and then best we can afford we apply it to the places that to us indicate the highest potential risk actual as well as potential. And, you know, so there is a guessing game that goes on from an allocation point of view but it is pretty important for us to make sure that we put enough resources in general into the area so that we can at least represent so that I can stand up and represent to my boss and the board that, you know what, we're doing a reasonable job in terms of risk and risk management and then I also have to represent that we're not resourced to do 100%. And, you know what, frankly, we never will be. That brings up a really great question. So you're in charge of risk and people are probably constantly asking you how do we eliminate the risk? Right. And you know you can't. So how do you say we can't and still say you can still keep me in my job? I mean, how do you do that? How do you reach the surface? Exactly. That's exactly what you did. You have to describe to people that, and it's hard, right? Because this is people that aren't necessarily technicians. Right? So they don't understand all the nuts and bolts below. I like to tell the story about this. So it's not, you can't go to Best Buy pick something out to show. That's right. All of a sudden you have problems going. Stick up the webcam, turn it on. Yeah. It doesn't quite work like that. And so that's an interesting problem. But it's an education process from the risk side to make sure that the folks that I report to and I'm responsible to can at least understand what's going on. That's why it's great to have a president and knows what's going on. Oh, sure. One less barrier to success. It's huge. It's really huge. But having people understand risk and it's really about understanding risk because you're right. You can't get rid of it. There is absolutely no way it's going to get to zero. No way, no how. Don't even try. Well, try. Yeah, try. You won't get to zero. It's a running game. You stay ahead of it. And then when you apply the training to all of your people, you tell them, hey, this is never going to be a problem that can go away. But everyone's got to be involved and know what's going on. So we just reduce, like you said, reduce the surface. And dynamically, right? So it's this persistent threat. I think cyber security a lot of people don't understand. I think like you can turn a switch. Oh, we're protected. There's another zero. We have a cyber guy. There's a new zero like today. Yeah, rich. Right. So that's actually the danger point. So you do training. You take some actions. And then everybody says, OK, we're done. Let's move on. No, you're not done. You've got to repeat the training. The training gets updated on an annual or bi-annual basis. Yeah. And then from a strategy standpoint, you can't just make an investment buy something and then figure you're done. So we have to do this on a regular basis. We're constantly looking at what threats we're dealing with in the short term as well as what threats are present in the longer term. And one of the great things in this community, and it's a little bit unique out here, so one of the benefits of being a little smaller and a little remote than everybody else, is all of the three and four letter agencies work surprisingly well together. OK, that is surprising to me. I think it's not really good here. It is. Really? Yeah, it's good to know. It's actually fantastic. Yeah. It could be better. It could always be better. Sure. Just continuous improvement. But the thing that's great out here is there's a lot of those personal and professional networks that have tied together the different agencies. So our folks work pretty closely with both state and federal agencies, law enforcement in terms of making sure that we can be aware of the threats that are going on and to the extent that they can, those guys share as well. So if they know something's going on in our network or they know something's going on, this has happened. That's a key factor. Sharing the information. Right. I mean, there's been several attacks that we've had to endure in this country that it's the result of not sharing key intelligence. Right. So that's actually really great out here. A lot of kudos to the state. Yeah. I mean, you know, between NSA, FBI, DHS, all these guys are very, very helpful. Right. And that's important. I think I'm getting the message. We're almost done. Yeah. You got 91 seconds left. 91 seconds left. OK. 96. No. What would you like to share with our audience about the UH system and the enterprise services you offer? So I think, you know, so there's a couple of things. I think it's, well, maybe just one, given that the clock is ticking now. Yeah. But I think the thing that's really cool about the stuff that we do, and this is a great job for me. It's a cool job for me. Because we do a lot of things that are kind of outside the realm of most IT shops. And we're big enough to have scale and scope and be able to reach out and deal with really cool technologies. And at the same time, it also increases the risk as well as the level of responsibility. Of course. It's, you know, in many ways, it's a hard job. But, hey, it's fun. Do you feel like Spider-Man? It's cute. It's cute. Great responsibility. Yeah. It's like... Yeah. It's so... It is hard. It is hard. But we've got to be in front of it. We've got to be in front of it as much as we can. And it's critical to be recognized, to be constantly on the watch, and then constantly looking for improvements in everything that we do. So I think that's really the message for the public at large as well. In their own duties, in their own jobs, the stuff that everybody does, you can't ignore this. You have to pay attention. You don't have to be an expert because there's some experts around. You can always go hire people. That's right. But you can't ignore it. It's not something that you can just say somebody else will take care of it for me. It's really important that it's our responsibility as individuals to make sure we take responsibility for our own cybersecurity. That's a good point. Yeah. It's a balancing game. So don't click it. What are you expecting? There's the message we're sending out today. Don't click it if you're ever doubted. It's out for you. It's probably something bad. Okay. Well, thanks for being on it on the show. And thank you for coming back as our host. Good to see you. Good to see you. It's great to see you too. Thank you. All right. Thanks for tuning in to Cyber Underground.