 And we have our final panel here this afternoon, and it has, and we have Scott Carby, a Master's of Science and Information Assurance alum who's going to be the moderator of this activity. I was just talking to Scott and actually worked with Scott way back in 1999 in the Information Operations of the Army. It was the Army Total Schoolhouse for Information Operations, and Norwich was part of the capability that helped to form that. I traveled all over the United States with the leadership and to try to convince them that Norwich had a unique set of skills with the Army Guard to do this. And that was the wild guys in the beginning, as he pointed out, and then they brought in Scott to add some discipline and tamp down the enthusiasm of people like me. So that was probably a good thing, and today it still exists as an entity. So thank you, Scott. Scott is our Chief Information Security Officer for the state of Vermont, and his duties span all aspects of enterprise, cybersecurity, and state government, including operations, incident response, strategy, compliance, and risk management. Prior to his work with the state, Scott served in the United States Army Teaching and Development Network Defense Content to train and prepare soldiers for cybersecurity missions and incident response roles. And of course, Scott is a graduate of Norwich University's College of Graduate and Continuing Studies where he received his Master's of Science in Information Assurance Security and Information Security and Assurance. So thank you, Scott. Thank you. Good afternoon, everyone. I know some of you just had your cookies, so I'll expect to see a couple of drooping eyelids here and there, but for the most part, I really appreciate you hanging out for the end of the day. I've got a great panel here, and what we're going to talk about today is the state of cybersecurity in Vermont. You know, you've heard panels today talking through multiple topics. We had the general this morning. We had the representative from CISA later this afternoon. And you've heard a ton of different perspectives. Well, the perspectives you're going to hear from these folks, I'm not saying it's any better, but it's better, is from people who have actually done the hands-on work that they're doing in their fields and for a number of years. And so it's my pleasure to introduce, starting all the way to the left, with Sherri Ayub. She is a cybersecurity advisor. She's sort of the right hand for me here in Vermont and my conduit to CISA, the Cybersecurity and Infrastructure Security Agency. Thank you, Sherri. Next over is Adam Goldstein. Adam is an associate professor at Champlain College and the academic director of the Leahy Center there. So again, you hear Leahy. The senator has definitely touched all of our lives in this room, at one point or another. And sitting directly to my left is George Donovan. He's the deputy chief information officer for the Vermont National Guard and full disclosure, my former boss. So this will be interesting. Be nice to me, George. Yeah. Yeah. Oh, do you see that? Back and forth. That's nice. So really, what I want to make sure that we get a sense of today is that you've heard a lot of people talk about cyber. We want to focus a little bit more inward. We want to talk about how hopefully you can get something out of the programs and the programmatic topics we want to discuss today. The state of cybersecurity in Vermont is, as many of you would expect, sort of endless work with lack of adequate resources and an inconsistent approach across sectors. For a little background, we have the state cybersecurity program at state government level does not, as of yet, have direct and regular communication with other critical infrastructure areas with higher education, with K-12. Although we're working on that, that's certainly a challenge that we're carrying. That perception overall, though, belies the progress we've made and the dedication of the cyber professionals we have to reach a state of cybersecurity maturity and readiness. As I said, the panelists we have here today are a few of those dedicated professionals. Again, thank you all for being here. For our time in the spotlight, we hope to highlight some of these efforts currently underway. I'm going to talk a little bit about some of the federal efforts that are going on out there, some operational maturity in the role of the National Guard as it pertains to cybersecurity in Vermont. And workforce development and the challenges that we have today and in the future. And with that, I'm just going to get started if everybody's good. So I'm going to start off my first question, and Sherry, I'm going to ask you this one. Please talk to us for a few minutes about what the federal efforts are generally in cybersecurity and more specifically how those efforts are being applied in Vermont. That's a good question. So it's a pleasure to be in the Green Mountain State. I work for the Cyber Security and Infrastructure Security Agency and we're the lead agency for risk to manage it, to reduce it, and to understand it with critical infrastructure owner operators, 16 of which have been identified. I'm part of a division, integrated operations division. There's 10 regions across our nation. I'm part of Region 1. They're led by Regional Director McCann and Regional Chief Cyber Security Officers, Chief Protective Security Officers, and I'm going to just call out their names. Daniel King in the back, also Army Duty. He did for 30 years. Gay Palazi, who's an expert law enforcement background. He's here within the state and what we do is we provide services to state, local, tribal, and territorial entities like your municipalities and as well as private owners. And what we do with that is we give risk and vulnerability assessments, remote penetration testing, strategic messaging. We have emergency communications coordinators, regional exercise planners. These are all dedicated services that if you go to the regions at sysa.gov, you could click on our region, which is one, and go to resources and you'll see all of the services that is available like Executive Assistant Director Goldstein mentioned earlier. So if you guys want to know more about our services, we have that federal catalog that you could go to or you could just go to the region. We work with power hospitals here, states, little towns, K-12, and since we've been up and because of the tensions overseas and what's going on right now, we stood up a shield up page and what's really cool about that page is that you can go to it and if you're a small business, you can kind of go right to what you would need for cyber, like who would you need in the room? And the biggest piece of this puzzle, you can do all the scanning in the world, but you really have to really go down to basics and know your customer, know the services and the applications that your customers are touching and be able to identify that and that's where we come in and we can, or our partners, we work very closely with our FBI and our other Homeland Security counterparts here in the state, Intelligence and Analysis Office, FBI colleagues, the Vermont Emergency Management Center, and also the Homeland Security Center too, where we connect you guys with those services as well. When you do work with us, we won't share your information. We're not a law enforcement body. Our services are voluntary and most importantly, they're free. So there's so much that you can take and if you're an IT, we are your cheerleaders, like Scott Carby said, we work very closely with ADS and Scott and the Army National Guard promoting cyber hygiene and that's what we want to stress is multi-factor authentication, vulnerability scanning, making sure your systems and your applications are patched. So if you go to the site, you'll see everything that you need, but the regional staff is here to help you guide you that way. So if you reach out to either the Vermont Intelligent, let me just like know a show of hands. Does anybody know where your Vermont Intelligence Center is? Oh, good. So that's also in every state. There's something called the Fusion Center and that's your first stop. And are you guys familiar with your emergency management directors of your towns? Yeah? Good. Well, out on the field, a lot of folks don't know about that. And what we want to know or we want to kind of promote is a linkage between cyber and emergency management and kind of make cyber security not such a foreign topic, not a technology topic, but like what Director Easily talks about, a table conversation we have. So this is what we're doing at the federal level so we don't look like we're overstepping each other and we're sharing information. And with our private partners, they're very susceptible and they are taking advantage of the services that you all could too. Even the students, it's also a great training opportunity. Sherry, I'm going to ask you a follow-up. Sure. The, what is one of the key challenges you've had to getting your foot in the door within the community in Vermont? Good question. I think it's just a lack of time people have, right? You know, when you're dealing with critical infrastructure owner operators, they just don't have time or resources to know about these things or to take, because they're, let's say they're a hospital for say, you know, it's a matter of having a doctor or a nurse or, you know, a managed service provider, you know, a new one or checking in on that. And that's where I think we could come in as the federal government, all of us, and help, and as well as the private sector help us understand their critical operations. Because if we don't know, we just don't know what we don't know. And without collaboration, we're not going to get anywhere. So we also promote if the entity is part of state, local, tribal and territorial government to also sync up with the MSISAC. Does anybody, does everybody know what the MSISAC is? The Multi-Sharing Intelligence and Analysis Center. And in Vermont, that is your Albany location. And there's so many free services that are provided. And we just want to sync up everybody. They provide great webinars. We have also election integrity toolkits. That's another sector that just got promoted by CISA. If you go to our Shields Upside again, you could see all of the common known vulnerabilities. And lots of times, there's advisories. And one more plug I want to give to that Shields Up page is our advisories that come out jointly with FBI, NSA, or other US Coast Guard. We did an advisory with them, maritime security, and tabletops. Lots of this could be found also on CyberWire podcast. And you could listen to it. Which is pretty cool. And it gives you a breakdown of how to patch your systems or what you need in order to do that. Some of the many, many resources. Thank you, Sherry. George, so Sherry's just talked about all of these great services that are out there. How have you seen that offering, that full-court press basically from CISA since they've become an agency, impacting the cybersecurity landscape in Vermont? Well, first and foremost, let me just say thank you to Norwich for this opportunity to be here. This is fabulous. Never had this opportunity before. I'm very excited about it. As far as those services being available to the Guard, or the Army National Guard, honestly, we haven't, or I have not seen leveraging of those resources within our organization. We have a command structure. We report back up through National Guard Bureau. They dictate down to us the requirements that we need to meet. And there are Guard directives that we are following. There is absolute standards that we need to conform to that is a significant challenge to us in and of itself. But it also is great for us because we know where we stand. Stig standards, National Guard Bureau directives, we work hard to get to where we are achieving and meeting those standards. We don't always do it. But we know where we stand. Every three years, roughly, they come out and they do a deep dive inspection into the way we do business. And that is brand new. We've been through one so far. We expect it to be in the next three or four because it is a little backlogged with COVID and everything. But over the next three or four years, we expect them to be coming back to us. And we are working on that even now. Every single desktop, every single server, every single switch, every single router has standards it must meet. And the scanning tools we use, which are awesome in helping us achieve those standards, obviously you don't know. If you don't know what you don't know, you gotta be able to meet the standards. And that's where we come from. Now, there have been organizations that have reached out to the Guard for help in their own operations. And the National Guard is a state, the Army National Guard is a state asset. We work for the governor. Until the President calls and federalizes us, we are here for the state of Vermont. And if the floodwaters rise, the adjutant general gets a phone call. If someone has a hack, that adjutant general is receptive to that phone call. And as mentioned earlier, UVA Medical Center had a pretty serious situation and the National Guard got called. And we went on site and we helped them. And because of the significance of it, Vermont residents went for 30 days with limited healthcare coverage. Not no healthcare coverage, but surgeries were delayed and serious things were delayed. That is something that we take very, very serious. And we were all hands on deck. I lost people on my staff for a significant amount of time while they were there helping. We are a state support entity. The Army National Guard stands proud with that. And for any young folks that are looking at cyber careers, I would ask you to think about the Army National Guard. Tuition Assistance, if you want someone to pay for your schooling, we may not pay all of it, but we'll pay a significant portion of it, probably all of it. We need good people. And not to sound too much like a recruiter, we would love to have you come join us. Does that answer your question? Sure. And I think, and that actually leads me to a question that I have for you, Adam, which is so similar to other information technology fields that have had historical shortages in the workforce. Cyber security professionals are experiencing their time in that spotlight. Talk to us about higher education, Champlain's efforts to meet the challenges of these shortages, what possible solutions there are to increase the pipeline, producing more qualified workers. And if you have any feeder programs or non-traditional programs, that would be great to hear about. Well, thanks, Scott, and thanks to my fellow panelists, and thanks everyone for sticking around. It's not on my tag or in the book, but I should have an MO6. I'm an alum master's in 2006 from Norwich. Cool. So I think I was in the second or third cohort through the master's program. So yeah. So yeah, so at Champlain, as with Norwich, we were very, very early in the cybersecurity education. I think Norwich and Champlain were two of the, in that very first tier of Centers of Academic Excellence through the NSA that we've been hearing all about. We started our on-campus program in 2007. And I think it's good, when we've been talking about Vermont, you were talking about the state of cybersecurity in Vermont at the beginning, I think something we do need to recognize is how strong we are in cybersecurity education between Norwich, between Champlain. We have two of the largest undergraduate cybersecurity programs in the country. I was talking to Professor Reed earlier, and he was saying, yeah, if we looked at per capita CAEs, you know, we're one for 300,000 folks. And if you throw Dartmouth in there, because you know, Dartmouth is kind of Vermont. You know, I worked at Dartmouth for a long time, and historically, Dartmouth was part of Vermont for a period of history. For those of you who know the history. And they'd be welcome back if they wanna come. So we could claim two and a half CAEs in Vermont. So I think we have a resource here, and that resource is our students. And I think it's a resource that we've really taken advantage of, and that we're using to the state's benefit. And I think Senator Leahy has been really instrumental in that. Both in his investments here, and then at Champlain in 2010, we started the Leahy Center for Digital Investigations. Now the Leahy Center for Digital Forensics and Cybersecurity. We are employing between 80 and 100 undergraduate students every semester, working on real world cybersecurity efforts. So we have, so it came up earlier, talking about how do we get students to develop those hands-on skills that are really required in the workplace, that can take a student coming out of school and plugging them right into meaningful work. And it's through experiential learning programs like we have at Champlain, like Norwich has. Where students are partnering through the schools with community organizations, with governments, agencies, and things like that to do real work. And I'm sure we'll kind of talk more about those efforts as we go through the panel, but to kind of get to your question on the pipeline, we're doing in Vermont about as good as anybody's doing right now in terms of bringing cybersecurity students to the state, and it's not enough. My self and the Norwich faculty were at a conference over this summer. Rodney Peterson, who's director of NICE, the National Initiative for Cybersecurity Education through NIST, was talking about all of their efforts. And over the past 15, 10 years with the NSA Center of Academic Excellence and all these huge pushes from the federal government to increase cybersecurity education, we're doing a good job. There's more schools, there's more programs, more students graduating, but it's a drop in the bucket. What are we graduating? Maybe 1,000, 2,000 students a year with cybersecurity degrees. When, as we've been hearing, the demand is huge. And what Rodney Peterson was saying is they just came out with the, I forget which study it was, but the number of open cybersecurity positions. So they increased the number of graduates out of programs by 10 or 15%, but the number of positions open was 25% since the last time they ran the study. And again, so I think that when we look at pipeline, we need to look at how do we diversify it. We're already bringing in the students that are interested. So how do we overcome some of those other barriers? How do we get students that wouldn't normally be interested in studying cybersecurity education to be interested? And I think a lot of that has to do with how do we connect with what makes them passionate? We've heard about passion in the prior panel. And I think what we're seeing in this younger generation is a passion for service. We were talking earlier, I have a daughter who's a senior in high school, I have another daughter who's a junior in college. Their generation is inclined to community work, to doing good things. And how do we make that connection in this environment that cybersecurity is one of those things that results in doing good work? And that it's not just about ones and zeros. It's not just about studying science and technology which may be off-putting to certain students, but connecting to a broader range of students that maybe have some of that social justice driven intent and motivation towards their futures. May have some of more of those kind of community minded aspirations in terms of what they do. So helping make those connections working with government agencies and others to kind of show that. And then I think another barrier is a barrier for anybody who's trying to study is financial. We've talked about things like the Scholarship for Service program and we've been very heavily involved in the DoD cybersecurity scholarship program. Exceptionally great programs, very, very generous for the students. But we're talking again about hundreds of students a year when we need thousands. Is there a way that we can invest in that pipeline that we can impact more students, maybe through less generous scholarships, through additional feeder programs and incentivizations through the high schools, through state funded scholarships, through federal scholarships that are more easily attainable that are going after those underrepresented students. Those students that are currently not in the pipeline to get them thinking about the pipeline, to get them interested in studying but can ultimately lead them to a career either working in cybersecurity or supporting cybersecurity. So one of the earlier panels and discussions that came up and this is, you know, you're really striking a piece of passion here for me is around how do we get that interest going, right? You can go into K-12 schools and see that there are some kids, second, third graders who get it, like I don't share my passwords, nobody gets my passwords. And then you also see a culture occasionally where there's an entire rack of Chromebooks in the corner of the room and every one of them has a sticky note on it with the password for the individual student because it doesn't facilitate quick access to the computers if one child has forgotten their password. So getting into that security awareness, somebody mentioned in an earlier panel, how do we foster, and I realize you work in higher end, I'm asking you an elementary question, but... This is very relevant and I'll talk about why. How do we foster that cybersecurity awareness at the youngest of ages, which may very well drive a passion toward a cybersecurity career later on? Yeah, so I mean, I can speak to that again. One of the pillars that we have at our Lehi Center is education and outreach. So we have, again, talking about this resource, we have in Vermont. We have college students that are studying cybersecurity. We have an initiative, CyberTech VT, CyberTech Vermont. It's under the umbrella of the Lehi Center at Champlain. You can go to their website. We have Champlain students going into the school to work with the students, to work with the teachers, to connect with them on these very issues, whether it's cyber hygiene, whether it's careers in cybersecurity, and again, it's making that connection of we could go in there and are we really gonna resonate and connect with that younger generation, or do we send our students in there? We've had a lot of success with that model of, again, using that resource we have here in the state. To work with the students to speak kind of, hey, you're only a couple years older than me. These are the things that are important to me and this is why I'm studying it. Resonates really well with those students. And I think we've had, especially some of our female students going in and talking about social media and talking about sharing some case studies, sharing some statistics, talking about some of those things and younger female identifying students that really resonates with them and gets them thinking about some of those topics that may not connect quite as well if it's coming from a bald guy like me. And those schools are so understaffed. I mean, they must be welcoming that help. It's man from heaven kind of thing because the schools I've talked to, they are working as hard as they can to get those Chromebooks built out. Well, and then you've got a student that takes it home and it never comes back. I mean, they drop them, they break them and they are so short staffed. That is a wonderful support structure for them. Great, thank you. So, Sherry, I'm gonna kick a question over to you. Critical infrastructure and its relationship to cybersecurity has been an evolving topic for a number of years now. Tell us a bit about the relationship of cybersecurity and critical infrastructure and what efforts you and your team at CISA have made over the last few years. And then where can people, I mean, I know you've covered a lot of this already, but specific to individuals that you've interfaced with, where are they finding the resources in order to have a better relationship between the federal government and critical infrastructure organizations? Thank you for that question. There's a lot of resources, kind of like the symposium, in individual critical infrastructures, like power. And going to these conferences, students, I would suggest you go to them too. In the healthcare industry, in the financial services sector, in every single critical infrastructure of 16 we mentioned, if you're interested in elections, I would urge that you go discover that or maybe get a job in that to another panelist's point, become a subject matter expert in a specific field, if you will, because the people that are running these operations are very short staffed and a lot of times they don't have the resources it takes to even train somebody coming in. Even though they wanna give the opportunity too, it's gonna require a little patience and a little respect for a generation that is operating our critical infrastructure that may be on the verge of retiring, like in the agriculture sector or in the healthcare sector. Operating legacy systems, you have a tall task, but with patience, you guys can do it. At CISA, we're hiring. We also have a Pathways Internship Program. We are really looking for talent. We wanna leverage all different types of talent, not just cyber, but all critical infrastructure owner operators and technical specifically. Thank you. So George, we just talked briefly about critical infrastructure in general and Sherry mentioned healthcare in other words and healthcare and agriculture. The National Guard has really good communication across its critical infrastructure sector, not just within Vermont between units and otherwise, but nationally. Can you talk a little bit about the coordination? I know you mentioned already that the National Guard Bureau pushes down requirements to you, but that's really just a very small part of the coordination that your organization does on a daily, weekly, monthly basis with National Guard Bureau. Talk a little bit about how cyber is communicated across that community to maybe make sure that there's as much information available as possible to everyone. Absolutely, absolutely. And I mean the same way the Army National Guard for Vermont is a Vermont entity working for the governor. All 54 states and territories in the district work the same way. These are distinct entities. There's someone with my job in every single one of those locations. The cooperation and the teamwork, the allying between those states is unprecedented. We here in Vermont for the last several years right up until we went cloud, we had agreements with Wyoming and Maine and New York and New Hampshire where we would stockpile and safeguard their backup instances because backup is the lifeblood. I mean information is the lifeblood of every organization, right? You lose that information, you're in a real bad position. So what do you do to safeguard that? Well, you gotta get it outside your data center because if your data center is compromised even if your backups are there, that's gonna be bad, right? So if I understood your question, we work with any other state that's willing to partner with us. We backup our data to them, they back up their data to us. If they have a problem that takes their installation down we are ready and willing to help them when they are ready to receive that information back. That is a very good service that lets us sleep comfortably at night because ransomware is nasty. If you don't know, my directive to my staff is that if you can't get our data center back up in four hours, you better tell me why. And that's a very high demand because a data center's a lot of data but that doesn't mean that they shouldn't meet that standard. Now, we would suggest that anyone looking for assistance can reach out to our command structure who will then reach out to us and we will help them to build that level of cyber protection because you really wanna be able to sleep comfortably at night. You shouldn't go home worried about what's gonna be there the next morning. And when I go to my people and I say that to them I know that those people are the most qualified to know where our weakest links are. And those people answer to me if they can't say yes, we can absolutely get ourselves back online in four hours or we can get our data and operations up online in four hours. We may have to have all those pay sections and personnel sections come and work in our building but that's okay because we can continue to do business. I mean the mission is you don't lose data and for young people that are developing in their career field, if you're gonna go into cyber, understand and this is my opinion, cyber means protect your information. Information is the lifeblood of an organization. All of this other stuff is just fluff. If you go down and you can't come back up again that's a problem. You don't wanna be answering to your boss that you cannot get your information systems back online, right? So yeah, so it comes down to a level of preparation within that maturity model that you guys have already and it always fascinated me that there was such great coordination across those lines between states within the National Guard cause you guys see yourself all as one big community. And I'm gonna kick it over to you, Adam. I'm not super familiar with the information sharing within the higher ed community but I'd be curious to hear if there are informational and organizational channels that help you guys in that same way whether it be through cyber preparedness or cyber recovery. Yeah, thanks. I think in terms of information sharing, right? There's REN ISAC, the Research Networking Information. That is very active in higher ed from an operational perspective, right? So research universities, teaching universities, colleges participate in REN ISAC. And it's a really valuable resource similar to MSISAC but I think the challenge with some of those is trying to broaden that out to more community information sharing. A lot of those information sharing services are really geared towards cybersecurity professionals, cybersecurity experts. And when you move away from those institutions that are large enough to participate in that, it gets challenging. So a lot of the work that we're doing at Champlain and again, thanks to Senator Leahy, we've recently received appropriations funding to continue and develop this work is we're working closely with municipalities and school districts and nonprofits in the state. So for a number of years, we've been providing, again, SOC security operation services, managed services. We work very closely with the Vermont League of Cities and Towns looking at the 200 plus municipalities in Vermont. Is how do we build their cyber preparedness? And going back to what George was saying, I really liked his point about information being key. When we go and talk to those organizations, we go talk to a small town, they don't have the resources. They don't have IT expertise. They may have four full-time employees and now they're being confronted with the threat of ransomware, and as we're looking at statistics, you look at the leading targets of those types of attacks, towns, school districts. These types of organizations are at the top of those lists. They're some of our most vulnerable organizations. They're some of our most important organizations. And when we work with them, the first thing we say to them is, okay, what do you need to survive? You know, what is it that if it was gone tomorrow, you would be in big trouble? Okay, we've identified that, let's start there. It really is this idea of taking a ground-up realistic approach of how do we work with these very critical important organizations and use academia, use the institutions that we have in the state to build that information sharing model so that we can work with an organization like the Vermont Leagues of Cities and Towns, and we worked on a project with them two years ago where we developed a template security policies that all towns could leverage, information sharing, right? This past year, we did a IT assessment needs project where we worked with a number of municipalities to determine what their IT needs were, especially around cybersecurity, to kinda now help us, and we developed a template for how do they write calls for proposals for managed services? You know, what should they be asking for? What is the language that they should use? We gave them a catalog. So again, using the resources that we have to kind of address the need for information sharing, and that's what this appropriation is for is we're gonna be developing and using our students to do security assessments, to do incident response planning and building it into, as was stated earlier, an ongoing engagement, right? These aren't one and done. This appropriation is for us to build a program that is gonna be sustainable and long lasting where we have Vermont organizations working with our student resources to be able to develop and deliver these very needed services, and information sharing is a huge part of that. Great, thank you. I wanna make sure I leave a little bit of time for questions, but I do have what I call the fun question, right? And the fun question is always, it's a bit risky to talk about the future of anything in technology because it all moves so rapidly, it takes strange paths. However, I'm gonna kick this one at Adam to start with. Talk to me about how you see cybersecurity evolving from a researcher and educators perspective and are we looking at trends where cyber becomes just another field of technology or will it continue to be sort of its own track? Yeah, so I'll start with a little story. So last week, so we, at Champlain, we have a partnership with a cybersecurity firm in Munich in Germany where we have students that go to Bavaria every summer and intern at firms that this cybersecurity firm works with. So Aldi, BMW, Canon EOS, Siemens, a lot of different firms. And last week we had a presentation at Champlain on automotive security. So we had some students working with BMW and some other companies about the future of cybersecurity and automotive space. And the regulations, international, national, the ISO standards, all these things coming down the line just around automotive and even broader mobility security. They're talking about potentially tens of thousands of jobs just in cybersecurity related to mobility. You factor in smart cities, smart schools, smart, you know, all of these areas, you think about healthcare, you think about all of these spaces where the internet of things manage devices, monitor devices, they all have a cybersecurity component. So this notion of the exponential growth of threats which we've heard about earlier, we're also seeing that exponential growth of skills and jobs that need to work in this area. You look at any given sector and the demand going forward is gonna be huge. So I think it comes back to this pipeline question. I think we're gonna need cybersecurity professionals. I think that cybersecurity for the foreseeable future will be a discipline. But I think that so many other disciplines realistically to combat this needs to have cybersecurity integrated into it. So if you're studying engineering, if you're studying software development, if you're studying bioinformatics, if you're studying advanced manufacturing, you're studying any of these fields. If you're working in public policy, law, having some understanding of what it takes to secure information, we live in the information economy, we live in the digital age. That's a really good point because one of the things like looking at the four of us sitting up here, none of us started our careers with a cyber focus and that's not just because some of us are old. But I think all of us, I started as a software developer. I think George, you started in that space. Sherry, you started in finance. My undergraduate is in history and political science. In history, right. I knew it was a non-cyber discipline. And so I think that that sort of leads me to a quick follow up with you, Sherry, which is from the federal government's point of view, how do we take what's coming in the future and provide some support, some core support from the federal government in order to leverage that into the SLTT and the critical infrastructure communities. Well, it's like our executive assistant director said, we are working with FEMA and CISA is leading an initiative for state, local, tribal, and territorial government grants. And it will, right now it's in, we're telling states to make a planning committee and include all the folks you would, but include the CISO. For K through 12, we put out a toolkit and your agency of education has been taken up on that offer and so has the Vermont Emergency Management and the Homeland Security Unit right here in Vermont on helping the communities get at these rural areas that may have very low resources on getting funding. With this, we hope to have a lot of output, but we need people that, especially as you graduate, to kind of just lead the torch and see what's going on, be in these critical infrastructure owner-operator fields and get with your Vermont Intelligence Center or Emergency Management or Agency of Digital Services and kind of see this convergence happen because it is happening and get ahead of it. So it's not just like what we were talking about, it's not just technology. It's cyber security is really everything and we at CISA want to kind of promote being left of boom. So a very good word I heard today was defense in depth, right? And security and making sure you're resilient, operationally resilient. Those are things that we're focused on and again, if you go to CISA.gov, you could see all of the tools, the assessments that our regions could help either guide you towards. If you want a career in cyber security, we have training, free training, through Fed TV for, and also industrial control systems that is very big I heard today. And with the state too, we're working with many different entities. So we are just encouraging all to embrace it and to share information and if you're a state, local, tribal, territorial to sign up with MSISAC and also with us basic cyber hygiene services, vulnerability scanning and this is all free. At the end, they produce reports for your internet-facing applications. Also, know get your stuff off search. You know, all of your applications that may be out in the wild. Also, some initiatives in the state of Vermont that are coming up. Next week, we have chemical security inspectors. That's a regulatory body of CISA and they're having something, if you go to our site called Chem Summit and that's coming, that's virtual, that you could kind of check out if you're interested in industrial control systems and anything for counter-terrorism with chemicals and weapons of mass destruction. We had Operation Flashpoint. In September on the eighth, the Water and Wastewater Treatment through Vermont Rural Water Association, the Department of Environmental Conservation within the state of Vermont, CISA and the FBI are all going to lead a day of cybersecurity for the water sector, a great avenue and then after do a tabletop, which we also offer on our website, different services for that. One more that's coming up on the 21st is the Vermont Emergency Management Conference that our regional director, McCann, will be speaking at and also Tom Philippone, which will be talking about the grant that FEMA and CISA are leading, with CISA being the lead and FEMA working out those arrangements with your state. Thanks, Sherry. I'm gonna close by saying that overall, and I'd like to echo the comment that Adam made, we've made really great strides in Vermont, cybersecurity-wise, not just in our education pipeline, not just in our communications with the federal government, coordination with the National Guard, but also at the state level to mature our cybersecurity model over the last five years. We consolidated the agency into the Agency of Digital Services, which basically put the onus on my position to coordinate all of those pieces that Phil read off before, the risk and compliance and operations and coordination with other agencies. So we've really come a long way and I appreciate the time that you guys have taken and I'm open to taking any questions. Hi, this is Chris Michener from the University of North Georgia. And my question to you is to each of you, it's one question in 27 parts. And that's a joke, but part A, if you were to across your organizations individually, look at cybersecurity from a tactical, operational or strategic levels. What is your biggest risk? What keeps you up at night? What gets you going? And across each level, choose one if you will. Sure, why don't we just go down the line? Let's be brief, because we could all talk about this one thing for a significant amount of time, but Sherry, what's the one thing that keeps you up at night? Just ransomware and also this idea that cybersecurity is a technology thing. Not at every whole approach. That kind of keeps me up at night. That we're just focused in one lens of cybersecurity and not all components of our society. Great, Adam? Well, after 20 years of doing cybersecurity operations and then switching to being a professor, I sleep much better at night. You know, I think this pipeline, you know, there are so many opportunities for students and there's such a huge need in our country and among our allies and whatever to develop that generation that is technically literate that has some of these foundational skills, understands some elements of cybersecurity and hopefully worse than cybersecurity. So how do we get students interested? How do we get young people interested? How do we diversify that pool? How do we really, really, you know, we're tapped out with the students that are already coming. So how do we broaden the appeal to those underrepresented groups that we want to bring into our program? Perfect, George? The one thing that worries me the most is email because you are supposed to be able to receive email from anybody that wants to send you email and just earlier this afternoon, we had one of your panels that said, yeah, I got an email that said my, whatever it was and yeah, I clicked on it. A seasoned professional in a moment of weakness clicks on a link and you're done. That's what worries me the most and that's why I tell my staff, you gotta have this environment back up in four hours because I know they can't do it but I want them striving to hit that target in four hours. Email, I mean it used to be web browsing. Web browsing has been pretty well neutered. Email on the other hand, at least in our organization. Email on the other hand. Everybody wants to get that message and all they gotta do is have a moment, you know, end of the day on a Friday, I'm trying to get out of here, oh gosh, I got an email from the president, I better look at it, double click, boom. You're done. Email is the thing that keeps me up at night. Thanks, George. Roger that. For me, visibility. Hands down from the tactical and the operational point of view is the visibility across my network is not knowing what is on my network, right? The not knowing what's not, what I don't know. That's really the thing that makes me the most nervous. That's the one thing that keeps me up at night. Okay, thank you. So my question is kind of multi-part too, but I'll try and restrict it to just one question. We've been talking about the state of Vermont. The answers have been kind of two part. State infrastructure, national guard infrastructure, versus municipalities, small businesses, educational districts and so forth. And I think my question is more towards the latter half, which is if you could wait, but it points to what Scott just mentioned, visibility. So there are things you don't know. There are things you know you don't know and there are things you don't even know you don't know. But if you could wave a magic wand and get information about the small businesses, the municipalities, the school districts, the people that we serve, what would you want to know in order to be able to better protect them? We have, it sounds like CISA has a great pull model. If you know the resources are there and you've got the time or the personnel, which implies money and other resources to be able to go at this information and then implement it, great. But maybe you're a two-person mom and pop shop or you're a four-person organization or you've got one person who's dedicated to IT and they're pulling their hair out, dealing with other things and tasking them for yet one more thing is an issue. So what would you like, and if there was a handful of things that you would really like to know, maybe to increase your visibility into what's necessary or needed by the state or to better serve them so that they could get these resources, what would it be? George, 30 seconds. I was hoping you were gonna start down there. Well, in order to help someone, if I understood your question correctly, if in order to help someone who's got themselves in a bind, you really would have liked to have been there ahead of time and had a meeting with them so that they could define what their priority was because if you're doing it after the fact, it's really hard to help them. Is that 30 seconds? Close enough. Not enough, I can keep going. No, that's all right. Preliminary. And for brevity's sake, I think that when I mentioned visibility being one of the key pieces, it's also the resources that are tied to that visibility, right? You can buy all the tools, I'm not saying that the state of Vermont has all the money in the world to buy all the tools, but there are so many times where I have rejected what could be a very good tool or system because I know, hands down, I don't have the resources to apply to that tool or system and be able to improve. And I wanna give the young man behind you an opportunity for a question and happy to talk to you afterward, Matt, some more. Good afternoon, thank you all for being here and speaking with us today. So I was talking to my friend the other day who just graduated and is working at the county level for cybersecurity. He was talking about how difficult it was to get some new policies implemented just because their leadership was a little bit fuzzy, they didn't know who to report to, who wouldn't force it. So my question is, how does organizational and leadership structure impact the implementation of cybersecurity policy and procedures at the SLTT level? I think I'll answer that one for brevity's sake. It's tough, it's really hard. Even sitting in my role, I can recognize that we need a new piece of policy or a new process or a new procedure. And it's a multi-tier, multi-day, week, month, some time process to push it up the chain. The key to getting it done and your friend who says that he recognizes that you need more policy or that you need a new process, champion what it is that you want. If you want a new block in the incident response plan, champion that, show that you can write it, show that you've thought it through, show that you can make it work and integrate with the process and the plan as it is already. That's what I got. Thank you. And I'm about to get the hook anyway. We're gonna make you stay there for just a second. Okay. And I'm gonna make a couple of final comments. You're kind of closing this first annual Senator Patrick Leahy cyber symposium. The request to create this, I believe was in February or so, that this was something that we wanted to do and looking at the schedule that was taking place in the United States Senate. And at that time was it had to be the August recess because everybody has to be there every day at this moment with a closely divided Senate. But I just have a couple of really quick remarks back in 1930, no. So I wanna thank President Anarumo and Chairman DeForest, the Norwich Board of Trustees for the will and desire to make this happen and the support of the Board of Trustees to make cyber part of what is Norwich's reputation. And I can't but hesitate talk about Senator Leahy and his staff, I've had the pleasure over the years to work with a number of people that you may or may not remember. I started with J.P. Dowd, way back when he was legislative assistant. I got yelled at by Danny Ginsburg several times, well more than several times and more recently Sherman Patrick and he hasn't yelled at me yet, but there's still time. And Michelle Monroe from Senator Leahy, can't forget Kevin McDonald, the man who always knows how to say no in such a creative and such a nice way. So I greatly appreciate all of that work. And when we were doing the video to be able to outreach and get Senator Leahy's family to participate and I could have paid extra money to have Chuck Ross show up in shorts. Chuck was the state director for Senator Leahy when we started playing this game a long time ago and it was Gary Kessler at Champlain College. Gary Kessler and I and Chuck met on Church Street and talked about cybersecurity probably in the late 1990s. And there's three or four different tracks that we've gone through along this path here. There's a number of folks in uniform here and that reminds me that Norwich working with the Vermont Army National Guard with Electronic Warfare Associates with the Air National Guard. I don't know if General Duby has left, I spent some time traveling with him to San Antonio for the creation of the 229th Information Operations Squadron and I was supposed to be the academic talent to his warfighter experience. And right after 9-11 the most memorable thing was I'd show my paper license from the state of Vermont and get slipped right through and General Duby would show his credentials or that. Back then Colonel Duby would show his credentials and they'd say, come on over here we got a special place to search you as you were going through TSA. So I don't know exactly how that all worked. But today I have a number of people that I really need to thank for this coming together. Of course the folks who came, Representative Welch joining us today was just fabulous that he could make time for that and of course James Paradise from Senator Sanders. You'll notice that all of the folks including Governor Scott were so kind to provide timely letters so that we could capture the sentiment from the leadership in the state of Vermont for all of the work across which Senator Leahy has done. Of course Matt, thank you for leaning on Eric and getting him here. We greatly appreciate Matt McCann our alum and CISA rep for region one to bring Eric Goldstein here to this event. That was really cool and of course we have to thank Senator Leahy and his for pushing on General Nakasoni to get the Director of DISA to show up to this event. And it was so easy to just call Annette Redman from the Department of State and say Annette please come join us and she said I'm here. Right behind Annette is Paul Maxwell, one of our critical partners with the Army Cyber Institute nor which worked with the Army Cyber Institute on Jack Vultaeck and hopefully we'll be doing some more stuff together. Thank you so much Paul for driving up from what we call Norwich on the Hudson to... Yeah, I'll get paid for that later. And we can't forget all of the participation from our senior military colleges about four years ago or five years ago we reached out to the senior military colleges. Sharon Hamilton and I were introduced by a guy by the name of Billy Wells. Billy's still mad at me but that's okay. I won. Sharon's working at Norwich at this point in time and we created the senior military colleges cyber institutes and what Sharon has done with the support of those cyber institutes is to really have the leadership at the top of Cyber Command and the DOD CIO and the National Security Agency looking at building supporting these programs and it all goes back to the tree or the roots all go back to the support from Senator Leahy to get the funding going to support the authorization language that allowed us to be able to create these programs. So over and over it goes back to those sets of activities. And I'm really excited because a couple of years ago we had, I don't know if he's still in the room or not we had wanted to create a cyber forensics program and I talked to an old friend of mine Frank Vanacheck and I said, Frank, why don't you teach cyber forensics for us, some digital forensics for us and Frank looked at me and said, are you out of your mind? And Frank did a great job, he went, took some classes and became the first principal investigator for that and now these years later we are gifted with such a great group of faculty at Norwich. I look at Hugh and Charles Snow and Matt Bovey and I'm gonna miss people, Jack has joined you. Mike Batting's gotta be in the room somewhere. Thank you, Mike, for leaving St. Mike's and coming down the road every day to Norwich University for this program. So it's just been a really great trip. On our screen here we have the folks who supported this conference for us today and it's really important to recognize all those organizations because we've worked with them also with Directly and Indirectly with Senator Leahy through Revision and VSET from Montcenter for Merging Technologies and Global Foundries, Spotlight Labs, and who am I missing? And the National Cybersecurity Preparedness Consortium and Nuwari's benefited over the years. So it's, but there's really somebody important here. In the house here, Kathy Murphy Moriarty retired from Norwich, I'm really good at capturing these people who retire, right Steve? And getting them to come back and help us. Kathy actually came back and helped us build this video and track all the information. And then we had support, of course, from all the folks within our communications department. Chrissy Eastman did a beautiful job on our plaque here and Diane Sclero, Lindsay Lord, and they're gonna peep, I'm embarrassed to say they'll be people I forgot. But there was one person who in the middle of all of this just kept pounding us to the end and across the finish line. And without Julie Lappin, come on down, Julie. Without Julie Lappin, this event would not have happened. So Julie Lappin rounded up a lot of people. There's a lot of people here today. She worked the students. She worked a number of different issues. She made sure that the email blast went out so everybody knew that they were getting when the event was and what was happening. And without Julie, we wouldn't have been able to pull off today. We were very lucky that you joined us only a few months ago. And now we're gonna make sure that she doesn't run away after we see Chrissy. This is what the job is about. But I just really wanna thank you all for coming today and joining us at the symposium. If I missed you and I should have spoke to you, I apologize. But it's just been, in my opinion, a fabulous day. And in many ways, to stand next to Scott Carby who was part of the group that way back in 1999, 98, 97, when Norwich first got involved with information operations, the land information warfare activity. Brian, are you still in the room? And EWA and Carl Grary to be able to, that was really the starting point. And working very closely with Martha Rangel and their team to do that all the way today. And that activity, that support, that activity, that building all go back to Senator Leahy. So I close out the first annual Senator Patrick Leahy's Cyber Symposium and I look forward to seeing you next year. Thank you. Thank you.