 Our moderator of our next panel is Annette Redman, a Norwich University class of 1983, and Deputy Assistant Secretary for Intelligence Policy and Coordination in the Bureau of Intelligence and Research at the Department of State. Deputy Assistant Secretary Redman leads and directs the development, coordination and implementation of policy relating to a broad range of intelligence operations and counterintelligence activities. Additionally, she provides strategic direction to the Department of State's support to the intelligence community and foreign policy oversight of sensitive intelligence operations. Ms. Redman has previously served the Intelligence Community and Department of Defense for more than 30 years, both as a retired Army officer, well, probably as an Army officer, and as a senior civilian. She is in the Senior Executive Service, positions in the Army and most recently Army Intelligence CIO. Ms. Redman holds a BA in Criminal Justice from Norwich University, a Master's of Science in Strategic Intelligence from the National Defense University and the Chief Information Officer Certification. Annette, thank you. Thank you. Can you hear me? How do you turn it on? Now can you hear me? Very good. Okay, so we'll leave it up here. So I have a great panel with me today and I'm very happy to be home at my alma mater. I haven't spent an awful lot of time here as Rich Snyder used to give me a very hard time, but the last couple of years have been absolutely wonderful in my engagement back here at Norwich. I have an august panel, as I mentioned, Mr. John Withrow is a Senior Executive for Law Enforcement North America in the i2 Group at Harris Computer and also near and dear to my heart a Professor of Intelligence and Investigative Analysis here at Norwich University. On his left is Mary Knapp, who received a master's in 2016 in Information Security and Assurance. 
And she today is an Info Security Officer for Union Bank of Vermont and New Hampshire and lives here in Northfield. And then on her left is Ashley Chambers, who is a data analyst for missing and exploited children. And she is also on NU's Board of Fellows. So thank you all for coming. I'd like to ask each of you to give us a thumbnail of your expertise and how it applies to the problem set at hand, which is, as Senator Leahy laid out for us, cybersecurity has been a very persistent problem. And how do we apply new techniques and technology to help fill the shortfall? So with that, John. Thank you very much. First of all, I'd like to state how humbled and honored I am to be here and want to wish Senator Leahy a quick recovery. It was wonderful seeing him here. I've been with Norwich for about a year and it's started into applying some new approaches in, as you know, the institutes that are here, potentially another institute that's focused in human trafficking. And my invitation here, all the way from Arizona, was to speak about attribution, part of my background, former secret service, worked in the intelligence community, retired military as well. And so have a substantial background in that. And some of the questions that we'll field today, hopefully I'll be able to talk about two primary things, training and tools. It's gonna come down to training and tools, no matter what we do, what position you're in. And I'd like to color in a little bit more about that as the questions come in. My name's Mary Knapp. Can you hear this? Mary Knapp, I am the Information Security Officer at the Union Bank of Vermont, New Hampshire. I've been there for a couple of years. Prior to that, I was the ISO at the Vermont State School System. I got my master's degree here at Norwich University. That makes this extra special. It's a great honor to be here sitting on this panel today. 
I got my start in information technology way back at Augusta State University in Augusta, Georgia, where I got a computer science degree. And was in IT and switched over to cyber when I had the opportunity to get my master's here and have been really passionate about cyber ever since. I'm happy to be here to answer questions. Hi, can you all hear me? I'm Ashley, all right. So I'm Ashley Chambers. I currently work at the National Center for Missing and Exploited Children. With it being a nonprofit, I wear a lot of hats, but primarily I'm a data analyst, so I was hired as a data analyst there. But I also do a lot of their kind of data science tool development. Previous to that, I was at the National Security Agency for a couple of years. While there, I worked in cryptanalysis and then also vulnerability research. So two different teams while I was there. As such, cyber definitely holds a special place in my heart. I did love my time at the agency. And then in my current role, I think I get to see a lot of machine learning and how kind of the future of that. So talking about future technologies, definitely something that's interesting. And I'm so glad you all had me here. So thank all of you panelists. I'd like to highlight in my current role, I oversee five offices. Those offices cover all intelligence topics from MASINT to covert action. But one of the offices that works directly for me is the original cyber office inside of the State Department. From there, we've birthed several iterations of cyber policy functionalities. And today we're helping stand up the very first Cyber and Digital Policy Bureau at State Department, which is the office that will be helping formulate national and foreign policy cyber norms for the future. My team, what they do, my office of Cyber and Emerging Technology is the element that provides the intelligence support as well as the coordination on all offensive and defensive cyber operations. 
What I've found in my five years at State is that cyber space often is a hybrid operation that doesn't just involve cyber. And I think, John, that you come at this in a hybrid approach, applying new and unique techniques. So if you could, could you define your work on attribution for the audience? What does attribution mean? How is it related to cyber? And how can we apply those techniques to make us stronger? Okay. That's an excellent question. I wonder. Who wrote that? Yeah, so two pieces of my background that I did not reference. One, also National Defense University graduate in counterterrorism and Homeland Security Leadership. And I also worked at Twitter. I was their head of threat intelligence and investigations. Attribution came in in a massive way in that capacity. Specifically, you would have anonymized accounts, people would make death threats and they would need to be investigated, but the person is, there's no email or phone number or anything of that nature back in the past. So analytic methodologies were developed to be able to understand who the actual person is behind those, where they're physically located and then assessing the capability of carrying out those threats. Years later, had the pleasure of working with some folks that worked in that arena but were cyber specific. Former background for those folks were in the alphabets and they wanted to know the art of attribution. Now it's both an art and a science. Part of after leaving Twitter, I got recruited by IBM, was doing work with them, became a data scientist. And so after 30 years of law enforcement, once I understood how these tools worked, I had a lot of input of how to simplify the technology. In the end, when it comes to attribution, cyber will identify down to the port, they'll make arrangements or adjustments there so that it's no longer breached. Attribution is the art and science of finding out who the person is behind such an attack. 
Is it a 12 year old kid in his grandmother's basement? Is it a nation state actor? Is that a dry run for something larger coming down the road, et cetera? So attributing it to people behind the threat, the threat actors themselves, gives another layer of information to be able to accurately assess that risk, that threat and the risk associated with it. Over the years, once working with technology, I'm currently involved in helping develop technology to the point where you don't have to be a data scientist or you don't have to be an engineer or an analyst for that matter. Tools being simplified when you see a two year old that can pick up an iPhone, swipe through it, put the code in, get to the app that they want, that's intuitive, so the more intuitive we make these technologies, the more people that can use them. And I have more to speak about a little bit later on. Thank you, John. So Mary, additional privacy and cyber regulations will continue to be developed forcing businesses of all sizes to take cybersecurity more seriously. This is especially true for health and wealth organizations like the one that you work in, as two sectors that often are targeted the most. Specifically, private healthcare related data and sensitive payment information, private health records can be worth a fortune, credit card data can be used for fraud or sold on the black market. What approach, from your perspective, can assist to protect this data? I would say one of the things to consider is just don't reinvent the wheel. Use one of the frameworks that are out there, NIST, ISO, FFIEC CAT, but adhere to one of those frameworks which is easier said than done, right? So if you're in one of these organizations, especially in healthcare, a lot of those facilities are understaffed, they don't have the budget to just say, sure, I'll adhere to that framework. They don't have the cyber and IT resources. So align yourself with an MSSP and they can worry about the framework. 
They can worry about what kind of security you have in place and instead of having internal resources, if that's not something that's feasible for your organization, that's the next best way to have a cyber guard dog and I think that's probably one of the best moves for people that really feel like they don't have cyber in place. Perfect. So Ashley, widespread mobile adoption has led to the explosion of social networking and of course that produces more data. The data is ripe for research and marketing needs but also cyber criminals want access. How should individuals approach social networking in a lower risk way? Yeah, so this is a big question. I mean, four billion people use social media that's about 50% of the world's population for an average like two to three hours a day. So you're talking about a significant amount of data. Out of that, we see two kind of large type of exploits or ways that there's vulnerability there. One is from the user, I mean, you're always gonna be the biggest threat. So you're your own biggest threat in social media and one way is oversharing. So that can look like a few different things. Oversharing can be letting people know when you're on vacation, kind of threatening that physical security. People now know you're not home. You're leaving yourself kind of open to that exposure. And then second is that personal oversharing. So people learning things like your mother's maiden name or your favorite dog's name. Those type of things that can be used for security questions, which makes it a whole lot easier to figure out your passwords. If all of a sudden you know everything about the person that you're researching, you no longer really have to hack into their account or anything because you can just directly figure out their password or act like them. And so out of that, you see a lot of identity theft. Kind of another risk is obviously phishing. So we've all heard of phishing. 
You'll get sometimes those text messages that say something like, you've been locked out of your account. Click this link. Or another common one is called just the LOL phishing attack. And so that's when you'll get a link and it'll say something like LOL or hey. And then you'll just get this link with no other context from a friend. A lot of times if you click those, you're giving access directly to your data, to your phone, as someone's able to install malware. So we see that. And then also with phishing, there's a different type. So people have typically heard of catfishing or have seen Catfish, the TV show. That's when somebody pretends to be somebody else online. And at first glance, that sounds kind of harmless. But we, especially at my job, we see a lot of that within dating apps where someone will pretend to be somebody else. And then ask for things like illicit photos. Out of that, then they're able to blackmail or extort the person. So a lot of times obviously I do deal with teenagers, but you can see it across the spectrum. And so just teaching that that is a risk and that the person you're talking to online isn't always who you think they are. So out of that, I would say those main risks. There's kind of four or five different things that you can do to start thinking about those in a more secure, better way on social media. So first of all, just like commonly, if you're connecting a device, let's think about protecting it. So if your device connects to the internet, whether that's a phone, a tablet, your computer, that you're accessing social media with, make sure you're keeping your security software up to date, that you have antivirus, that you're using some sort of protocol to actually ensure the safety. Also, make sure that who you're sharing information with is who you think it is. So you can limit your privacy settings. You can obviously disable things like location service. 
And then don't send any private information that you wouldn't say to someone face to face or that you wouldn't give a stranger because strangers can't see what's online. Lastly, I would say think about implementing better security on your phone itself. So maybe using multi-factor authentication. So if a new account or a new device is logging into your social media, make sure that you're getting those notifications that say, hey, is this you? And if you get it, make sure you're going directly to Facebook or Instagram or Snapchat to make sure that it was them who sent it as opposed to clicking that link. Along with that, also make sure that when you're downloading new software, so like third-party apps, that you actually understand the permissions that you're giving it. A lot of times those third-party apps have a lot of permissions where all of a sudden they're able to go through things like your photos or your messages. And so make sure you're not just downloading kind of willy-nilly like apps to your phone. Yeah, I think all of those will ensure that you are more safe on social media and able to enjoy it and connect with people without your information getting stolen directly. Thank you, Ashley. So John, earlier you talked about your work and attribution being both art and science. So does intuition play a role in cyber? And can it be taught to aid cyber warriors in their attribution, but also in their core function? Absolutely. The first course that I taught here at Norwich, Dr. Travis Morse, if he's in the audience, can't tell. He had asked, how do we make more of you? How do you teach that? And so I figured out a way, let's define intuition first. So quick and ready insight. So when you see data, and if you have, again, training and tools, and as soon as you see that data, you recognize it for the value that it is. For example, what can you do with an IP address? You'll see folks, investigators that will subpoena data, come back, and now they have it. 
Now what do they do with it? If they don't have the right tools or they don't even understand what that data is, metadata from a phone, IP addresses. What can you do with an IP? What can you do with latitude and longitude, et cetera? And so what I'm trying to teach here, actually, what I'm succeeding in teaching here is how to be intuitive, and the basis of that is any of the data that you're examining, you have an instant understanding of what it is. You may not be the world subject matter expert on it, but you recognize it for its value and you actually know what you can do with it. With a latitude and longitude, it's not just a cross-section, it also can be converted to an address. You can go to elevation to figure out what floor that person is based on that as well. IP addresses. You can look at, analyze an IP. Let's say we have a death threat that comes in and you look at that IP and you wanna analyze what that IP is in the other set of IPs. If that other activity is related to criminal activity and this one is just related to that, is it a university or a coffee house that has laptops in it, things like that. So intuition is experienced and it can be taught. I'm teaching it here. Ideally, law enforcement online will get the same, so I went into law enforcement in 1988 and I've had the benefit of the last 30 years of seeing what law enforcement looks like today and it's very similar. They don't teach this kind of stuff. You don't get it at the academy. If you become a new investigator, homicide detective, et cetera, you're not necessarily going through any of this training to teach you that. You're learning about blood splatter, you're learning about the traditional trade crafts. 
My focus now is in human trafficking and so to my colleague's point, most of that is online and so if you're pulling down data or metadata or all that information, if you recognize it and you understand the value of it and you have the tools to actually find missing persons, was at a conference two weeks ago, the International Association of Human Traffickers was one of our business partners and we're talking about children from age four and up. Let me repeat that, age four and up. Why is this not something that our nation is just inundating with resources and training and whatnot? We're far behind the ball and so in 2017, the Department of Justice had deemed that the clear rate was 60% so 40% of all homicides are not getting solved. That was in 2017 and DOJ deemed that a crisis at that time. Well, we're approaching 2023, where are we headed? It's a down climb, perhaps less than 50% of all homicides, less than maybe a fourth of all sexual assaults and human trafficking layers, drugs and assaults and weapons and all these other things there and to use an analogy back in the day, you would do a knock and talk. My partner and I go up to a door, knock and talk, they're saying that you're doing drugs in the neighborhood and mind if we come in and look around, well, at that time we could have been standing in a meth lab until you got the training to say, okay, these are the things that you're doing. Human trafficking is no different. All of it comes down to training and tools, intuition, learning the tradecraft. There's a huge gap in trying to make a difference in that. So from murder to cybersecurity, here we go. So at State Department, I've found a very strong advocate for supply chain risk management and the government is starting to get much more serious in this arena, so Mary, we know even unsophisticated hackers will automate their strategies in their efforts to infiltrate vulnerabilities both in companies and other organizations. 
Hackers are taking advantage of the increasing reliance on our supply chain to support our organizations. Government, as I just mentioned, is looking at ways to reduce our risk. Do you have thoughts for both them and for companies in this arena? So statistically speaking, if you're gonna have a data breach, it's probably gonna be with a vendor. So really, I think right now any organization probably has, by definition, probably hundreds of vendors. And the best way that you can really kind of get a handle on that is to have a very strong vendor management program. At the bank, I'm responsible for that. And I think the easiest way to do that, because you've got hundreds of vendors, how do you categorize all of them? How do you look after all of them? So you've got to break them down, define them by risk. You've got to define your highest risk vendors and focus on them. And you need to focus on those high risk vendors and look at their due diligence documentation. Do they have any? Are you comfortable with their cybersecurity posture? Are they doing things the way that, not only you're comfortable with, but by regulation, are they meeting those standards? You need to make sure you're getting access rights on these companies, the logins for these companies and all of your users. You need to make sure annually you're looking at this or whatever frequency that you've deemed appropriate for that vendor. And when you're looking at vendors, cyber and IT need to be involved very early on. I can't tell you how many times with other organizations I've seen somebody buy something and then go to IT and cyber and say, here, make it work. And that's just not the best practice for making sure that your vendors are properly vetted, that your supply chain's gonna be there, that they're not higher risk and that they're not putting you at higher risk. And in an industry where you're regulated, this is something that will be scrutinized. 
So just because you're not in a regulated industry doesn't mean you shouldn't be taking it just as seriously and implementing just as strong of a program. Thank you. So Ashley, if you were a student coming here to the new Leahy Center and you were contemplating this career path, what would you think you would need to pursue to be prepared for the challenges you will face? Yeah, I think cyber or data science right now, either one, is really interesting because people come in it from a variety of paths. So you'll see people with vastly different backgrounds. I think all of us up here have a different background and a different way that we came into it. And so first of all, I would say like, whatever path you're on, like keep trekking down that. And I think in that there's three different kind of things that I think about to be successful in cyber or in data science or one of those kind of tech industries. And I think the first one is you need to find what you're passionate about. I think that within this industry, you'll see people kind of work their way into their own niche area based off what interests them and the people who are most successful have found things that they're passionate about because if you're passionate about it, I think that you'll find that you want to work on projects. And so I know that for me, I started my undergrad. I knew I liked computers. When I started building my own desktop computer to use and then wound up doing hard drive stuff. So I would like fix other people's motherboards or fix other people's like smartphones. And so in doing that, I learned a lot more than I did just reading about different hardwares. And so I think in the same way, I've had friends who are really skilled programmers who just loved video games and they decided, okay, I'm gonna spend some time and I'm gonna create my own video game. And so I think first of all, find what you're passionate about and then be willing to actually spend some time on it. 
So maybe that's an hour a week that you can dedicate to actually working on projects. So I would say find that passion is the first thing. Second, you do need to develop some technical skills. A lot of cyber kind of builds on itself. So programming, for example, you're not gonna go from writing hello world to all of a sudden having beautiful, efficient code. So I would recommend spending a little bit of time. Maybe it's just 20 minutes each morning. I know in college I did that. I would start with like a coding challenge of the day and just sit down and spend 20 minutes and say I was gonna solve one problem that day. And I think you'll find that you, by doing something like that, are able to build on that skill set and learn far more than you can cram into one quarter or one semester of classes. And then I think probably third off of that, I would say to like keep growing. It is a vastly highly evolving field, both cyber and data science. And so with that you wanna keep up with the current trends. So maybe that's attending conferences, maybe it's participating in things like capture the flags or hackathons. A lot of both workplaces and school have opportunities to get certifications. So by keeping up with a lot of those things you're able to stay competitive in the industry. And I think if you do those three things like you will find something that you enjoy and are good at because I think you've gotta be passionate about it to actually do well. That's great. So I would tell you I think all four of us are passionate lifelong learners. But John, how does someone in the cyber arena benefit by learning and applying attribution tradecraft to support cyber security? Very good question. So having worked in law enforcement, intelligence community, military and corporate security I have a decent perspective on, I'll say this gently, who pays the most for your skill set? Most people are trying to figure out what their worth is. 
There's across the spectrum, if you're a cyber professional and you develop the mastery of attribution, now you have two different disciplines. And to her point, if you're passionate about it, I can reference a couple of folks that were cyber experts from the alphabets and they had asked me to train them in attribution. And once I did that, they shifted from cyber and went into human trafficking. There was data that they were familiar with to my point. The intuition, they knew it, they understood, but they didn't know how to take it further. And when you do that, they also had the skill set of being developers. So we would run into a problem and they would literally from scratch build the technical solution to overcome that problem. Well, tradecraft is nothing more than how you know how to do something that works for you to overcome certain problems in a huge variety of ways. And so if you have that multidisciplinary education or experience, whether it's formal or passionately developing it on your own, when you get in front of somebody, you can speak to all these different backgrounds and things that you bring to the table. It's not just a certificate or experience or X number of years doing this. You have a diverse spectrum of skills to apply to solve the problems. The more perspectives that you apply to something, especially if you've already overcome problems in those areas, the more successful that you will be. So I highly advocate developing your skills in OSINT, develop your own tradecraft, how do you deal with certain problems? It could be any number of things. I recall specifically that I would have data, I would need a certain tool or whatever, have to buy a license and we weren't gonna pay for that, so figure it out. So you figure out a way to do it. 
With that skill in all the positions that I've had, it definitely helps increase not only your professionalism, the spectrum of where you can work and what you actually bring to the table in resolving any number of different issues in the capacity. Thank you, John. So Mary, today we understand that hacking has evolved. It used to belong only to those with specialized tradecraft and skills. Security teams are outnumbered 100 to one and the industry faces a huge talent shortage. This needs to and will change in the future with the help of places like Norwich University. What thoughts do you have on reducing that skills gap? I think that we need to look at cyber culture and we need to invest in people. I think we need to invest a lot more in people and I think we need to start it a lot earlier. If you think mentioning cybersecurity to your elementary school kids is too early, you're wrong. Ask your kids what age they got their first email address at school. Ask your kids what kind of things they're doing on their computer and what's required to be done on a computer when in school. That whole cyber culture needs to start to be ingrained a lot earlier and then we need to start teaching those skills to our kids a whole lot earlier. This is a long sale cycle, I get it. This isn't something that we're gonna say, you know, let's start doing this and then tomorrow we're gonna start pumping out more professionals. This is a long sale cycle starting with the very first time the kids start touching a device like you were saying, you know, my little one can pick up a phone and search for something on YouTube and I didn't even teach him how to do that. So earlier than you think, we need to start talking about cybersecurity with our kids and then we need to make it available in the elementary schools, in the middle schools, in the high schools. 
There are a lot of kids coming to college and they're seeing cybersecurity for the first time as something that they can even learn about and I think if that's already something that's ingrained in them, that's part of their cyber culture, they're gonna pump out of these high schools and they're gonna be ready to engage in higher ed, doing something in cyber and then coming out of the school system with a skill and a whole lot more experience than what some of our kids are right now and the other thing that I think is huge is for all of these companies that have holes in their cybersecurity staffing that they need to hire the guy or the girl with no experience. Grab the person that just graduated, grab the person that's in the middle of getting their degree or they just have a certificate and no experience and teach them, let them learn with you, find the really good workers that maybe don't have the skill set yet and let them build that with you but give them a chance. I don't really think the gap would be as bad as it is right now if people would look at some of these folks here that have a fresh degree and give them a chance. So I think that's what Phil Sifman's trying to get us to all do, right? So Ashley, ransomware, data breaches, phishing and security exploits are the top threats to the cyber environment. Recent reports cite that over 80% of all breaches have human interaction. What can we do to protect the human from inadvertently causing a breach? Yeah, so I think this is a great question. It immediately made me think of the fact my first week at my new job, so I swapped over to a non-profit about three months ago. And the first week I got there, I got an email that was like, review your order from Amazon. And I was like, oh, I don't remember ordering something from Amazon. I clicked on it, having just come from a job in cybersecurity, like I knew better. I clicked on it and it was like, hey, you would have just failed this phishing test. 
It was like from my new workplace. And I was like, oh, that's such a good reminder that even somebody who knows something about it is still likely to click on something. So I would say the top thing is be aware, keep that security mindset, even when you're in a new environment or when it's something where you're not having to think about it. So three, once again, of the kind of main failures we see is that phishing attempt. So we talked about it earlier. It's the same thing with that link that was supposedly from Amazon. Or a lot of times we see it in advertisements too. So if you're on a website, a lot of times we'll see like the Zeus virus recently was caused by if you click on an advertisement that had a link in it, it would download malware to your computer, which then would search for banking information directly on your computer. So be really mindful of where you click. Second is those brute force attacks. So if you're using weak passwords, that is a very common source of error and where you can be breached. So for your passwords, you should always have upper, lowercase, number, special character, and be using different passwords. Ideally using like a randomized password is more secure. So you can use a password manager, which will keep encrypted passwords saved. But I would definitely recommend using a strong password because otherwise even a fairly inexperienced hacker is able to kind of brute force those simple passwords. Lastly, once again, is the threat of malware. So being aware of what we're clicking on. So in order to stop some of those, it's some of the things we talked about earlier, but you can also make sure that you're continuously patching and keeping up to date with the security, the most current security software because you'll see that a lot of times when vulnerabilities are released, they will patch it, but we as the user a lot of times don't feel like updating our security. 
It's like, oh no, I'm gonna have to shut down my computer and all my work's open or I don't wanna have to plug in my iPhone overnight while the new operating system installs. But all of those are what keep us secure and safe from those vulnerabilities and those patches that we know about. Other than that, you should be encrypting your sensitive data. So if you have sensitive data, we want to use some sort of manager to actually encrypt that. Other than that, you can obviously stay behind a VPN so you can use a VPN, making sure you're up to date on your antivirus and then always being vigilant on those social engineering attacks. So making sure you're not clicking links or releasing information that you shouldn't be releasing.

Awesome. So, John, last question. Do you see in your work and attribution and the work that you're doing here at Norwich, new RE moving towards teaching attribution and applying it to the current spike in crime in the US, both in the cyber and the physical space?

Yes. President Susmann, if I can say some of the initiatives, so the company that I work for is i2 Group and we partnered with Norwich. We're currently exploring an academic fusion center and one being located here on campus and a potential center located in Arizona, where you have Arizona, Texas and California. Part of that would be students that are working on a minor or major degree and working in that center where law enforcement does not have the training or tools that those cases, active cases can be worked by students here. There's a whole lot that goes behind that but simply stated, that's one initiative that we're looking at and that can be in the capacity of human trafficking, cold case homicides, any number of different things.
So, part of that would be expanding the coursework that we have right now that's focused just on attribution alone which is mastery of OSINT, understanding all the sense and the application of it and through that, potentially offered online to law enforcement so that that ticks the box of the training gap that I spoke of earlier and the other is the tools. This is the company that I work for, has the tools to do that. i2, also known as Analyst's Notebook, if you're familiar with it or not, we're pretty much in all of the alphabets globally for intelligence and investigative capabilities. So, that's something we're working towards. We've got the right people involved and I want to throw one more thing about when we were talking about passion. I consider passion is equivalent to talent. Some of the most talented folks that I've seen, it wasn't about their formal education, although that education is invaluable, you can't replace it with something else. So, if someone doesn't have that opportunity and they've developed those skills with them, instead of, if I am looking to hire somebody, it's not necessarily okay, well, you're a SME or subject matter expert, it's the talent that they bring, again, that makes them so much more diverse in what they see, what they understand and what they can do with it. And so, I encourage everybody, find your passion and move forward with it. And as we continue with our efforts in the Academic Fusion Center or Human Trafficking, whatever ends up becoming titled, I'm excited for that. I've stated before in other circles. I've got about 10 more years left in me in the fight. I've retired law enforcement, retired military, and this is my focus, and I'm with the right group, Norwich is the only place I can see the other successful institutes that we have, we're in the right place to do this. And thank you.

So, it sounds an awful lot like the SOC work that Norwich is already doing, just a similar approach.

So, if you take your cyber initiatives, the cyber institute itself, and what we're doing, there is a marriage there. The skills and the training and the tools are very similar. It's the application, and that's what we wanna broaden up nationally and one day globally.

Thank you. So, Mary, in IT world, we're moving away from net-centric approaches. In fact, we're even moving away from things like cloud-specific or container-specific security. Organizations are gonna need solutions that continuously monitor for threats and risk potential. This obviously happens often in the banking world. But to do that, we need to do it in a way that doesn't slow down and certainly slow down financial transactions but other kinds of activities. Do you have thoughts on this?

I would say that one of the biggest things you can do, again, if you don't have the internal resources, is to align yourself with a really good MSSP. They're invaluable and it's not something that you should try to just, you know, kind of half at it. You really need to have strong cyber posture in place. The threats are constantly changing. They're coming at you 24/7, 365. And if you're gonna handle it internally, make sure you've got the right tool sets. Make sure you've got the right technologies and the right people in place to make use of those technologies. For instance, having a SIEM in place. That's something that if you've got a powerful SIEM and then you've got somebody who knows how to operate it and the right people watching your systems, they can catch things before they ever become an issue. And then on top of that, you really need policies and procedures. So you've got your technical controls but then you've got the policies and procedures so that the human aspect, where that's where your biggest threat is in any organization, you've got them all doing things in a secure way or at least they should be according to the policy and the procedure.
The technical controls are wonderful to catch some of the things that people maybe will forget or do on accident but that insider threat is a huge risk area for your organization. So having training in place, the policies and procedures of the technical controls, all of that you need to just layer your defenses and make sure that you're looking at your cyber posture holistically and from all of the different aspects of it. And then the other thing is the training and the testing. I think that's really important. A lot of people are only training according to whatever minimum standard is out there but you should really take that minimum standard and multiply that. The training and the testing should be pretty constant. It keeps people more aware, it keeps people on their toes, it keeps people thinking. And again, all of this is part of that cyber culture where everybody is focusing on cyber because one of the things that we say is no one person is more important than the next when it comes to cybersecurity at your organization. I don't care who you are, what you do, what your job is, where you're at. Everybody is just as important. Everybody could be that weakest link. So that cyber culture keeps everybody kind of thinking about, well, is this really something that I expected to have emailed to me? Is this something that I should click on? Maybe I should pick up the phone and call this person. But without that cyber awareness and that culture and that constant training and testing, people might not think about it and just click on it and go and then that's where the start of the next news headline is. So I think that layered defense and the holistic approach is kind of the best way to look at things.

So I'm going to ask Ashley one question and then we're gonna turn to the audience and if any of you have questions for our panel. Audience members in the auditorium should come to the microphone set up in the aisle.
Our live stream audience should email their questions to cybersymposium@norwich.edu and we'll read them aloud. So Ashley, while all of you are thinking, can you talk to, as a data analyst at the Center for, National Center for Missing and Exploited Children, how your work there contributes, particularly in the cyber arena, to finding and helping these children get back home?

Yeah, I can definitely expand a little bit more on my job and what that looks like and how we're adding to the cyber world. So the National Center for Missing and Exploited Children gets lots of data. We get data from law enforcement, from different ESPs, so from electronic service providers. So like Facebook, Instagram, TikTok, Twitter. We get a lot of information when they see child exploitation or else missing children. And so within my role, we're developing tools to help analysts be able to more quickly process those. A lot of the data comes in these long free text fields and we get millions a year. So there's, our analysts don't have time to read through every single report. And so within my space and my sphere, I've been working on tools to use natural language processing to kind of sift through that and to streamline some of the analyst workflows. So overall, it leads to a lot of tool development within those ESPs as well. They are able to integrate some safer measures for children and you see out of that improved cybersecurity protocols coming out of a lot of like Meta's criteria or the way that they handle imagery. So lots of cool, exciting stuff going on there.

So I don't see anyone with questions. So we have one.

I actually have two questions if that is okay. I guess there's another one, so I'm just gonna ask one. How would you go about marketing your passion? More specifically for me personally, I love developing malware and offensive security tools. So I can of course put that on my resume as in, hey, I know how to do this, but if I wanted to let's say prove it, right?
Meaning I would release source code and things like that. I personally cannot do that ethically. How would you go about marketing skills like that?

Go ahead.

Here we go. So amongst loosely described, the team that I work with, a bunch of talent. Again, passion equals talent. And one of the things that we would do is we call it a puppy challenge. And what that started with was a colleague of mine who was the CEO of the company, his wife bought a Havanese puppy online for $500. And this is during COVID. So when it was all said and done, it was about $7,000 and the puppy never existed. The website that she went to, so I asked him, I said, what'd you do? He was, well, I called the local law enforcement, they're like, what do you want us to do? He notified federal law enforcement, they said, yeah, sorry. And so he said, what can you do? So I applied my skill set to it, developed it, got it so far and threw it to my cyber guys and said, what can you do? And so they took that, it went from all of the websites that I identified based on the data, so it's just not a person. It's the websites, multiple websites, same domain, shipping company, which is all the websites they're doing is driving you to the shipping company that gets you past the $500 and gets you into the $7,000. And they wanted in preloaded credit cards, visas, et cetera, so there's no attribution to them. The long and the short of it is, I threw a puppy challenge at my peers, my team. Once they got past what I had done and they got to, okay, well, this went through Nigeria, we actually know the names of the people there, it went over to an account in China, and so on and so forth. And so that passion, when they had a problem, they demonstrated their passion by developing certain technology on the fly to overcome the problems that I was discussing. And so in any spectrum, if you're aligned with people like that, if you don't, my nephew's another example.
He's, I introduced him to that group, puppy challenge comes his way. Similar to what I'm teaching, I'll throw a problem at you so that I can see what you're gonna do. If you're passionate, equals talent, you're gonna see it, you're gonna understand it, you're gonna overcome it. There's your bona fides right there. You're functional, you're successful in your approach and what you're doing. And so I would recommend if you're putting the stepping stones between you, a strategy's nothing more than how you get from A to B, right? Yeah, I flunked that question in grad school because I gave the dictionary definition. All it is is how to get from A to B. If you're A and you know what B is, work backwards from that. What are the stepping stones to get you there? Your education, aligned. You've got students all around you. Some of them may be passionate, equal. They're working on their own projects. They're developing their own stuff. It's working outside the box that makes you, that monetizes your passion, again, equalized as talent. So that would be my short answer.

So I would add to John's answer just, I've hired hundreds of professionals, particularly in Intel and server. And I would tell you that you can't train attitude. And so if you get an internship, fight for one, and be the best whatever they put you to do, I don't care if they have you doing the worst nug work. If you're doing the best you can to accomplish the goal set out for you, that's your foot in the door. And it may not be exactly what you think you want to do for them, but they'll give you a shot because of that attitude. And try and capture that as best as you can in that piece of paper that's called your resume.

Internship, I forgot that, thank you.

You have a question?

We've been listening to how kids are getting hands on devices a lot earlier, and how it's super intuitive to go on YouTube and search up whatever you want to look for.
And I've noticed with discussions with a lot of people, common sense security measures such as MFA are considered this big hassle that no one wants to deal with, and yet a lot of cybersecurity tools that are accessible need to be used by more people to just make their digital lives a lot more secure. So my question is how do we make more intuitive approaches to cybersecurity that makes sure that the average user is able to be as equipped against malicious activity as most of us are in this room?

So you probably don't know what Cocomelon is. I have a two and a half year old grandson who can walk up to the TV and put it on. User interfaces today are far easier than they ever were. But I would imagine one of the two ladies might have some thoughts on specifically ways to make cybersecurity applications easier.

I think education is one of the first things people don't know about it. I'll talk to my family members about the password managers. You know what, you're making all of your things this one password when I ask, well, how do you get into this? Oh, my password is this for everything. And they don't know what a password manager is. That's not their fault. That's not a common thing that we all go out and have coffee and talk about. But if it was something that we had a little more education about, that was a little more readily accessible and it was out there a bit more. I think everybody would go, you know what, this isn't that hard to use. This is really easy to use. It secures all of my information. It keeps me from having to remember the passwords. And a lot of these password managers too, you can put your credit card information in there. So if you lose your credit cards, your wallet, you've got all of that in there, you can put secure notes in there. There are a lot of technologies that can make our life a lot easier if we know that they exist. And we have a little bit of training on how to use them.
And I think mentorship is a really big thing that everybody here that's a cybersecurity professional could do. Find somebody in the community that you can work with. Find a group, find a family member, go to the schools and talk about cybersecurity. You've got a talent, you're a resource and we could make this easier for a lot of people just by sharing what we know and teaching them how to use the tools that already exist.

So I absolutely agree with mentorship but also if you look at the banking industry it's not quite universal yet, but they're forcing you into multi-factor authentication and we need to do more of that. So I think we have time for one quick question.

First I have one comment and that is that what Annette said about not being able to teach passion I think is hugely important. And I think that if you're looking to hire people attitude and passion and the willingness to keep learning because you can go to school and get a degree but that's not the end of it. I'm nearing retirement, I'm still going to courses and getting more education. The question is as we have these issues with lack of workforce availability where do you see artificial intelligence and automated response fitting into the mix in helping us do more with less?

Ashley.

Yeah, I mean I think artificial intelligence there's definitely a lot of room for it to be able to cover some of those roles. You'll obviously always need, well for the most part need somebody to develop upfront but then also to check some of that work. But I think we see that artificial intelligence is allowing for us to use people a little bit more wisely. So for the computers to do a lot of that those automated tasks and then freeing up our workforce to be able to do kind of the roles that take a little bit more analysis or analytics that the computer isn't able to do.

Thanks. So I think that pretty much wraps up our panel.
I just would like to say to the students that are still in the room, I'm extraordinarily jealous as an old Corps member. I didn't have these kinds of opportunities when I was here, take advantage and learn everything you can because you'll find this place really will set you up for success. So thank you.