Cyber Security Champions, Jill Tokuda, Michael Cretinas. Welcome to the show, you guys.
Thank you.
I'm Jay Fidel. This is Think Tech, and we're going to talk about cybersecurity. And the first thing, I guess, let me ask you, Jill, how does that relate to people in companies that are doing business with the federal government, the military?
Absolutely. Well, if you think about even before the pandemic, so much of our lives, our work was migrating online. And so, of course, we had to protect ourselves. And, you know, with the increase in business and everything that we do in work and life, moving into a digital platform, cybersecurity has become even more important. And for some small to medium-sized businesses and nonprofit organizations, having the capacity and the people training to be prepared for potential intrusions and attacks really weren't there. And so, this Cyber-Ready Hawaii program, in which Michael is one of our star cyber leaders, and has actually gone through it with his company, was really put in place to really help with the human element, making sure that all of us are ready to be able to prevent attacks and know how to respond if and should one happen.
Okay, let's meet Michael. Michael, you're a cyber professional. What does that mean? Did you go to school starting at the age of five?
Thanks, Jay. Well, cyber for me, I mean, I've spent 20 years working in the federal government and as a contractor. Most of that is in IT and technology and just as being a federal contractor and working in the military, the biggest concern for us is security. So we have to learn how to secure our systems, how to protect our data and information as well as, you know, our own personal assets. Really an ongoing practice and ongoing education for myself and one that, you know, we continue to focus on here.
Yeah, okay, I want to drill down on that, but before I want to make a movie recommendation to you, Michael, it's on Netflix and it's called The Billion Dollar Code. It's about a half a dozen German, young student people in Berlin who invented Google Earth before Google Earth did and there was a lawsuit about it, you know, on the claim that Google Earth infringed their original algorithm way back in the, I guess it was the 90s or even the late 80s. And what is so interesting about it is that the trap door of this German organization was personal, it was like phishing. This guy worked for Silicon Graphics. It's a true story on Netflix, The Billion Dollar Code. This guy from Silicon Graphics took one of their essential programmers out all night and asked a million questions about the breakthroughs they'd had in developing their Earth map and fellow was very friendly and they responded and told them everything and then he copied it and then he left Silicon Graphics and went to Google. Next thing you know is Google has Google Earth and it looks exactly the same. It was a lawsuit. I haven't finished this series yet but you guys ought to be interested in looking at this because it shows you that, you know, the trap doors are not only electronic and technical, sometimes the trap doors are just people who have loose lips, you know what I mean? Yeah, so what's the state of play these days, Jill? Is it getting worse? Do we, you know, there was a piece about how ransomware attacks people every X number of seconds in this country that's happening but what's the state of play?
You know, well, I think you nailed it on the head, Jay, with your Netflix recommendation, right?
I think it's so much easier to actually not just be attacked but really to get inside people's information and systems than we'd like to think and you can have all the high-tech gear that you want in software but the human element really is the vulnerability that exists and when you consider the fact that every second, like you mentioned, right, attacks, potential phishing scams, ransomware intrusion is taking place, it really is about being prepared and understanding what kind of human behavior and corporate culture we need to put in place to make sure that our digital presence and our businesses are safe online. It's not just about business as you well know, looking at our Cyber-Ready Hawaii program, it's about the vulnerabilities that exist in government, state government, county government, our federal government in particular with this program, they understand that they can come through the supply chain and that could be the weak link that ultimately can do great damage to systems that make sure all of us are safe and taking care of it every day.
Now, isn't that true? We worry about the supply chain these days and maybe we don't realize that the whole world especially the supply chain is vulnerable to attacks, electronic attacks are very important. But the other thing I think we should talk about is you're interested in facilitating the relationship between the business community and the federal government and the military. And part of that is that the federal government and the military has certain regulations and requirements and examinations and qualifications that have to be met or no deal. Can you talk about that?
Well, I think one of the things that we know for sure is that the rules are constantly changing especially when it comes to the federal government. So even clearly what will be required for compliance when it comes to making sure that you've got the basic cyber safeguarding in place is literally being developed as we go along.
But what we do know on what Michael and others are doing is a great job of working with small to medium-sized businesses here in Hawaii is one of the basics that you'll have to have in place to make sure that if you take a federal contract for a Department of Defense contract that you've got essentially what you need in place from a software element, from a policies and procedures and response element to a human training element to make sure that you're okay. So as the rules are being written and the guidelines are literally getting stronger every day we wanna make sure our Hawaii companies and businesses are prepared to meet whatever expectations are coming so that they continue to get that work with those contracts.
So most of this, Michael, is preparing in advance. Most of this is identifying those rules and regulations and making sure that a company that is doing business and wants to do business with the federal government is aware of them and follows them. This sounds like training to me but it also sounds like troubleshooting. So which one is more important or are they equally important?
I would say, Jay, that they're equally important. You know, Cyber Hawaii a few months ago contacted myself, our company to participate as SMEs as Jill would say basically to go through the cyber readiness program and to try to identify where we were today in terms of security posture, right? How secure were we? The truth, what we felt to be the truth versus what the reality was, right? So they did a really good job spending about four weeks with us about a few hours a week just kind of going through the programs going through the policies and some of the human elements of security and just really stepping through that to really guide us toward, you know, where we needed to be in terms of federal compliance. What we came to find out though is that we weren't nearly as secure as we thought we were.
Is that always the case?
When you drill down, you always find things that, you know, that are unhappy.
Absolutely. So, you know, the program, you know, really was about, you know, training us but also really helping us to understand where we were and how to communicate that to the rest of our companies, right? Because as much as we as the IT leaders can be prepared and understand where we are the most important thing is that we train our people, our employees, our staff of how to have, you know, standard secure practices in their day-to-day activities.
So, you know, I don't want to tell you anything you don't know, but some people in this world, Michael, Jill, are Luddites. They wouldn't know the bottom of a computer from the top and they have no idea. And, you know, just the way it works they're going to be in this class, in this training program. How do you deal with the, what do you want to call it, differentiation between people who are being trained with a relish, you know, who are eager and interested and unafraid and those who are terrified of anything that looks like a computer.
Oh, well, no, sorry, go ahead, Jill.
No, no, go, go, Michael, please take it away.
Well, you know, one thing that we know is, you know, to create a professional team we know that there are a certain amount of people that are very technical and can understand some of the basics of cybersecurity, especially, you know, some of the younger generations growing up with iPhones and iPads and just computers in general versus, you know, not. So what I really liked about the Cyber Hawaii program is that, you know, gave us access to not only the information that we needed but also resources and training materials that really help us communicate really what we're trying to train people on and on the culture that we're trying to build.
And not that it's, you know, so to say, dumbed down, but it made it really easy to consume to the point where we could easily translate that into training that was both engaging and very beneficial to our end users and our employees.
So going back to my movie recommendation, Jill, one of the, you know, one of the things is that these guys in the German company, they were very trusting and friendly and they had no concept of how you avoid telling people, even people who seem to be friendly, too much. And that goes to the whole question of, you know, the military and classified information. And I guess the same thing is, you know, proprietary information of one kind or another, which is a hole in the boat, if you will. So can you talk about what you tell them, how you try to train them so that, you know, they don't have that hole in the boat?
Absolutely. Well, I think, you know, it's really just passing on some really basic recommendations and guidelines like Michael mentioned, right? Making sure that you've got systems in place for your employees that aren't the IT professionals. By the way, they're not the ones who do the coding and, you know, and do the updates or whatnot or building the software and things, but really simple things like password protection, understanding what a phishing email even looks like. And they're very sophisticated these days, they don't have to take it onto the bar and, you know, get them talking anymore. They literally are able to mimic and pretend to be someone that is trusting. And it is about looking for those warning signs. So just, I think, generally creating a culture of being aware and stopping before you click, right? And if you do click by the way, it's okay, but know how to respond in those particular instances. And so giving them, as Michael mentioned, sample policies that they have to put in place, actual trainings that they run people through, as well, that's critical.
Even some of the biggest companies have these great policies in place. You never actually make sure that it is taught and trained to your employees. You don't double check it, know where it is. And I always tell people that it's printed out, in case your system, your tech system goes down, you want a hard copy to know what you need to do next. All these basic little things are really critical to make sure that all the potential leaks are plugged. But again, it is a culture of comfort so that everyone who knows IT and cyber or doesn't can feel comfortable knowing that they know how to respond and best protect themselves.
I suppose I'm qualified, I understand the policies, but I make a mistake, unintentional. And we have a problem in my company, if there's been a leak or a ransom or have you. And the federal government is always concerned about that. The closer I am to military classified information, the more concerned it would be. Could I lose my contract if I don't follow those policies? Should I lose my contract if I don't take this seriously? Does that happen?
Michael, did you want to go first and then I can jump in?
Is somebody in it?
Absolutely. So as a federal contractor, our day-to-day activity is with the military and with the federal government. And part of that is about securing our information, securing the way we communicate with them. And you're absolutely right. If we have incidents and incidents where data is exposed or we're hacked or ransomware attack, it's critical that we know how to respond and to contain the incident. Now, what we find a lot of times, IT professionals or security professionals such as myself, will draft these policies and procedures and we'll say, okay, we have these policies and procedures, but sometimes the extra step is not taken to then train the employees of the company.
And so you technically have this policy and procedure in place, but when the actual attack happens, you really don't know how to respond or the user sitting in front of the email who's getting the phishing attacks does not know how to respond. And so that's the most dangerous part of that. You know, one, have policies and procedures, but also how, you know, ensure that your employees know how to utilize them. And you're absolutely right. If you don't contain that well, you don't follow an incident response plan. You are in danger of losing that contract or, you know, exposing critical data.
You know, a few months ago, Lori Ito, you know, the cyber lady at the UHO.
Jody Ito.
Yeah. Yeah, she's really terrific. She was on the show and she talked about a conference they did over intrusion, okay? Where foreign countries and China was one of them, but not the only one, I wanna know what we're doing in the academic world and the research, the scientific world. I suppose it goes beyond that too. It goes into your world of cyber and, you know, military contracting and the like. And they had a conference and she was part of the conference. And what I think was very interesting was that, you know, they had to protect against people who were very sophisticated and who did not necessarily intend to bring your system down or to do ransomware, but to get the goods, to get the data, to learn more about you for, you know, geopolitical purposes. Is that in your wheelhouse, Jill? Are you also concerned about that, the concept of intrusion? Let's call it espionage. Let's call it trying to get information that, you know, they shouldn't have, but should give them a geopolitical advantage.
You know, I think considering our proximity, right, just our geographic location, that's always the concern that we have. It's both an asset for Hawaii in terms of our businesses and even our academic institution, but it's also a vulnerability as Jodi shared as well.
One that, again, for those that are in industries who have access to this information, who's dealing with it every day, it's an extra added level of security and considerations that we have to take into place. And, you know, to your point that, you know, the question you just brought out that Michael was talking about and just making sure that, you know, if your ducks aren't all in line in terms of cybersecurity and you have a federal contract, can you be held liable? You know, just in the last week or so, the Department of Justice has been launching this civil cyber fraud initiative, which essentially says that if you just say, you have all these cybersecurity protections in place and you've got federal contracts and then you're attacked, you could be held liable for basically lying and not truly being prepared. So it's definitely being defined out more, but it is, again, putting an extra level of accountability in there from the federal government because they understand the huge risks that exist both in state and out of state as well in terms of their security and where it can happen at any point.
Yeah, we still are a nation of laws, we still are. So Michael, imagine me in your class, okay? And I'm a newbie in your class and it's the first day of training. And I ask you this question, what's the one, you know, cyber attack, intrusion, phishing kind of experience that I should be most concerned about? What's the one thing that I should have top of mind at all points when I am using a computer or computer network or system in the context of a federal contractor or a military contract?
Well, Jay, there's a lot of answers to that. There's so much to consider when it comes to cybersecurity and just doing things in a secure manner. But I would say, you know, there's four things that you wanna focus on is one, having really good, strong passwords.
Two, being aware of and, you know, aware of phishing attacks and what that may look like outside to identify, you know, potentially, you know, potential phishing attacks through email. And three, really is just to understand how to respond when something does happen, right? You know, okay, you might wanna, you might get a phishing attack, you might have a ransomware attack. Maybe you just wanna disconnect from the internet and dispose your laptop and then call someone who may be able to assist you. So those are some really quick high level things that I would say. Those are probably through the major item.
Okay, two questions come to me on that. Number one is passwords are such a pain. They really are. It's the, it's really, it's a hassle almost every minute of every day. And so there are programs, you know, people would like to capitalize on this and they build programs and I can name some for you. And those programs will remember your password. The fact browsers are now built, right? Remember your passwords. And so when, you know, ideally, at least for the user anyway, you go on your machine and it says, oh, put your password in. Oh, but he's putting it in for me. My browser or my, you know, my password program is putting it in for me. And I say to myself, that's really terrific. It's a labor saving device, you know, takes away the hassle. But query, is it safe?
That's a mixed bag, Jay. And there's always that saying that, you know, you can make things either more secure or make them more convenient. So things like where you can scan your face or your, your thumb print or whatever it might be, just to enter your passwords for you. That can still be, you know, at, if you will, it could be, you know, used as a vulnerability. So there are tools out there, which get a little technical that allow you to do, you know, multi-factor authentication, which is, you know, a big topic these days. Using biometrics, things like that sort of thing.
Yeah, if it seems too easy, maybe it's not so secure, right?
Well, you know, anything that's magic like that, you really wonder if they can hack into that, they can get everything. And then there's a terrible, terrible price to pay. This is all about security. And I suppose, you know, for, you know, it's not only, and we talked about this briefly before the show, Jill, it's not only for people who are actually, you know, in contract with the federal establishment, it's for people who may want to be in contact, because they have to be, you know, sophisticated, they have to know the ropes, have the policies, systems, what have you. So that kind of opens the lens, it opens the keyhole to a number of companies in the state that are not right now doing military work or federal work. So you could be busy all day long. How do you handle companies that might, you know, do that work but aren't doing that work? And how much resource do you have to reach all to the, every SME in the whole state?
They have tons, you know, we can't duplicate Michael, unfortunately, or we would clone a bunch of him and we'd have tons of cyber leaders out there working with SMEs, you know, but I will say this, you're absolutely right. While there are many companies that are not currently doing work with the federal government or the department of defense, given how much federal dollars come into the state, there's a really good chance that if you're in the healthcare industry, the education, you know, industry construction, you know, IT, anything, you name it, even ship repair, right? You will be coming into contact with federal dollars and how do we make sure that if a, you know, if you should be called upon to comply in order to continue that contract, that you will be ready. And that's really what this program is. And it's very unique, I think, as we've mentioned to you before. It is an online program and system but pairing it with cyber leaders like Michael ensures accountability.
It's an integrity of the training itself. And it really also provides these companies with mentors, if you will, access to, you know, professionals through Cyber Hawaii that can answer questions that they may have that goes above and beyond the curriculum. And really, really critical. We've talked to some people who were just thinking about having a federal contract, but now thanks to Michael and other cyber leaders like him, they've got a great foundation to work on, to keep their everyday business and work secure. And I think that's really important for us is how do we help everyone be more digitally secure and safe personally as individuals, but especially as businesses and organizations helping the state to move forward. So we need more Michael. That's a hard one to find right there, but definitely more small to medium-sized businesses and nonprofit organizations. Anyone who comes in contact with private information, you know, secure data, it may not just be classified information, you know, but how are you making sure that that is safe and it doesn't get hacked? That's the big thing.
You know, you were mentioning that you had an event recently where you brought in some of your constituents' clientele, what have you, can you talk about it?
We've had a couple of different webinars, you know, but one thing that we are doing right now is really kind of holding some of these open houses, if you will, not, you know, in person, obviously, but virtual to really be able to give people a chance to learn more about our Cyber-Ready Hawaii program. And hear from cyber leaders like Michael. Michael's a really unique case. Again, like he mentioned, he went through the program as part of his company. So he was his company's cyber leader and then really graciously stepped forward to pay forward and really help other companies go through the ropes as well.
And so we're trying to do more of these in terms of getting small to medium-sized businesses and entities interested, knowing what the program offers. And part of it is hearing from people like Michael, understanding that even if you think you got it all down, it really does help to go through the program again, just to make sure, just to double-check that the training you think you've got in place is good and it will prepare you for what you've done.
How often should I go? Because, you know, there's nothing so constant as change itself. And we know that, you know, the world of software and then we want to call it, all the networking things around software is changing all the time. So do I need to go every month, every six months, every three months? How often do I need to go to keep current? Maybe that's a question for Michael.
It is. And, you know, please, Michael, tell them, but go through our program once. You don't have to go through it twice, but folks like Michael will help you create that system of how often you should be checking on training. So, Michael?
Absolutely. You know, absolutely. You need to go through and establish, you know, baseline processes and procedures for your company to standard cyber hygiene. That's important to do at least once. And anyone that's familiar with doing business with the military federal government, you know that they make easy training almost every year, sometimes multiple times a year, specifically on cybersecurity. So, at the very least, you know, staying abreast of all the new technologies and all the new policies, at least trying to refresh yourself every, you know, quarter or every year, that's kind of a good rule of thumb. Definitely not something you can just let slide.
No, no. And you know what? One thing that strikes me, though, that there's a number of companies around town, private companies, not state funded, having nothing to do with the federal government, who make a living talking about cyber security.
Some of them come on our shows and they, you know, they tout and promote their companies. That's okay. That's good. Because this is a ubiquitous problem. It's everywhere for everybody. You can't exist in our society without, you know, being at risk to some extent. So clearly what, you know, how do you interface with them? I know, you know, you've been in the private sector. You've done this on the other side of the street, so to speak. Maybe you're doing it now on the other side of the street. What is the difference between working for Cyber Hawaii and working in the private sector, you know, to sell services around cyber security?
Well, I think the biggest thing here, I mean, is especially during the pandemic, we realized that Hawaii really needed some other avenues for revenue, right? Tourism was gone. I mean, me working in the second industry, it just made sense. You know, we can work remotely here in Hawaii. We can do a lot of federal government contracts here. But as I heard more about some of the stricter compliance things going on within the federal government, meaning we have to be compliant in order to even have a contract. It really began to worry me, both for myself, but also for the small businesses around Hawaii that also work with the federal government. The difference being, you know, Cyber Hawaii is free. You can participate for free. You get the assistance of Cyber Hawaii to walk you through the basic processes and get you on the paths for, you know, cyber security, safe cyber security practices and compliance. So I don't think there's anything else like that. That's available without spending a lot of money. So I definitely want to be a part of that line for work.
So that, but that's an interesting kind of competition, isn't it? Because the other guys are not free.
Well, I don't think we're in competition with one another. I think it's hard to think about it. We get them on a path.
And then, you know, after that, you know, if they want to implement a stricter security or need technologies, I think that's where we work collaboratively.
Yeah. You know, Jill, and Michael mentioned that in the time of COVID, you know, things changed and no kidding. Have changed. And PS, they are changing now. And PPS, they are going to continue to change. And I wonder how that changes the world in which you guys live. How it changes the way you train, how it changes the way you perceive, you know, your market, the SME market. And, you know, how it affects, you know, the connection between the SMEs and the federal government. Because, you know, we are in a different place now and business is different. That matter, the federal government is different. How has it changed for you?
Absolutely. I think it definitely blew wide the universe in terms of entities really needing additional cybersecurity training, help, and guidance. Not to say that it was a small universe, but definitely it reminded us how all of us in some way are touched, you know, by cybersecurity and IT. And especially when it comes to the federal government, our worlds are much closer. We're in the middle of the Pacific. But that's really not too far these days, given the increased traffic that we have over the internet and how much we have expanded the use of our digital presence and self as well. So I think it definitely widened it for us. And it reminded us that even programs like the Cyber-Ready Hawaii, we are literally learning as we go along. And I think that's the greatest thing. As we work with cyber leaders and companies through Michael and other cyber leaders as well, we're learning where are the pain points? Where are the struggles? Where can we do better as well? Working with our Cyber Hawaii members and our leaders to help businesses and companies prepare because you're right, things are constantly changing. That is the one thing we know for sure is it's constantly changing.
How can we create an adaptive, flexible, prepared digital culture, if you will, here in Hawaii that will be able to respond and anticipate whatever we've got to come next? We just know that something will come and we create some great policies and buy-in too. One of the things that I should mention is in addition to cyber leaders, the company, we often talk to the CEOs or the heads of the companies about the program in the very beginning because as Michael well knows, you need buy-in from the very top all the way through the company to say that this is not just something that we'll do, check off the box and leave, we're going to adopt this fully. And that has to start right at the top and go through the entire company as well.
Now, Michael, this is one of my pet peeves, if you don't mind. If I have a software, okay, even a really good software and I want technical support, there are some companies that pride themselves on responding to you, very few of them on the phone, by the way, it's email or it's chat or something. And others are impossible. You can't reach them for love or money. You write them an email and nothing happens or the person at the other end is not Akamai and doesn't really care about helping you, it doesn't. And I mean, it's very frustrating. I think it's an industry problem. But I wonder how you deal with that if you have a software-specific security problem and you need to contact someone and they are living on Mars. How do you deal with that? Are you better off than I am? And you find a way to talk to these people? Because I sure can't.
They know if we could solve that problem, I think we'd all be in a better place. As a security professional, the best thing I can say is like the federal government, everything that you choose to adopt through your research, make sure that you can reach them, make sure there's warranties and support processes in place and let that be part of your guiding decision points in terms of what you choose to use.
There's a lot of great things out there, a lot of them are free, but like you're saying, if you have a problem with it or if it gets exposed or there's a vulnerability with it, it's very difficult to get that support, right?
Yeah, okay, we have more. It's comforting to hear you say that. Well, the other thing I wanna ask you is, okay, so it's a matter of response, okay, response. So now I'm suspicious, I'm suspicious. Some weird thing happened. It sounds like phishing to me or my computer is acting up and I get a ransom message. That always helps make your day. So I say, uh-oh, uh-oh. It's that everything that Jill and Michael were telling me is coming true on my watch now. Uh-oh, who do I call? Am I called you? What would you do for me when I called you in a cold sweat, huh?
I, you know, me as a security professional, I could definitely put you in touch with cyber incidents. They typically get reported to the federal agencies and things like that and they can help you guide you through how to respond after the fact. But responding after the fact is always the worst thing, right? So you wanna be more proactive. You wanna take some steps now. I mean, that's why we're here. We wanna raise awareness for cybersecurity and try to spread that. And so that people can be a little more proactive and avoid those ransomware situations, right?
Yeah, absolutely. Don't be putting Michael's cell number and email on the bottom of the screen now, Jay. And he'll have all the calls coming to him. But-
Yeah, that was my next question, Jill. What's your contact?
But you know, it's a great question. And I think one of the things that leaders like Michael and others have companies immediately start to think about is, ooh, exactly, who do people call and reach out if they're suspicious that this might be a phishing email or maybe they press click and we did something wrong.
And so it is about in every company, in every entity, do you know who that first phone call is gonna be to ask the question, to verify if it's good or not or to figure out, do we now have to take the next step that I accidentally, you know, press send there? So stop, think, don't click. Well, let's tell people, right? Really, it's sometimes human nature. We're doing two things at one time and we press send, we enter, we just put the information in. But really, in every company, do you know who that first phone call is going to be? And it doesn't mean you have to have an IT professional in your company, but that's why. The person who is trained through our Cyber-Ready Hawaii program, hopefully will be that person that any employee in the company can call to say, I'm a little suspicious or oops, I think I did something wrong. And again, creating a culture of not being ashamed or afraid to ask the question and to get help. And that's really the whole basis of making sure everyone is cyber secure.
Absolutely, very worthy, increasingly so in our complex times. Thank you so much, Jill and Michael. Appreciate you coming on.
Thank you, Jay.
Thanks, Jay. Bye-bye.