Yeah, we're back. We're live. We're doing Military in Hawaii here at two o'clock on a given Thursday. We're talking about Cyber Ready Hawaii with Jodi Ito of the University of Hawaii. She's the chief security officer there. Wow. Well, I want your job, Jodi. Okay, and Jill, Jill, she's with the state legislature, state senators that were. And I want your job too, Jill. I wonder if I can have both jobs at the same time. I was associated with Cyber Ready Hawaii. So which one of you wants to tell us what that is? And a point to Jill. Well, thank you, Jay, and yes, in my former life I was in the Hawaii State Senate, but really happy right now to be able to co-direct Cyber Hawaii with Jodi Ito, our chair, and you know, really what it comes down to is, as we were talking about before, attacks, intrusions, spyware, it's everywhere these days, and it was around before the pandemic, but it definitely accelerated as all of us moved online, whether it was business or just interacting with family or learning. And so really we have to up our game, and the federal government is aware that that has to happen too, because attacks can happen anywhere on the supply chain. So to make sure that our local businesses and organizations can compete for these federal dollars, whether it's Department of Defense or any other federal contractor, we want to make sure that our local companies are cyber ready. And that means a lot of different things to a lot of different people, but the bottom line is, this is about making sure that the best practices to keep your digital presence safe and secure, your clients, you know, your customers safe and secure. This program makes sure that you are ready to be able to compete for those contracts and put these best practices and safeguards into place, and we've been thrilled to be able to work with Jodi and so many others to, you know, make this happen.
Well, what I get is, you know, the alliance, the business alliance between the Chamber of Commerce and, you know, the military community needs this, because you have to have these contractors prepared to come work for the government, to meet the specifications, especially the security specifications, in doing work for the government. And we the public, we certainly want that. We want the government to be secure and we want you to have people who are akamai about security working for the government. It all works together. Jodi, what are your thoughts about how, how you do this? Do you have meetings, classes, what do you do? So it's a variety of approaches. So what we're doing with the Cyber Ready Hawaii program is we're also working with the young, young students and recent graduates to also try to train them up to become mentors for the small and medium businesses in the cyber readiness program. So we're working with partners, the Cyber Readiness Institute, who has developed some curriculum, and the mentors, the cyber leaders, would then walk through the program with the businesses, and it's not just filling out a checklist. It's about making sure that with the businesses they go through and, do you have the right policies in place, do you have the proper onboarding and offboarding? So what other kinds of practices do you want to put in place for your company to make sure that your company becomes cyber ready, and is practicing what we call the basic safeguarding? So the federal government is coming out with these programs called the Cybersecurity Maturity Model Certifications. And basically, if you want to participate for federal dollars, these, especially defense contractors, they need to be certified at that level of safeguarding level. So this program is designed to bring the businesses up to that level, and then hopefully it won't be that difficult for them to get their certification later on. So part of it is check the box.
You have to have certain, certain procedures, certain systems in place in your company to meet the federal military specifications. You can teach them about that. But what about, what about in general, you know, the risks of cyber attack, because you know, you'll agree with me, it's a moving target. Absolutely. Go, Jill. I just want to stress what Jodi mentioned is a key component of this program that really separates it from, I think, what might be out there, you know, as well. It's really the human element to all of this. So when you think about cybersecurity and, you know, in tech, you might think it's a lot of hardware and software, it's all these technical aspects, but the reality of this is, people are key to making sure businesses and organizations, everyone in the pipeline, are secure. What is a human behavior element? Are you making sure that you're not just checking off the box but you've trained, sat down and trained all of your employees? You know, that you don't just say, I got somebody, I hired a company, a vendor to take care of me. You've actually sat down and had the conversation about what happens if and when I get attacked, because we know it's not an if question. For many people it's going to be a when question. So if I do get infiltrated, what are the first three things I've got to do? The first person I call? This can't just be a check off the box, go online, fill out a form kind of thing. It really is about sitting down, virtually nowadays, with someone who's going to take you through that process and have that conversation with you, and I think what's really been rich about the Cyber Ready Hawaii program, as Jodi mentioned, we have young cyber leaders who will be the next wave, next generation of cyber professionals like Jodi out there. So it's great we're able to train up future forces of Jodi Itos. We can't get enough of those, I will tell you that right now.
But at the same time we're pulling people like Jodi back in as mentors, and they're able to sit down with a lot of these companies and these young leaders and have conversations about what's it really like to protect the University of Hawaii system. How would I deal with every single day and how would I address a question that they might have? So this mentorship, train the trainer component, one on one conversation, that's really what makes this a very rich, meaningful program that I think will yield results beyond even thinking of, you know, FAR 52 and CMMC and every other federal acronym you can think of, but looking at creating a strong cybersecurity presence and capacity, human capacity, here in Hawaii. So that's really exciting for me. How old are you, Jill? Me? No, the program. I'm just kidding. This is a brand new program that is kicking off right now through the support of DBED, but I will say this, Cyber Hawaii's entire mission has always been about growing the human capacity and the cybersecurity capacity of our state, working with various organizations and government entities, so it's really staying true to the mission of Cyber Hawaii as well. So you have a connection on this. I mean, you're obviously, for many years you were in the interstices of the state legislature. I realize now that you left in 2018, as I recall. But, but, but that, that tends to carry on because you're familiar with the way state government works, and I recall also that the program, the cyber security program we're talking about, is connected with DBED. Can you talk about that connection?
Yes, so I think, and I'll let definitely Jodi speak to this as well, because she can really really a lot of the, you know, the frontline experiences she's had, but I think it's a real strong realization by government at all levels, including the state, that as a result of the businesses in attacks and trillions of increased dependency, quite frankly, on the Internet and this type of communication, we've got to make sure that we're secure. We can't take it for granted that our companies, big or small, are prepared, and so this grant really is to be proactive in understanding what Jodi mentioned, that the feds are coming down with more stringent guidelines, and even the most basic requirements that seem simple, not everyone has put them in place, you'd be surprised. And so making sure that we can walk our companies through that so that they are ready to compete for federal dollars, which is a big portion of our economy, quite frankly. So this really is a proactive step to make sure that our companies are ready, but as well make sure we have the cyber security professionals ready to be able to work side by side our businesses and organizations. So the local industries, you know, the military contractor industry, to be prepared to do the work, qualified to do the work, because if you don't do that, then, then you'll have contractors coming from the mainland who will be qualified. So we have to make sure our local contractors are qualified in order to build that sector. I think that's what the alliance is about. And the Chamber of Commerce is certainly, obviously, interested in doing that, because it wants to, you know, build business in Hawaii in general. Let me go to you, Jodi. You know, we talked before about how it's a moving target. Every time you turn around there's some crisis, and it's front page crisis, you know, ransomware.
And of course when, when we hear about ransomware and these other cyber attacks, we know that those who conduct those attacks would love to attack military institutions, military information. And that includes Russia, my favorite cyber attackers, Russia. And I guess I'm also there with China. And actually, just this past Monday the Department of Justice unsealed an indictment that was actually, they're alleging four Chinese attackers. And so it actually is an attack that lasted several years. So it's actually an interesting read to understand the mentality and the patience that these attackers have. And recently you've been seeing the slew of ransomware attacks that's been going on through this pandemic, and so examples are the Colonial Pipeline attack, which actually affected the fuel supply. There was a cyber attack, a ransomware attack, on a meatpacking plant, which is now affecting our food supply chain. And so these attacks are happening everywhere. The whole cyber criminal organizations around ransomware is very commoditized, so very organized. So they actually have groups that will compromise the infrastructure, so the computers and the networks, and then they sell that on the dark web, and the ransomware operators will buy the compromised infrastructure and then conduct the ransomware attacks. And, but it's so big that CISA, the Cybersecurity Infrastructure Security Agency from the federal government, just stood up a Stop Ransomware website that was just announced this week. And it is a big thing that threats change all the time. Ransomware is sort of the malware du jour of right now. That's not to say that, you know, what is the next attack going to be and how do we prepare for it. And so again, Cyber Ready Hawaii is helping to at least get that basic understanding and awareness and uplift of the security posture across Hawaii in general.
It's really very frustrating because no sooner do you solve or move away, move off one problem, then another one pops up, and it's a fresh threat, so to speak, and absolutely come up with a fresh solution. And you're never done with it, you're, it's never over, the threat is always there. But if you practice the basic cyber hygiene practices, you basically elevate yourself a little bit above the slowest person in front of the attacking bear, right? So you don't want to be the person with the weakest security, you want to be a little faster, and the cyber, practicing basic cyber hygiene helps to get you to that point. So to the point where ransomware is sort of the malware of our current cycle. If you patch your machines, make sure you don't have any vulnerability, use strong passwords, multi-factor authentication. These are some of the things that prevent the machines from being compromised in the first place. So therefore the ransomware operators cannot come in and encrypt your, your data. So it, while the attacks change, a lot of times some of the basic practices can help prevent some of those additional new attacks coming in the state of mind. There are a number of issues than just one attack, it's a state of mind and on perfection. Let me, let me go to you for a minute, Jill, because we have a question. I love questions, it means that people care about what you're saying. Okay, quote, I think there is a great need for people to be educated on how to do business with the government in general. Surely we all agree to that. And that's part of the Military in Hawaii show itself. It's a core point. Now was cyber, cyber readiness being only part of it. Are there some good resources, Jill, for nonprofits and small businesses to get educated on how to do business with the government in general, cyber and in general? Yeah, no, absolutely.
That's a great question and you're absolutely correct, right, the Cyber Ready Hawaii program is just one component of doing business effectively, building that relationship with the federal government if you're a small business, an organization. I would say other resources that are out there is the Small Business Administration. They've got great programs, and depending on the kind of organization you are, they may have additional resources. Maybe you're a woman- or minority-owned business or veterans business, right, there might be a lot of different training programs and even resources, grant programs, loan programs that you could benefit from, so definitely SBA. Another one I'm a fan of is the Small Business Development Center. They have a slew of resources to look at helping businesses become federal contractors, you know, some basic tips to much more refined tips, so I would say those two particular resources off the top of my head would be great for people to connect with, and again also, you know, if you happen to be, you know, a Native Hawaiian organization, if you happen to be minority owned, women owned, there are other resources as well that you could tap into, but love the fact that there's a recognition that we often work together to get everyone ready to be able to compete, compete aggressively for the contracts. Absolutely. And for many years Hawaii just didn't want to read the manuals. And now we have learned, it started, I want to say in the 90s, when Pat Sullivan of Oceanit decided to read the manuals. And all of a sudden, oh my god, there's a, there's a wealth of work out there, why don't we do that? And he built this company around that notion, and now we understand that better. And you guys are implementing the same idea. So Jodi, you know, I do want to emphasize that you are the chief security officer of the University of Hawaii systems, which all the campuses and all that.
That's, that's quite a job, and certainly well qualifies you for this, for this, you know, the cyber, the cyber security program in the Chamber of Commerce. And one major question I want to start with, what, what exactly, Jodi, is your password? It's a secret. And it shouldn't just be a password, you should be using multi-factor authentication, so even if your password, they still can't log into your account. So right, that's one of the basic cyber hygiene principles that, that everybody, everybody should be practicing. So that was, that was smooth though, Jay. It's like that ad on TV with this, this kid asks his mother, I just got an email, what, what's the password to our family savings account again? Right, right. But you know, that's how a lot of the phishing attacks are, right, they sort of read this story and they slide in what they want from you and you feel like you want to help them. So, especially us being from Hawaii, we're so willing and wanting to help people that oftentimes we won't think twice and we'll just respond to the email, and then later, it's after the fact, you go, oh, I wonder if that was a phishing email, did I give up any kind of personal information? And oftentimes the attack stems from you responding to a phishing email. So how do we make sure that people recognize what that is and what the new techniques the spear phishers are using to try to infiltrate your mailboxes and then drop malware on your computers. That's an interesting point you raise. It's like, so you had a moment where you weren't really focused, and you were being agreeable, and aloha and whatnot, and you bit, you bit on the bait, and you realize just a second afterward, but too late. They just got something from you. They're going to do something to you. Yes. So here's my question, Jodi, you must have seen this, you know, in your life and times at the university. What's, what's the, what's the, what's the step after that, you just realized you've been had? What do you do?
It depends, like if you gave up your, your, maybe a social security number or a phone number or some other personal information, go back and think where else you've used that information. Definitely if it's your social security number, you know, make sure you do a credit freeze on all of your, your credit accounts, right, or if it's a credit card, just put a stop on it immediately, just to make sure nothing happens to it. But what we're seeing right now, a lot of times it's passwords that may inadvertently be given out. So just change your password right away or turn on multi-factor authentication right away. So it really depends on what information you gave to them, and then think about how it's used in your personal life, and then go back and do the prevention around that. The Federal Trade Commission does have a lot of good information about what you can do when you think you've been compromised. And again, the methodology that you take will depend on what you gave. Do you have any further advice on resources for nonprofits and small businesses who want to get educated in cyber to deal with the federal government? You know, mentioned a bunch of them, but what, you have any other thoughts on that? So from, and so I'm coming from the cybersecurity side because that's, you know, my wheelhouse. The Department of Homeland Security does have a lot of resources online, and the cisa.gov website is a fairly new agency within our federal government, and they are actually providing a lot of what they call cybersecurity information. The one thing that I would suggest everybody does is sign up for, they're calling it the advisories, so that if there's a vulnerability in a product that you use, at least you'll know about it quickly, and then they'll also publish the steps you can take to fix it.
So, you know, the earlier you know that there's a vulnerability with any of the applications or computers that you use, the sooner you can patch it up, the less likely you're going to be a victim. Everybody should sign up for that and follow it. So least you can do to protect yourself. You know, we've been talking about the federal government, we've been talking about small and medium business, and we know that small and medium businesses and nonprofits are the backbone of this state. And it's not only government, I mean, federal government, some of it is state government, you know, and you were involved in the interstices and you still are involved in the interstices of state government. So the same principles apply. What advice, what help can people get if they are in small businesses, small and medium businesses, in dealing with the state of Hawaii or the counties? Mm hmm. Well, that's a great question, and absolutely we know that the state government isn't necessarily easier to deal with because it's smaller than the federal government, I can say that openly now. So, but there are, there are definite resources, right, that they can go to. I know the Hawaii Alliance of Nonprofit Organizations is a good one, the Chamber of Commerce. So, you know, a little plug there, is also really good at helping people to navigate, and I would just say the cyber readiness program that we're offering, the Cyber Ready Hawaii program, is a great foundation for anyone looking to first and foremost safeguard themselves and their business interests, but also look to engage with government at all levels, because as Jodi mentioned, these requirements, they're nothing new. And quite frankly, they're nothing that would surprise you, but it is foundational steps that you can take to secure your business, no matter what you want to do to engage at all levels of government.
So I would say the Cyber Ready Hawaii program is a great entry point to getting you connected and ready to deal with state government, county government, federal government as well. And it allows you to not just do it by yourself online but to be able to engage with professionals that have walked in your shoes, have know what it's like to kind of feel a little bit nervous about, did I do something wrong, am I really prepared, do I have the right person on board on the same as a vendor. It's a safe space to be able to get ready to engage with state, federal government, local government, so I would really encourage people to, to come on board, and I want to jump back to the question you asked Jodi, the what happens after you press that button, the oops, my mistake, that, the lapse in judgment. What we always tell people is first and foremost, don't just turn off your computer, walk away and think it's going to be okay. Don't, don't do the shock and awe thing and just oops, you know, and don't feel ashamed, because it happens to absolutely everyone. It's really knowing who, in some cases if it's your business or whatnot, who to call first to let them know that I think I may have compromised the system, you know, alerting people, never being ashamed to ask for help, you know, putting those calls in as Jodi mentioned, because I think more than not we see issues of denial, if I just turn it off, it'll go away, right? It looks like it's never happened, and so it is about creating this culture, and that's what we talk in our training program with people about, creating a culture of comfort with technology and understanding that we're all humans. So what do we do in this case, if we accidentally press yes, give up our password, other information? Just putting it out there, don't just walk away. That's very valuable advice, a very good point, that, because what you, what you learn from Cyber Ready Hawaii changes, improves the way you look at technology in general.
And we all have to do that, we can't turn our backs on it. Let me, let me go to another point that you and I discussed before the show. And it, you know, it tracks on the whole thing about how this is all changing, always changing, spiral up, you know, it's a competition between the black hats and the white hats and what have you, and you've been in this business. You know what happens everywhere. And it's a situation where you don't, you don't necessarily know that you made the mistake, you know, it's not whoops, it's, oh, right, right. You know, in months later, even years later, you find that you've been compromised and you, you know, X number of records, data on personal data, sometimes health data, business data, what have you, has been caught. In fact military data have been compromised. Now my recollection is the law requires you to report that. And so what, can you talk about what to do when you come to the conclusion that something, something happened a long time ago, and you have been compromised? So definitely if you're a state agency with Hawaii state government, you do have a due diligence to report to our state legislature through the Hawaii Revised Statute 487, and they actually provide very specific guidance as to what needs to be reported, how specific individuals need to be notified, and timeframe by which you need to submit these reports to our government. Now, the federal side of it, that is changing. Right now, I don't, there's certain duties to report, I think, if you have a DoD, Department of Defense, contract, but that's not to say that you have that same reporting requirement for other agencies. You do for HIPAA data, for data, there is a requirement. And for student information there's also a requirement, but what the government is doing right now, there are bills going through our Congress right now that wants to mandate reporting requirements across all industries, not just government. And so, especially around critical infrastructures.
Those are our power or water or transportation, private companies would need to report an incident within, I think they're looking at 72 hours. And that's a very short window. We're not sure where it's going to go. But the idea is with the reporting, then people have to be more transparent. Hopefully they can get more assistance quickly to prevent the hidden types of ramifications from the attacks that you were talking about. But again, the compromises are huge. And it's lots of times from the private company you don't hear about it until like maybe a year later. So I think they want to try and get that transparency out in front of it. Yeah, and we want the military to know if there's been a compromise, because you know, that's really important for national security. One of the things that Jodi and I talked about before the show, Jill, was the Pegasus at the NSO company in Israel that sold this very special powerful software to governments, and then somehow it got out of the government or maybe to the wrong, you know, that were authoritarian governments, in the nature of a way to surveil terrorists, but it went way beyond that. And now we have a global crisis on this, what do you call it, zero click. Yeah, spyware that could go on anybody's phone and could take all your information, all your data, and surveil you for the rest of time, voice and video and everything you have, even if it's encrypted. Once it gets in without even a need for you to click on it. So, you know, to me, I mentioned to Jodi that this is the game changer. And it changes the way that the world works, it changes the way we work. It changes the, you know, the, the transmission of information on cell phones, voice and data both. So my question is, how does this impact, I mean, maybe too early to ask you this question, but let me see what you say. So Jill, how does this change things for Cyber Ready Hawaii, with a game changer of this kind of threat?
You know, I think really what it, what it does for a program like Cyber Ready Hawaii, and it really is embedded in the curriculum that we have for businesses but also to train those cyber leaders, those young professionals that are helping to lead this. It's really to make sure people are flexible, they're nimble, they're prepared and they're ready to think outside of the box, because you're absolutely right, every day the way we are attacked, the where these, the way these intrusions take place and where they enter from, it changes every single day. Another thing we have on our side is we have a human brain and human people right there that are able to be flexible, receptive and ready to respond to these incidences. What I love about what Jodi folks do at the university is they are training our children to think differently, and to prepare and to anticipate all these types of attacks and to hopefully even be in front of it before the next one even hits us. That's a mindset change. We're not thinking about how old we are, but our generation, we were through that, we've been through. You know, our brains aren't hardwired to think and respond and adapt to these constant attacks, but these, this next generation, they are, and so that's really what's exciting too about what Cyber Hawaii does, you know, throughout the P-20 pipeline, is we know that it's not just adults working now. It's the kids that are in school to be able to prepare for that next attack. It's Pegasus, Pegasus today. I have no idea what it's going to be tomorrow. But if we create a workforce locally prepared to adapt and to not just, you know, defend but attack at some point, that's really where our strength lies in, in terms of our cybersecurity capacity. And that's coming soon, and some of your students, Jodi, may be the ones that can do that. The younger they are, the more confident they are, seem like.
I'd love to be for them to be able to take that spyware, reverse it, so that we know how to protect against it, right? I think some of the things we're talking about is like the company NSO, they created this spyware and they're selling it. They're in a really good position to go out and create the antidote to the spyware and sell that too, right, so then they can play both sides of it. But really it is about when you see the malware, or how do you get ahead of it, and a lot of it is you actually have to do something called reverse engineering to understand what is going on, and then therefore you can put in the antidote or the preventive measures. And that it cannot embed itself and it cannot go live. And this is a skill set that we really need, and our intelligence community is also looking for that skill set too, right, as we get attacked, so this is a field where there definitely is job security. Well taken, yeah, absolutely. And then looking into the future, that will be so, increasingly so, as we go forward. Absolutely. Thank you, Jodi. I hope that all the right people were listening to this show to get the idea that if NSO could develop Pegasus, NSO could reverse Pegasus just as easily. Nobody in the world is as well qualified to do that. So yeah, buy stock in NSO immediately. Okay, well, let's, we're about out of time and I want to offer Jill and Jodi the opportunity to make closing remarks about the subject, about Cyber Ready Hawaii, about the Military in Hawaii, Chamber of Commerce, and the future of what you want to call it, the military contracting sector of our economy. Jill. Oh well, thank you for having us, you know, and just the bottom line really comes down to the fact that the Cyber Ready Hawaii program is about people and making sure our people have the capacity and the know-how to protect our interests, to compete.
You know, for those federal contracts, to help build and sustain our economy both from the defense perspective and across the chain, and you know, we're very, very excited to see where this leads, because if anybody has the know-how, as Jodi said, to get ahead of things, to reverse the future of the future near the issues, to be at the front, the tip of the spear when it comes to combating a lot of these cyber security threats, it's our people here in Hawaii. So we're very proud to be able to spot partner with the university, with the chamber, our partners, the Cyber Readiness Institute, and others to be able to make sure that our cybersecurity capacity here in Hawaii is strong, and that really means our people are strong, educated and they're ready, so thank you so much for having us, and please, people, log on to Cyber Hawaii and, you know, be a part of our Cyber Ready Hawaii program. Yeah, and your, your, your group of participants. It's not only they deal with the federal government, they deal with, they, they change their way of looking at things, they deal with all governments and all industries, and from them, I would add this myself, from them, we may have, we may find that there are some people who can solve really difficult problems. We want Hawaii to be very akamai about this, not only for the government but for the world. May I say, we the right countries the right. Absolutely. So Jodi, what would you add, what is your final statement, your final summary, your final advice? So to what Jill said, it really is about the people, making sure that we as the Hawaii community understands the cyber threats and how to protect ourselves. So really if you have the opportunity as a small and medium business, feel free to come through the program. This is actually a bleeding edge program. It's not been done anywhere else in the country.
So there are a lot of eyes on this project, and we really want to be successful, and small and medium businesses, please go to the cyber Hawaii community.org website and sign up. It really is several months, I think it was, I'm sorry, is a four week program, Jill? It's about four to six weeks and we'll be doing this for the next 12 months, so we're looking for a lot of, a lot of organizations to participate. And it's also a great opportunity for our young cyber professionals to come through, understand what it is for the basic safeguarding requirements, and then help a business, mentor businesses through this process, and you build your network, you build your knowledge, and you really build the cyber awareness here in Hawaii. So you really want to be part of this huge momentum and this wave, so, but thank you for this opportunity, Jay, we really appreciate your having us. I'm encouraged, you know, kudos to the Chamber of Commerce, kudos to the university, kudos to DBED. Good for you guys. This is a great program for Hawaii, and it has, it has legs, it will, it will help with all. Thank you so much. Thank you.