“I'd say this is a project about nonprofit cybersecurity…but it's also about how cities can better protect infrastructure that isn't their own, and how cities can actually play a much bigger role in the cyber defense of their own communities.” - Sarah Powazek
Bryson Bort welcomes Sarah Powazek, Program Director of Public Interest Cybersecurity at the UC Berkeley Center for Long-Term Cybersecurity, to discuss the organization’s work providing cybersecurity resources for the public, and CyberCAN, a project to connect cities and nonprofits providing critical services.
How can cities play a larger role in protecting their communities? What are the biggest cybersecurity challenges facing nonprofits? What innovative solutions are being developed to address the cybersecurity resource gap?
“It's never going to be enough to have one federal agency help every single organization in a country. We're just too large,” Sarah said. “I think the solution is to create more infrastructure at the state, local, and regional level.”
Join us for this and more on this episode of Hack the Plan[e]t.
Hack the Plan[e]t is brought to you by ICS Village and the Institute for Security and Technology.
Bryson: I’m Bryson Bort, and this is Hack the Plant, season 5, brought to you by ICS Village and the Institute for Security and Technology. Electricity. Healthcare. The food we eat. Our water supply. We take these critical infrastructure systems for granted, but they're all becoming increasingly dependent on computers to function.
In Season 5, it’s more important than ever to ensure that our essential services are resilient to disruptions. This season, we’ll bring you insights on four of our most vital lifeline sectors - electricity, healthcare, food, and water. We know that our interconnectivity makes us vulnerable to our enemies – but what can we do about it?
We walk you through the world of hackers working on the front lines of cybersecurity and public safety to protect the systems you rely upon every day. From the threat posed by Volt Typhoon to the aftershocks of the Change Healthcare data breach, it is clear: the time for action is now.
In my day job, I'm the CEO and founder of Scythe, a start-up building a next-generation threat emulation platform, and GRIMM, a cybersecurity consultancy, and co-founder with Tom Van Norman of ICS Village, a non-profit advancing awareness of industrial control system security.
I'm also an adjunct Senior Advisor at the Institute for Security and Technology, a 501c3 Think Tank dedicated to tackling technology-driven emerging security threats.
Subscribe wherever you find podcasts to get each episode when it drops.
Bryson: For today’s episode, I’m joined by Sarah Powazek, the Program Director of Public Interest Cybersecurity at the UC Berkeley Center for Long-Term Cybersecurity, where she leads flagship research on defending low-resource organizations like nonprofits, municipalities, and schools from cyber attacks. She serves as Co-Chair of the Cyber Resilience Corps and is also Senior Advisor for the Consortium of Cybersecurity Clinics, advocating for the expansion of cyber education around the world.
Sarah: “...CLTC is a really unique organization within the UC Berkeley School of Information, and we offer a sort of think tank, a small research center within the university that's really focused on the problems that no one else has time to solve.
So for example, cyber attacks, we're really busy putting out fires and we're trying to think five, 10 years from now. What problems are going to remain and what can we do now from a structural point of view to try and make those problems better in the long run? So we do a lot of convening. Our research really runs the gamut.
We have an AI security initiative run by my colleague Jessica Newman. And my initiative is called Public Interest Cyber Security. So like I mentioned, we're really focused on the have-nots. There's a lot of different ways to describe them. Target rich, resource poor, below the cyber poverty line, all the types of institutions that really don't have the resources to defend themselves. And we do a bunch of different things to try and help them.”
Bryson: What are the biggest cybersecurity challenges facing nonprofits? How can cities play a larger role in protecting their communities? What innovative solutions are being developed to address the cybersecurity resource gap? And if she could wave a magic, non-internet-connected wand, what is one thing she would change? Join us for this and more on this episode of Hack the Plant.
Sarah: I came to cybersecurity like a lot of folks from a totally different field. So I– actually, my degree is in political science, with a concentration in technology policy, and my first job was in local government. So I worked for the city council. I was very enamored with the ability for local governments to move quickly and do really good things for citizens with minimal drama.
I would say not no drama, but certainly minimal drama compared to some of the things we see at the higher levels of government. So I was really enjoying my job at the City Council, but wanted to get back into technology policy. Not because I was particularly interested in technology itself, but because I was really excited about what it could do for residents and for people.
So I was lucky enough to get placed at a cyber policy fellowship at the Institute for Security and Technology, you and I both know Phil, and was lucky enough to get put on the Ransomware Task Force project, and so I actually helped them stand that up, and then have gone on to do a bunch of different things in and outside of the nonprofit sector.
So I was at CrowdStrike doing consulting, so strategic advisory services for them, helping run maturity assessments and tabletop exercises, anywhere from a Fortune 50 company to a very small hospital. I learned a lot about cybersecurity and in particular about the haves and the have-nots: the folks that can afford to contract CrowdStrike or another consulting firm to give them the resources they need, and then everybody else who sort of falls through the cracks. And I've been really lucky to have my position at Berkeley where I can pretty much full time just work on the have-nots.
How can we take the resources that we have, the research that we have, and put all of that towards the sorts of communities that currently cannot afford to protect themselves against very basic cyber attacks?
Bryson: I always find it so interesting how folks start somewhere else, typically in college, and then the paths that lead them into this field, just fascinating.
And in fact, I think that's worth really highlighting to our listeners is, for those of you outside of the space, we want you, we need you. And we're willing to work and help you. And that's part of what I'm hoping that this podcast helps do with highlighting all the different great folks doing things in the different initiatives.
Let's talk now about the Center for Long Term Cybersecurity at Berkeley. What exactly is that and what is the mission?
Sarah: CLTC is a really unique organization within the UC Berkeley School of Information, and we offer a sort of think tank, a small research center within the university that's really focused on the problems that no one else has time to solve.
So for example, cyber attacks, we're really busy putting out fires and we're trying to think five, 10 years from now. What problems are going to remain and what can we do now from a structural point of view to try and make those problems better in the long run? So we do a lot of convening. Our research really runs the gamut.
We have an AI security initiative run by my colleague Jessica Newman. And my initiative is called Public Interest Cyber Security. So like I mentioned, we're really focused on the have-nots. There's a lot of different ways to describe them. Target rich, resource poor, below the cyber poverty line, all the types of institutions that really don't have the resources to defend themselves.
And we do a bunch of different things to try and help them. We have one arm of CLTC that really focuses on direct services. So if you've heard of cyber clinics before, we run a cyber clinic at UC Berkeley, we run a consortium of cyber clinics across the country called the Consortium of Cyber Security Clinics, and these are programs based at a college or university that train students to do a high level maturity assessment for an organization that can't afford it, very similar to how law schools have clinics where they'll do pro bono services, it's just like that but for cyber security.
We also have an arm of CLTC that does more traditional research. So that's the CyberCAN project that we're going to talk about today. We're currently organizing a coalition of cyber volunteering organizations to come together and share best practices and develop a strategic report around that. So that's the more like, classic think-tanky convening and writing and policy advocacy.
Bryson: What does a risk assessment look like with these students out of a cyber clinic? Are there any case studies that you can share to give us some detail of the anecdotes?
Sarah: We have a bunch of different clinics doing different things. So UC Berkeley's clinic focuses on nonprofits at risk of politically motivated cyber attacks. So they might work with a women's health organization, an LGBTQ advocacy organization, a refugee assistance organization that might be a target by their own government.
So, really high-risk nonprofits, and they focus a lot on training folks to cover their digital trail and use secure communication tools like Signal and other encrypted messaging platforms. That's one end of the spectrum. RIT, for example, Rochester Institute of Technology, they'll actually do pen tests as their senior project for a small business nearby.
And it really runs the gamut. I'll say the Indiana University Clinic actually works with their local fire department and there's a really great broadcast coverage of them, you know, sitting in the fire truck, working with the firemen and talking to them about what digital assets do you have and like, what is the risk and how could that risk cascade to impede your ability to fight fires and use that to sort of convince them to take certain measures there.
Bryson: Is that something, if an interested organization wanted to participate, that they could go to the Berkeley webpage?
Sarah: Yeah, you could go to cybersecurityclinics.org. That's the consortium that we help run. And there, there's actually a map of all of the different states and cities in which you can find a cyber clinic and how to get in touch with them.
Bryson: And how do you recruit the students for that? Is that an engagement with different universities, or is that something also that students who are interested anywhere, even in a non-participating university, can sign up for?
Sarah: Right now it's for participating universities, and it goes back to our earlier discussion about trying to get folks in from different majors into cybersecurity.
Clinics are a really great way to get folks, like me, who really care about the mission, but who, just the idea of computers doesn't get them out of bed in the morning, but the idea that you could use technology to protect people really draws in folks from different fields at Berkeley. We get a lot of folks from the human rights major program.
We had a lot of journalists. We get a lot of law and business students. So clinics are actually a really great way to get some interdisciplinary folks into the cybersecurity field as well.
Bryson: Awesome. Well, if you're an organization looking for help, we've got an answer. And if you are a student or just another volunteer in our Year of Volunteerism here, there's a path for you there as well.
Now pivoting to what is the core of what I was hoping to cover in today's program, CyberCAN, cybersecurity for cities and nonprofits. Tell us about that.
Sarah: I'd love to. So this was a really interesting collaboration that we've done over the last year with the city and county of San Francisco. So we talked with them, we're based in Berkeley, they're in San Francisco.
We have an established relationship there. And we sat down one day and they said, you know, we're really preoccupied with our nonprofits. We give them grants, they provide really critical services to our residents. This is housing support, food banks, boys and girls clubs, all the types of organizations that really keep a city running.
We don't own them, we don't own their infrastructure, we can't see how they're doing, and we're worried about them. We're at the place where we feel really comfortable with the city's IT infrastructure, and we want to help, and we don't know how. And we said, great, we're a research institution, we'd be glad to help. And we started this collaboration very closely with them to better understand how the nonprofits in San Francisco were doing and how the city could play a bigger role.
So at its face, I'd say this is a project about nonprofit cybersecurity. A lot of the things I'll toss out are about how the nonprofits in San Francisco are doing. But it's also about how cities can better protect infrastructure that isn't their own and how cities can actually play a much bigger role in the cyber defense of their own communities like San Francisco is doing.
Bryson: Can't remember if we did an episode or if it was tied to Hack the Capitol. By the way, the new name for Hack the Capitol is now Critical Effect.
Sarah: Oh, I love that.
Bryson: It'll be June 12th and 13th and we have a workforce development day on the 11th. Thank you. I'm glad that you like the name. We were trying to come up with something that was, of course, pithy, different.
A play on words on critical infrastructure. What's the impact we want to have with it? We don't just want to talk about this, right? Going to what you're doing. We don't need more paper. We don't need more people talking about the problem. Get out there and do something. Have a critical effect. That was the idea behind the conference.
And it was Kelly Moan, who's the CISO of New York City. And it was really interesting talking about the municipal, the city-level perspective on critical infrastructure, because most citizens and most practitioners even really have been driven by the federal government's perspective on how we classify critical infrastructure.
And it turns out, not everybody necessarily thinks that way. And so, Kelly has talked about that with us before. But contrasting, of course, nonprofit and the municipals that you're working with, primarily San Francisco, what have you seen?
Sarah: We found a lot of things. I would say some of it, to the folks listening, some of this is going to be completely unsurprising.
For example, 85% of the nonprofits we surveyed had experienced at least one cyber attack, and that's known cyber attacks. I'm sure that there were more that they maybe didn't understand or realize or have the tools to detect. So that's not going to be surprising to anyone who understands nonprofits.
They are the second most targeted sector after government agencies. Folks may not know that, but they're very common targets. They have funding, and they often don't have, in particular, nonprofit budgets have overhead. So that's about 10% of their budget that they can spend on everything that doesn't have to do with their mission.
So 90% of their budget has to go directly towards giving out food, giving legal assistance, whatever it is their mission is. 10% is everything else. So HR, finance, leadership, staff salary, everything else, and a teeny, teeny part of that is also technology, and a teeny part of that is cyber security.
So that isn't a surprise to folks, but that's something that we found, as well, is that they're frequent targets of cybercrime. They really don't have the resources to defend themselves to begin with. Some things that we didn't expect, though. One, the staffing resources were a big surprise. So, the average ratio of, let's say, IT, full time IT staff, to other employees in the companies, about 1 to 33, 1 to 34 nonprofits usually.
So that means you have one full time IT staffer for every 34 regular full time employees. In the nonprofits that we surveyed, that ratio was 1 to 96. So, even for the folks who do have cybersecurity staff, not even cyber, but just IT staff, they are really overloaded with the amount of work that they have to do and cover for the entire organization.
So those are the nonprofits that do have staff. Nonprofits that don't have staff, we actually found 53% of them didn't have a single full time IT staff. And it doesn't mean they don't have IT. It just means that it's someone's extra job, essentially. So over half of them didn't even have a single IT staff, and for those that did, the ratio was very high.
So we do know about nonprofits. We know that they're the second most targeted sector, and we know they have very little funding. And we know that even for the folks who do have someone they can ask for help, those folks are very overworked.
Bryson: So, just so I'm clear on that statistic, you said earlier 80% of nonprofits that you'd surveyed had been hit by a cyber attack?
Sarah: 85.
Bryson: 85% of the nonprofits surveyed had been hit by a cyber attack. Is there any detail on who those threats were? They don't know that. They just know they've been hit and they had to recover the depth of the impact. Did it affect the actual nonprofit operation?
Sarah: So 85% were hit with at least one cyber attack.
For 71% of them, that was a phishing attack. So it was a phishing attack that was either successful or one that they were able to catch and mitigate. 32%, it was business email compromise, which is really commonly when we hear anecdotes about nonprofits suffering from cyber attack. It's most commonly business email compromise.
So that includes CEO fraud, bank account fraud, sending them an invoice that says, hey, you haven't paid us yet we're a contractor. And it gets paid before they realize that account is actually going to a criminal. So that was the second most common. And the third most common was credit card or bank account fraud for nonprofits at 29%.
Bryson: Those statistics match with more of what I've seen in typical small business organizations where initial access with phishing is a piece, but a lot of it is just business fraud because there's money there to be stolen. And that's what the fraud's purpose is. It's just, it's the biggest shift that we've had since the 70s when I had to walk up to a bank to rob it is now I can wake up somewhere else in the world and come at you over the internet to rob you.
Sarah: Yep, and it was tricky too, because I think a lot of nonprofits are trying to understand why and how it is that they've become targets. We hear a lot that folks say, well, why would they come after me? I'm so small. You know, I'm so small, they can't possibly want what I have. And they don't understand that they could get caught up in a wide net of cyber attacks that are just spray and pray.
And they get hit because they have compromised credentials. I think a lot of this was an education project about talking to nonprofits. Why are they a target? Why do they need to care? And how do they make the case to their leadership that they need to take more action on this?
We did talk to the city a lot, and I think this is something that we did really differently than a lot of folks who are focusing on municipal cybersecurity. Everybody sees cities as ransomware victims, and that is certainly true for a lot of cities.
But there's also, you mentioned Kelly Moan for New York City, I mean, there are some cities doing incredible work in cybersecurity. They're really taking their job very seriously. They have, I won't speak for Kelly because I don't know what their budget is, but they're able to advocate for themselves and get a sizable budget to do great things for their citizens and for their IT staff.
Bryson: Kelly Moan is the CISO for New York City. I talked to her at a fireside chat at our policy conference, Hack the Capitol, back in 2023; you can check out the video at ICS Village's YouTube channel. Hack the Capitol is now rebranded as Critical Effect and will be coming the middle of June in Washington, DC. Hope to see you there.
Sarah: So I can't say anything bad about the city of San Francisco. I'll say we didn't assess them the way we assess the nonprofits, but we did talk to them about what sort of resources do you have that you could potentially extend to nonprofits. And really what we heard back from them was that they consider nonprofits an extension of their city services.
And that was something that we hadn't heard before. A lot of folks are like, nonprofits are on their own. You know, we're responsible for our own infrastructure and anything beyond that is someone else's problem. But we really saw the city of San Francisco take on this idea of, we're the protectors, we're the ones who have the knowledge in this regional area. It's sort of our responsibility to start taking care of organizations that can't protect themselves that live within our region that are serving our residents.
Bryson: So the level of the city's integration with nonprofits, I would presume that is limited to the nonprofits that are providing community services. I know, like a lot of churches have a homeless outreach and there's meal kitchens, those kinds of things. Or is it all nonprofits? I mean, I'm going to, I'm going to guess San Francisco is limiting to the ones that are actually, there's a financial transaction that's tied into community.
Sarah: Yeah, they call them community based organizations. We just use the term nonprofit. But they call them community based organizations, CBOs, and these are organizations that have some sort of relationship with the city, whether or not they receive a grant from the city to help them distribute their services throughout the city, or whether or not they're just on a mailing list, they have some sort of pre existing relationship with the city, which we believe is fairly common in different cities.
Bryson: So the nonprofit work that you did really did tie into the city itself. So you said you were surprised about that. So the scope of the project had originally been those two as separate. And then when they came together, it was, oh well, look at that, we have an intersection of what we've been doing.
Sarah: I think what surprised me was their willingness to extend their own services. So we were prepared to give the recommendations, and I'll share some of them with you. So some of the recommendations that we gave to them were around extending their own resources, which is a difficult thing to ask a municipal government to do.
They have a budget. They probably have their hands full. We asked them to hire a virtual CISO to work exclusively with nonprofits. We asked them to host a biannual cybersecurity workshop to connect folks that work at nonprofits to the local CISA cybersecurity regional advisor, to the local FBI. We were able to bring those folks in and talk to folks during a workshop that we held.
And we were expecting the reaction to these recommendations to be fairly lukewarm. And we were pleasantly surprised that a lot of the folks that we worked with, the CIO, the CISO, the folks in the digital equity department, said, yeah, that makes sense, that makes sense. And we would love to be at a place where we could do this.
And that was what was surprising to me. We thought they would say, you know, we just can't, we're too busy, we have too much to do. Thank you for these recommendations. We'll pass them along. And that wasn't the reaction that we got. And I think that gives me a lot of hope that there are other cities that are willing to extend their services, even with the constraints they already have, to try and help some of the nonprofits.
Bryson: So what are some of the other recommendations?
Sarah: A couple things. One that ties back to the clinics, we said, why don't you host some summer interns over the summer? You know, you're in a location that has a million and one universities and community colleges in the Bay Area, have some really bright students.
What we found is really useful about bringing students in to help is that students oftentimes are at the exact right level to give the advice that a nonprofit needs. They can ingest basic cyber security controls, they understand why they're important, they might have a background in communications and law and policy that helps them deliver those recommendations in a way that nonprofits can understand.
And the nonprofits are right there, they're saying, don't give me a million and one missed recommendations. Give me five. Give me five things to do and tell me why I need to do them. And that's something the students are very good at doing. So we told the city, you know, we have a cyber clinic. You should bring in students over the summer.
All you have to do is supervise them, and they'll actually help you by going out individually to some of these nonprofits and doing some assessments for them and helping them with implementation. I think that's where our assistance stops; we're researchers. And so the direct action piece of it, the implementation piece, was something that we wanted to help provide them.
Bryson: With respect to the city of San Francisco, did you tie into any of the more traditional critical infrastructure sectors?
Sarah: This one was just scoped for nonprofits, but I would love to see cities and counties start to take on more of that work at the regional level. I don't know if you want to start talking about the shared responsibility model for cyber security, but okay, I'll get on my soapbox for a minute.
Bryson: Sarah, you have an entire podcast episode of a soapbox.
Sarah: I'll get on my soapbox. I think we're in a really interesting period of cyber security policy. I think there are a lot of great federal programs. Like the state and local cyber security grant program, the SLCGP, and since that, that we're not sure are going to continue, let alone expand, like some of us want to see them grow and expand and continue.
We don't know what's going to happen. And even if all of those programs continued, I would argue that it's still not enough to help every organization that needs help. It's never going to be enough to have one federal agency help every single organization in a country. We're just too large. And I think the solution is to create more infrastructure at the state, local, and regional level.
I'm not the only one who thinks this. This is not my thing. But I think it's true. I think we need to build in regional and community resilience to cybersecurity. We need to have folks who live in every region in the United States who have the ability to help folks recover from and prepare for cyber attacks.
This is one of the reasons why we think clinics are so important is because they're based at an institution that has very strong community ties to its region and is able to retain talents there instead of sending it to a major metropolitan area. And I think that's going to be really important to us.
We need folks who are already on the ground to help come in when folks need help. To create mutual aid between other regions and states and cities, we really need to build a sort of regional network, and I think CyberCAN is one piece of this, the CyberClinics is a part of it, you mentioned Project Franklin, if you've heard of the state Cyber Corps programs, where states are creating these volunteer corps, sometimes Cyber Reserve Corps, where they'll go in and help with cyber attacks for different municipalities.
All of these programs are starting to crop up where folks are realizing that help is not coming, that they're not making the threshold for it being important enough for help to come and that they still need to do something about it.
Bryson: I haven't seen that many states really going down the state corps, state auxiliary approach.
I mean, the original that I can always think of is Michigan. I've seen both the state of Florida and New York taking a state-level interest in growing the investment in their capabilities, which doesn't necessarily include an auxiliary corps. Are there other states that are stepping up?
Sarah: Yes. And Michael Rezek, who was a Share the Mic in Cyber Fellow at New America last year, published, and he's now a non-resident fellow at CLTC, he published some great research out of New America last year on the Cyber Reserve Corps.
So I know Ohio, Wisconsin, Michigan, obviously have corps. His report's really the cream of the crop there. And he said, okay, Maryland, Michigan, Wisconsin, Ohio, Texas. And Oklahoma, Indiana, and Virginia are currently considering them. He actually wrote a model law for them to implement at the state level that will give states the authority to establish a cyber corps there.
So it is starting to pick up steam.
Bryson: Okay, so on top of being able to participate through cyber clinics to volunteer, if you are in one of those states, or hopefully in one of those future states, we've got more options for you to get off the sidelines and get involved.
Sarah: Absolutely. I think we need to, right?
We don't have enough. We need folks to get involved. We need folks to advocate for states to pass these sorts of laws that will help them establish Cyber Reserve Corps. And there are all these cyber volunteering programs cropping up too, right? These are folks at the regional level that are saying, there's not enough available for the places and people that I care about.
And I have the knowledge, so I'm going to help in my spare time. So more and more of that is starting to crop up. And I think we're at the very beginning of establishing something more formal and structured at the regional level that will stand the test of time.
Bryson: Before I bring you to the lightning round, is there anything we didn't cover that you want to cover, Sarah?
Sarah: I'll toss out one more thing about nonprofit cybersecurity that surprised me because I think we were going and expecting folks to struggle the most with not understanding cybersecurity. They're really mission focused. We didn't think that they would understand the threat. So we asked two main questions.
We asked, one, what are you struggling with? And two, what would you like to fix it? And the number one thing that folks said that they were struggling with was funding. It's, we need funding. That is the biggest barrier to them, is funding. But then when we asked what they needed to fix it, funding was third.
When we asked what they needed to fix it, they said, we need services. And that really stuck with me. Because money is the problem, but giving folks money won't help fix it. Because the prioritization is actually one of the largest challenges that they face. And having someone come in and tell them how they need to spend their money to get the most bang for their buck, what tools they should buy and what tools they don't need, and everything else that you don't get with a tool.
Like, how many people do you need on your staff? How do you talk to the board about cyber security? What are the three controls you should implement now and why? No one's there to explain that to them. And I really can see them struggling for that sort of professional services piece of it. And like I mentioned, I was at CrowdStrike.
I can't say how much we charged for it, but you have a consultancy? Like, that's just not something that's available for folks that have an IT budget approaching zero, right? They can't even afford to pay someone to do this work, let alone hire a consultancy. So I think that's a really big challenge. It's one that we identified in this work with nonprofits, and I think it's something that we as a field are going to have to fill, this gap in hands-on services, not just tools, but actually having someone come and explain it to you and walk you through the process.
Bryson: So to me, I'm not surprised by that, or I'm surprised that you were, because I'm gonna be concerned about something that's abstract, but if over 85% of us have been hit by this thing, I know it's a problem. It bothered me. It affected me. And again, there's always a silver lining in the bad. Colonial Pipeline,
2021: ransomware became what I call a kitchen word. Your grandma knows what ransomware is, doesn't know how ransomware works, but knows what ransomware is and knows it's a problem, which leads to the third part of the solution. And I see this being a challenge still, where I see practitioners in our space denigrating folks.
It's like, you're dumb, you don't get it. No, they get it's a problem. We've already covered that they get it's a problem. They just don't know what to do. And there's so many of us who are saying so many different things. They're like, well, should I start with MFA? What is MFA? And by the way, you can't just implement MFA easily, right?
Anybody who's ever actually done it, it's not so simple as just, like, bullet item, do MFA. It's painful. And it's good. Things are gonna break and it's gonna continue to be a thorn in doing that. All right, well, if I'm not doing MFA, then I'm gonna be doing some other control. Which one? Which one should I do?
And how do I do it most effectively for me? That's the gap. And so it is partially money, but I think what you tie into service is it's really resource, which is a combination of money, technical talent and prioritization with direction.
Sarah: Yeah. And adding on to that, I think the prioritization piece for nonprofits that only have a percent of their budget to even spend on technology gets really difficult. How do you decide whether or not you need Gmail or cybersecurity? Like, these are the sorts of decisions that they might have to make. It's like a critical tool for our business or having someone who can help secure that tool.
That's a difficult choice for them to have to make.
Bryson: Are you ready now?
Sarah: Yes, I'm very ready.
Bryson: Sarah, if you could wave a magic, non-internet-connected wand, what is one thing you would change?
Sarah: I would ensure that the SLCGP grant program at CISA would stay around for the next 10 years. I would double its budget and I would ensure that folks could very easily use that funding on services and not just tools.
Bryson: So the state local grant program at CISA continuing and getting increased funding.
Sarah: Yes, and being allowed to use that funding for services and resilience and not just full technology purchases.
Bryson: Yeah, it turns out what I buy, I have to implement it correctly.
Sarah: Yeah, so you can replace legacy devices, but they'll get old eventually too.
Bryson: You waved your magic wand, now looking into the crystal ball for a five year prediction. One good thing, one bad thing.
Sarah: I'll start with the good thing. No, I'll start with the bad thing. Never end on a bad thing. I'm very worried that the services that we're relying on from CISA are not going to get continued funding.
In a very apolitical way, we're seeing a lot of programs get canceled. And I think that there's a lot of services that CISA provides, especially for free, for a lot of small public institutions that we really rely on. It's not enough. But we still need it. So I'm very worried that those might disappear.
And so not only do we already have to grow this network to expand CISA services to the more proactive side, but we also then have to find some capability to replace those if those programs don't continue. So that's something that I'm very worried about in the next five years.
One good thing is, I think that cyber is starting to blend itself much better with other fields.
I think we really like to stay in our cyber bubble, and I recently went to a conference of mayors and nobody cared about cybersecurity. And I actually think that our field is starting to get much better at blending with the privacy folks, with the law folks. I think that certainly we're becoming more mainstream and it's becoming front-page news when a big cyber attack happens.
I think that's all good for our field because I don't think that we can succeed by ourselves. I think we really need to start to blend cybersecurity into other problems that people care about, for example, K-12 cybersecurity. Let's talk about education and student privacy instead of cybersecurity, because that's language that most people understand.
And I think we're getting much better at that. Certainly, the work that you all do with ICS cybersecurity and utilities and critical infrastructure, that is language that's super accessible to people. That is language that resonates with lawmakers. And I think that the field is getting better and better in that, and I'm hopeful that as we continue to do that, we'll be able to carve out pieces of funding, pieces of policy for cybersecurity that start helping those siloed mission sets.
Bryson: I hope all of that happens. Well, thank you so much for joining us.
Sarah: Yeah. Thanks for having me.
Bryson: This is Hack the Plant, a podcast from the ICS Village. Catch us at an event near you. Subscribe wherever you find podcasts to get episodes as soon as they're released. Thanks for listening.