National Cyber Security Alliance (NCSA)
This week I am talking to Kelvin Coleman, Executive Director of the National Cyber Security Alliance (NCSA) (@StaySafeOnline), which is building lasting public/private partnerships to create and implement broad-reaching education and awareness efforts to help enable us all to be cyber aware and cybersafe.
Kelvin describes himself as the Forrest Gump of Cybersecurity, building the ultimate team to help combat the challenges of security and cybersecurity, bringing together competing companies and government agencies who are all united in their focus to bring education and awareness, making the world cyberliterate.
We have seen a collection of new scams in which cyber bad actors pose as survey companies, healthcare companies and more to glean consumer information and perpetrate fraud (the DOJ even issued guidance alerting consumers to the rise in “post-vaccine survey scams”). This is not the first time we have seen this: back in 1918 newspapers were filled with scams and snake oil. Only today we use technology and information moves faster, as must our response.
As Kelvin shares, these groups are very well organized and are highly effective. You can get a sense of the extent of these organizations in Mark Rober’s video that details the why, how and background to some of these scams and even includes “Glitter Bombing” them.
Their simple message of action for everyone is:
- Robust password
- Multi-factor authentication
- Keep your machine patched
Listen in to hear how the NCSA is approaching the messaging success we have seen with the likes of Smokey the Bear, the inclusion of identity management, and the clear message that this is a solvable problem, in the same way that car safety and seat belt wearing was a problem that could be and was solved.
Listen live at 4:00 AM, 12:00 Noon or 8:00 PM ET, Monday through Friday for the next week at HealthcareNOW Radio. After that, you can listen on demand (See podcast information below.) Join the conversation on Twitter at #TheIncrementalist.
Listen along on HealthcareNowRadio or on SoundCloud
Raw Transcript
Nick van Terheyden
Today, I’m delighted to be joined by Kelvin Coleman. He is the executive director of the National Cyber Security Alliance. Kelvin, thanks for joining me today.
Kelvin Coleman
Nick, it is a real pleasure to be with you today. Looking forward to it.
Nick van Terheyden
So, for the benefit of the listeners, you have, as many of my guests do, you have an interesting background, you’re in a highly personal role at this point, in terms of many of the challenges that we have in cyber security. Tell us a little bit about your journey and how you got here, if you would.
Kelvin Coleman
You know, I still at my heart, I’m a country boy from Blair, South Carolina, you know, got the good fortune of getting an internship in the governor’s office back in South Carolina in my college days, and then I was able to come to Washington, DC, and I was working at Department of Justice and Homeland Security. And my boss came to me, this was probably around 2008, 2009, saying, hey, it needs to look at cybersecurity, and what the state and local folks are doing. And I said, Look at what it was this real journey over the past 12, 13 years where I find myself now. So feel very, very fortunate. I tell people, I’m sort of the Forrest Gump of cyber security, right, just find myself in these wonderful situations talking to wonderful people. Certainly today’s company is included in talking to you.
Nick van Terheyden
Well, I appreciate that. I think that’s a wonderful analogy and visual for people to connect with you and your background. So let’s get to the National Cyber Security Alliance. And for those of you that are interested, the Twitter handle is stay safe online, I think important to follow. You know, there’s some great work going on. Tell us a little bit about that the formation and your role there.
Kelvin Coleman
In our neck. The National Cyber Security Alliance is the ultimate team game. It’s certainly you know, we, we couldn’t do it without the team of folks we have in the private sector as well as government. On the private sector side, we have about 30 board member companies, they represent about 7.8 trillion, that’s what a $2 trillion in market cap, these board member companies are keenly interested in making sure, you know, Americans and increasingly, our global community, understand cybersecurity, they see it as a not only a good thing to do, but they see it as a business case, as well, a more cyber literate customer is a better customer, a more trusting customer, longer lasting customer. So they want to make sure that we’re doing everything we can to educate, again, the global community on cybersecurity, give me a perfect example on our board, we have Discover, MasterCard, Visa, and American Express. They’re all fierce competitors in the marketplace, you know, as well as they should be. But around the board table of the NCSA family, they’re working together to make sure that folks understand how to protect themselves and how to protect their community. You know, and so that’s a real great example of kind of how we work together. And on the government side, we work primarily with the Cybersecurity and Infrastructure Security Agency, CISA, many of your listeners probably begin to really know a lot more about CISA. During the fall elections, they played a very key role in making sure that our 2020 elections were secure. In fact, I think Chris has paid a price for that being successful. I run play now. And so you know, we work with them on almost daily basis. So the National Cyber Security Alliance, we do what we do, because of our partners, we do what we do because of the team first, you know, mission that we have. So very proud of that public private partnership that we built over the years.
Nick van Terheyden
So it’s interesting, you talk about, you know, what are fierce competitors, you know, that sit in your environment, but work together, and they’re drawn to this and they’re drawn to the direction that you’ve taken, because ultimately, damage in one instance, damages them all through, I guess, I’m trying to think of the word but it’s sort of you know, it, if somebody causes disruption in one area, it impacts them all. Has that been the experience? Is that what sort of helped drive that partnership?
Kelvin Coleman
Oh, absolutely. I think they understand that they share many of the same customers, right? You know, I mean, I don’t know how many credit cards you have in your wallet, Nick, but I got a few of those folks in my wife and I think they realized and they’ve come to the conclusion. And by the way, we have, you know, like I said, 25, 26 other members, you know, you think about Bank of America, US Bank, Wells Fargo, they compete on a daily basis, yet they sit around the table at the National Cyber Security Alliance as a family. And to your point, they all recognize that, you know, we either hang together or hang separately, right, we have to be able to work together to, you know, bring education and awareness to, again, America, but more increasingly, the world, they want to see people be cyber literate and protect themselves. So it’s absolutely in their best interest to do this together. And the collective is always more powerful than the singular, right? You know, so they’ve realized that coming around our table, not, we’re not not for profit, we try to keep our Good Housekeeping Seal of Approval, Nick, in terms of you know, we don’t take a stand in terms of one product being better than other, not at all, what we do take a stand on is that we want everyone to engage in this continuously connected society, as safely and securely as possible.
Nick van Terheyden
So I think anybody that listens to my show, and knows me knows that I’m extraordinarily passionate about this. I mean, this is a core problem. It represents itself in so many facets, not just in the banking and the credit card, we see this extraordinary sort of impact on the individual in all sorts of ways. And one of the ones that is very current is the whole level of inflammation around vaccines and the poor sharing of data. And in fact, this extraordinary jump in on the path of these individuals, to essentially use this challenging time to grab people and cause all sorts of mischief. How do you go about dealing with this?
Kelvin Coleman
You know, fortunately, and unfortunately, this is not a new phenomenon, right? In terms of bad actors taking advantage of a horrible situation. You look at the last pandemic, you know, in the 19, early 1900s, when a country went through this, you know, if you’re so inclined, you can go back and look at newspaper advertisements, where, you know, they’re putting out literally, that’s where sort of snake oil, a concept came from literally, you know, saying, Hey, here’s a special oil that you can rub to get rid of, you know, the flu. Of course, we know that wasn’t true. But bad actors have always taken advantage of bad situations. And in this particular case, what I tried to tell people is they’re simply using technology today, to further their aims. Now, you know, in 1980, DARPA, the Defense Advanced Research Projects Agency, they put out a counterterrorism report, Nick, that said, small, organized, and technically proficient groups will be able to confront and overcome current standing nations. What they predicted in 1980, was that, you know, if you are really good in technology, you can even the playing field. And that’s what we’re seeing today with bad actors, be it nation states, be it nation-state-sponsored organizations, be it lone actors who are just simply doing it for the financial gain. So it’s really unfortunate, but not surprising that they’re taking full advantage of COVID-19 pandemic, to further their malicious aims.
Nick van Terheyden
So if you think about that fact, do you have a sense of the proportion of organized aspects of this versus just sort of, I don’t want to say lone. I mean, there are sort of banded together groups, but you know, how does that break down? Is it mostly small groups? Or is there a lot of large? I mean, it feels like it’s a business in some instances.
Kelvin Coleman
Oh, it is a business. It doesn’t seem like it is a I was gonna say, a legitimate business but legitimate for the heck yes, not illegitimate at all, Nick. But it’s organized, I can say that these folks are extraordinarily organized, extraordinarily sophisticated in technology. I think the mistake is to say that, Oh, well, there’s this kind of, you know, messing around and trying to be opportunists and pick up where they can not true at all. They understand technologies, cyber malicious actors, and in terms of what kind of organizations they’re coming from, kind of hard to tell sometimes, right? If they’re sponsored by someone or if they’re just in it for themselves. But most of the time, what they’re stealing in terms of information, you know, we know ends up on the dark web, I mean, I can go right now and buy pieces of folks their information as you know, to olmec or, you know, buy the whole thing, right and get it all a cart, I can get the buffet. And so when we talk about, you know, what, who they’re part of in terms of groups and things of that nature, kind of hard to tell sometimes, but I can’t tell you that they are well, well organized. These are not opportunists by any means. There are folks who are extraordinarily targeted, and know their stuff, they do their background, when they send a ransom, you know, where to, you know, a city or hospital or education system, generally speaking, that guys, you know, they’re not asking for, you know, astronomical amounts of money, right? They’re asking for some sweet spot that they’ve done research and said, you know, what, Baltimore City can pay $400,000, right, you’re not gonna ask for 40 million, never get it? Let’s ask for that sweet spot. And so that tells us they do their research. They know what they’re doing. Very sophisticated.
Nick van Terheyden
It just blows my mind. I mean, as you’re talking, I’m thinking, are some economists essentially working to decide what that sweet spot is of that? This is, I think they’re gonna pay this, but they won’t pay. I mean, it’s just, it’s shocking. So I terrible circumstance, I will link into the blog post, I think, extraordinary, well-done video that chases some of these folks down, you know, shows the level of organization well worth the sort of 20 minutes and indeed, it’s entertaining. It includes glitter bombs, which I. But as we talk about this, I think what I really want to hear is, what can we do about it? What can we help to sort of combat this? What is your group doing?
Kelvin Coleman
Yeah, you know, as it may not sound very exciting or sexy. But again, education, awareness, and history is on our side here. You know, if I say Smokey the Bear, most people will say, only you can prevent forest fires, right? That was a public service announcement that was like campaign that put it into the consciousness of people that Yeah, I have a part to play in mitigating, you know, fires. And so let me play my part. You know, my dad often reminds me that, you know, growing up, seatbelts are now a big thing for him and his generation, but people were dying in car accidents that were completely preventable. If they had on their seat, as my dad was saying, harness, you know, that that seatbelt well, public service announcement, the early 70s or so came out, hey, wear your seatbelt, it saves lives, you know, we can go down the line, smoking or DUI or, you know, these public service announcement that bring education awareness to people to make them realize that I play a part, the National Science here realized we’re leading the National Public Service Announcement right on cybersecurity, what people can do to protect themselves. And just like the seatbelt campaign, you know, relatively low hanging fruit things you could do seatbelt campaign, just click it, that’s all you have to do at the National Cyber Security Alliance. We’re encouraging people to do three simple things, right, have a robust and thorough alphanumeric password, right? Enable multi factor authentication where you can and make sure your machine is patched. Doesn’t that’s not gonna cost you a whole lot at all, Nick, to be able to do those things to now with that guarantee that you’re protected against criminals, not by any stretch of imagination, but it does guarantee you’re less likely to be targeted than those people who will not do those things.
Nick van Terheyden
So for those of you just joining, I’m Dr. Nick the incrementalist today I’m joined by Kelvin Coleman, he is the executive director of the National Cyber Security Alliance, we were just talking about the mitigation methods. Kelvin was just talking about, you know, the three factors that, you know, you’re advocating, I think simplifying it as much as possible. And, you know, the analogy that I have relative to that is, you know, it’s not 100%. But, you know, when it came to the car alarms that didn’t stop people from breaking in, but it sure as hell made them walk past your cars. I mean, that and that’s okay, you know, if you’re going to, you want to minimize this and make it as hard as possible. So, great advice there with robust passwords, I think multi factor authentication, right. So that your machines are patched. So they have the latest in terms of updates. So I, as I think about this, those are all sort of, you know, great elements, but a lot of this boils down to people and we were talking before about Smokey the Bear. Now I didn’t grow up with that outside of this country, but I do recognize it. And, you know, I can relate. What’s the same principle here for cyber security? Do you have a sort of message that is as simple as that for folks to really get them engaged?
Kelvin Coleman
Yeah, we last year started a campaign. Hashtag, be smart, do your part, be cybersmart. Right. And with that, right, and sort of what does that say to people? Well, you know, probably not much when they’re just listening to it for the first time. But behind that, we provide a number of resources, tools that individuals, families, communities, can use to protect themselves. So do your part be cyber smart. Each link in the chain means something. So you know, if if someone gets a malware, you know, successful malware attack against your machine that access is now their contacts and, and their address book. Well, you’ve now exposed other people, right? Not even meaning to, but you have and so be do your part, be cyber smart is both an individual thing and a community thing, do your part, right? To be cyber smart for the entire community. That’s what we’re doing. Now. One important thing, Nick, that we did last year, every October, we celebrate National Cybersecurity Awareness Month. Well, for the first time last year, we dropped the national on it. And we started celebrating Cyber Security Awareness Month, because we just felt putting national in the front gave the indication that this is just an American thing, or just one country. No, no, this is a global phenomenon. So through Cybersecurity Awareness Month, we use that as our Hey, that’s our world cup of football, right, we want to make sure folks have eyes on cybersecurity at that time. But Nick, we also enjoy cybersecurity so much, we invented a celebration called identity management day, celebrated the second Tuesday of every April, you know, this is the first annual celebration this year, you know, and we’re so excited about it, we created this holiday with the National defined Security Alliance. And it was just a wonderful, wonderful, you know, combination of a lot of effort to bring, you know, to bring access, or to bring sort of attention to identity management, which as you know, is so important.
You know, the majority of successful attacks come through compromised identity, you know, be it credentials or anything else. And so, so we created identity management, and one last thing, data privacy day in, in January, January 28. And so we use these opportunities to really bring awareness to people and make sure they understand, again, not only understand the issue, but how to protect themselves.
Nick van Terheyden
Yeah, I and I, you know, I personally have a passion around this because my identity was not well, it has been stolen, let’s be clear, it’s been stolen to essentially scam other folks. In the dating applications I have had now I can trace five individuals that have reached out to me to say is this really you that stuck in Afghanistan, I you know, a number of places. And what they did was took elements of my story pictures of me, and then created this fake profile. So I can’t tell you, one of the challenges I’ve had is, I don’t know how to combat that I can’t even get to the original sources. So you know, I think awareness is the most important thing that really sort of comes out of this. So going forward, I mean, this is, you know, it’s interesting, you dated back to 1918. Because that’s, you know, being very topical with the vaccines and everything. And, you know, the challenge with this pandemic, it’s clearly going to be an ongoing problem. We’ve even seen artificial intelligence used by some of the perpetrators of this, they’re using the same technology as we are to combat it. What’s the future? How do we Is there a point in time where we can actually combat this and it becomes a much smaller problem, do you think?
Kelvin Coleman
Yes, for sure. I must say. I’m very, very confident of that. Because at one point, you know, again, someone may have said, Well, how can we combat you know, people dying on the highway? It’s their right to drive and not to put on that seatbelt? Well, awareness made them sort of realize that no, no, no, we can do something about this, we can help each other out. And by the way, we have to do this, Nick, because five years ago, probably about 15 billion connected devices around the globe, today, about 20 billion connected devices, that’s about a 33% increase, a very healthy increase, by the way over the last five years to go from 15 billion to 20 billion in the same amount of time, Nick, and that next five years can be at least 16 billion connected devices around the world. That’s a 300% increase a three fold increase. And so we’re going to go from Internet of Things to Internet of Everything, artificial intelligence, conversational platforms, brain computer interface. And so this explosion that we’ve seen in the last 20 years in technology, it’s going to pale in comparison to the next 20. My point there? You may say, Well, yeah, I guess more opportunity for the perpetrators. Not No, no, I refuse to believe that. Because I think awareness, awareness, awareness is going to be the key to make sure that folks understand how to use devices safely and securely. The last thing I’ll say is that, in terms of focusing on people, that’s always been undervalued in technology. Well, now there’s a realization that no, no people still count. There’s products, there’s processes, and there’s people.
And we think that last piece is so very important, if you only look at how the bad actors have, you know, historically performed in the very beginning of the technology revolution, they were attacking products, they were trying to back in some vulnerability in the software, or take advantage of some, you know, hardware, you know, vulnerability, and then they started attacking processes, right? Well, let me send an email to the executive assistant of the CFO, to say the CEO needs this check, oh, they attack that process. And we got smart there. Well, now they’re attacking people. And we are finally focusing on people when you talk about your spear phishing, or whale phishing or just phishing in general. Now, we’re at that point where no, no people still count. And certainly, that’s what we’re doing at the National Cyber Security Alliance, along with our partners, and private and public sector partners.
Nick van Terheyden
So do you think that I and, you know, I’m not naive enough to say that we’ve solved the problem, but do you think that the majority of that product side has been resolved to a sufficient degree, and I’ll give you a specific example, around that. So many defaults are set, you know, our sort of position on security and products is, oh, just make it wide open, you know, put in your dishwasher, and it’s connected to the internet? Well, that’s not a problem. Well, guess what Vegas found out that the fish tank was a problem, because they use that as a port of entry. Do you think we’ve gotten there? Or we still got some ways to go?
Kelvin Coleman
I certainly I want to draw a raft of some of my board members who make some of these wonderful products. But I think even they would say, we got a little bit more ways to go. Right. You know, I don’t think there’s no harm, no foul, saying that. If you look at the pandemic itself, you know, Nick, and then of course, with you being a doctor, you understand all too well, that, at the beginning of the pandemic, it was about accessibility. So healthcare technology was certainly coming online, but network enabled point of care services and mobile apps, you know, they were just not where they are today. Even in a year, we’ve lived far I had a web of work. So my point there is that the companies recognize that they have to make better products, more secure products. And by the way, this is a business case for them. They want to be known for having secure and safe products, because part of becoming cyber literate is now deciding who you’re going to do business with, because they’re going to protect your information the best.
Nick van Terheyden
Yeah, and I think, you know, back to your original example, with seatbelts. And you know, that that is a sort of model. My recollection of that history was it wasn’t a feature. It was, you know, this was a pain. It was additional carnage. But I’m pretty sure maybe this is a European thing. But I don’t know if this translates, but anybody in Europe would be able to say the safest car is and then fill in the gap with the company that focused on that and sort of preempted and I think that’s exactly what you’re saying in the cybersecurity world,
Kelvin Coleman
That’s such a great example. I’m stealing that, Nick. And you know, and I give it I will attribute it to you though. So if you think about you know, that seatbelt being safe passwords, well, then the evolution of the car, you got the airbag right now, you know, say what you want about airbags, but that may be relative that may be compared to say, multi factor authentication, right, that extra layer of protection that keeps you you know, as safe as possible.
Nick van Terheyden
Fantastic. Well, as usual, we’ve run out of time, unfortunately, I want to say that I’m just so excited to hear somebody in your position, leading this consortium that crosses all of these boundaries of competition, all pulling in the same direction, but the piece I want to pull out specifically, was how positive you were, that this is, it’s not solved and it’s never going to be 100%. But we are absolutely getting to the point where you know, this is not so very Are you excited to hear that excited about the work and just remains for me to thank you for joining me on the show?