CyberWire Daily - A bipartisan blueprint for American leadership.
Episode Date: May 15, 2024

U.S. Senators look to enhance American leadership in AI. Federal Agencies Warn of Rising Cyberattacks on Civil Society. The Pentagon says they’re satisfied with Microsoft’s post-breach security pivots. Patch Tuesday updates. A Mississippi health system alerts users of a post-ransomware data breach. The FTC cautions automakers over data collection. CISOs feel pressure to understate cyber risks. On the Learning Layer, Sam and Joe continue their certification journey. Guest Sarah Powazek of UC Berkeley's Center for Long-Term Cybersecurity (CLTC) speaks with N2K’s Brandon Karpf about cyber civil defense clinics. A crypto mixing service developer finds himself behind bars.

CyberWire Guest
Guest Sarah Powazek of UC Berkeley's Center for Long-Term Cybersecurity (CLTC) speaks with N2K’s Brandon Karpf at 2024 RSA Conference about cyber civil defense clinics and the CLTC. Learn about their upcoming Cyber Civil Defense Summit being held at the International Spy Museum in Washington DC next month.

Learning Layer
On our Learning Layer segment, host Sam Meisenberg and Joe Carrigan continue their discussion of Joe's ISC2 CISSP certification journey using N2K’s comprehensive CISSP training course, CISSP practice test, and CISSP practice labs. Sam and Joe discuss how to use the midterm exam and Test Day Strategy video.

Selected Reading
Senators Propose $32 Billion in Annual A.I. Spending but Defer Regulation (The New York Times)
Civil society under increasing threats from 'malicious' state cyber actors, US warns (The Record)
Post-data breach, DOD held 'very candid discussions' with Microsoft (DefenseScoop)
Microsoft issues patches for over 60 software vulnerabilities (Tech Monitor)
Adobe releases May 2024 fixes for critical issues in Reader, Acrobat, Illustrator and other products (BeyondMachines.net)
CISA issues ICS advisories on hardware vulnerabilities from Rockwell, SUBNET, Johnson Controls, Mitsubishi Electric (Industrial Cyber)
900k Impacted by Data Breach at Mississippi Healthcare Provider (SecurityWeek)
FTC fires 'shot across the bow' at automakers over connected-car data privacy (The Record)
Security leaders report pressure from boards to downplay cyber risks (ITPro)
Tornado Cash Developer Jailed for Laundering Billions of Dollars (GB Hackers)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network, powered by N2K.
U.S. Senators look to enhance American leadership in AI.
Federal agencies warn of rising cyber attacks on civil society.
The Pentagon says they're satisfied with Microsoft's post-breach security pivots.
Patch Tuesday updates.
A Mississippi health system alerts users of a post-ransomware data breach.
The FTC cautions automakers over data collection.
CISOs feel pressure to understate cyber risks.
On The Learning Layer, Sam and Joe continue their certification journey.
Our guest is Sarah Powazek from UC Berkeley's Center for Long-Term
Cybersecurity, speaking with N2K's Brandon Karpf about cyber civil defense clinics.
And a crypto mixing service developer finds himself behind bars.
It's Wednesday, May 15th, 2024.
I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here today. It is great to have you with us.
A bipartisan group of U.S. senators has introduced a legislative plan focused on enhancing American leadership in artificial intelligence,
proposing $32 billion annually by 2026 for government and private sector research and development. While advocating for a federal data privacy law and anti-deepfake
measures in election campaigns, the plan largely delegates the responsibility of regulating AI,
including its potential to cause job loss, health and financial discrimination,
and copyright issues, to congressional committees and agencies. The initiative,
led by Senate Leader Chuck Schumer, along with Senators Mike Rounds, Todd Young, and Martin
Heinrich, follows a year-long tour gathering insights on generative AI technologies.
The proposed legislative approach emphasizes incremental bills rather than comprehensive packages, reflecting the rapid
evolution of AI and a preference for fostering innovation over stringent regulation.
U.S. cybersecurity agencies, including the FBI, CISA, and DHS, have issued a warning that Russia, China, Iran, and North Korea are increasingly targeting civil society organizations such as NGOs, think tanks, human rights activists, and journalists worldwide.
These organizations are considered high-threat targets due to their role in promoting democratic values and often have inadequate
cybersecurity defenses. The advisory, supported by cybersecurity insights from multiple countries,
identifies specific state-backed groups engaging in intimidation, harassment, and surveillance
by installing spyware for more extensive tracking and data access. The advisory suggests that these civil society entities
typically lack the necessary resources to fend off sophisticated cyber threats
and calls for enhanced cybersecurity measures and support
to protect these vital institutions.
Pentagon CIO John Sherman expressed satisfaction with Microsoft's security adjustments following a significant data breach in early 2023 that exposed the personal details of over 20,000 people.
In a recent interview at the GEOINT Symposium, Sherman commended Microsoft for conducting a thorough after-action review and making necessary procedural changes to prevent future breaches.
He emphasized the ongoing partnership with Microsoft in addressing the incident, which involved sensitive information from various Defense Department components, including U.S. Special Operations Command.
Despite the corrective measures, Sherman noted that the full details of the affected DoD entities and the original cause of the data spill remain undisclosed.
Microsoft has patched 61 new
security vulnerabilities, including two zero-day exploits as part of its latest Patch Tuesday
update. One of these zero days, discovered by Kaspersky,
could allow attackers to gain system privileges
and has been observed in conjunction with malware like QakBot.
The second zero day potentially allows hackers to bypass OLE mitigations
in Microsoft 365 and execute arbitrary code.
Additional vulnerabilities addressed include those in Windows Mobile Broadband Driver,
Windows RRAS, and others affecting various Microsoft and Adobe software,
with potential impacts ranging from remote code execution
to privilege escalation and information disclosure.
Adobe has released a security update fixing 35 vulnerabilities across several products,
including Adobe Acrobat and Reader, Illustrator, Substance 3D Painter and Designer, Aero,
Animate, FrameMaker, and Dreamweaver. The update corrects nine critical vulnerabilities in Acrobat
and Reader that could enable code execution attacks. Other products affected include Illustrator with two critical flaws,
Substance 3D Painter with critical code execution and memory leak issues,
and critical vulnerabilities in Aero, Animate, FrameMaker, and Dreamweaver.
Adobe emphasizes the importance of updating these applications to prevent potential exploits,
although no current exploits are known.
And CISA has issued advisories on four industrial control systems vulnerabilities
affecting hardware from Rockwell Automation,
Subnet, Johnson Controls, and Mitsubishi Electric.
These vulnerabilities, located in systems critical to infrastructure sectors
like manufacturing and energy,
could allow attackers to execute code remotely or escalate privileges.
CISA's alert includes detailed information on the nature of the vulnerabilities and the recommended updates or mitigations.
Mississippi's Singing River Health System has begun notifying approximately 900,000 individuals
that their personal information was compromised during a ransomware attack in August 2023.
The breach, first noticed on August 16th, allowed unauthorized access to data including names,
addresses, social security numbers, and medical information. Initially, SRHS reported to the Maine Attorney General's Office
that 252,890 individuals were affected.
This number was later revised to just over 895,000 individuals.
SRHS is now sending notification letters,
offering 12 months of free credit monitoring,
and providing guidance on protecting against identity theft.
The health care provider has also enhanced security measures and employee training to prevent future breaches.
The Federal Trade Commission has issued a warning to auto manufacturers about their practices of collecting and sharing sensitive car data,
such as geolocation information, with advertisers. Highlighting the potential illegalities of such practices,
the FTC's recent blog post stresses the importance of protecting consumer data
and adhering to privacy laws. The blog post references recent enforcement actions and
settlements involving the misuse of geolocation data,
indicating a focused regulatory scrutiny on the auto industry's data privacy practices.
The FTC underscores the need for companies to ensure that collected data is used solely for legitimate purposes
and advocates for data minimization to protect consumer privacy.
This warning follows a period of increased legislative pressure on the agency
to address privacy violations by automakers.
A survey from Trend Micro reveals senior cybersecurity professionals
report feeling pressured by their boards to understate cyber risks,
with 79% experiencing such pressure.
This credibility gap makes it challenging for chief information security officers
to secure necessary funding for enhancing cyber resilience. Many board members view
cybersecurity concerns as repetitive or overly negative, leading to dismissal of the risks. About half of the CISOs
feel their C-suite does not fully understand the cyber threats, and many believe only a major
breach could change this perception. To bridge this gap, it's suggested that CISOs frame cybersecurity
issues in terms of business value and involve themselves more in strategic decision-making,
thereby enhancing their credibility and influence within the organization.
Coming up after the break, on our Learning Layer, Sam and Joe continue their certification journey.
Our guest, Sarah Powazek
from UC Berkeley Center for Long-Term Cybersecurity, talks about cyber civil defense clinics. Stay with
us.
On today's Learning Layer,
our hosts Sam Meisenberg and Joe Carrigan
continue their conversation on Joe's certification journey.
Welcome back to another Learning Layer segment.
We are continuing our discussion with Joe Carrigan as he gets ready for his CISSP exam.
Joe, this is a special edition.
I mean, the whole conversation with you is a special edition,
but today's a special within the special edition
because we're halfway through your studies
and we're going to talk about the midterm exam that's part of your N2K course. So let's flip the script a little bit. Okay.
You are a studier. I am. You are getting ready. Before you start the midterm, you have a couple
questions for me. I do. Go ahead. So first off, I'm looking at this. It's qualified as a review
quiz and I'm supposed to allocate like 90 minutes. So,
this is a time commitment. Yep. I need about an hour and a half of undisturbed time to sit down
and take this. But before that, there's also a midterm exam day test strategy video. Yes. It's
like an hour long. Yes. I'm going to watch this video. Yes. But if somebody else were taking this,
would you recommend they watch the video?
Or I mean, what's going to be covered in this video?
So I will answer your question and I'll give some context.
This is one of the videos you definitely need to watch.
And I'm not just saying that
because I am the person presenting in the video.
I am saying that because it is important.
So let me back up.
So first of all, the midterm exam is just,
it's called a quote midterm because it's only on domains one through four. So a lot of people
maybe get a score that they're not expecting. What I always say is like, it's okay. It's half
the material, right? And again, it's just more data about yourself. But the strategy and the
skill that you're trying to build now in the midterm
is actually sitting down and concentrating and taking a bit of a longer assessment.
Because up until now, you've been doing quizzes that are, you know, 10 questions, 15 questions, right?
They go very quickly.
Yep, exactly.
Even if you're using the question bank, they're probably shorter quizzes.
We need to build that ability to sit
there and focus and concentrate, which I know you can do when you're going through material, but
answering questions is exhausting, right? So we're trying to build that skill.
Now, once you start watching the video, you will hear me explain that we're going to do two things.
We are going to talk about how to eliminate answer choices. So
that's basically one of the test day strategies. Ideally, you know the right answer right off the
bat. You can even try to predict the right answer, which is another strategy that we talked about in
the video. But for those that are like, you're between two answer choices or you don't know
which one is right, we talk about basically common traps and frameworks that the
test makers write that will sort of point you in the right direction to the right answer.
Things like that is what we'll talk about. And then we talk about those skills because we
basically want you to practice those skills in the midterm. Now, after you take the midterm,
the second half of the video,
the test day strategy video,
is basically talking about
going through questions themselves
and breaking down questions from the midterm.
So we do a detailed deep dive
into one of the questions
to talk about not only the content,
but also the test day strategy.
Okay, so I should watch the first half of the video,
take the test, watch the second half of the video.
Correct, because you definitely want to take the test
before you see me explain some of the right answers.
Right.
So Joe, enjoy the video.
Good luck.
How can I not enjoy it, Sam?
Actually, you know what?
After you and I talk, you don't even need to watch the video.
No, I'm just kidding.
No, I'm going to watch it.
There's some good stuff there.
All right.
Well, we will talk again after you take the midterm.
Looking forward to hear how it went.
And we will sort of pivot to the second half of your studies,
domains 5 through 8.
Excellent. That's N2K's Sam Meisenberg
and my Hacking Humans co-host, Joe Carrigan.
Sarah Powazek is from UC Berkeley's Center for Long-Term Cybersecurity,
and at the recent 2024 RSA Conference, N2K's Brandon Karpf caught up with
her about cyber civil defense clinics. Here's their conversation.
I am here with Sarah Powazek
from UC Berkeley, and she is here working on some critical civil cyber defense initiatives
from UC Berkeley. Sarah, thank you for joining us. Yeah, thanks for having me.
So we were talking a little bit before we started recording on the work you're doing
through UC Berkeley. Can you just walk us through your role and the vision and activities that
you're working on? Yeah, I'd love to. I'm really fortunate to be the Program Director of Public
Interest Cybersecurity at the UC Berkeley Center for Long-Term Cybersecurity. We go by CLTC for
short. And we are mainly focused on trying to help organizations
that are under-resourced,
but are providing critical public services
to their communities,
trying to help them bolster their cyber defenses
in several different ways,
both through direct services and through research.
So I'd love to dig in a little bit,
but I'll say one of our major programs
is the Cyber Clinics Program,
which uses students and is sort of a dual purpose, you know, cyber workforce training
program and cyber civil defense initiative working to help under-resourced organizations.
Yeah, this model that you were sharing about of kind of taking the model from the medical field
where they have these community clinics where doctors or nurses can volunteer their time to
support. It gets the doctors and nurses important entry-level experience,
but also provides tangible value to the community.
I love this model, especially lately we're hearing issues in cyber talent,
but specifically on the hiring side.
A lot of folks are looking for a lot of experience.
So can you walk us through this model,
how it works, who the practitioners are that you're working with,
and then who the customers are for the clinics.
Whenever people tell me that they've never heard of cyber clinics
before, which is actually pretty frequent, I say, you probably have, you just haven't heard it called
a cyber clinic before because everybody's heard of these med school clinics or law school clinics,
where as a part of their training, students will get real world experience and are expected to offer their
services for free for community folks in need. It instills the sense of public service, but it just
hasn't been applied to cybersecurity in the same sense. So about four or five years ago, a handful
of higher education institutions thought, I see a lot of similar problems between the medical sector
and the cybersecurity sector. We have all these community-based organizations, we like to call
them. We have nonprofits like food banks,
like refugee assistance organizations
and legal organizations.
We have cities that are providing essential services
to constituents.
We have small utilities like wastewater
and electric co-ops.
And we have municipalities, cities, hospitals.
There's just a huge collection of organizations and they really don't meet the threshold for national security protection.
So the federal government is busy trying to take care of the largest threats to our nation.
No one's really thinking about the community model.
And so cyber clinics are really there to perpetuate the model of clinical teaching, to give students that hands-on experience, and to give local organizations
opportunity to receive services for free and give them the first couple steps. So I'll go a little
bit more into the program. A lot of them actually don't have prerequisites. So imagine you're taking
a class at a university. Maybe you're a political science major. Maybe you're a journalism major.
Maybe you're a human rights major. That's actually what we see at Berkeley pretty frequently.
You'd sign up for this course
and the first half of the course, at least at Berkeley,
you'd learn everything there is to know
about the cybersecurity hygiene basics.
So we talk about multi-factor authentication.
We talk about patching schedules.
We talk about secure communications.
And the students really learn a suite of tools
that they can use to teach a client organization.
Then they'll join groups. They'll get matched to a local organization. At Berkeley, we focus on nonprofits at risk of
politically motivated cyber attack. So we work with folks like LGBTQ advocacy organizations,
with refugee assistance organizations, with folks prosecuting war crimes,
typically organizations that might be targeted by governments. So students will be really focused on encryption and secure communications and multi-factor authentication,
those types of things. They'll be matched to an organization. They'll work with them for up to
six weeks, meeting every week, asking them questions about what their setup is, what their
budget is, how much leeway they have at work to be able to do their job, how many people they have
supporting their IT team. Sometimes, best case, they have one full-time staff, right? Worst case, there's like
three or four folks who are each doing a piece of it, right? Because they all have their day jobs.
They're all trying to do the work of these important nonprofits. And by the end of it,
the students will present a report to them. It'll include a small threat briefing of the biggest
threats that they think that that organization will face. And it'll prioritize, you know, one to five recommendations
that the students think are achievable for that organization. And that's really the key here is
that folks in these under-resourced organizations oftentimes don't know where to start. They're not
going to pick up the NIST cybersecurity framework and be able to absorb that and know what they're
supposed to do first. And so that's really what these students are doing. They're helping them prioritize
and get a head start. And hopefully that will be just the beginning of their cybersecurity journey.
Something that I find really impactful about this, I go and I advise local companies,
small businesses, I give talks on cybersecurity and risk management. And I'm often asked,
what are the resources that I on Main Street can use for this?
You know, as you said, they may have one IT person who doubles as our security, but it
might not be anyone for some of these organizations.
And I oftentimes point them to, you know, the CISA resources, their local FBI field
office.
But at the end of the day, those resources aren't really going to walk them through developing a security program or managing their security in a way that they can understand.
So what you're doing with these students is really actually quite sophisticated.
Can you maybe walk us through the impact that these clinics are having both on the student,
the workforce and talent side, building talent, getting talent into the community from non-standard
backgrounds perhaps, as well as the impact on the services side, the organizations that you're helping?
Yeah, I'll start with the workforce side.
So I think one of the great things that Clinic does, and it really dovetails with the National
Cybersecurity Workforce and Education Strategy coming out of the White House ONCD, it's really
focusing on keeping pathways open for different types of students to get into
cybersecurity. So there are a lot of great programs that are focused on getting students who are in
computer science and computer science adjacent majors into the cybersecurity field into entry
level jobs. And those are really important. What we also need to keep in mind is that one of the
best parts of the cybersecurity field is that we have folks with very different backgrounds all participating in the field, thinking about
this in different ways. You and I talked earlier about, you know, you wanted to be an English
major. I'm a political science major. The liberal arts and humanities actually provide really
critical skills to our field. And something that cyber clinics do really well is include those
students in the process and provide them a teaching experience and a way to learn cybersecurity that is accessible from
where they're coming from, right? They're not going to think of taking a network security class
in college, even if that school offers one, which many do not, which is a whole nother problem,
right? This is somewhere where they can come, where they can learn about cybersecurity, where they can apply their mission-driven orientation.
You know, you might have students who care a lot about cities, and they're in MIT's Urban Studies and Planning Department.
Sure.
They join MIT's clinic, which is actually housed in that department.
And you get a lot of folks who are interested in city planning and city design, care a lot about city safety into cybersecurity. And
they would not have seen that path if not for a program that lets them connect their desire to
protect their community to cybersecurity. And cybersecurity is the tool there and not, you know,
the overarching program. So I think that that's a really important career opportunity that we keep
open for students. I think that's something that clinics do really well. We're working on expanding
clinics to community colleges, to HBCUs and HSIs, to communities that might not have access to these
sorts of opportunities and that may come from non-traditional backgrounds. This is really a
program that's meant to be accessible to almost anyone in school. Fantastic. I mean, the impact
sounds like it's outsized. Sticking with talent for a moment, how do employers view this program?
Are they looking to hire practitioners out of this program?
Is that something that you've seen?
That's something we're excited about exploring.
I will say the consortium of cybersecurity clinics is a group of over 15 institutes of higher education across the country that have all come together.
We're all running different flavors of these clinic programs.
And we're starting to think about how can we feed these programs into other programs? How can we get
students internships? How can we keep them in the volunteering core throughout their professional
careers as well and integrate sort of pro bono volunteering as a part of their lifetime careers
like it is in the legal career? So I think that's something we're really excited about. And I'll
give a shout out to Google.
They've made an incredible investment in the cyber clinics programs.
They are funding the creation of 10 brand new clinics
across the country.
So we are growing, you know,
rapidly with the number of clinics
that are popping up across the country.
And I think we're in talks with them
and with other private organizations about,
you know, do you have an internship program?
How do you feel about having this hands-on training? And, you know, what we're hearing most
often is they see things like clinics akin to internships, right? And there aren't that many
internships available, but there are lots of clinics popping up and it gives students that
same ability to get hands-on training and help them get just that first entry-level position.
Yeah, that's incredibly important. And we know we need that more and more. We see the job
reqs that have mandatory times in multiple years in the industry for entry-level roles.
And so getting this type of hands-on experience matters. The other thing that I'm struck by is
you sharing this model of the legal profession. One of the goals of this company, N2K and N2K CyberWire, is to turn
cybersecurity from an industry and turn it into a profession. And we often use the legal profession
as kind of a model for us, either the financial profession or legal profession. And the fact that
there is pro bono work that's included in that, that there is an aspect of giving back and service
to the community that is really important to the professional identity. So right now you're talking to the audience of security practitioners, right?
Everyone from senior folks at the White House to CISOs at Fortune 500 companies, all the way to
entry-level analysts right now. What support would you ask for from this audience?
Yeah, two things. I think the number one thing we could use right now is help spreading the word.
These are really incredible programs. They've been running for a number of years,
and not many people know about them. And the more folks that know about them, the greater chance we
have of starting up as many clinics as possible. One of our goals at the consortium is having a
clinic in every state by 2030. We are well on our way to that goal. Seems doable. Yeah, it's a lofty
goal. It's our moonshot. But I
think it's really important to have geographic diversity in cybersecurity. We're really
passionate about building local trust networks, right? The federal government is really good at
many things. They're not going to be able to answer the call for every municipality in the
country. It's not sustainable. And frankly, local organizations are going to reach out to someone
nearby them, someone that they've built a trust relationship with them. And educational
institutions are actually really important pieces of that puzzle. They actually, they're a part of
that local trust group. They're often connected with local officials. So we think empowering
educational institutions to be hubs of cyber defense is in the long run going to help build
our national resilience to lower level cyber attacks like ransomware.
So to the audience listening, if you know your alma mater, if you volunteer at your local community college, every single institute of higher education is a candidate for a cyber clinic in some way, shape or form.
You could be a small class of five students a semester. You could be a student club. You could be a years-long program with several courses.
All of them are clinics. It's a very flexible model. And so I'd encourage you to think about how to get involved and how to encourage your local educational institution to participate.
Yeah, wonderful. And we will definitely have links in the show notes so folks can learn more. Now, you do have an event coming up.
Yes, we do.
In just a few weeks. So I want to give you an opportunity to talk about that.
Thanks so much. I'm really excited to talk about this too. So we're hosting for the second time,
the Cyber Civil Defense Summit. It's going to be on June 13th in Washington, DC at the Spy Museum.
So we've got a great venue. One of our favorites. It's incredible. We publish the podcast, right?
Spycast. I can't speak enough about the Spy Museum and how beautiful it is and how excited
we're hosting there.
But the Cyber Civil Defense Summit is a really special event.
I'm sure folks on this podcast have been to many, many, many cybersecurity conferences.
This is really a community event.
This is about bringing together folks who are doing good work, trying to help under-resourced organizations across the country, give them a chance to meet each other, to learn about programs they've never heard of before that will inspire them, and to get to interact with lawmakers who are
passionate about promoting these programs and giving them the spotlight that they need
to continue and to expand.
So we highlight in our speaker lineup, we have all new speakers this year.
We're going to have folks from state and local government, from academia.
We're going to have students there talking about their experience in the clinics.
And we're going to have incredible representatives from folks in the federal government, both from CISA and from the White House ONCD.
We're very fortunate to have our first keynote speaker announced, the CIO of the Cherokee Nation.
She is fantastic.
We cannot wait to have her come and talk about her experience in state and local cyber defense.
So it's a really great event, and I can't encourage folks enough. You get to meet really big names in a very small space and that's a rare thing in
Washington, D.C. So if you're interested, please go to CyberCivilDefenseSummit.org or go on our
website and learn more about the event. It's a community event. It's $35. Very affordable.
Nice. Coming out of RSA. So looking forward to seeing folks there.
That's great.
And CyberWire will be there.
So we will be there supporting the Cyber Civil Defense Summit.
Amazing.
And again, that is CyberCivilDefenseSummit.org.
There will be a link in the show notes.
Sarah, thank you so much for coming on and sharing this with us.
Thanks very much for having me.
That's Sarah Powazek from UC Berkeley's Center for Long-Term Cybersecurity,
speaking with our own Brandon Karpf.
And finally, the developer behind Tornado Cash, a cryptocurrency mixing service,
has been handed a prison sentence of over five years.
His crime? Crafting a digital laundromat that washed a whopping $2.2 billion worth of ether through its pools,
making dirty money sparkle with anonymity. The court wasn't buying the I-just-made-it-for-privacy
defense, especially when the service ended up scrubbing funds from 36 different thefts,
including a notorious heist by the Lazarus Group. Along with a stint behind bars,
the developer's flashy Porsche and treasure trove of cryptocurrencies were seized.
Looks like Tornado Cash stirred up a perfect storm of legal troubles.
And that's the CyberWire.
For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead
in the rapidly changing world of cybersecurity.
If you like this show,
please share a rating and review in your
podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We're privileged that N2K CyberWire is part of the daily routine of the most influential
leaders and operators in the public and private sector, from the Fortune 500 to many of the
world's preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people.
We make you smarter about your teams while making your teams smarter.
Learn how at n2k.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester with original music and sound design by Elliott Peltzman.
Our executive producer is Jennifer Eiben.
Our executive editor is Brandon Karpf.
Simone Petrella is our president.
Peter Kilpe is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here tomorrow.