SpyCast | Ep 599 | 8.22.23

“America 3.0” – with Bill Britton of the California Cybersecurity Institute (CCI)

Transcript

Andrew Hammond: Welcome to "SpyCast". The official podcast of the International Spy Museum. I'm your host, Dr. Andrew Hammond, the museum's historian and curator. Every week we explore some aspect of one of the most fascinating subjects of all, intelligence and espionage. Please consider leaving us a five-star review which helps other listeners find us, and subscribe to us wherever you get your podcasts. Coming up next on SpyCast.

Bill Britton: But then we say go in and look at how many apps have a microphone attached to it and the microphone is on. And it's that kind of, uh-oh, wait a minute, you mean there are people listening to me on my phone? And the answer is yes, it's a technology that is listening to you.

[ Music ]

Andrew Hammond: Bill Britton is this week's guest. The Director of the California Cybersecurity Institute and the Chief Information Officer of Cal Poly. He was formerly an intelligence officer and electronic warfare officer in the US Air Force but we sat down in our brand-spanking-new studio to talk about what he has been immersed in since he left the military. Cybersecurity, information security, and space. When you put those two words together, California and cyber, on the surface, it seems like they're fast snuggled together like strawberries and cream or tequila and lime. But, as Bill explains, there's a massive shortage of qualified workers on this day and nationally. In this episode, Bill and I discuss his take on cyber as someone who has been around since its inception, how to address the skill shortage and worker shortage, digital literacy, and what cybersecurity is now that it's more important than ever, and how Cal Poly is addressing cybersecurity and enforce it. The original podcast on intelligence since 2006, we are "SpyCast". Now, sit back, relax, and enjoy the show. Okay. Well, thanks ever so much for joining me this morning, Bill. Yeah, thanks for being here.

Bill Britton: Absolutely, it's my pleasure to be here. I'm looking forward to this and looking forward to having quite a good conversation about some of the cool things we've done and are doing at the university.

Andrew Hammond: And that's one of the reasons that I wanted to chat with you and for many other reasons because of your career in cyber. So, I think a good place to start off, can you just tell us a little bit more about the California Cybersecurity Institute. It sounds really cool.

Bill Britton: Yeah. So, about eight years ago, Cal Poly University decided that they wanted to create a cyber center of excellence. And to form it, what they were trying to do is to bring in outside support that could help them stand it up and get it ready. At the time, it's really interesting, I was working in DC for a company that did cybersecurity information technology, all those sorts of things. And we were purchased by another company, the owner, the CEO of that company is a Cal Poly grad. So, Cal Poly asked them for a donation and he gave them to me. Right. And so, I came out to the university, interviewed for the job. Of course, I got it because I was a freebie to them. But the idea was to stand up a cyber center for the university. One of the things that I noticed about the university was this magnitude of opportunity. You know, it's a true polytechnic, we've got ag, we've got business, we've got liberal arts, we've got engineering. In that engineering, we have civil engineering, we've got, you know, building engineering, architecture engineering, and we've got, of course, computer engineering. So, we thought and looked at that and said, wow, you know, how do we make this thing go across all these different academic arenas? And so, we started down the same similar path that a lot of different centers really work on, which is to try to get to the federal government and get them to help you with the cyber institutes, and the cyber centers, and really build on that. But what I found was really interesting was this that Cal Poly's 3000 miles away from DC. And for every hour, you go away from DC, the interest level dissipates significantly in providing funds and support. And so, I started looking at it and going, wow, we're in line behind all these other schools. I mean, if you go to Marylands and the Virginia Techs and such, they're very tied into the federal budget for what's going on in cybersecurity. 
So, what we did is we said, you know, I actually read a report that said, you know, California is like the fifth largest economy in the world. I said, "Why are we looking at the federal government?" I mean, we are the fifth largest, so why not look internal of California? And so, we started talking around different agencies and organizations and came up with the idea of this making the cyber center, now the cyber institute. And working with state agencies in the State of California to provide assistance and training and simulation, and other opportunities that they historically have to get on an airplane and go east to get. So, the idea was to build something in the backyard of California for Californians. And so, we connected strongly with the National Guard of California, the Attorney General's Office, CHP. CHP in California is the emergency responder for cyber incidents. And so, it's always traditional agencies in California that nobody thinks about as being cyber-oriented. And so, we really started this conglomeration of working with them and the institute, and it's been growing ever since. It's just an interesting story.

Andrew Hammond: And it sounds to me like there's a soft spot in your heart for California. Is that right? Are you a Californian?

Bill Britton: No, I'm actually from Virginia originally. I've been in California five times, four with the military and this time with the university. My wife, however, was born in LA and moved to Seattle. So, I think we have a 50% on that for being Californians. Which, you know, that gives us some credit. But now that we're there, it's just an amazing experience. There's all sorts of things going on in California that are, you know, high-tech. We're two and a half hours out of Silicon Valley. The connectivity, the closeness to us is just so enrichening for the students. And the opportunities to see what's really going on in the forefront of things is just awesome. I'll probably stay there until the day I retire. But I've tried to retire three times and haven't gotten it right yet. So, I'm not sure that's going to happen any time soon.

Andrew Hammond: And do you have links with Silicon Valley?

Bill Britton: Oh, absolutely. The best links we have with Silicon Valley are our students. Absolutely amazing the number of students who have graduated from Cal Poly and moved to Silicon Valley and go work there. And over time, you know, they become captains of industry, they're really in new positions. And we're doing some other interesting things to develop our community around Cal Poly, some things with the space support in Paso Robles and other things, they're just really kind of cutting-edge technology-wise, trying to draw people back into the region.

Andrew Hammond: And just very briefly, just set a scene for our listeners in terms of locale because I've driven down that way and it's gorgeous, it's halfway between LA and San Francisco. I believe that's the location of the world's first motel and it's partly because it's halfway between Los Angeles and San Francisco.

Bill Britton: That's right, that's right. So, if you take the map of California, right, and it's on two pages, and you fold it in half, right where you put a staple, that's where San Luis Obispo is, it's right in the middle of the state, three and a half hours north of LA, three and a half hours south of San Francisco. And we're right on the coast. So, you've heard of Pismo Beach, Bugs Bunny makes the wrong turn and ends up in Pismo. The students have everything from hiking to mountain bike riding, lakes, ocean, surfing, volleyball, beach volleyball is very big at the university. So, and it's an amazing opportunity for students to just --

Andrew Hammond: And there's 400 wineries in the neighborhood.

Bill Britton: Yeah. I've heard that.

Andrew Hammond: Is there any faculty vacancies?

Bill Britton: Yeah, there certainly is, certainly is faculty vacancies. But if you get into the wine, you don't want to teach anymore, just it's all you want to do is lay around and drink.

Andrew Hammond: And that must be like, what, 300 days plus of sunshine throughout the year or something.

Bill Britton: Yes. 285, 286 of sunshine. It's absolutely amazing.

Andrew Hammond: Wow. So, just tell us a little bit more about California and cyber. So, some people will probably think surely California's cyber center, they've got Silicon Valley, all of these companies that come out of California. It seems to me like part of your role is to try to coordinate and push some of these skill sets together and build out capacity and increase cybersecurity in the state. Is that --

Bill Britton: Yeah, absolutely. What's really interesting about that is, yes, it is the home of a lot of those startups. And the first thing they do is they go and they get federal contracts, and then they say if we're going to have this federal contract, we need to be near whomever we're dealing with. So, most of them end up moving or putting an office in DC, moving to where the food is, as Sam Kinison used to say. It really is this drawback to the national capital region, which where, of course, you have your NSAs, your CIAs, DIA, you know, all the intelligence agencies that are looking at that cyber is really here. Now, conversely, on the commercial side, commercial cyber has this kind of philosophy of seen but not heard. They don't want you to think about the cyber, they want it to be built into your app, or built into your software, or built-in so that you don't need to have a cyber person do it. And that's kind of the way that the industry in California has really built out, which is we built cyber into the portfolio. That kind of makes it a really interesting conversation when you say, "Okay. Who's doing cyber for this and that?" And so, we have as a state, we have a critical shortage of cyber professionals because they either go into a specific area for commercial or for the government. If they go to the government, they're usually moving out of the state. If they're going into the commercial side, we just can't keep up the pace. It makes much more sense. The hopping, job hopping is huge in California. And the demand, the number of students we are putting out, they're qualified to do it, it's really interesting, when I ran that kind of business in DC, we always wanted somebody with at least eight years of experience, having worked with numerous customers before. And so, there's kind of a gap between the new start person getting out there, and then where everybody is hiring at. 
And so, this gap is something we're trying to really address in workforce development which is how do you validate and prove that these individuals have better skills, that they can move into those other jobs. And so, workforce development, what we've seen and what we've convinced a lot of others is, it needs to start in middle school, particularly around the cyber skill set so that those students are motivated to go into that. Because by the time they get to college and they're thinking about cyber, it's kind of a too-late scenario for them to really get engaged.

Andrew Hammond: And as part of the research for this interview, I've read various reports and some of them said it's like 465,000 cyber vacancies, other ones have said 650,000. Let's not quibble about thinking, let's just say it's a lot. Let's just say it's a lot. So, why is that the skills got -- how did that come about?

Bill Britton: Yes. So, it's really interesting because I've been in this a long, long time. And what I've seen is that cyber was extremely slow to ramp up. And it still is to have those kind of numbers. I mean, those are massive numbers of shortages. So, part of the problem lies in multiple different areas. One of the problems is the employers themselves don't really understand what cyber is. And so, they say, "Well, I need one." "Well, what do you need?" "I don't know but I need one." You know. And so, there is that factor. So, that's hard to hire, again, when you don't know what you're really looking for. The second one that we've seen is that in specific areas like the federal government and others, they know exactly what they're looking for. And they have an exacting person. And that government employer and eight others want the same person. And so, the competition for that same person grows exponentially. And so, you have -- I refer to it as job hopping, you have individuals who will go start with one government agency. A year later, they're moving into another one and getting the 10 to 25 percent pay increase and then moving and moving and moving. So, it creates this really crazy employment networking that goes on. The third thing is that again what we don't see -- so I'd like to start off this way. So, I give lectures to large groups and I say in that large group setting, give me the name of one cyber white hat who I can talk to, teenagers to 19-year-olds about, that we can use as an example of someone to look up to to emulate in cyber. So, I'll ask you that question.

Andrew Hammond: Eric Escobar.

Bill Britton: Okay. Stop it. That's unfair. That's unfair. He is a good example. But honestly, the answer is cricket noise. It's normally don't know. You know, we don't know people that do that sort of thing. They don't advertise, you know. And then the black hats side, you definitely hear about all the time. So, that's not good, right? We don't want them to emulate that. Name movies that had hackers in them.

Andrew Hammond: So, WarGames.

Bill Britton: WarGames. Okay. Teenagers. Who's going to identify with that? And, oh, by the way, they were doing bad things, right, so that was really a bad side of the fence. Let me give you a couple of others. Another one that I like to refer to is the movie Blackhat itself. Do you remember who played the hacker in that?

Andrew Hammond: I can't remember.

Bill Britton: Thor. The guy that plays Thor. So, how many hackers -- bingo. Exactly, how many hackers do you know? So, here are these, you know, middle school, high school children looking at that movie going, I'm not going to be him. That's not me. I might be Thor one day but I'm not going to -- you know, that's not the real thing. The other one is Swordfish, which is Hugh Jackman, the same scenario, right? These are cut, big, tough guys that the gamer is looking at, going, "Hm, not me, bud. I'm not going to the gym." You know, or I'm not doing that, that's not my style. We're trying to get them to really say, "Well, if I can do that, I can go into cyber and I can do these things in life, and I can go work in that area, and I can find some really good jobs." And that may include skipping college. Not that I would ever say that again out loud. But, you know, it may include going direct into the business and then going to the college after you get your feet underneath you. But we're trying to establish a way that people think differently about what cyber really is and does for them.

Andrew Hammond: So, you're trying to address that from your job at Cal Poly but then you also do outreach, what, across the state?

Bill Britton: Yeah. So, the idea is so that we run a cyber competition we call the Space Grant Challenge. What we've done is we've combined space, spacecraft, Moon, the whole nine yards with cybersecurity. Because space is cool. Nobody who doesn't think space is cool. So, what we're trying to say is, you know that cool thing you like, there's a way to be involved and be in cyber simultaneously. And it's a gap, it's a major gap in spacecraft design and everything else for cyber. And so, by combining those two things into an e-sport, a gamified cyber activity, and a virtual capability, we really are having our students, the Cal Poly students, they build this game in a competition. And it's really cool because they work with Eric as part of our technical advisory staff where they are helping to design real-world capabilities that could occur. And they also help us from actually doing real-world accidentally things that shouldn't have happened. So, they kind of help us confine the game, make it realistic. And then we offer that game to middle schoolers and high schools to participate in. And we do that nationally. The idea then is to get them in that mode of thinking, wow, this is fun, this is exciting, and I can do these things. Now, what's nice is the game itself is actually tied to standards of learning associated with cyber education.

Andrew Hammond: On the topic of space, I was just thinking a few years back, I went to the space center in Houston and you see all of the NASA stuff, the space technology, the rockets. And one thing that's quite striking understandably because of when it was, a lot of it looks very "back in the day", a lot of it. So, has the space industry, have NASA, have they kept up with the times or are they all using cutting-edge cyber technology, or is it still a little bit analog, a little bit back in the day?

Bill Britton: Yeah, it's getting there.

Andrew Hammond: Okay. Right.

Bill Britton: It is not there. So, if you think about this, some of the platforms that are being used today were launched four, five, six years ago with no cyber design on them at all, right? So, there are lots of gaps in the architectures. Many of the current commercial platforms -- interviewed a couple, we won't use names so they won't shoot me -- asked them what their security architecture was. Their answer was, "Well, we use proprietary solution." Proprietary does not equal secure, it just means nobody knows what it is. And if they think that's going to prevent somebody from figuring it out, wrong, right? Another one I talked to a startup company and I said, you know, you have a Chief Information Security Officer working on your platform. And they go, "No, but we're looking at hiring one." "Oh, what are you looking for? What are your skill sets that you're looking for because I know some people in the business?" "We're looking for somebody just really to protect the internet." And that should send shudders up your spine. This is basically the defensive architecture of systems isn't at the maturity level. And so, part of the question is who should designate that because FAA owns commercial spacecraft. You know, is FAA big into cyber? No. And if you look, they just published a big RFI for cyber enhancement for space for FAA airports and such. So, they're in that major push now. So, the spaceport side, the spacecraft side is still kind of behind the power curve on that who enforces. The other part that they're asking the question is if I'm a startup, where do I get cyber parts from? You know, many of the parts for smallsats are bought online, from anywhere. And so, who's doing the validation on those? And would that work? Could they even afford to have the components on it? That's been an argument I've heard is that the new start -- the R&D smallsats, they can't afford to have security on it.
Now, that technology is changing rapidly that there is the ability to do those things. The key becomes if they don't have somebody on their team that's an engineer that has a security background, who builds it? So, again, what we see is the demand for cyber-knowledgeable or cyber-cognizant engineers is growing exponentially because it's now a system of systems in space. You know, we've talked to a couple of companies that are building plane-to-plane space internet, right? Well, who's protecting that? How are you protecting that? And again, intellectual property isn't the answer. So, if it's a system of systems, you have to have engineers who understand cyber across the board. So, again, we see a greater need for engineers with cyber understanding, not so many specific cybersecurity specialists. But you've got to design those systems from the get-go with that secure architecture included.

Andrew Hammond: I've heard you describe elsewhere, I thought it was quite an effective way to do it. You speak about a house, okay, a house, imagine a house, you have keys, you've locked your doors, you're going to update your alarm system, and so forth, you close your windows when you go on a vacation. So, I just wondered if you could try to break it down for the people that are not into cyber and that don't know much about it. So, just briefly, one of the things I love about our podcast is that there will be people that are -- work in cyber, at NSA, but there would also be just the average person on the street that loves a good spy story. So, for the people that are like -- that you're going to give me something more that I can hang my hat on here, just help them understand at the most fundamental level.

Bill Britton: Yes, so we -- I call it my cyber 101 speech, which is really talking about the basics of cybersecurity. We start the conversation, first of all, with this thing called digital literacy, right? And so, it's really about understanding that the world we work in has changed so much on a digital scale, right? And that means things like this phone. You know, I was talking earlier about we do an educational class where we have the people hold up their phone and do all sorts of weird things with it just to see how amenable they are to following directions with the phone, and they do everything we say. It's hilarious. But then we say go in and look at how many apps have a microphone attached to it, and the microphone is on. And it's that kind of uh-oh, wait a minute, you mean there are people listening to me on my phone. And the answer is, yes, it's a technology that's listening to you. So, we start with digital awareness which is you as a human are no longer an individual located in the middle of nowhere, you're no longer that needle in the haystack, right? Because even if you are, the second thing we talk about is cloud and cloud computing. Because now that we have all this information being gathered and collected. It used to be, well, you know, they're not going to find me, I'm just one of 400 million people. Well, with the cloud, so what, we can find you. I can run 18 servers until I do find you in that specific instance that you're in. So, your digital awareness expands exponentially with the cloud, in other words, that your data, your information, stuff about you is now in that cloud that people have access to. And when they hack a site, and put it into the dark side of the world, that just makes it even more available. And so, again, your presence, your digital presence now is everywhere. 
So, all that information about you, do you want all that information out there, and that's where that third leg comes in which is this cyber awareness, understanding that protecting that first leg, that information about you and your family, your health, and all those things is part of that third element, the cyber aspect of what you do. And so, I start then with the conversation around, you know, why is cyber important? Okay. Well, do you have a house or an apartment?

Andrew Hammond: Apartment.

Bill Britton: Okay. In your apartment, do you have door locks?

Andrew Hammond: Sure.

Bill Britton: And do you have window locks on your windows?

Andrew Hammond: Sure.

Bill Britton: And do you have a balcony somebody could climb up to get in the window?

Andrew Hammond: Yeah.

Bill Britton: Oh, okay. So, do you lock all of those or do you leave it open?

Andrew Hammond: Lock it all.

Bill Britton: Right. Why do you lock it all?

Andrew Hammond: Because I don't want anyone to steal my stuff.

Bill Britton: Exactly. You don't want anybody to steal it. So, think about your computer and your digital presence in that same context. Why do you leave the door open on your phone, on these other devices? You should be locking them down. So, the internet is great but it's not your friend, right? It's really interesting, in my era, and people still do it, they named their phones, they named their computers, so they put stickers -- nobody has stickers here -- they put stickers all over them, they personalized it so they are personalizing their communication to a computer. The problem with that is that you put all that cool information about yourself on a computer, well, if somebody asks the computer a question, it's not like one of your friends who'll say, "Well, I don't know if I should tell you that because Bill is a good friend of mine, I don't want to irritate him." The computer says, sure, here's all the information. Have at it. Oh, and here's some more you might want too, right? So, it doesn't discern, it doesn't think on your behalf. So, again, as a consumer, protecting yourself, why do you tell it all that cool stuff? I mean, I'm guilty. I did this. In the first ages, you know, owning computers, I built Excel spreadsheets on my bank accounts where I had everything and all this sort of stuff up, right there open and available. And I think about it now and I go, what was I thinking? Right. It's insane that I put that much information out for someone else to have access to it. So, it's that kind of thought and philosophy that's really the basis of what cybersecurity is. It's being a consumer of your own data and protecting it just like you protect yourself when you go to the grocery store, when you go down a dark alley, when you get home at night and you put the locks on your doors or windows.

Andrew Hammond: In this interlude, I just want to share with you some really exciting news. Next week begins the first episode in our five-week Spy Chief Special. It features David Petraeus, former CIA Director and four-star general, Wilson Boinett, the former head of Kenyan intelligence, and the man credited with turning it around, Micheal McElgunn, the current head of Ireland's Garda Síochána Intelligence, Vappala Balachandran, the former number two at India Research and Analysis Wing, and Tish Long, the first female intelligence agency director here in the United States, who served the National Geospatial Intelligence Agency. This took months and months to bring together and features two scoops, officials who have never spoken out previously. I'll let you guess which two. Clearly, it's not David Petraeus. If you could subscribe or share this detail with a friend, we'd be most appreciative.

[ Music ]

Andrew Hammond: Okay. From your current job at the California Cybersecurity Institute, what's your take on this day of US tech talent at the moment or where you would like them to be or do you think that there is still some work that needs to be done?

Bill Britton: The problem is the same everywhere, it's just in size and magnitude. California has a massive shortage just because of the sheer volume of companies and entities that need the cyber. Everything from space to medical, it's a huge shortage of cyber people in space, in the medical community, and others. And so, again, it's a magnitude problem, it's in numbers. But you have that same problem everywhere. And you can look online and just, if you're looking for a job and you want to go look at cyber and look at the number of Chief Information Security Officers, CISOs, that are out there from everything like banks, hospitals, architecture firms, law firms, everybody is requiring someone who's going to come in and say, "I'm going to protect your internet." And that's the basic premise what they think about is protecting my internet. But it's really all that other data. How much data do you store on these things and how do you protect it? Well, if you're a company, you really want to know do I have company data on my phone and what am I doing with it, right? And so, those sorts of things. So, we see that problem across the US today. And what we also have is this international threat presence that is always looking us as well. So, not only in the commercial side of it but now the government side that is looking for professionals in the cyber arena. And so, there's a shortage there. If you really look at this, what we're creating is this need that says maybe it's not a cyber person I need but maybe it's an engineer who is designing cyber and understands security portfolios to be part of the solutions around what I do. Maybe it's an IT person who is really security aware that builds my architecture for the office and secures it. There's not enough people that have the right skill sets in this arena. Those that do have the skill sets are paid mightily. They get a ton of money to do their job and they're usually very, very good at it. 
One of the things we talk about in our cyber 101 is really what are the crown jewels that you need to protect at your business, at your area that you work in, that's where you spend your money, that's where you spend your time. If you're spending on everything, I mean, I know people who have told me, "Their house is so -- their internet at home is so secure that nobody could break through it." Why? What do you have on it that you need to spend all that money on that? I mean, again, you have to put this as an equation to what is my cost of effectiveness if I lose it, what do I do if I do lose it? Does the business shut down because I lost this information? And really, you kind of work backwards from the understanding that. What is the impact to you and your business to do these things? That simple kind of skill set is not really taught, that's one of the things we try to work on. I don't know if you ever saw the Jimmy Fallon show that they went out in the street and they actually got people's passwords just by interviewing them on the street. And they gave up their passwords. It was so simple. Because they don't think about that I'm protecting, you know, I don't give you the password to my lock from my house, I don't give you the key to my house, but I'm giving you the password to my internet, which has so much more on it. Right? So, there's a lot of material there that's available.

Andrew Hammond: So, you know, California Cybersecurity Institute, yourself, you're doing loads of work, you're trying to address the skill shortage, you're trying to get people up to speed on this, but I'm just wondering how much of the ownership should also be on tech, on the companies that are making this stuff so --

Bill Britton: It's a great question.

Andrew Hammond: I mean, it just seems like, you know, if you think about so you give the example before we went on air of you went to Sacramento, you gave a talk, you found out that someone had 38 apps actively listening to her daily life basically. You know, she --

Bill Britton: It was 68 apps.

Andrew Hammond: And she didn't have a clue what was going on.

Bill Britton: Right.

Andrew Hammond: You get -- you buy these phones and you get, you know, scroll down this list and you click agree at the bottom. I mean, it could say really anything. You know, people are busy, they're getting on with their life, you know, they don't necessarily have time to sit around figuring out emerging technology or disruptive technology. So, how much of the ownership should be on tech? Or I'm even thinking about data breaches. You know, we had a guest on a couple of years ago and he said there's hardly any incentive for them to do stuff to address this because there's not a lot of punishment there. He said if you charged the company a dollar per day for every person whose information has been breached until the breach is fixed, you can guarantee that that problem would be reduced quite significantly within a couple of years. But at the minute, it's privatized gains and collectivized losses that companies take the money but when all goes wrong, it's like, oh, well, I guess, your Joe public didn't do cybersecurity properly. And the average person is like, "What the heck, I'm just trying to pay the bills and make ends meet." So, just give us your thoughts on that about --

Bill Britton: Yes, a really good question. So, I want to blame the internet. We'll start there. I think there's been this acceptance that the cyber, or the hardening side, the protection side would be taken care of somewhere, but not really identified where. The original intent of the internet was just push the information around, to do research, right. There was no security architecture really designed. There was IP architecture so that you knew who was talking to whom and such. But really that whole emphasis on security has come well after the technology has been launched, the market has been established. And so, now a lot of that technology is an add-on, and it doesn't work the way it should have it been designed into. And so, again, what we're looking at is kind of reshaping the way that the market space is working. We're seeing this in the development of futuristic spacecrafts and other things where they're changing their delivery techniques, they're adding security as an engineering factor in. There's a type of design called security by design that's really taking effect in the cloud where you design your security architecture as you design your application or your medium for storage. So, that it's in the upfront stages as opposed to the add-on at the end. The challenge with an add-on is whatever that product is doing, be it a phone or anything else, it is a main function. And by adding something on, you never really get to all of the code and all of the aspects to protect it. So, I see the community is adapting but it's slow, it's slow because we don't have all the engineering cyber individuals we need to design. So, you've got the market screaming -- it's like watching the stock market, screaming up as the number of people eligible to help it slow down and secure is still at a steady level pace. And so, these two things are not converging together, they're slowly moving toward the same level. But technology is outpacing the secure environment. 
And one Saturday night at a discussion between the medical community and the cyber community, and, boy, was it just a really fun argument because the conversation was I've got to get my medical product to market as soon as possible to save lives, therefore security can't slow me down. Well, just that thought alone is like, oh, my God, did he really just say that? The answer is yes. They really are trying to go at a massive pace to deliver, to change the world that we live in. And the security side is perceived as a slowdown to that delivery cycle. So, again, how do you expedite that?

Andrew Hammond: I read something the other day and it was talking about doctors in the United States. And there used to be a much higher percentage of doctors per American. In the past couple of decades, it's come down quite considerably. And this article traced it back to our reduction in the number of residencies in the 1980s. So, that's the pinch point in the system so there's enough graduates, there's enough people that want to do it but there's not enough residencies. So, the number of doctors has decreased over this period of time. But it seems like one of the pinch points that you're talking about is when it comes to a company or a C, they're looking for someone that's "cyber" but they don't really understand what cyber is and they don't really understand the functional differentiation within cyber in terms of competencies, it's like you want to have an air force and you say, well, let's get lots of pilots. And you're like, well, okay, so who's going to arm the planes, who's going to maintain the planes, who's going to do the electronics, who's -- okay. So, we need people for that. But how are they going to be fed, how are they going to be moved around? You know, so like the whole ecosystem that comes along with putting a very small percentage of planes in the sky but people just don't know where to do the intervention, is that correct?

Bill Britton: Yeah, that's absolutely right. Look at cyber as truly an ecosystem that has so many gaps and holes in it that it's hard to solve the entire equation. The interesting part of that is that you can have a cyber person, you know, an internet, right, firewall, you can have somebody who runs the security operations center, you can have somebody who does forensic analysis. These are all different skill sets, different people, different roles. In many places, they may be combined one or two or three, but what you find out is with size and magnitude, more data, more information, more all things, you need more people to do that. So, a lot of what we're seeing now in technology is to move to AI- and ML-based support structures to help with the security decisions so that many of those things are automatically flagged. The human in the loop is to ensure that there is a problem. And so, that is going to alleviate some of the problem. But then again, we still need those people who understand how the AI works, who program the AI, who build it into the other architectures. And that AI and ML has to be checked, it has to be balanced, it has to be evaluated to ensure it's doing what you've designed it to do and it hasn't decided to go off and do its own thing. So, all of those now are even adding more complexity to the conversation. So, as we add technology to make it easier, we still need more people to figure out how to run the technology.

Andrew Hammond: And just help our listeners understand what that ecosystem looks like. So, you know, it's obviously very large and very complex, so I don't expect to enumerate every single part of it because that wouldn't even be that interesting or informative. But just that broad-brush level, so let's just say in army, you have got infantry, people know what that is, that's the people with the rifles, you've got armor, you've got tanks, you've got logistics, you've got all of these different parts, so there's dozens and dozens of roles within all of the whole spectrum of the army. Can you just break down for our listeners what the cyber ecosystem is?

Bill Britton: I think if I can fully answer that, I would be the richest man in the world because that is part of the problem exactly is that ecosystem is fluid, it's flexible, it's based on who you are as a company, what you are as an entity, what kind of information, what kind of technology you use. I mean, again, the amazing thing is to go look to the ONEedge, the jobs for hire. And I saw one, Fairfax had a radiology company or office needs an information security person. Well, what would they do? Well, mostly it's protect the internet. Mostly it's protect the data associated, it's protect the transactions that occur. So, you get into this basic protect mode. So, that's a skill set that we would identify in the ecosystem, which is protect or defend, right? Then there's the second which is the forensics area, that is the person who says, uh-oh, something happened on my machine, let's figure out how and who did this. And you're not going to do anything other than protect it, hand it over to law enforcement whomever. But the idea is to figure out how to prevent it from happening again. So, that's a completely different set of skill sets than the defense side who is really kind of evaluating, monitoring, you know, observing what's going on in your network that you're looking at, then you've got the connectivity side, the communications. So, that would be like a networking type. But a lot of these are also IT skill sets that the network engineer needs to understand the impact of security. So, you're really taking the entire ecosystem of IT, deputizing it as cyber as well, and then adding a whole another layer of policy, of review, application security. I mean, all of these things thus it gets to look like one of those measles charts where you've got everything everywhere, and everybody has to know something about the same thing. Right. And that ecosystem really is you, it's you, your company, it's who you are and how you want to protect yourself in that process.

Andrew Hammond: But what are the stereotypical job advertisements for cyber? And maybe that would help us understand a bit more.

Bill Britton: Yeah. The classic one is Information Security Officer, ISO. That is kind of like the all-knowing, all-seeing cyber person for a company. And they expect that person to do policy, they expect that person to do protection, they expect that person to do defense, they expect them to do all these other things. Normally that person can't do all of that, and so they hire a lot of different companies from here to help them figure out all these different vectors and avenues and other things. So, that's really the basis, Chief Information Security Officer, or Information Security Officer. The next side of it is really all these networking and engineering roles that have a security part to it. So, you're transcending between your IT team and your security cyber team back and forth. So, that's kind of the third area where they're all part of it but they're not directly applying to it. I think the other one, there's the most confusion about, it's the forensic side, the investigator of what's going on. So, an investigator or a forensics person is not the same person that would run your firewalls, right? That person is looking at what's inside your computer, how did it get something there, what was the effect on your system, and they're looking to make improvements to the process. And that is just a humongous skill set, that knowledge base of understanding and getting in there. What you see is a lot of forensics also understands the hacking element. And a lot of former hackers become the investigator. And so, that's it. And then there's the classical hacker, that's on outside or inside, either a white or black hat as they call it that is really looking at how do I attack a system, or how do I protect the system after I've hacked it because I wanted to hack it first to see what the vulnerabilities were. So, I think it's those four generic categories, that creates your ecosystem for cybersecurity.

Andrew Hammond: Okay. Thank you. That's very, very helpful.

[ Music ]

The cloud. Bill has spoken about it several times in this episode and I realized that it may conjure up that image of those dreamy Renaissance paintings where angels and saints and cherubs are suspended high above the mortal earth on billowy pales of white fluffiness. In the context of this episode though, we need to recalibrate. The cloud is the term that confuses, perplexes, and bewilders many people, but the basic idea is rather simple. Cloud computing means storing and accessing data and programs over the internet instead of on your computer's hard drive. Think about your PC or Mac at home, which is simply an electronic device that manipulates information or data. Cloud computing means you still use that device to manipulate data but instead of the storage and programs being there on the premises with you, you access the storage and programs over the internet. Think Netflix, think Dropbox, Google Docs, and Zoom.

[ Music ]

And I just wondered how you ended up in the California Cybersecurity Institute. So, I know that you've got an intelligence background that you've got a military background, I know that you spent some time in private industry, around DC.

Bill Britton: I'm a real oddity in this marketplace. Yes, so I did 20 years in the military air force, the United States Air Force, in which I was able to do some amazing cool things in the areas around intelligence, electronic warfare, electronic combat, cybersecurity. I then retired and went to work as a beltway patriot, or a beltway bandit whichever you want to call it. And so I did that for quite a time. Ended up running an intelligence group that did IT architecture, cybersecurity. We built things that we took into the field and when they brought it back, they put it next to the Ark of the Covenant on a shelf, turned off the lights and locked the door, and walked away. I was running the small company or the intelligence side of a small company. The CEO of that company was a Cal Poly graduate, and they said, "Gee, we don't know what to do with you so how about you go work at Cal Poly?" I had to look it up. I'm an east-coaster by birth and I found out that there were two at the time and didn't even know which one to go to so I waited for the airplane tickets to figure out where I was going. And ended up going to the university. I was there about six months, at the university, and the CIO retired, and they said, "Do you know anything about IT?" I went, "D'oh." And they said, "Well, could you be the interim CIO for the university and run the cyber institute." And I said, "Well, I will give it a try and then figure it out. I don't really want to move away from here." So, I applied for the job as the CIO, got the job, and had been doing a lot of digital transformation cybersecurity for the university. I think it's an interesting mix of skills and background because I worked at DARPA for a while, I worked for the NRO for a while, I worked for all these different agencies.
And a lot of what I'm doing today is what I learned in those areas, which is really being out of the box, being transformational, being innovative, and applying it to an area that may not understand all those things in the application of the day-to-day existence. And working with the academic side, trying to build and innovate the university. I have a belief that as a CIO for a polytechnic, we have to be able to teach with students, utilizing the kind of equipment they are going to go use in the field when they start their jobs and work in the world. And that's an expensive proposition for any university you have to try to do. That's why we moved the university to do cloud-based infrastructure support. So, we are all in on the cloud.

Andrew Hammond: I think one thing you said there that's quite interesting. I think a lot of people have this stereotype of working for the government is just being a cog in a machine and being gray and mindlessly putting one foot in front of the other, day after day. And Silicon Valley is where all I would say out-of-the-box thinking takes place. But the places like DARPA and Skunk Works, and In-Q-Tel. Those are all these people that are really pushing the envelope, right?

Bill Britton: It's really interesting. When I got to the university, the students think that the federal government is a bazillion miles away. It's on the other end of the world and they're really strange people, and very restrictive because it's the government. And so, I brought a young lady out there that was working for me at the company I was at, and asked her to talk to the students. That was wonderful because she's into yoga, she rides a Ninja motorcycle, she's as much Californian as the rest of us were, and she looked at all these students and they said, "Why would you go work for the federal government?" And she said, "You don't get it. I have a free get-out-of-jail card with the government. I can do amazing things in my world of hacking on behalf of the government with the government, that you can't even think about doing or you're going to go to jail." And she said, "It's that experience, that ability to think out of the box and do things amazing, and protect people in the process that is really rewarding." And they were amazed.

Andrew Hammond: And just coming back to Cal Poly, is there a difference between a CIO and a CIS or is it basically the same thing?

Bill Britton: Yeah, a significant difference. So, the CIO is responsible really for the entire enterprise and architecture of the IT, information technology, that supports a university or a business, or any of those entities. And a lot of people ask me what is a CIO. I go Chief Information Officer. They go, "What is that?" And I go, "I work with computers and the internet." "Oh, yeah, I get it." Well, it's working with but it's an orchestration, right? I'm the conductor of IT at the university. Everything has to work, everything has to tie together. I'm responsible for making sure that students don't lose their homework in the cloud, that students can talk to mom and dad every night on the Wi-Fi, phone, you know, that all of this IT works no matter where you're at at the university. If you think about a polytechnic, a polytechnic is really about data, all the student data, study data, homework data. It's all data. And moving it from place A to place B. And so, again, the CIO acts as the orchestrator, the conductor for this orchestrated effort of information flow around the university. The Chief Information Security Officer says, "Jeez, that's a lot of data. We have to protect it." We have all these different rules. We have FERPA, HIPAA, the ITAR, and government rules and all this information technology rules, rules about the data, rules about information, rules about credit cards, all those sorts of things. We have to monitor all that. We have to assess all of that. We had an announcement one day about some work that we were doing with the federal government. The next day, we had 1000 direct hits on our -- brute force hits on our university webpage direct from Russia. They weren't even trying to hide it. They wanted to come in, they wanted to find information on what we were doing. It was just direct. Right. 
And so, the Chief Information Security Officer was responsible for precluding the attacks, for protecting information, really protecting the crown jewels of the university.

Andrew Hammond: So, the CIO would have a CISO working for him or her.

Bill Britton: Yeah, that's a great argument. Many CISOs do not work for the CIO because it's believed there's a conflict of interest. The way we work it and with my background, the CISO does work for me and we both work for the president of the university. In some places, they work in separate areas so that they can have -- they are not conflicted, that the CIO would say do this and the CISO would say don't do that, and he'd still have to do it because the CIO said so. We don't have that challenge. So, again, it's a different environment. And it's run differently in different companies. Some places don't even have CISOs. And that's where you see the CIO has all these roles and responsibilities that are supposed to hand.

Andrew Hammond: How many people are on your team?

Bill Britton: So, I have overall 185 employees for the university. And I have eight that are in the security portfolio.

Andrew Hammond: I think that Cal Poly or just the university is a really interesting example because knowledge, data, advanced research, all of those types of things. So, it's quite an interesting problem or challenge to take over, okay, this university, this information ecosystem I have to take control of. So, again, just on the topic of elaborating what these ecosystems can look like. So, you arrive day one on this job, what does that look like for you? Like, help us understand. You sit down with your, you know --

Bill Britton: Sheer panic.

Andrew Hammond: After the sheer panic, you know, you get the yellow legal notepad and you're making boxes, and you're here's this, this, and this. What were the this, this, this, and this?

Bill Britton: Well, you know, it's interesting. The first thing I did was a risk analysis of the university. And I did it from not just a security risk, I did that, but I also did it from the perspective of risk for the university. How old is the computers? How old is the data center? Where is the data center? And we conducted this risk analysis, and, of course, that's when I had my second panic attack was when that was done. Because the list was just massive. And one of the things -- I wish this were not true but it's true, I mean, we do all this standard stuff and we kept coming back to this number one risk. Our data center was in the basement of the science building, and these were the servers that are storing all the information, important information for the university. And that rack of servers was underneath a restroom. And that restroom had overflowed before and continuously overflows so that it floods the floor and then leaks down on the servers. We lost a million and a half dollars worth of servers. And this is something that is just completely unacceptable. So, I took my little risk analysis and all my little charts, you know, and I went to the risk officer and I said, hey, we've got a bad problem here. It's interesting because his response was, "Well, the guy before you didn't say it was a risk, why is it a risk now?" I said, "I don't know, but I'm telling you." I actually said it was a level 4 risk. At the time there were only three identified levels. I made up the fourth just to show him how bad it was, you know. Just to really drive home the point. And he said, "I don't get it." So, I took it to the cabinet, which is our C-suite equivalent for the university. And I said, "Look at this chart, you know, this is level 4. We've got a problem. This is a bad situation. We can't afford to lose this information." So, we created a campaign that basically in the campaign we said we are one flush away from losing our data at Cal Poly. That actually worked. 
It resonated. It got people's attention. They said, "Wait, what do you mean one flush away?" I said, "Well, it floods, you know. All the stuff -- there's poop on the --" And they said, "That's unacceptable." I said, "No joke, it is completely." Yeah, it's unacceptable. And then they go, "What do we do about it?" And that's where I had them. So, when they said, "What do we do about it?" That was our ability to then make the sale and say, "Okay, what we need to do is develop a solution that takes us out of that data center, that future-proofs the university."

Andrew Hammond: So, just a couple of final questions. Bill, this has been really enlightening. So, one of the things that I was thinking about while you were mentioning there, you know, you go there and it's like, well, the last guy never thought this was a problem. This must be a problem for CIOs and CISOs all over the place. They go to the president or the CEO and it's like, oh, come on, you know, can we not do without it? Reminds me a lot about like a former landlord where every expenditure was this massive imposition. There were payment pinching and can we not go away without not doing this?

Bill Britton: I've talked to companies who actually said to me, "I'll pay for security when I have an incident." And it's too late. I mean, by that time, you're not preventative anymore, you're just reactionary. You know, malware, ransomware, you're going to pay, you have no protection. And so, it is an eye-opener, particularly if no one has been doing that role before. Or if that role was looked at differently. And so, many CIOs, not all of them, but, you know, some CIOs are in the role of "I provide the enterprise", and that's it. And so, I have to deal with all that.

Andrew Hammond: This has been a great discussion. Thanks so much for sharing your expertise with me and with our listeners.

Bill Britton: It's been a pleasure. I hope we can do this again sometime in the future. Awesome. Thank you.

Andrew Hammond: Thanks, Bill. Thanks for listening to this episode of SpyCast. Please follow us on Apple, Spotify, or wherever you get your podcasts. If you have feedback, you can reach us by email at spycast.spymusuem.org or on Twitter at intlSpyCast. If you go to our page at acyberwire.com/podcasts/spycast, you can find links to further resources, detailed show notes, and full transcripts. Coming up on next week's show.

Unidentified Person: So, again, I think the role of intelligence is what it always is, it is crucial. The difference here is the sources of intelligence which have evolved enormously.

Andrew Hammond: I'm your host, Andrew Hammond. And my podcast content partner is Erin Dietrick. The rest of the team involved in the show is Mike Mincey, Memphis Vaughn III, Emily Coletta, Afua Anokwa, Emily Rens, Elliott Pelzman, Tre Hester, and Jen Eiben.

[ Music ]