🌐 Project Galileo and The Global Cyber Alliance

Hi everybody, my name is Jocelyn. I am a program manager on Cloudflare's public policy team and I am super excited to be joined by Megan Stifel, who is the Executive Director of the Americas at the Global Cyber Alliance. And we're going to be talking about all things ransomware, cyber attacks, cybersecurity, threats to journalism groups. But I want to kind of take a step back and kind of explain the relationship between the Global Cyber Alliance and how Megan and I started working together to provide a ton of different types of tools to a range of groups on the Internet. So for background, Cloudflare started Project Galileo in 2014 to provide a free set of cybersecurity protections to a range of groups on the Internet, from human rights organizations to independent media groups. And now, you know, seven years later, we are providing more, we are providing protections to about 1500 organizations in 111 countries. So a majority of the organizations that are protected under Project Galileo are actually independent media and journalism. And we've reported a lot on different cyber threats that have faced these groups. And as we kind of share these insights, we started to collaborate with other types of organizations. And one of those organizations was the Global Cyber Alliance, to figure out how best to protect these groups on the Internet. So I'm really happy to have Megan join and kind of talk about the work of the Global Cyber Alliance, because they provide great toolkits, but they also do so much other work in the cybersecurity industry. So Megan, I'm really happy to be chatting with you. So do you mind doing a brief introduction and kind of talk about your background, how you got started in the cybersecurity and policy industry? Thanks, Jocelyn, for the invitation to be here and for your partnership together with your colleagues at Cloudflare. We're delighted to work together on tackling some of these major risks. So I'm actually now the Global Policy Officer at GCA and direct the Capacity and Resilience Program, which is one of the steps that we took after we just completed a strategic review. And so we'll get into some of those other projects that we work on, I think, in our conversation this afternoon. But I came to GCA after about two and a half years ago, having previously been at another nonprofit organization really focusing on cybersecurity, that's public knowledge. Prior to that, I spent a good almost a decade in government service, both at the Department of Justice and then at the National Security Council at the White House. And I really fell into policy space, as it turns out. I was an attorney and was working on helping the government investigate national security threats, largely through a tool that many didn't know about before, but now as kind of a household name, the Foreign Intelligence Surveillance Act. So having been an attorney and thinking about the application of law that the United States government uses when it's trying to investigate threats by nation states and what we call foreign powers, some of those, that body of law, the policy application of it and the policy environment definitely overlaps with cybersecurity. And as the government took a more detailed and really a more assertive look at cybersecurity with the HSPD-23, NSPD-54, which was the Comprehensive National Cybersecurity Initiative, that's about the time that I made the transition from really doing legal work on behalf of the government to also doing policy work. And it's been a tremendous opportunity. And it's a bit like going to sort of there are pinch me moments where you think, wow, am I really in this space? This is pretty amazing. I never thought that I would be here. But it's also, I feel like I've had an opportunity to have just a tiny bit of impact and certainly the ability to work on missions that are, I think, essential to democracy has really been one of my core kind of centers for my professional career. Yeah, it's interesting because I feel like the cybersecurity environment, there's, you would learn so much because the technology changes day to day and being able to bring your legal framework into that environment, I think it's such a value-added value-added part of your work. So it's really, really exciting to hear that part of it. So can you describe a little bit more of the work of the Global Cyber Alliance and how your organization operates and like how you kind of tackle the big cybersecurity issues facing the global communities? Sure. Yes. So GCA is a little bit younger than Cloudflare. We're about five and a half years old and that's what we call ourselves, the Global Cyber Alliance. We're a nonprofit. So we're a 501c3 organization. We're also a nonprofit in the UK and Belgium. And we're about a 30-person organization. We have partners from close to 200 partners from 25 countries around the world, including law enforcement, governments, nonprofit actors, and for-profit entities like Cloudflare. And we really think about cybersecurity in terms of wanting to help close some of the gaps that lead to larger risks for the global ecosystem. We really were founded to prevent cybercrime with some initial seed funding from the Manhattan District Attorney. And his goal really was to reduce the likelihood of cybercrime because there's not really a way to prosecute one's way out of cybercrime. We really need to prevent it. So GCA's mission really is to reduce the risk of cybercrime by enhancing and making accessible cybersecurity for all. And the way that we do achieve our mission is by uniting communities, scaling cybersecurity solutions, and then measuring their impact. And we've undertaken a number of efforts along the years. One of the ones that the security community I think is more familiar with, but the average consumer is not familiar with, is something called DMARC. And that's an email security protocol that we have been active in promoting and making resources available to help organizations implement DMARC. Those resources are freely available. And really, probably a theme I'll come back to a few times this afternoon is this idea that cybersecurity doesn't have to cost a lot. In fact, the most expensive thing of cybersecurity is probably your time. There are a few steps that can be taken that don't require more than an investment of time. And in some cases, it's really not a big investment of time. Yeah, it's interesting you bring up the time aspect. I didn't necessarily think about it in that way, but it's really important because there are tons of tools that organizations like the Global Cyber Alliance provides to help a range of actors on the Internet keep themselves safe from cyber attacks. And a lot of these tools are free, but you need a specific amount of time to learn about that tool, how you can implement it effectively, and also being able to understand your risks, which can be really difficult if you might not understand how the Internet works or how your internal systems might operate. So it's definitely a huge learning curve. So in the kind of current cyber landscape, when it comes to particular types of threat tactics, we've seen that ransomware is a huge concern, and the GCA has done a ton of work in terms of creating awareness around ransomware and also kind of the changing cybersecurity environment. So what do you think that some organizations should implement to protect against ransomware? And what has GCA been able to do to kind of prevent these types of attacks from happening in the first place? Sure. So I think the opportunity of a challenge with ransomware is that it's making headlines, and so it unfortunately, we are again in a position I think where users and consumers sort of feel powerless. But really, the reality is that ransomware has been around for a while, and that there are these known practices. Ransomware is a form of malware, and malware has been around for a long time. There are these practices that we know organizations can take that can meaningfully and significantly reduce their risk of becoming a victim of ransomware. So the first step is really to do something, and actually that's one of GCA's mottos is to do something and then measure it. So in terms of having organizations do something, I think the first couple of things that I would point to are actually available in some of the toolkits that we offer, and they include things like using multi-factor authentication. So that code that you might get on your phone or using a resource, a second-party resource to maintain and offer these codes that we can enter into our profiles to help us access the resources that we need. Another stuff that we know that consumers and users and organizations of all sizes can take is to think about ensuring that we keep our software up to date. In many cases, this is particularly for smaller organizations. It's more complex when you get into a larger environment, particularly in thinking about enterprise environments. But for the average consumer, making sure that when you do get that notification that your phone has an update, whether it's an Android phone or an Apple phone, it's important that that be installed right away. The third thing I would say is in that making sure that we have our software up to date as well as using multi -factor authentication is thinking about ensuring that our devices and our systems have been backed up. So we have many cases, this is also something that can be almost set it and forget it, even though I don't like to sell that. I don't want that to be the motto and the mantra of organizations when they think about cybersecurity. It really is kind of this virtuous circle. But that turning on some of these features is in many cases of one -time activity, and then you can set them to automatically update, automatically backup. And entering that kind of six -digit code doesn't take a few seconds, and it's actually quite effective in reducing the risk. Yeah, it's interesting. It's interesting to see how ransomware, like you said, of course, it's a form of malware and it started, and then terminology changes. I think my mom, this is like a telltale sign that the times have changed because my mom called me and said, I know what ransomware is now. So it's interesting to see how in the media, you're seeing so many of these different types of attacks, but these attacks have been prevalent for a long period of time. It's just now coming up because a lot of critical infrastructures have been hit. So it's interesting to see kind of that shift in the cybersecurity industry. So thinking about kind of going to focusing on journalists, for example. So the GCA provides a ton of really great toolkits for a range of groups on the Internet to kind of effectively address their cyber risks. But also, do you mind talking a little bit more about the GCA toolkits and specifically what types of entities you provide toolkits to and how you kind of came about with the toolkit model? Sure. So really the vision for GCA is a secure, trustworthy Internet that enables economic and social progress for all. And so that we achieve this mission, as I mentioned, by building practical, measurable solutions and tools that are easy to use. And we work to support and accelerate adoption by working with partners like Cloudflare. So we offer three toolkits. One is for small businesses, one is for elections offices, and the third is for journalists. And the small business toolkit is the first that we launched a little over two years ago. And that those toolkits really all of them work to provide users with actual guidance and direction to reach tools that can help them implement the known best cybersecurity practices identified by organizations like the Center for Internet Security, things like the cybersecurity framework that the United States government together with industry developed. But we've also mapped these tools and these toolkits to guidance from partner countries, such as the United Kingdom, Australia, and others. And the idea to develop toolkits really came about through one of our other core kind of operating models, which is to seek input from partners. And it was at a meeting that we held a couple of years ago, where one of our strategic advisory council members suggested to us that there was a tremendous need in the ecosystem for a small business toolkit. And we were fortunate to have the opportunity to receive some support from MasterCard. They're one of two sponsors for the toolkit, they're development sponsors. So we work with MasterCard and Intel just became a recent sponsor of the small business toolkit as well. And we're fortunate then to work with particularly the MasterCard Trust Center to reach small businesses that are using payment card systems offered by MasterCard, there are others, so that they have resources to protect themselves as they really work to, again, drive our economy. Following the release of the small business toolkit, it was actually at RSA in 2019, where a few government officials were together with some funders and the idea to tackle election security came about. In 2018, the Center for Internet Security published a handbook for election security. And in 2019, early 2019, the idea was created to identify resources from this guidance that we could at GCA pull together in another toolkit really to support elections officials. And so the elections toolkit has been about two years old, it was almost two years ago, yes, two years ago last month. And it's available in English, I should note that the small business toolkit actually is available in five languages. So the small business toolkit is available in Spanish, French, German, English, and Bahasa, which is one of the native languages of Indonesia. At this time, however, the elections toolkit is only available in English. And we are working through a number of recognized elections organizations to reach the audiences of that toolkit, particularly looking to target local elections offices, where they may be particularly under -resourced to manage the risks that pose to them. And again, thinking about their role as a foundational element of democracy. And then the third toolkit we offer is the journalism toolkit. And we're pleased, of course, to have the Athenian Project in the elections toolkit and Galileo in the journalism toolkit. The journalism toolkit we launched almost a year ago, it's available in English and the elections toolkit and journalism toolkit, we're fortunate to have support from Craig Newmark Philanthropies to offer these resources. And when we say toolkits, I think we should probably be more specific. So often we think about toolkit has a few tools in it, the tools that the way that we organize them is through toolboxes. And back to the comment I was making about three things that an organization could do. So there is a toolbox for each three of those activities, and it will direct a user to, for example, if you're operating a Mac system, it will point you to the space on the Apple website where you can turn on, get instructions on how to turn on automatic updates and automatic backups. So these are the types of resources. We really think about cybersecurity as building blocks. It's not a quick fix. You can't turn one switch and really have security. You need to implement a number of things. There are, of course, organizations like Cloudflare that are synthesizing this and making it more accessible. And so we're pleased to partner with you all to bring these resources to these communities. Yeah, I love that many of the toolkits are in different languages, because as the Global Cyber Alliance, it's really a duty to provide, we think about the US cybersecurity, but there are so many issues in terms of election security as well. So working with many organizations that help election entities abroad is so important. And the accessibility part, I think, is probably one of the most challenging that I have faced, for example. So you have small businesses, you have election entities, you have journalists, but also trying to get these types of audiences who might not have a very technical background and understand what the risks are, getting them to use these types of products in a way that is safe, but also reliable and not opening them up to further cyber risks. So specifically with the GCA toolkit, I love how easy it is. It provides a certain amount of time it takes and also an advancement level. So if you're not necessarily sure how to use, for example, a web application firewall, maybe you should start with some of the easier types of ways to prevent against cyber attacks in terms of multi-factor authentication or making sure you can do these types of updates. They take a little bit of time, but it's also that time spent is really, really, it's way more valuable than the time you would have spent trying to recover from a cyber attack. Yes, for sure. We also offer a couple of other resources to help organizations use the toolkit. So in addition to giving users a sense of how long it might take to use a particular tool and how complex we assess it to be, there is a community forum that we have. The difference between the community forum and the toolkits is there's no requirement to sign up to use the toolkits. They are free. As I mentioned in the beginning, the biggest investment there is your time. The community forum, really to help facilitate interaction and ensure that we're being as helpful as possible to users, there is a requirement to sign up. And you'll see in the community forum that each of the tools that's offered has its own room, if you will, where we can help answer questions about a particular tool implementation and the like. The other two pieces I think I wanted to mention about the toolkits is really our emphasis on training. So we are working, we worked with Totem in the case of the journalism toolkit to bring training to journalists so that they understand their cybersecurity risk and can decide which tools to use and to take action to minimize it. Likewise, in the small business toolkit, we have a learning management system where a user can work self-paced through the toolkit. And I mentioned also this email security protocol, DMARC, which is a part only of the small business and elections toolkits. DMARC is not an easy capability to implement per se, but it is possible to do. And so we've spent a lot of time building, again, a self-timed and self -directed set of resources to help organizations implement DMARC. I would say it's one of the most essential things that we can do really to help not only our own organizations ourselves, but also others on the Internet. The final thing that we have, particularly for the small business toolkit is a handbook. So if one likes to read detail, we have written out the detail for you. I think in the case, particularly for journalists, there is little time for that investment of kind of really understanding the why behind some of the actions that we recommend. So in order to reach and kind of convey the why, we have very short videos that are in many cases somewhat humorous, but really try to convey the point behind the importance of a particular best practice that we are recommending and showing users how to use. Yeah. It's always interesting working with journalists and independent media because they are sometimes the most at risk in terms of cyber attacks, but also they're, for example, if you're going through university and you're studying journalism, you understand how to keep sources private, but it's also like, you're not taught how to keep your own information secure. And like, since cybersecurity is such a growing industry and like now with the pandemic, it was kind of like zero to a hundred, we're all online. They're not really taught how to keep this information safe. So it's really great to have, you know, a platform where they can go and be able to use these types of tools. But also I love the idea of a community forum. So for example, you can have many people, if they're having issues with something, you're able to assist them, but also creating that sense of community, because I assume that a lot of different, a lot of organizations have the same types of questions or might see very similar types of attacks. So being able to have a community forum where you can open the space up and talk about some of these issues, I think is actually a really great value add to the toolbox. Yes. One of the reasons behind the community forum is this idea of, as you say, of creating community. And we know particularly for cybersecurity, but in many other things in our lives, it's really our peers that help influence our behavior. So if we're able to create a safe space where users can ask questions about how significant and how important it is to use multi-factor authentication or two-factor authentication, and where they can find the place for a particular app that allows them to turn that on. I was shocked the other day to see the low use of multi -factor authentication in Twitter's transparency report. It's something like 3%. And Twitter is actually a very popular platform for journalists. And I think particularly in the InfoSec community, a lot of us are on Twitter. So it's so important not only to try and go for that blue check, but even before that, to really lock down your login, as the phrase goes, and think about this multi-factor authentication and how by protecting ourselves, we can also I think it's critical for all of those communities, but journalism and election in particular, to think about not creating fuel and adding fuel to the fire of particular challenges of late, like disinformation and misinformation. So to your point about making sure that we're keeping source information and perhaps an investigation that we're working on, if you're a journalist, secure, we would want them to make sure that they've locked down access to these types of projects that they're working on, so that someone isn't able to suddenly steal their hard work, right? You want to protect your information and report the news on your own time if you're a journalist. And by using known best practices in cybersecurity, that's one of the key ways that they can do so. Yes, definitely. And I want to talk, I know like people are tired of talking about COVID, but it still is really important. And it's still a huge issue that is facing the global community. So I'm curious if you saw, for example, in the small businesses or journalism or elections, if there was any types of, did you see this big push to implement these cybersecurity features? Like since we all went from like zero to a hundred of working from home, what was your experience with that? And what were some of the kind of like the biggest obstacles that you found with these groups when it came to going to remote work? Yes. One of the key challenges I think we identified is this, there is so much information out there. How do you know who to trust and where to go for that? So we created the toolkits to be that kind of central hub and really looked to identify trustworthy third-party resources. And we actually use an application process to include tools in the toolkits. And we review them to ensure a number of things, but in particular their efficacy and kind of the privacy approach that they take. But in thinking about where can users go if suddenly I'm working from home, how do I know that my laptop is secure? And how do I protect my children if they're thinking about online education? Last year, GCA was pleased to work with a number of, particularly of nonprofit organizations and stand up a little work from home website, a portion of our actual website. And there we really actually identified three things that users could do, including among others, the idea of using a service that the Cloudflare offers. We have one as well, using a protective DNS service to think about how users are browsing the web. So that if you're trying to get to your bank or if you're trying to get to your corporate website, you're not suddenly routed to someplace that actually is an imposter website and thereby subject to a range of potential threats, unfortunately. So we gave users guidance on three particular types of activities. Many of the ones that I've been talking about, but also thinking about, and it's a bit nerdy to talk about, but that home router, how do you make sure that that home router is up to date? A couple of years ago, there was a big issue around some vulnerabilities in home routers. And I think at the time, one of the pieces of guidance that was offered, which sounds a bit crazy, but was at the time, basically, if you unplug it for a few seconds and plug it back in, sometimes that will refresh the router and it will then, not in all cases, and that's where this challenge comes, of how can we empower users and give them information that doesn't overwhelm them and turn them off from security from the outset? And so the idea of this work from home website was to give them three things to do that could really have impact. And we saw, I think, a good deal of support and visits to that website. Of course, also we're happy to see industry partners offer guidance as well. And so thinking about, I think the work from home shift gave everyone, particularly in security, an opportunity to really rethink the threat landscape and the threats that can be posed. We've talked for years about bringing your own device and the challenges of that, but these issues of thinking about the home router and the other users on a particular machine, if it's not a corporate-issued computer, really give us a chance to think about what more can we do and how better can we equip our employees to be the frontline of defense for our organizations, whether it's a nonprofit like where I am or a for-profit entity, empowering users to recognize that they can make a difference in their company's success or failure, I think, became even more apparent through the work from home shift. Yeah, and I think you bring up a really important topic that is, you know, as there's so many organizations out there and even if these, you know, multi-million dollar companies, they have the same issues that like a small business might have as well in terms of cybersecurity risks. They might have more of a risk in terms of they're getting attacks all the time, but they also have the resources to devote to those types of attacks. So, it's hard to figure out like, okay, everybody's working from home. There are tons of cyber attacks that we've identified at Cloudflare as well for this huge shift. So, providing tools to be able to kind of give everybody a playing field where they have the tools to keep them secure is really, really important. But we have about three minutes left. I want to ask my last question, which I'm very curious as to, you know, what you're working on right now. What are you excited about for GCA in the future? Do you plan, are there other toolkits, other types of products you're thinking about? I'd love to hear what you're working on. Sure. So, I mentioned that we've gone through this strategic review. So, we've consolidated our work and programming into two programs. One is Internet Integrity and the other is Capacity and Resilience. Capacity and Resilience, we're working on the toolkits. We also have a resource for law enforcement, which is, we call it the Cyber Flipbook. It's in beta right now. And we're really trying to equip law enforcement communities, even down to the local level, with resources to help them investigate digital crime or crime involving the Internet. It's not to say cybercrime per se, because it's more than identity theft, really. So much of our lives is lived online that we really need to have law enforcement capable of gathering the evidence needed to ensure that all types of crime are investigated appropriately. And the Internet Integrity Program, something you mentioned about, and I think where we're, sort of the difference between these two programs is really thinking about where can we have scale and use leverage points to bring security at scale to users. And in the Internet Integrity Program, we're working on IoT security. We have an IoT ecosystem where we're gathering malicious, excuse me, IoT attack data and looking to see what trends we can identify and where we might offer information to other providers in the ecosystem to allow them to take action. Likewise, in the Internet Integrity Program, we have a project called Domain Trust, where we're supporting registries and registrars in sharing malicious domain information, so that they, again, are able to take action on their own by reducing the likelihood of attacks on IoT devices or domains. We're able to have real security and impact at scale, so users themselves aren't necessarily required to install that multi -factor authentication app. Rather, they are protected by the ecosystem, the Internet infrastructure, the guts of the Internet, so to speak, and through partners, looking at both platforms and CDNs and cloud providers, really working with them to bring better security so we have a more trustworthy ecosystem and in fact have social and economic growth. Yeah, I like to think about that as like it's taking the human factor out of it, so if you have a device and it's installed to have these types of protections, like the human factor, you don't have to worry about that. But Megan, it was really great talking with you. I always feel like I learned a lot about cybersecurity industry, the infosec industry, so I really appreciate you coming on this Cloudflare TV segment. Thanks, everybody, for watching. If you have any additional questions, feel free to reach out to me, definitely check out the GCA toolkit. I've learned a bunch from it, so we're really happy to have Project Galileo included. Thank you.