The world of cybercrime continues to run rampant—with cybercriminal activity increasing on an annual basis—even though countless efforts have attempted to intervene. As the number of personal devices and software updates increases, there seems to be no end in sight in the battle against cybercrime. This raises the question: Can individuals be motivated to take meaningful action on their own?

For this podcast episode, I am joined by Greg Oslan, chairman and CEO of the National Cybersecurity Center (NCC). He also serves as a strategic advisor for Howso as well as the managing partner of One Strategy Group consulting. Together, we discuss the reality of vulnerability in today’s digital landscape, what steps individuals and organizations can take to stay safe online, and how a new tool from the NCC can help promote cybersecurity.

Below is a lightly edited and abridged transcript of our discussion. You can listen to this and other episodes of Explain to Shane on AEI.org and subscribe via your preferred listening platform. If you enjoyed this episode, leave us a review, and tell your friends and colleagues to tune in.

Shane Tews: Walk us through the changes that you and the board decided to do to advance what we need in this next generation of keeping secure online. Also explain—is this enterprise-driven or are we talking about individuals, and then what do we do? How do we use your tools, your new toolset?

Greg Oslan: Middle of last year, we shifted from a project-based nonprofit charity, essentially, living year to year—and most charities do. You really don’t know where next year’s money is coming from in most cases, especially in the cyber industry. We recognize that if we were going to be around and help this country for the next 50 years, we had to build a business. We couldn’t, in the emotional or traditional sense, we couldn’t be a charity. We had to be a business.

What’s a nonprofit business? You make as much profit as you can, you spend it every year. That’s what we needed to create, versus doing things for free. That said, in our shift, we realized the problem: There’s 6,000 funded cybersecurity companies in this country, dealing with the commercial world. I can’t compete with the commercial world. But nobody’s helping the individuals. Individuals—you, me, our families, our friends, people we meet—they’re the ones who make up society and they’re also the ones who make up business. If we can help individuals become safer online, inherently, so will businesses.

From a problem set, the commercial world won’t solve it because there’s no money in it. The government won’t solve it because it’s just not what they do. They are not great at communicating to the public in a direct sense, right? They’re bigger picture kind of mindset. It would take a nonprofit. Then the question was, if the problem was there is this big gap between those of us who are technologists and the majority of society who’s not, what role do we play in that?

What we decided is we were going to build a platform to create the awareness, knowledge, and solutions for individuals to protect themselves online. And it couldn’t have been done three years ago because AI, at least at scale, did not exist. But we went from ground start last April, May, to having our MVP product available and out. It is free of charge. We are distributing it. We will ultimately soon. It’ll be both in the Apple Store and it’ll be in . . . the Google Play Store.

Am I giving the app permission to monitor what’s going on?

We’re doing no monitoring. People are afraid of that. They don’t trust. It’s hard not to not be compromised, let alone giving the information up. But they trust their bank. They trust Google. They trust, at some level, anybody they give information to. What we want to do is—if you did this, you filled out, even if you didn’t do your profile—the two things you’re just going to get more. If you didn’t do a profile, you’re just going to get all the alerts, which might be overwhelming and frustrating. Then you’re going to have access to the platform itself, which does multiple things. You want to ask it a question.

Think of it as a verticalized GPT rather than . . . and so it’s just simple. Any cyber- or really technology-related question you have, ask it. It will give you an answer in simple plain English. You’re not going to—you search in Google, you get a hundred things. It’s ads. It’s God-knows-what. You go to ChatGPT, it’s going to give you a summary and a bunch of choices. We give you an answer.

If you ask, “How do I change my password?” there’s not choices, you get it. If you ask, “What’s the best antivirus software for me?” it’ll ask you a bunch of questions, come up and, ‘We recommend X.’ And the way we do that is we rotate amongst the top five of any particular solution or product out there because we’re unbiased. We want to provide the truth. We want to provide the best answer to solve your problem today.

Let’s say there’s an update for Instagram. The app is not going to update it for me but it’s going to say, “If you are an Instagram user, here is how you update it,” and it’ll give me the step by step. What’s after that?

First, you’re going to get the alert. You need to update. There’ll be the classic red number one and you click on it. It comes up and it says, “Instagram has a compromise. They’ve issued an update and you need to update. Click here to go through and walk through your update.”

We’re not doing it for you, but we’re walking you through. Long term, maybe we do, but today we’re keeping it simple. Nobody wants another monitoring service. What people need is information that they can act on simply, easily, and now, or they’ll never do it. We’re, all of us, even technologists, are the same way, right? How many times should we, but we didn’t?

Will the app be a fee for service or something else?

I think long-term it will be a freemium model. Our business model is . . . today, everything we provide is free. But as we add things that cost us money, we’re going to have to create some fee, but it will always be small. Since our mission, first and foremost, is to serve society, while we need to make money, our primary motivation is not profit . . . our primary mission is society and an element of that.

We built—as I said—design, build, operate, the Space ISAC. And in February, March of last year, we actually split, which was always intended. Because they’re a 501(c)(6), so they’re a member-driven organization. We’re a 501(c)(3), which is different. We don’t do members. We were never designed, long-term, to be together. We created it in the realization that cyber and space were going to be big in terms of the intersection between the two. Everything we do on the ground here is a problem in space and it’s harder because you can’t just put a firewall, if we talk of the old days, or antivirus software on a satellite that’s been up for the last 30 years. We’re providing awareness, knowledge, and solutions that don’t require any tactical knowledge or capability, don’t require you to go, “Well, where do I change my password?” It will tell you how to do it for you, walk you step by step.

Two key components to the platform. One is alerting. There is no alerting mechanism in society for individuals. How do you know you’re at risk? If you look at the compromises in the last four weeks, simple ones, there were three big ones, right? You had Google and Chrome, you had Microsoft and both Windows and Edge, and you had Instagram all occur. They all did some kind of press release and you saw it in the news. If you’re paying attention to the news, not a single one sent a notification to all their customers. You need to update your software now. People assume it’s just updated. In fact, neither of . . . there you go.

You assume Google and Chrome would just be automatic, not unless you log in and log out. If you haven’t turned your computer on or off, or actually purposely logged out of Chrome and come back in, you didn’t get an update. Nobody knew that. We found that out from our own tool. It’s kind of funny because as we’re moving this, I’ll talk about the business model, but as we’re moving this to society, obviously we want to eat our own dog food. And in doing that, I just went through the alert and it told me what to do. I mean, step-by-step instructions: Go to here, do this, and so on. And I did. Then it starts updating. I go to the team and I go to our security guy and I’m like, “You realize we’re not secure right now from the period of time that you were aware of it to the period of time—if you didn’t reboot—you were vulnerable.” And we’re in the business. These are great examples. Apple sent out a release, I know a few days ago—less than half of all Apple users have updated their software, and it’s been out for weeks.
