
Cyber Security
Season 16 Episode 19 | 26m 46s
Fighting a losing battle?
The data lost to millions of hacks is now being picked apart and combined with artificial intelligence to rip people off for billions. Is there any way to stop it or will the good guys always be a step behind? That's part of our discussion about cyber security on Northwest Now.
Northwest Now is a local public television program presented by KBTC

Northwest Now is supported in part by viewers like you.
Thank you.
None of your data is secure.
Now, that sounds like an extreme statement, but with a wave of data hacks and the deployment of new artificial intelligence weapons, your sensitive information is almost certainly compromised.
We now almost have to say cyber security with air quotes.
That's how bad things have gotten.
Meanwhile, the South Sound is emerging as a bit of a cyber security center.
And that's part of the discussion next on Northwest Now.
In 2016, 60 Minutes did a story revealing that the Chinese corporate espionage program resulted in the losses of hundreds of billions of dollars and about 2 million jobs.
Russia is right in there, too.
Even America's nuclear secrets are compromised thanks to several ongoing digital espionage programs that our adversaries have been running for decades now.
Corporate and government entities were always the obvious targets, but now individuals are in the crosshairs, too.
It was just revealed that phone communications on the nation's wireless carriers is no longer secure.
Just look at the trend line of sites that are actively leaking data to be used in ransomware attacks.
All the big guys are getting hit.
Capital One, Equifax, Heartland Payment Systems, JPMorgan Chase, Yahoo, Facebook, Activision, American Financial, Change Healthcare, and, ironically, the U.S. Consumer Protection Bureau.
In Washington state, there's been a surge in data breaches, with 11.5 million cases reported by the AG's office in fiscal year 23-24.
That's the most ever.
Hacks included the Employment Security Department, with a couple hundred million dollars gone.
The Washington state court system, Boeing, Comcast, Fred Hutch, Seattle Public Library, SeaTac airport, the Highline Public School District, that's just to name a few.
And remember, those are just the ones we know about because let's face it, reporting that your data isn't secure isn't something your local government service provider or employer wants to advertise.
Now, all that lost data is being picked apart to identify individuals and then combined with artificial intelligence tools to imitate voices, government officials and friends and family, to rip people off for billions of dollars.
Into this challenging environment marches the growing cybersecurity industry.
As Steve Higgins tells us, students are training to battle the cyber crooks right here in the South Sound.
You take one of these network cables?
Leroy Williams knows it.
He's enrolled at the center for Cyber Security at Clover Park Technical College in Lakewood.
If you build a good, strong foundation, you've got a good understanding of what's going on.
It has.
Williams says his military training relates to the curriculum and plans to graduate this summer with a bachelor's degree in cybersecurity.
That's basic.
But before diving into artificial intelligence, network intrusion detection methods or system penetration testing, students learn the basics with hands on training.
What a computer is, the hardware, how to repair it, put it together.
Take it apart.
Whatcom Community College is host institution to two national centers.
Michele Robinson from the National Cybersecurity Training and Education Center at Whatcom Community College in Bellingham, aims to advance industry education across the country and help fill the gap between qualified candidates and open jobs.
You'll notice it said there's like ten over 10,000 job openings in Washington state.
As the demand for trained professionals keeps growing, so too are the number of attacks.
Washington Attorney General reports the number of data breach victims in our state exploded more than 150% over 2023.
The office administering Washington's courts networks believes swift action thwarted a probable data exfiltration attack last November, saying a computer virus from a malicious pop up advertisement forced delays with gun sales, background checks and other services until the network was restored.
The Port of Seattle refused to pay ransom in an August attack that threw ticketing, baggage handling and other services at SeaTac airport into chaos for weeks.
Out of the cooler.
Now!
Hands up!
Get out!
Face away from me!
In January, Pierce County sheriff's deputies arrested someone they say tricked an elderly woman from Ashford out of $14,000 after a fraudulent pop-up ad claimed her bank accounts were hacked.
We believe this is not isolated to this one event.
Other agencies have informed us that it might be connected to cases they have really flexible.
Close, not far from where I live.
You know, they got hybrid training.
So you could be in person or, you know, you can do it on, online.
Williams praises Clover Park's program and sees a promising future.
He explained cybersecurity to his less than tech savvy friends and family in a way that hits home so hard where it was.
Do you like your money?
Right?
And would you like to keep it safe?
As the industry is expected to grow, Clover Park Technical College instructor Jeff Turner believes a solid future can be earned in the South Sound.
It's a match made in heaven here, and it's right here in the edge of Tacoma in Pierce County.
Steve Pickens, Northwest Now.
Joining us now are Saint Martin's computer science professor Robert Thompson, and Zubair Shamsi, cybersecurity expert with Tacoma's Strike Proof company.
Welcome, both of you, to Northwest Now.
This is a topic that's been on my mind for a while.
You know, people ask me, and we had this discussion before we started taping.
Well, how do you come up with ideas?
How did you get the idea for this particular program?
And frankly, it was just me looking at the constant drumbeat of the news, the constant hacks, the constant breaches, and saying to myself, oh my gosh, it's a disaster out there.
Now hopefully you'll be able to talk me off the ledge here, and things aren't as bleak and as dark as I think they are.
But that's what we've got you here.
My first thought, Robert, is this.
The hack is complete, your data is out there.
But now AI is being used to craft these emails and these deepfakes and make it sound like grandma's calling for money.
What's the state of the art out there from your perspective on this?
And how serious do you think it is?
I think it's a very serious thing.
Now we're going to have more deepfake technology and tools that can use deepfake and allow content creators just people without any real skills, to be able to perpetrate and pretend like they are family members, your boss, and they'll sound exactly like your boss or your stockbroker or your stockbroker.
That's correct.
And now they do.
You know, the first phase of any type of penetration testing is reconnaissance, where you do social media, open source intelligence and you're looking for that, and they're looking with what's called Google Dorking or Google hacking, and they're doing other open source type ways to find out information on the target that you're trying to perpetrate in this case.
And so that's going to be a real problem going on with AI in particular.
Zubair, is that a little does that represent a little bit of a I hate to use the word advancement when we're talking about the crooks, but an advancement the crooks have made.
It used to be the hack was the thing.
Oh, I've got the data now I can monetize it now.
It's no the data if I'm just starting with that now, I'm going to craft this beautiful piece of thievery and come get you.
That seems like kind of a radical change that's occurred as the technology has gotten better or worse.
However you want to view it.
Yeah, absolutely.
But I think Robert hit the nail on the head.
You know, it's it's a matter of, you know, these attackers, they have deep pockets.
They have money to put into systems and technology that can craft very, very real life deep fakes.
You know, you can't tell the difference when it's an AI generated voice that's on the end of your line asking you or telling you that your bank account has been breached or compromised.
And can you give us your your details so that we can go in and secure your account?
It's a it's a big problem that is one of the and that's one of the real nasty things about this too, is that oftentimes the entry in that text or that phone call is, hey, there's been a problem.
The bad guys telling you there's been a problem.
Only problem is they're not the right guys to solve it, but they're representing them as the guys to solve it.
And that's where your defenses go down, right?
And they like to instill a sense of panic or or uncertainty.
Right.
They want to make you nervous about what's going on, so that you will be more willing to share that information with them.
I think that's a good rule of thumb, and I keep hearing that from all the agencies and all the companies and things that have been breached.
Bob, is is it is it fair to say that if there's a real sense of urgency, call me now or you'll be arrested, call me now or your bank is going to go to zero or or we're going to collapse all your your investment.
You got to do it now.
That's a real red flag, isn't it?
Absolutely.
In fact, they use that sense of urgency in order to make the decision making process shorter so that it can put you under pressure.
So you have to make a decision now, like the boss needs it right now.
We need you to give this, you know, email wire transfer today because we need to pay this vendor.
Otherwise it's going to slip the whole project timeline.
And so they're creating this artificial sense of urgency.
And this gets back into user training for cybersecurity awareness.
And that's what we need to train our user base on is to be able to recognize these social engineering attacks that are now they're going to have it done by AI.
Now, it's not just by humans.
It's already here.
Yeah.
And you you talk about the training piece and we're going to talk about the your actual college program and what that looks like.
But I wanted to talk about user training too.
And Zubair, maybe you could hit this one.
You know that that sense of urgency is one of the tricks that's used on people.
But it's it's almost there's a naivete that has to go along with it as well.
Is it there?
I, I sometimes look at, you know, this lady, you know, she emptied out her bank account to some guy she'd never met or heard before and started writing him.
Western Union Telegram checks.
Where does where does bad criminal behavior and having some brains as a user kick in.
And we had the conversation before we started taping too.
I no longer tell family members if they say, hey, is this safe?
If I do this, my answer is no.
Nothing's safe.
It's all out there.
How do you answer that question?
You know, a lot of the people who are falling prey to these types of attacks, they're not unintelligent people by any means.
The attacks are very well crafted.
I mean, I've gotten emails and phone calls and I'm like, is that legit or not?
I don't know, it could go either way.
And because I'm in the field, I can do a little bit of research into what I'm getting and determine the average user isn't going to go through all that.
You know, I think the best way that they can protect themselves is by staying skeptical of anybody who's calling you and ensuring you know that you remember a bank is never really going to call you.
The police are never really going to call you.
Yeah, the police want you.
They're going to come to your house and get you.
If a bank is calling you, they're going to disable your card, and you're going to have to call them and ask them, why isn't my card working anymore?
So it's important to, to, you know, again, stay skeptical of the people that are calling you and just, you know, put some real thought into it.
Talk a little bit about the kinds of victimization there are two I've got a little list here.
There's phishing, ransomware, zero day malware, and even some viruses and things.
Getting into the Internet of Things, you're at some point someday maybe your refrigerator acts against you, you know?
So talk a little bit about that, Robert.
There's such an array of threats hitting different things.
Some in your email for phishing summit ransom for ransomware at work, where now those records are going to be held.
There's there's so many fronts on this battlefield.
There are many fronts.
But phishing is where a lot of our attacks come from, where somebody clicks on a link and then they're automatically installed some malware.
That's where the user training comes in.
But when you talk about ransomware, the key to that is have backups.
You know, offsite backups are disconnected.
I like to tell users to have images. You can download a free imaging program, like AOMEI offers free Windows imaging, or you can use Clonezilla for Macintosh, Linux or Windows.
But it's a command line only interface that is able to back up your data to an external like five terabyte USB hard drive.
That way, if you do get ransomware, you can go back and restore your image and you don't have to worry about it.
But if you don't have that, you know, or if your image gets, you know, compromised, then that's why you have to have like a father, son, grandfather type thing where you have three hard drives that way in case one of your hard drives also has a ransomware that locks all your files, because it's pretty much impossible to be able to break the encryption algorithms.
They're very strong to be able to, you know, get your files back if that happens.
So the rule is kind of having three backups, maybe one locally.
One.
No.
Just rotate, just take, you know, three different hard drive, five terabyte USB hard drives all work.
You plug in and you make an emergency boot disk on a USB stick so that it's a bootable thing that has a generic USB drive.
And then you image the entire hard drive.
So it does your entire operating system, every, you know, application you've installed, programs that you've installed on there, every piece of data, it's all image back.
And if your hard drive goes bad or if you get ransomware, you just stick a brand new hard drive in.
You take your last backup, put the emergency boot disk, and then you're off and running.
Go drink a coffee.
Depends on how much data you have, and then it's restored for you automatically.
Some of these mid-sized and small time operations, though, like dental practices.
I'm thinking about family here and medical practices and things.
There's a lot of data there.
And, I actually was told a story once where they saw this ransomware attack underway and were able to pull the plug on the internet to pull it and restore.
And they were able to catch it in time.
Zubair, is that a, is that a valid strategy?
Hey, I'm going to unplug the wire.
I'm going to get my computer when I see the attack coming or no, it's too late.
By the time you figure out what's going on, at times it's too late.
By the time they figure out what's going on, you know, these attacks can move very quickly and they kind of work in the background a lot of the time.
And it's not until all of your data has been encrypted that they pop up that screen on your window that says, we encrypted all your stuff, pay us some Bitcoin and we'll free it up for you.
So, you know, sometimes if you can catch it quick enough.
Yeah, that that can work.
You know, get that machine off the network so that it can't encrypt any more files.
The computer.
You may not get files back from that, but if it's connecting to any shared drives or shared repositories of data, you might be able to protect that data.
Having backups is the biggest thing for ransomware.
You need to have good backups and you need to test those backups.
Can't tell you how many times I've gone into a client and they're like, we have backups.
We go to restore backups, corrupted.
Sorry.
I mean, you did all the right things, but we didn't.
You never tested your backups to make sure that they're working.
Okay.
You can't really recover anything.
You that's a good one.
You know, I create the zip file and upload it to the cloud every month, but I should download one every now and then just to make darn sure I'm doing it right.
Absolutely.
That's a good point.
I'm putting that on my list.
Speaking of the cloud, I know this is a very open ended question here.
Is the cloud safe?
Isn't it just another computer that can be hacked by the hackers or no professionals are administrating these things?
Robert.
And it's the clouds.
Pretty safe.
I'm weighing these two ideas, all these cloud based system providers, you know, data providers and things have been hacked.
But it's not your local computer where, you know, the guy who used to be in marketing is now doing it is, you know, wearing two hats and trying to protect the system.
So how do how should we view the cloud and cloud based services on the hierarchy of security?
Oh, cloud.
It's definitely not a totally secure type thing.
I would never want people to think that the cloud is 100% secure.
You don't have to worry about it.
That's not true at all.
It has many attack vectors.
You know that you can attack the cloud on, and so you can have like on GitHub repositories, which are for developers.
They load their API keys, or application programming interface, and they have the, you know, the authentication key sometimes left in there.
And, you know, hackers will go through and they'll pull down the GitHub and they'll find an API key.
They can get into the cloud.
There's VM escape where people can get into a virtualization hypervisor and escape from that.
That's more rare where you can get out, but once you escape the hypervisor which creates these virtualized environments, which the cloud is on steroids, on virtualization, I mean, everything is virtualized virtualized routers, virtualized switches, virtualized appliances, virtualized servers.
And so there's many way and it's a connection between on premises and cloud.
And so it's not just like, well, I'm safe in the cloud.
Attacks can perpetrate from one area.
And then they do a pivot and escalate a privilege attack.
And so it's not like you are safe by just going to the cloud.
So your cloud-based backup may not be enough.
That is what I'm hearing.
Because you have to make sure that your cloud is secure as well.
I mean, it's you're killing me.
I'm so sorry.
It's reality.
We live in this world where attacks are coming out more and more, and it's going to be AI versus AI.
If you look at like cyber threat intelligence, where we're taking in intelligence feeds and we look at endpoint device response things that are feeding into what's called a SIEM, a security information event management system.
And it looks for correlation of data to say where an indicator of attack, indicator of compromise is happening.
These things are now we are now using machine learning because machine learning can look for pattern recognition on steroids.
It can find that needle in the haystack.
There's so much data happening that it's no, it's impossible for a human to be able to look at this with their own eyes.
It's just too quick.
And if you're looking, you know, for anomaly based detection, where you create a threshold like, this is my normal data exfiltration out of my network.
This is normal infiltration of data.
How much input and output of data.
Then you can make rules on that because it's not everything is signature based where we're looking for what's called a mathematical hash algorithm, where you're just running a one way mathematical hash on, you know, malware, and that malware has a signature to it.
And that's how we're detecting a lot of malware now.
But now they're coming out with polymorphic viruses and other types of things where it can avoid the signature based detection.
So we didn't have to use heuristics, you know, type detection techniques.
Or you can use anomaly based detection techniques.
But these things, it's an evolving type landscape where every time we invent a mousetrap, they invent another mousetrap around.
Comment from both of you on this.
Do you think the in the end the bad guys win or the good guys win?
I think it's an ongoing battle and we're going to see more and more integration of AI and ML machine learning involved in cybersecurity, both from the attackers point and from the defenders point you're going to see.
And that's why I'm pushing my students at Saint Martin's.
It's like you cannot just be a network engineer and a cybersecurity professional.
You have to learn.
You don't have to become a data scientist, but you have to learn how AI is being implemented with cyber now.
Yeah, and machine learning, you have to understand these concepts because they're going to expect you as a practitioner to be able to implement these types of things when you go out into the real workforce, what's your gut say?
The bad guys winning right now, losing.
Will this be and ultimately end up in a draw with battling AIs?
How does this play out?
I don't think it ever ends.
I think it's a constant game of cat and mouse.
As we develop more strategies to protect ourselves, the bad guys are going to develop more strategies to break what we've what we're using to protect ourself.
You know, whether it's now or 50 years from now when everything's changed in the technology landscape, it's it's going to be the same problem.
So remain skeptical.
Back up your stuff.
Don't don't think the cloud is your solution.
I think those are some good, good takeaways.
I want to give you both a chance to speak about your respective programs, too.
Robert, give me a brief overview of what's happening at Saint Martin's.
What what the degree is, what the classes are and how many kids you have involved.
Well, we offer several programs at Saint Martin's.
We have now three bachelor's degrees in computer science.
We just we have a traditional bachelor's degree in computer science, which is traditionally, you know, you have to take the whole calculus, single variable, multivariable differential equations, linear algebra.
Then you get to do the coding.
Then we offer an information system which is much less math and more application.
And then we offer a new one that we are just starting in January, just next year.
Here I'll start teaching in that.
And that's a cyber security.
Why is that important.
And we also offer a master's degree in computer science as well.
And we have 12 full time instructors there at Saint Martin's in the computer science program.
We're out of the Department of Engineering.
But cyber security, if you look at, you know, computer science is the tree of knowledge.
There's branches off of that tree.
You have, you know, artificial intelligence is one twig off of that.
You have, you know, cybersecurity.
But if you look in the US Department of Labor and Statistics Occupational Handbook, which predicts all the jobs in the United States for the next ten years, the average of all jobs over the next ten years combined is 4% job growth.
Cybersecurity has the second highest and, you know, okay, science is 33% projected job growth.
So it makes some sense as to why you're diving into that.
Zubair, same question for you.
Talk a little bit about Strike Proof, what the company does.
And I will add that you baits, there are several institutions of higher learning here in the South Sound that are, that are working in cybersecurity.
And we've become a little bit of a cyber security center here in the South Sound.
Strike Proof also, on the commercial side, being one of those. Talk about what your company does and what brought you to the South Sound.
Yeah.
So we're a full scale cybersecurity company.
We offer, you know, penetration testing, vulnerability assessments, governance, risk, compliance assistance, anything that's related to cybersecurity, we want to help you with that.
You know, I was born in Seattle, Washington.
I've lived here basically, basically my whole life.
So that's why I decided to kind of headquarter out here in Tacoma.
And, you know, from our side, when we're looking for, potential candidates with our company, you know, we need somebody who has a lot of technical expertise.
Yeah.
It's, you know, I hate to say it, but oftentimes a degree is just not cutting it for us.
Like, we need to see real, real world experience.
Yep.
A lot of the things that, you know, you're learning, we can teach you as well.
And we have our way of doing things.
So having somebody who's a go getter who, like, wants to get out there and learn and is kind of, your, your quote unquote nerd who loves to get into computers and, you know, get their hands dirty and learn new things.
That's the biggest thing for us, like just constantly learning because it's always changing.
And I think that reinforces Robert's point, too, that, you know, the opportunities here are nothing but expand and grow and a great place for somebody who is, you know, has that mindset, to dive in in our last two minutes here, we get now into one of Tom's peeves, which I always enjoy in the program.
One of Tom's peeves is being asked by small time service providers who have none of the protections in place.
They probably should.
They demand my name, social security number, date of birth, driver's license number.
I'm so heavily documented out there, it's not even funny.
Doesn't that have to stop?
Robert, don't don't these small time service providers who are totally focused, I know on getting paid.
I know that's I know they got to get paid.
I'm not denying that.
But my gosh, you know, they really are incurring some potential liabilities when they demand everything.
I got to do business with them.
Oh, in my humble opinion, we don't have a data privacy like Europe said the GDPR in Europe, which protects, you know, consumers.
They are opted out by law with teeth to it.
They have inspectors with big fines in Europe.
And it doesn't matter if even if you're dealing with the EU citizen here in the United States, those GDPR laws apply.
But in the United States it's the exact opposite.
Yeah.
The first thing I got to do on the phone is enter my Social Security number.
And I'm thinking to myself, really?
Right.
And that's PII.
And every time you put in like your credit card to a website and then they store it there, you have to worry is that website, how secure is that website?
What do they do when they do technology refresh and they get a new server?
Are they going to wipe that old hard drive and, you know, overwrite the hard drive seven times?
Or it depends on what kind of hard drive solid state versus conventional.
But you know, are they going to protect my data.
So I tell users always turn on two-factor authentication, whatever you can on everything that's financial, use virtual credit cards, Capital One.
Right.
It's one of the few numbers where you can create a virtual one for just that instant, right.
And you can then put an expiration date and it'll create a virtual for free.
And then you're not giving your actual credit card data to a company.
You know, and so yeah, this is a huge problem right now that we have in our industry.
Great conversation guys.
I appreciate you both coming in.
I'm not sure I'm left feeling any better about all this, but, you know, your job is to make the host feel good.
But I think there's some good tips and some good things to think about.
Inside of this.
Thanks, guys, for coming.
Thank you.
Thank you.
This is another one of those programs that isn't going to end the way I'd like it to.
With some solid steps you can take to make sure you don't become a victim of cyber crime.
Frankly, the bottom line is that you probably are going to be a victim of cyber crime.
Consider identity theft insurance and do the best you can to verify the people you're talking to.
Back up your data, keep passwords secure, and keep your machine clean.
Sadly, for now, a lot of this boils down to just crossing your fingers and hoping you're lucky enough not to become a victim.
And that's the best I can offer.
I hope this program got you thinking and talking.
You can find this program on the web at kbtc.org.
Stream it through the PBS app or listen on Spotify and Apple Podcasts.
That's going to do it for this edition of Northwest Now.
Until next time, I'm Tom Layson. Thanks for watching.