Oregon State University, the University of Oregon and Portland State University have come together to form the Oregon Cybersecurity Center of Excellence. The center was created by the state Legislature last year, as data breaches of the Oregon Health Plan and Department of Motor Vehicles exposed millions of Oregonians’ information, and ransomware attacks shut down the Curry County government.
The center will help local governments, state agencies, tribal governments, libraries and school districts address their cybersecurity needs. It will also work to coordinate workforce development initiatives and boost public awareness efforts across the state.
Birol Yeşilada, a professor in PSU’s Hatfield School of Government, will serve as director of the new center. He joins us to talk about the biggest cybersecurity threats facing Oregonians and how the center plans to address them.
This transcript was created by a computer and edited by a volunteer.
Dave Miller: This is Think Out Loud on OPB. I’m Dave Miller. Oregon State University, the University of Oregon and Portland State University have come together to form the Oregon Cybersecurity Center of Excellence. The center was created by the state legislature last year as data breaches at the Oregon Health Plan and the Department of Motor Vehicles exposed millions of Oregonians’ information and ransomware attacks shut down the Curry County government. The center will focus on helping state and local governments address their cybersecurity needs. It will also try to build up the state’s cybersecurity workforce and boost public awareness. Birol Yeşilada is a professor in PSU’s Hatfield School of Government. He’ll serve as a director of the new center, and he joins us now. Welcome to the show.
Birol Yeşilada: Thank you, Dave. Thanks for having me.
Miller: What was the impetus for this new center?
Yeşilada: Well, the center is a product of six to seven years of collaborative effort to bring this growing problem to attention and every year it is increasing. Cybersecurity, thanks to the digital world we live in, has become a major problem and a challenge for everybody around the world. So we also know that no single institution, whether it’s private or public, university or government, research sites and so forth can address the complexity of cybersecurity alone. This truly requires collective action, a systems approach to cybersecurity that is both technical and human in complexity. And the phase of changing technologies/computer science software is going far ahead of the ability of elected officials to catch up with the fast pace of technological innovations. That makes a huge gap in response, both legally and also technically and workforce awareness to the ability to fend off the bad guys.
Miller: In other words, the bad guys move faster, evolve more, in general than governments do?
Yeşilada: Absolutely, we’re always doing catch-up in this world and the cost is increasing.
Miller: Why do you think it took six or seven years to get funding for this?
Yeşilada: In terms of politics, it took a long time to get a coalition of public and private and university stakeholders to come together. The initial effort was six years ago, there was a report prepared about cybersecurity studies in Oregon. It didn’t go anywhere in the state legislature. But then Portland State University, for example, became a National Center of Academic Excellence in Cybersecurity Research, a designation by NSA and DHS. Three community colleges–Chemeketa, Mt. Hood and PCC– are also CAE institutions and we got a big, big grant to study the vulnerabilities of power grid in the Pacific Northwest region of the United States. Discussion of that, once the work got out, led to all of us coming back together and saying, hey, give us another opportunity to bring it to the attention of the state-elected officials. And Representative Nathanson took the lead, sponsored the bill during the middle of the last session.
That effort didn’t get us the funding, but we came back with tremendous support from local governments, private sector, regional governments, universities, community colleges, school districts. And we had tremendous leadership in the legislature in the joint committee on Information Management and Technology led by Senator Woods and Representative Nathanson and it finally got through and passed last summer. And we are now able to set it up. It’s going to be a consortium, it’s not just going to be the three founding universities forever. This will grow. The vision is to expand to include other universities and community colleges to serve the entire state in cybersecurity, both education, workers training, providing supplementary activities to the State Chief Information Officer and the much longer tasks listed in our mandate.
Miller: If you were the state’s cybersecurity czar, say, as opposed to the leader of this new consortium, which is gonna help out public institutions and help out the workforce and do various adjacent things. But if it were on your shoulders, to be in charge of cybersecurity for the state, what would most keep you up at night?
Yeşilada: Cyber attacks are going through the roof. Every day around the world, there are more than one billion cyber attacks and it’s increasing. What keeps me awake is the very poor level of preparedness the public has in general. In addition, the state of hardware, software and training [that] our local regional institutions have, in terms of their ability to stand off cyberattacks. Hacking is one of the top problems in this area and it costs the world - let’s see, in terms of total cost - over a trillion dollars because you have to take into account hours lost work, et cetera and so forth.
Miller: You led with people, not with hardware and software. I’m curious why that is? Where are the gaps in terms of public awareness or public actions that enable these attacks to be successful?
Yeşilada: Well, social engineering is right now listed by many cybersecurity experts to be the number one threat in cybersecurity. And when we talk about cyber security, we usually look at where hacking takes place, which local government is shut down and things like that. However, we need to also consider the fact that over 80% of these problems are caused by human error. It starts with email. It starts with social media. The bad guys start befriending people, the ghost accounts and so forth. And once you gain the trust of a person or gain their mindset to agree with you, you can then have an entry into the workplace they’re at and you can get in through the back door. This happens a lot.
So the easiest thing, for example, password, keep changing your password. But people tend to use simple passwords and use them on multiple sites which makes them even more vulnerable. And the ability to find out if the email is genuine or not that you’re receiving from your bank, there are ways of checking this very simple, but most people don’t know these things. And even people who are experts, who should know better and have gone through security awareness training, keep making mistakes over and over again.
Miller: There are plenty of stories of various information or security services themselves getting hacked in the US and in other countries, the places that theoretically would be the most secure digital sites on earth. They too can be victims of attacks.
Yeşilada: Absolutely. That happens all the time. And this has gotten more complicated in the last three years with remote working. If you’re using your home computer and logging into your company or university network, are you using their VPN to make sure you’re going through a secure link? And a lot of people I ask questions about they say, oh, no, I never thought about that. And even when it is mandated, people get relaxed about it. And then of course, as this technology moves forward and we get more and more smart gadgets in our homes, the more vulnerable we tend to become.
Miller: Because we are creating more doors through which bad actors could enter?
Yeşilada: Absolutely.
Miller: My guess is that many people listening to us who work at least medium-sized, certainly larger employers, will at this point be familiar with some kinds of regular data security training. Those are sort of often employer-based trainings. But if you’re saying that that our biggest collective vulnerability remains humans, remains Oregonians in the state context, will your Center for Excellence be doing efforts to reach out to all of us or is it still in the end, going to, say, be up to the Curry County government to reach out to their own employees?
Yeşilada: Both. In our mandate, we are required to hold public awareness programs. This is going to take place in partnership with the private sector as well as federal agencies and state agencies. We’ll be holding public webinars, we’ll be holding panel discussions, we’ll be holding speaker series and we’re gonna be expanding this throughout the state. And at the same time, the center is mandated to become an information collection site for incident reporting and then sharing that with stakeholders. This will enable us, through different mechanisms, to work with local regional governments, anything that is listed as a public institution.
At the same time, we will be hearing of their needs through the advisory council of the new center whose appointed members are appointed by Governor Kotek. We are literally in the beginning stages of this center. We are hiring our staff currently working through that. I am the director. There are two associate directors, Professor Reza Rejaie at UO and Professor Rakesh Bobba at OSU. And we work collectively. We are constantly meeting, and we also meet with the state and we will be holding our first meeting with the advisory council on February 2nd.
The advisory council represents all areas of Oregon’s public agencies. Six members are appointed, they are non-voting members from the state agencies and the other 15 voting members represent local governments, regional governments, school districts and so forth. And they will be able to bring to us, their constituencies, their organizations or the people they represent, all the problems they are seeing. And as we look at these challenges which are growing every day, we will be able to collectively bring together our experts from the universities and also work with private and public partners to address the issues.
Miller: We just have about a minute and a half left but briefly, what are you going to be doing to increase the cybersecurity workforce in Oregon?
Yeşilada: Two ways. One is we will be assessing and assisting universities, community colleges and high schools in cybersecurity education programs. We will be holding meetings on that as well as trying to bring together collaborative efforts for educational institutions. At the same time, we will have nontraditional student certificate programs. There is one right now at PSU for local government, cybersecurity resilience that is funded from the federal government. Senators Wyden and Merkley provided us direct funding and it’s on resilience and it’s free of charge. We hope to expand these in collaboration with other schools. OIT is another site where this will take place and it will expand to other universities in different geographic regions of the state along with community colleges.
The vision for the workforce training for nontraditional strategies to have programs for different levels of target audiences. Some have no background, others have, let’s say, some training in cybersecurity but would like to get more training. So it’s a pretty expansive program with different ideas of providing expertise.
Miller: Birol Yeşilada, thanks very much.
Yeşilada: Thank you very much.
Miller: Birol Yeşilada is a professor in Portland State University’s Hatfield School of Government and the director of the new Cybersecurity Center of Excellence for the state.
Contact “Think Out Loud®”
If you’d like to comment on any of the topics in this show or suggest a topic of your own, please get in touch with us on Facebook, send an email to thinkoutloud@opb.org, or you can leave a voicemail for us at 503-293-1983. The call-in phone number during the noon hour is 888-665-5865.