Cyber Civil Defense Coalition Members Spotlight Free/Low-Cost Cybersecurity Tools and Services at Organization’s Anniversary Event
- info@onlinesafely.info
- May 31, 2024

Top Row (left to right): Aspen Digital’s Cyber Workforce and Education Senior Advisor Nicole Tisdale; Center for Long-Term Cybersecurity Executive Director Ann Cleaveland.
Bottom Row (left to right): The Shadowserver Foundation Alliance Director Tod Eberle; Global Cyber Alliance President and CEO Phil Reitinger; CyberPeace Institute Chief Strategy Officer Francesca Bosco.
During a Zoom event on May 29, 2024, that commemorated Cyber Civil Defense’s second anniversary, leaders from Consumer Reports, the Center for Long-Term Cybersecurity, the CyberPeace Institute, the Global Cyber Alliance, The Shadowserver Foundation and Aspen Digital, all organizations that are a part of Cyber Civil Defense, discussed consumer attitudes about cybersecurity and the free and/or low-cost tools and services they provide to monitor, detect, report and address cybersecurity issues for nonprofits, businesses, schools, universities, municipal governments, U.S. government and law enforcement agencies and hospitals.

Craig Newmark, founder of Craigslist and Craig Newmark Philanthropies.
Craigslist founder Craig Newmark, who started and funded the initiative with a $100 million commitment through Craig Newmark Philanthropies, made brief remarks at the online event, which was hosted by Craig Newmark Philanthropies (Newmark’s private foundation) and Aspen Digital, telling participants, “We got to do what we can to protect each other.” He also referenced World War II, when people defended and protected their families, homes, people and the country when it was under attack.
Full disclosure: The writer’s laptop computer screen froze around 32 minutes into the event and she missed about 13 minutes of the presentation.
Consumers and Cybersecurity Experts Think Differently
Stacey Higginbotham, policy fellow with Consumer Reports and former technology reporter, kicked off the gathering by sharing findings from the Cyber Readiness Review, an annual report that tracks Americans’ attitudes about cybersecurity, which the Global Cyber Alliance and Aspen Digital produced.
While cybersecurity experts are focused on preventing attacks and “locking down infrastructure” so hackers can’t shut down municipal water plants or insert ransomware into a hospital chain and grind its operations to a halt, and on insecure smart home products and botnets that take down critical infrastructure, consumers are concerned about feeling safe and protecting their data and privacy in the cloud and on their IoT home devices, according to Higginbotham. She referred to data from Parks Associates showing that U.S. homes with internet access had 17 connected devices as of September 2023.
“But what we've learned through our research at Consumer Reports is consumers don't think about cybersecurity that way. They think about it simply as security is feeling safe and they think mostly about their data, which is stored on millions of computers in the cloud or on smart home devices. And they wanna know that no one can use their smart home devices to spy on them or infiltrate their home network. Consumers want to protect their data….But to get consumers to take action, we have to make it easy for them and we have to give them a reason to want to do it,” Higginbotham said.
She cited passwords, “password services,” efforts from manufacturers to force consumers to change their passwords on their devices and multifactor authentication as easy methods consumers have adopted to protect their devices and privacy.
“We've seen that 87% of consumers have changed the default password on their router, probably because it's forced. 83% of consumers password-protect access to their phone using some kind of PIN or biometric. And that's also because it has become increasingly easy for them to do that. A little more than three-fourths of consumers — so that's 76% of us — are using multifactor authentication. We may not want to, but a lot of device companies and services are forcing it. And 67% of us are using different passwords across each of our services. This is an incredible win, and it has come because consumers or because manufacturers and governments have realized that to talk to consumers, they needed to make it easy and I would say unavoidable.
So forcing the change, making it easy by helping push things like password services. And you'll see with multifactor authentication data that consumers increasingly choose the easiest way to do it. And so we see with multifactor authentication, 82% of consumers choose SMS texting or some sort of text-based adoption. And they do that because they've got their phone right there where they're trying to log in. 50% will use a multifactor authentication app, which kudos to everybody else. And then usage drops off incredibly after that. 26% will do a verified phone call and only 6% will use a physical security key. So the key that we've learned from both password adoption and the way that consumers choose their multifactor authentication is that forcing it, understanding that consumers wanna protect their data and drawing a clear line between that data protection and a good password has helped,” Higginbotham stated.
The Consumer Reports Policy Fellow also shared that the U.S. Cyber Trust Mark program might help safeguard consumer devices and emphasized that it should be easy to implement for consumers and protect their data and privacy. Launched last year by the FCC, the “upcoming” voluntary program will enable qualified IoT manufacturers to label their devices with a Trust Mark logo, an indication they participated in a cybersecurity certification program to ensure their equipment is secure.
“So we did some research around what consumers want here. And with the Cyber Trust Mark program today, as it stands, it requires to obtain a mark, companies have to do about five cybersecurity things and they have to disclose how they handle passwords. They have to tell consumers how to securely configure the device. They have to disclose the update strategy. And give consumers a support timeframe that those updates will be given to them. So how long that their device will actually stay secure in their home. And then they need to let consumers know if it has a list of hardware or software used in the device like an SBOM or an HBOM. Now most consumers probably won't go that in depth. But what I think would add a lot of value to this program, those prior elements help prevent access and keep a device secure, which is a total win from a cybersecurity experts perspective.
From the consumer perspective, I think it's a little harder sell unless we start talking about protecting their data, which is something they care deeply about. We did research with consumers about this program and 67% of consumers that we interviewed about cyber labels named understanding who has access to their data as the top priority. That was followed by the length of time that the device will get security support. So yay. So I think what we can take away from this is that as we're building out this program and any other cybersecurity program designed to appeal to consumers that get them to adopt things that we need to focus on giving them ease of implementation and something that helps them draw a clear line between implementing the program and protecting their data, which is actually what consumers really want,” Higginbotham explained.
The Center for Long-Term Cybersecurity
Ann Cleaveland, executive director of the Center for Long-Term Cybersecurity at UC Berkeley and the co-chair and co-founder of the Consortium of Cybersecurity Clinics, discussed deploying university-based cybersecurity clinics that provide cybersecurity services to organizations that don’t have an IT or cybersecurity professional on staff like small businesses, small nonprofits and small critical infrastructure providers, including municipal governments.
“So, think of a clinic in a law school that provides pro bono legal defense to clients who can't afford representation. A cybersecurity clinic is that model just applied straight to cybersecurity. So our students and there are soon going to be over 30 cybersecurity clinics nationwide. So students in several dozen states are taking a class and providing cybersecurity services and assistance to organizations in their communities that otherwise wouldn't have access to these services. It's a win-win.
….it is a win-win because these critical organizations in our communities get cybersecurity services and then our students get that hands-on learning, which helps prepare them better for the workforce, puts real-world experience on their resumes and teaches them about cybersecurity for defending critical public infrastructure and community organizations. So we think this is a really exciting model. As I said, we now have a nationwide consortium of cybersecurity clinics that is even expanding internationally thanks in large part to Craig's support. And our goal is to have at least one university, college or community-based, community college-based cybersecurity clinic in every state in the country and the District of Columbia by 2030,” Cleaveland explained.
The Shadowserver Foundation
Tod Eberle, alliance director at The Shadowserver Foundation, shared that this nonprofit organization is the world’s largest provider of free quality cyber threat intelligence.
Through its staff at a data center in California, the Foundation collects massive amounts of cyber threat data through malware collection and analysis, scanning the internet 150 times a day, and other methods. The organization then shares this information free of charge with network owners who sign up for its daily reports.
“And these reports will tell network owners what we see from an external vantage point about their networks. And so therefore we're providing them with what their attack surface looks like to a cyber criminal. And so we can point out to network owners where we see exposed devices, unnecessarily exposed to the internet or misconfigured devices, vulnerabilities, vulnerable devices, compromised parts of the networks that need patched or cleaned up. So, we serve about 8,000 network owners around the world. And this is small, small networks with single IP addresses or single domain to large networks run by internet service providers and governments. We service every type of organization from local, state and federal governments, K through 12 school districts up to universities, non-profit organizations, critical infrastructure, hospitals.
We also provide that data every day to national CSIRTs in 175 countries. So national CSIRTs designated to be responsible for the networks of that particular country. So in the United States, for example, every day we provide our data to CISA, the Cybersecurity and Infrastructure Security Agency, which involves hundreds of millions of events that we're seeing every day. We also provide free assistance to law enforcement. And this is a benefit to the public because it means law enforcement agencies don't have to spend taxpayer money on technical assistance that they need for their investigations. And so earlier, just actually a few minutes ago (on May 29, 2024), it was announced that by Department of Justice, that Shadowserver was part of an investigation to take down one of the world's largest botnets with the support of the FBI, DOJ and other partners,” Eberle said.
The CyberPeace Institute
Francesca Bosco, chief strategy and partnerships officer at the CyberPeace Institute, discussed the organization’s CyberPeace Builders program, an international network of hundreds of corporate cybersecurity volunteers who help 283 nonprofits defend themselves in cyberspace.
“So thanks to this program, we also started seeing the increasing frequency and sophistication of cyber attacks. And nonprofits often being, I would say kind of like virtually blind to what goes on in their network as many other organizations. So within the Builders’ framework, we launched two specific services very recently to help them better protect themselves. For example, we partner with Cloudflare to block phishing actions. And as at the Institute, we basically we give a view on the ongoing campaigns. We are also able to alert the community into time. And for example, another example of like a collaboration with cybersecurity peace providers, like, for example, indicators of compromise. For example, with Microsoft, with BitSight and similar entities, we gather all the data that they have about nonprofits we support in one place.
So we are able to alert the nonprofits whenever they have, for example, the credential leaked or a vulnerability on a webpage and so on and so forth. The difference just with the, let's say with the alerting is that other than being free for the nonprofit, we're also able to use the volunteers mentioned in the CyberPeace Builders Program to help the nonprofit in order to address the situation. So not just to know about it. And often they feel helpless. So we actually provide the human resources to do it. And lastly, we are also leveraging AI for a variety of purposes, but specifically to improve both the matchmaking processes and drive up basically the volunteer engagement, ultimately increasing cybersecurity for nonprofits, but also for example, to train nonprofits, for example, I mean recently we helped with the help of AI, we are training nonprofits on how to negotiate ransoms,” Bosco stated.
The Global Cyber Alliance
The Global Cyber Alliance President and CEO Phil Reitinger talked about the Alliance's set of five cybersecurity toolkits for small businesses, individuals, elections officials, mission-based organizations and journalists that are designed to help people, using language that is accessible and easy to understand.
“We, a couple years ago, launched the first cybersecurity tools wiki, which is at act.globalcyberalliance.org, which now contains 2,500 tools that are designed to help people do the specific things they need to do, and are specifically designed to reach people in vulnerable communities. So, what are the tools that are needed by nonprofits? What are the tools that are needed by parents and families? And deliver them in a language that's usable to them. The other thing I'd say about that actionable cybersecurity tools wiki is it's all done on an open content license. So anybody is free to take the stuff that we've done and assemble and use it and putting together their own services, because this absolutely is a broad community effort that requires everybody to be involved,” said Reitinger.