Back in February, before the outbreak of COVID-19, the University of South Florida named former National Security Agency director and retired U.S. Navy Vice Admiral Michael McConnell as the new executive director of Cyber Florida, the state-funded organization housed at USF that works with the 12 schools in the State University System and private businesses to strengthen Florida’s cybersecurity sector through education, workforce development, research, and community outreach.
Recently, he spoke by phone with Christopher Curry of 83 Degrees about his vision for Cyber Florida, the state’s cybersecurity industry, and the increased risk to cybersecurity in the midst of coronavirus.
Below is Curry's Q&A with McConnell.
83D: You already know the Center very well, having served as the chair of its Board of Advisors. As the executive director, what are your top priorities and your plans for working to achieve them?
McConnell: The main thing is to take it to the next level. The mission is simple, cybersecurity education, which translates to a lot more people entering the field. When Cyber Florida started there weren’t any cybersecurity undergraduate degrees offered across the State University System. The academic process is very methodical, the wheels often turn slowly, so creating those degrees took some time going through accreditation and the Board of Governors.
When we did a survey a few years ago, we were producing 100, maybe 150 graduates. By comparison, the shortfall in Florida of skilled cybersecurity professionals was 24,000 or 25,000. Across the nation, it’s 500,000. So, if you do the math, we have to increase Florida’s output to around 5,000 graduates a year just to catch up.
The main thing we have to do is get all 12 universities in the State University System, as well as the state’s other universities and the two-year colleges, to be in the action. We have to increase degrees and enrollment.
Another priority is outreach. And that starts, quite frankly, as early as grade school and carries up through businesses. Because 80 percent of the problem could be eliminated with just good cyber hygiene. We have to start thinking of ways to reach K-12, not just universities. We need a broad reach. When you have a program like this, you have to increase your impact. You have to find a way to increase the funding available to enhance educational and outreach programs and initiatives. We’ve done some of that but we need to do more.
83D: Government agencies, political parties, and major corporations have all been hit by very large and well-publicized hacks in recent years. Talk about the vital role Cyber Florida can play in addressing those threats.
McConnell: A lot of people think cyber threat and they think of criminals because that’s what makes the news. But we have nation-states that are cyber threats. There’s Russian malware in the U.S. electrical grid today. The Chinese are taking intellectual capital to bring back to China, where the workforce is educated but receives much lower wages. So, they can produce products more cheaply than we can in the United States. The United States is a capitalist society. That means the free market. That means innovation.
Many of the devices we use and take for granted today didn’t exist just a few years ago. That was mostly innovation out of Silicon Valley and other places where good ideas met investment capital. The Chinese for years, since the ’80s, have wanted to capture that intellectual capital. They have learned it is relatively easy through cyber means. So, we have nation-state cyber issues.
We have an innovation, intellectual property protection issue and we are woefully short across the nation in the skilled people who can protect it. We have to move from months to seconds in detecting these things. It is a national issue of strategic importance and we have not yet as a nation focused on it as we have on other issues of this magnitude.
83D: The cybersecurity industry is growing across Florida and in Tampa Bay specifically. How do you see the center helping to continue and expand on that growth?
McConnell: The main thing is if we can get Florida universities to produce more graduates with these skills, more businesses will be attracted to this area. The ones that are here already, and there are a number of them, including large banks and other institutions, have their data centers here. They need more people.
I was in the cybersecurity business at the federal level before I retired and the competition for talent was unbelievable. The vendors and contractors who did that work for the government were constantly fighting over skilled people. It’s economics 101, supply and demand. There’s huge demand, there’s a limited supply.
So, what happens? Salaries increase. People move around. We just have to increase the number of skilled people to fill the void. That would benefit not only the Tampa Bay Area but the state. Tampa is particularly attractive. The international airport is a great infrastructure. You have supportive city management and the presence of the University of South Florida. It’s a hub that can support not only the local area but, through education and research, can support the whole state.
83D: You already had an established connection with USF as the chair of Cyber Florida’s Board of Advisors and the recipient of an honorary degree. How impressed are you with the way this university has built its academic and research profile in recent years and how do you feel its status as the home base of this center has contributed to that? How do you see it increasing the university’s statewide and national profile moving forward?
McConnell: It was founded in 1956, which is not long ago for a university. Early on, the focus was on building up a campus and getting established. It’s now ranked 44th nationally among public universities, which I would call rapid progress. The endowment is building. The alumni are contributing. It’s been incredible progress in a very short period of time and the pace is picking up. Momentum is picking up. There are a lot of people engaged. I’m very encouraged that the University of South Florida and, more broadly, the Tampa area are on an upward trajectory.
Probably the University of South Florida has grown in standing and stature as much as any institution in the country. The new president [Steven C. Currall] who came in 2019 is very aggressive in addressing the growth, standing, and stature, particularly in academic research. I know one of his goals is to become a member of the Association of American Universities (AAU).
In Florida now, there is only one AAU university and that is the University of Florida [in Gainesville]. We want to work to get USF into that group. The reason is research funding. There are 65 AAU universities, MIT, Harvard, Stanford, who you’d expect, and they get 60 percent of the federal funding. So, we want to become a member of the AAU and increase the interest from the federal level in cybersecurity research.
83D: A lot more people are working remotely because of the coronavirus outbreak. Please talk about that from a cybersecurity perspective.
McConnell: I was in the military 30 years, worked for the federal government and then became a contractor for the federal government. As the capability to work remotely grew, some supervisors were reluctant to let go. Culturally they want to see the worker in his or her seat, doing their job. In the military, the phrase was iron majors. A younger military member sees something that needs to change, leadership agrees with it, but the iron major resists. There’s been a little bit of that with working remotely. I think this coronavirus is going to cause so many people to work remotely that holdouts will see the capability.
But it’s also going to create incredible vulnerabilities. We’re a society of services. If most of those services start to be delivered from home through remote networks, there’s going to have to be a better understanding of cybersecurity threats to build a more secure cyber posture. I look at the example of the Target breach of 2013. That compromise hit the accounts of roughly one-third of the country, over 100 million customers. They got into the system through the heating and air conditioning vendor that was connected to the network and then worked their way through the network.
You have to look at that lesson with a broad number of people working at home. If you’re an attacker, you only have to find one way in. If you’re a defender, you have to block every way in. So, it’s going to increase the need and the pressure for enhanced cybersecurity as we work more remotely.
83D: NASA recently sent out a memo to employees that nation-states and cybercriminals are using the increase in remote work during the coronavirus outbreak to ramp up attacks on that agency and other federal employees. There are also reports that cybercriminals as well as Russia, North Korea, and China are using phishing emails to try and access the business network. How significant a risk is this for national security as well as for private businesses?
McConnell: The risk is significant for individuals, businesses, and national security. The thirst for information concerning COVID-19, coupled with millions of relatively novice users, has created a perfect storm for cybercrime. From a national security standpoint, plenty of government employees are working remotely for the first time. It’s already been reported that a House Oversight Committee hearing on April 3 was “Zoom-bombed” three times. The unfortunate reality is that many organizations simply were unprepared to convert operations this quickly on so many fronts, and that leaves gaps for cybercriminals to exploit.
83D: Many private-sector workers are working remotely, households are increasingly shopping and banking online, and students from kindergarten through college are taking classes online now, often with parents playing the dual role of teacher and cybersecurity person. What threats do people working, making financial transactions, or going to school online now need to look out for and what do they need to do to protect themselves?
McConnell: Right now, cybercriminals are using people’s desire for COVID-19 information and relief, as in fake test appointments, stimulus check status, even unemployment claim assistance, against them. There are fake apps, fake websites, phishing emails, text messages -- you name it -- all claiming to address some aspect of this epidemic as a ploy to steal information. Be suspicious of any online communications related to COVID-19.
To help people better navigate these challenges, Cyber Florida has launched an online threat advisory center, at cyberflorida.org/cac, that provides both technical threat advisories and non-technical safety bulletins warning citizens of specific types of scams and what to do to stay safer. You can also follow Cyber Florida on Facebook, Twitter, and Instagram, where we share our non-technical safety bulletins as well.
My first piece of advice is to navigate directly to only trusted sources of information. Don’t click on links or open attachments.
Next, only conduct financial transactions with known retailers and institutions. When conducting financial transactions, use a credit card rather than your debit card or bank account information whenever possible and look in the address bar to ensure the website is using basic security protocols. A small padlock in the address bar accompanied by the URL beginning with https rather than just http indicates that the website is more secure. Retailers should not be asking for your social security number or anything beyond the details needed to make the purchase.
Third, use strong, unique passwords for each site and service. That way, if cybercriminals do infiltrate one account, they cannot access other accounts by using the same password. Consider using a password manager program, such as LastPass, to help generate and remember strong, unique passwords.
Fourth, if you are hosting a video teleconference meeting, use the password protection option to ensure only invitees can access the meeting. For many platforms, you can also set a “waiting room” feature that allows the host to approve attendees before they can access the meeting.
Finally, change the default password on your WiFi router (find instructions on the manufacturer’s website), and use a Virtual Private Network (VPN), which encrypts data as it travels from one device to another. Many employers provide remote employees with VPN software, or you can purchase a subscription for yourself.
83D: People are rightfully nervous and bad actors appear to be taking advantage of that by setting up bogus coronavirus websites and sending out malicious emails purporting to contain coronavirus-related information. What are the warning signs we need to look for to spot those threats?
McConnell: Some warning signs include:
- Poor spelling and grammar and/or unusual phrasing. Many of these scams originate outside of the U.S. by nonnative English speakers.
- Mismatched addresses and links. Use your computer’s cursor to ‘hover’ over the name of the person or organization claiming to have originated the email. … that will reveal the actual identity and/or email of the originator, and, if it does not match the one claimed by the email, DO NOT respond.
- Don’t fall for the urgency. Scammers create a sense of urgency to get you to click on links without first investigating their legitimacy. Beware of any communications that say you “must” do something or threaten legal action or financial loss. In the case of COVID-19, beware of any communication that says you or someone you know may have been exposed and requires you to provide personal information and/or click a link or open an attachment to learn more or take action.
- Be suspicious of any unsolicited email, texts, and phone calls, especially if they relate to COVID-19. Stick with trusted sources of information and navigate to websites separately from emails and texts.
Responses have been edited for length and clarity. For more information, visit Cyber Florida.