Global Cyber Resilience: Lessons from Former White House and CISA Leader Jeff Greene
October 8, 2025
Wednesday 1:00 p.m.-2:00 p.m. ET
Jeff Greene, former Assistant Executive Director for Cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA), former Chief of Cyber Response and Policy on the National Security Council, Distinguished Fellow at the Aspen Institute and Founder of Salty Coffee Consulting, joined us to provide an insider’s view of today’s evolving cyber threat landscape. Drawing from his extensive government and private sector experience, Greene explored how public-private partnerships strengthen critical infrastructure protection, highlighted emerging threat actors, discussed the latest cybercrime tactics and shared practical strategies businesses can implement to enhance their cyber resilience. Check out the conversation to gain actionable insights from a seasoned expert who has helped shape national cybersecurity policy and learn how to better protect your organization in an increasingly complex digital environment.
This Cyber: Prepare, Prevent, Mitigate, Restore® webinar is part of the Travelers Institute’s ongoing commitment to promoting cybersecurity education among small and mid-sized businesses and organizations, and is proudly presented as part of the Travelers Institute’s Small Business – Big Opportunity® initiative, helping business owners become better equipped to manage risk.
Please note: Due to the nature of the replays, survey and chat features mentioned in the webinar recordings below are no longer active.
(SPEECH)
[MUSIC PLAYING]
(DESCRIPTION)
SLIDE. Text: Wednesdays with Woodward (registered trademark) Webinar Series. The logo appears on a laptop screen sitting on a desk next to a red mug with the Travelers umbrella logo on it in white. Logos: Travelers Institute (registered trademark), Travelers.
Jessica Kearney speaks to us in the corner of the slide from her office.
(SPEECH)
JESSICA KEARNEY: Good afternoon and thank you for joining us. My name is Jessica Kearney, and I'm Vice President for Public Policy here at the Travelers Institute, standing in for our host today, Joan Woodward. Welcome to our webinar series. We're so glad you're here with us today.
(DESCRIPTION)
SLIDE: About Travelers Institute (registered trademark) Webinars. The Wednesdays with Woodward (registered trademark) educational webinar series is presented by the Travelers Institute, the public policy division of Travelers. This program is offered for informational and educational purposes only. You should consult with your financial, legal, insurance or other advisors about any practices suggested by this program. Please note that this session is being recorded and may be used as Travelers deems appropriate. Logos: Travelers Institute (registered trademark), Travelers.
(SPEECH)
Before we get started, I'd like to share our disclaimer about today's program.
(DESCRIPTION)
SLIDE: Text: Wednesdays with Woodward (registered trademark) Webinar Series. Global Cyber Resilience: Lessons from Former White House and CISA Leader Jeff Greene. Logos: Travelers Institute (registered trademark), Travelers. Master’s in Financial Technology (FinTech) Program at the University of Connecticut School of Business. MetroHartford Alliance. American Property Casualty Insurance Association, (APCIA). Insurance Association of Connecticut, (IAC). University of South Carolina Darla Moore School of Business. Big I, (Independent Insurance Agents & Brokers of America). National African American Insurance Association, (NAAIA).
(SPEECH)
I'd also, as always, like to thank our wonderful program partners who helped make this possible and join and promote to their members and networks and students. We have the Master's in FinTech Program at the University of Connecticut School of Business, NAAIA or the National African American Insurance Association, the MetroHartford Alliance, the Risk and Uncertainty Management Center at the Darla Moore School of Business, the Independent Insurance Agents and Brokers of America, or the Big "I," the American Property Casualty Insurance Association, APCIA, and the Insurance Association of Connecticut. Welcome to all of you and your members.
(DESCRIPTION)
SLIDE. Logo: Cyber (registered trademark): Prepare, Prevent, Mitigate, Restore. Travelers Institute (registered trademark), Travelers. Text: Since 2016, the Travelers Institute has hosted 73 cybersecurity education programs. 13 Webinars, 60 In-person events, 42 Cities.
(SPEECH)
OK, let's get started. So today, we're going all in on cybersecurity. And as you might know, October is Cybersecurity Awareness Month, and I am very proud to say that here at the Travelers Institute our cybersecurity education extends all year round. So, thank you for those of you who've joined us in the past and earlier through the year. Through our event series that we call Cyber: Prepare, Prevent, Mitigate, Restore, we help small and midsize businesses, as well as public sector organizations improve their cyber readiness. And that will be the theme of today, as well as getting a real update on where we stand with the state of cybersecurity.
We launched this series in 2016. And today, I'm proud to say this marks our 73rd program, reaching tens of thousands of participants along the way, both in person and virtually. Throughout this initiative, we've made it a keystone to collaborate with government agencies who are tasked with defending our nation from cyberthreats. One of those agencies is the Cybersecurity and Infrastructure Security Agency, or CISA, a relatively new agency under the U.S. Department of Homeland Security.
(DESCRIPTION)
SLIDE. Text: Speaker. A smiling photo of Jeff Greene. Text: Jeff Greene: Former Assistant Executive Director for Cybersecurity, Cybersecurity and Infrastructure Security Agency (CISA); Former Chief of Cyber Response and Policy, National Security Council; Distinguished Fellow, Aspen Institute; Founder, Salty Coffee Consulting.
(SPEECH)
With that, I am honored to introduce today's speaker, who has held top leadership positions at both CISA and in the White House on the National Security Council. Jeff Greene is the former Assistant Executive Director for Cybersecurity at CISA. He is the former Chief of Cyber Response and Policy on the National Security Council and a distinguished fellow at the Aspen Institute. And we'll get to hear more about what he's up to these days as well.
He has led the development of cybersecurity policy at the highest levels of our federal government, and he's here to share all of that information with us today and insights from his unique vantage point. He's been instrumental in constructing U.S. cyber defenses against nation-state actors and has helped improve the cyber resilience of critical infrastructure here in the United States. We'll start out with a presentation from Jeff, and then I'll join on the other side for a discussion, and importantly, to take your questions. We've gotten literally hundreds of questions in already. Jeff, welcome so much to the program. I'm pleased to turn the floor over to you. Take it away.
JEFF GREENE:
(DESCRIPTION)
SLIDE: A photo shows a view of bridge suspension cables from below. Text: Cyber Threat Landscape 2025. Jeff Greene. www.cybershorthanded.substack.com/. Jeff now speaks to us from the corner of the slide, seated in front of a blurred background.
(SPEECH)
Great. Thanks, Jessica. Thanks, everyone for joining today. I really appreciate the opportunity. I'm going to open a bit by talking about the cyberthreat landscape.
(DESCRIPTION)
SLIDE. Text: Adversaries: nation states, criminal gangs, nation states that act as criminal gangs, criminal gangs that may act on behalf of nation states, activist groups.
(SPEECH)
First, who are the adversaries? We're looking at they're obviously nation-states out there. There are criminal gangs. That's what you see with a lot of ransomware and other extortion attacks. Nation-states that act as criminal gangs, and sometimes you have criminal gangs that can act on behalf of the nation-states.
It's not always easy to know who is acting on a certain-- why they're doing something, whether it is, in fact, a criminal gang that's being directed, or as I said, sometimes you'll have nation-states that will masquerade as a criminal gang to try to hide who they are. So you also, unfortunately, do have some activist groups that are out there that can use cyber to try to gain either publicity for their campaigns, funding or other events.
Criminals can also have a pretty significant impact on our national security space. If you think back to 2021, that summer, there were a couple of big ransomware incidents. I think the one that folks probably remember the best was Colonial Pipeline in the mid-spring that year that shut down a pipeline that served most of the East Coast. But another one we dealt with in the White House a few weeks later, around Fourth of July, was JBS Foods. That created some stress about whether people were going to get their hot dogs and hamburgers for the Fourth of July and what it was going to cost.
So while in the government, we are primarily focused on the nation-states, we're very much aware that these criminal gangs can have a big impact on our national and economic security as well. I think for many of you on the phone, you're probably mostly going to be dealing with criminal gangs, whether through business email compromise, ransomware or other extortion activities, but I encourage you to think also about the potential a nation-state activity could have on some of your customers and clients. I'll get into that a little bit.
(DESCRIPTION)
SLIDE. The "Big Four": Russia, China, Iran, North Korea. The flags of the four countries are shown.
(SPEECH)
When we talk about nations, the “Big Four” is the way we talk about it. We have Russia, China, Iran and DPRK, North Korea. So starting with Russia, Russia historically was seen as one of the most sophisticated cyber adversaries out there. They were very stealthy, very effective, focused on both espionage and disruption. And when I talk about disruption, I mean the ability to break physical things, to stop machinery, to change settings and devices in the real world. Russia was very active in both of those fronts.
Since their invasion, the full-scale invasion of Ukraine, they've been very focused on that conflict. So we haven't seen as much activity, but you still need to think about them, particularly in the espionage. In the lead-up to the war, I was in the White House, and we were extremely concerned about the potential for Russian disruption of critical infrastructure in the West if we ended up in a war and sanctioning them. So their capabilities are pretty significant.
Iran is historically less sophisticated, but two things. No. 1, they are getting much better with their effort. They've put a lot of money into it over the past 10 to 20 years and have improved dramatically. But one important thing to think about in cyber is you don't have to be that good to create significant problems. If you think back about 10 or so years ago, there were denial-of-service attacks on many major U.S. banks, which were thought to be an Iranian retaliation against a reported U.S. and Israeli activity against Iranian nuclear facilities. That was unsophisticated, but it was very effective.
One thing I like to say in cyber, there's a saying that we don't want to be fighting the last war. Unfortunately, in cybersecurity, we need to continue fighting the last war because the vulnerabilities that our adversaries can exploit persist. So we need to fight both the last war and the next war at the same time.
The DPRK, North Korea, is largely focused on stealing money. That's a lot of what they do-- not all of it. They do have some espionage and disruption activity regionally, but primarily they are a nation-state that acts as a criminal gang through ransomware and other scams designed to fund their weapons program. One of the least known but big moneymaker for them is fake IT worker scams, where they will place workers in companies and collect their salaries, and also gives them the capacity to conduct disruptive or ransomware attacks there if they want.
But I'm going to spend most of my time drilling down on China, the PRC. Historically, they were thought to be very active, but also very noisy, relatively easy for defenders to detect. In the past five to 10 years, they have improved dramatically. We talk about them as a near-peer adversary. They are very quiet. They also have an enormous operation, dwarfs anything we have in the West. It's hard for us sometimes to get our mind around it.
They also have a very significant pipeline for training new cyber operators, both in the military and elsewhere. I saw an article a couple of weeks ago, the top 10 research universities in the world. There's Harvard, and then there are nine in China. So they have a pretty strong capacity to train new experts. The Chinese are active in both disruption and in espionage.
(DESCRIPTION)
SLIDE: Text: Joint Cybersecurity Advisory. TLP: Clear. Product ID: AA24-038A. February 7, 2024. Co-Authored by: Logos: CISA, NSA, E.P.A., TSA, Australian Government, Australian Signals Directorate, Communications Security Establishment, Canadian Centre for Cyber Security, National Cyber Security Centre, a part of GCHQ. Below is a photo of a dock with semi-trucks, and a ship loaded with shipping containers. An airplane flies above. Text: PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure.
(SPEECH)
So, I'm going to bring up first-- talk a little bit about disruption.
This is a campaign that CISA and our partners in the U.S. government and around the world first reported on in early 2023. This is the banner of the advisory we put out. But there's been a lot of reporting since then. Generally, this is referred to as Volt Typhoon. That is a Microsoft label that kind of stuck. So we in the government ended up using it, even though we had our own descriptors of what these folks were doing.
They have burrowed deeply into critical infrastructure across the United States and have the capability to launch destructive cyberattacks at their time of their choosing. Our belief is it would be in the run-up to a conflict. In the Director of National Intelligence Threat Assessment in 2023 and 2024, she described the "why," and I'm quoting here. "These attacks would be designed to deter U.S. military action by impeding U.S. decision-making, inducing societal panic and interfering with the deployment of U.S. forces."
If you think back to the Colonial Pipeline incident I talked about, in that summer, there were runs on gas stations, even though the pipeline and the government and everyone else was saying, we will not have a gas shortage. Ultimately, we did, but it was caused by panic, not by a problem with the pipeline. There were videos and images of people filling garbage bags with gasoline, which is obviously incredibly unsafe, which led to public service announcements saying, don't put your gasoline in a trash bag, but it happened. So our adversaries see that, and they understand how they can use cyber effects operations to create panic among the U.S. population.
When I was at CISA, we found and eliminated this threat actor Volt Typhoon in a variety of different sectors, including aviation, energy, water, telecommunications. So you can draw from that, the type of disruption they could have caused. They take advantage of devices that are widely used and, unfortunately, are deeply insecure to gain access to their targets. Because of this, and because of other information, we have high confidence that what we found is just the tip of the iceberg. And moreover, we have very low confidence about whether we can keep the adversary out of these systems if they make a really diligent effort to get back in.
So once they get on, they use techniques where they're basically taking advantage of tools that are on these systems, so they look like normal users. It's incredibly hard to find them, and it's easy for them to hide and go silent. As I said, we have found them in a variety of places and have come up with techniques, but they're always evolving. What concerned us the most about Volt Typhoon, though, is the targets that they were going after. These were operations that had no value from an intelligence collection standpoint.
The only reason that you would take over or pre-position on these systems is so you can cause disruption when you want to do it, and that was particularly worrisome. That was new to us and what led to a fairly robust government response to it. But the Chinese are also pretty actively engaged in espionage. What I put up here is an advisory that came out late last year from a group, also the Microsoft name known as Salt Typhoon.
(DESCRIPTION)
SLIDE: Text: Joint Cybersecurity Advisory. TLP: Clear. 25 seals and logos appear below, including: CISA, NSA, E.P.A., TSA, Australian Government, Australian Signals Directorate, Communications Security Establishment, Canadian Centre for Cyber Security, National Cyber Security Centre, a part of GCHQ, NUKIB, S.U.P.O., and BND. Text: Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System. Executive summary.
People’s Republic of China (PRC) state-sponsored cyberthreat actors are targeting networks globally, including, but not limited to, telecommunications, government, transportation, lodging and military infrastructure networks. While these actors focus on large backbone routers of major telecommunications providers, as well as provider edge (PE) and customer edge (CE) routers, they also leverage compromised devices and trusted connections to pivot into other networks. These actors often modify routers to maintain persistent, long-term access to networks. This activity partially overlaps with cyberthreat actor reporting by the cybersecurity industry—commonly referred to as Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor, among others. The authoring agencies are not adopting a particular commercial naming convention and hereafter refer to those responsible for
(SPEECH)
Salt Typhoon compromised some of the major wireless providers in the United States and were able to get on their networks in a place where they could collect data on the activity of millions of different devices-- phones, iPads, tablets, etc. And if they could correlate device to a person, they were in a place where they could actually collect data as it transited to and from that device. So if you were not using encrypted communications, and if you were one of the few people targeted, they could collect off of your phone.
They also broke into the back end of some of the systems that the providers used for cooperating with law enforcement when they're served with subpoenas or other information and were able to steal a fair amount of data from there. This was particularly illuminating for me. We started to get hints of something going on when I was at CISA, and it was terrifying but educational to see how our understanding of a campaign this significant evolved. It was literally changing hour by hour as we got different breadcrumbs and worked with different partners. But it was also really rewarding to see how government worked across agencies.
At CISA, we're regularly in touch with the intelligence components, with FBI, with others, and we really teamed up to take advantage of what resources each agency and what relationships each agency had. There was none of the territoriality that I had seen in government when I was in the Hill 10 to 15 years ago. The partnership with the private sector was also particularly good in a few cases. Verizon in particular deserves an enormous amount of credit. They were a victim, but they were also incredibly forward leaning in helping the government to understand what was going on and to respond to it.
(DESCRIPTION)
SLIDE: Text: Secure by Design. It's time to build cybersecurity into the design and manufacture of technology products. https://www.cisa.org/securebydesign.
(SPEECH)
So this brings me to the question of, what can we all do? How do we make ourselves more secure? And starting with at the corporate level, at the top level, we need to start by improving our technology. We have to expect more out of the technology we use. I think back to a conference I went to when I first started on cybersecurity about 15 years ago, and not because of anything I learned there, but because of a T-shirt I saw somebody wearing, and it said, there's no patch for a stupid user.
I thought that was really funny. And I came back and I told all my colleagues about it, and I still think it's a little funny. But as I got into this, I realized that that concept, that mindset is coming at this problem entirely backward. The problem isn't that people are going to click on a link or open a document or do whatever. All of us will do that. There have been con games from the beginning of time. The problem is that we are relying every day and in every possible way on software and hardware and technology that was built with flaws that allow bad actors to take these very human mistakes and turn them into these broad compromises and steal someone's life savings, or breach a corporate network or disrupt the water, the transportation, aviation I talked about, or steal our national security secrets.
It's like we're buying cars that have known but undiscovered deadly defects. And we know that the manufacturer may or may not fix it, depending upon how their quarter has gone. We would never accept that with machinery or technology, but we've come to accept it with software, and we need to get past that. So when I was at CISA, we were pushing this Secure by Design initiative.
I'm really pleased that this web page is still up. The new administration has, if not using the same words, has been pushing this concern about insecure devices. It is the foundational way that we can get ourselves more safe. And what we were really asking vendors to do is build in some basic security into the things they're building, things that we have known for decades will prevent intrusions. There's a class of defects that have been labeled the unforgivable vulnerabilities. That term is 20 years old. And you still see those vulnerabilities being shipped in new products today.
So, as I said, the new administration is still going forward with Secure by Design, and I hope you all will get behind that as best you can, whether with your vendors or even with your policymakers, letting them know that this matters. But individuals can also be part of this. So, one thing I like to close with is letting people know what they can do to make themselves more secure.
(DESCRIPTION)
A cartoon shows a man with a fearful expression running, being chased by a bear. Text: You don't have to be faster than the bear.
(SPEECH)
There are things you can do in your personal life.
Most of us will never be targeted by a nation-state. So if you do the basics in security, if you patch and update your software, if you use a VPN, if you have some type of security suite, if you're careful about links you click on, a little bit of healthy skepticism, you can make yourself secure against 99% of the bad guys out there. Because the old saying is, if you're being chased by a bear, you don't have to be faster than the bear-- you just have to be faster than the next person.
(DESCRIPTION)
A smiling man is added to the cartoon, running in front of the first man. Text: You just have to be faster than the next person.
(SPEECH)
If you do these things, you will be locking your doors. So when the criminals going down the digital street, they'll knock on your door. It's locked, and they'll go to your neighbor. And so I want to end with that point that don't take from anything I've said that things are helpless or hopeless. You can secure both yourself and your organizations. Things like what we're doing today, Travelers Institute for putting this on, are the way that we can all improve a bit. But thanks again. I look forward to conversation and any questions you all might have.
(DESCRIPTION)
A split screen shows both Jessica and Jeff side by side, each seated in their own spaces.
(SPEECH)
JESSICA KEARNEY: Jeff, thank you so much for that opening presentation. I think absolutely set the serious tone of the conversation today and the things at hand. And certainly, you talk about all the different sectors you named: aviation, energy, water, telecoms, all those things that intersect with our U.S. critical infrastructure. But I also appreciate your last point just on not all is hopeless. There's things that we all can do, and I know we'll dig into that in the hour ahead on this program.
I also appreciate the callout for the bright spot of the private sector collaboration and appreciate everyone dialing in today to do their part from their respective organizations as well. So Jeff, just off the top here, I mentioned your impressive and extensive experience across the federal government and beyond. But I feel like even in those few words, we’ll probably only scratch the surface, and I'm wondering if you can help share with our audience a little bit more about your background and where your career started in cybersecurity to give us a little bit more of a color of where you've come from.
JEFF GREENE: Sure. I was actually on the Hill working-- I was a lawyer. And then I ended up in government working on the Hurricane Katrina investigation, 2005. And I migrated to a few different jobs where I was focused on counterterrorism and homeland defense. And in 2009, really randomly, one of my colleagues asked if I could help out on one small piece of a cyber bill, because I was a lawyer, and they needed a lawyer. And within a month, I had transitioned all of my other issues away, and I was working cybersecurity full time.
So it was an interesting time. In 2009, cybersecurity was very important from a security standpoint, but not well understood in really the government or the private sector. So I still feel like a newbie to this when I work with people like Rob Joyce, my old boss Anne Neuberger and others. But I've seen the evolution of this from a back-burner issue to a front-burner national and economic security issue.
The one little anecdote I'll say in terms of how much this changed, the legislation I was working on in 2010 through 2012 would have created an organization like CISA. But the big debate we had was, should it be a cybersecurity-only agency, or should it be cybersecurity and physical infrastructure? We landed on just cybersecurity because if it was combined with the physical side, no one would care about cyber because no one wants to think about it. Today, CISA has both a cyber and physical mission, but very few people, if they know of CISA, even know that there's a physical security mission either. So we've come complete, full circle just in that time.
JESSICA KEARNEY: Actually, on that on CISA, and I gave a brief overview in my opening comments. But I know from the Travelers Institute side, and we've hosted cybersecurity education programs all across the country, and we at every program invite a local CISA representative to talk about their capabilities and how they partner with business. I'm wondering, oftentimes, we will go and see businesses in the area who haven't heard of CISA yet. So I'm just wondering if for our audience, you might take one minute and give a little bit of a history of CISA and their mission.
JEFF GREENE: Sure. So CISA as an organization stood up in November of 2018, bipartisan legislation signed by Trump during his first term in office. It took parts of cybersecurity offices that were already in DHS, consolidated them and created the way we refer to it as an operational agency. Before that, the Office of Cybersecurity, and I will spare you the acronym, sat near the front office of DHS. It lacked the ability to work as directly with the private sector and with other agencies.
They had that effort, but it was not the same. So it stood up. And where CISA differs from other federal agencies, who are equally important and very essential to our national security in cyberspace, is that CISA is team defense. The only mission that CISA has is defending either federal networks, or assisting in defense of critical infrastructure, or helping companies and developers understand their vulnerabilities. That is what CISA's mission is.
So we have a lot of different divisions, but the big ones that stick out for this call, one is defending Federal Civilian Executive Branch, the FCEB. Every agency is in charge of their own defense, but CISA provides resources, funding and an overwatch, which since the SolarWinds attack in 2020 has become very sophisticated. When I was there, I was seeing us detect and prevent sophisticated nation-state intrusions that we would have missed two and three years before.
For the benefit of the folks on this call and your customers and clients, CISA has a regional workforce of both protective security advisors and cybersecurity advisors. And they can assist organizations with improving their own security, understanding the threat landscape. Sometimes they will be out knocking on your door. We have the capacity to sometimes see ransomware. I keep saying "we." I mean CISA. I guess old habits die hard-- often are able to see ransomware attacks as they're beginning or evolving.
And the hardest thing is not to stop them. It's to get someone at these companies or organizations to trust us and even to pick up the phone sometimes. But by the time I left, we had stopped in the thousands of ransomware attacks. Some were on the verge of launching. Some were just beginning their efforts.
JESSICA KEARNEY: Well, I know when we have the regional cybersecurity advisors through CISA at our programs, always one of the biggest takeaways we hear in attendee feedback is, I'm so thankful to have met in person somebody at CISA that I can now call or reach out to and ask questions. You do tabletop exercises, all of that. So we saw that very much on our end as well. So you mentioned your time in the White House and National Security Council at CISA, what's it like getting the call to serve your country, really at the highest levels on an issue like this, at a moment when cyber is at the forefront of national security?
JEFF GREENE: I mean, for me, the first thing that happens is the imposter syndrome kicks in. My assumption is that they can-- there's someone who can do it better, and they can find someone who's better, but you get past that. I used to joke I would never hire anyone who didn't have a bit of imposter syndrome. But it was very humbling when I went to the White House in February of 2021. So I was a career employee at NIST, the National Institute of Standards and Technology. And I was detailed down, so a fully career role.
Never imagined that we would be working on something like preparing for a ground war in Europe. And then fast forward to when I went to CISA, the idea of stepping in to manage this division of 1,200 people on the day-to-day was both terrifying and exciting. And I had really come in the years I'd been in the White House and after to appreciate not the top-level work that CISA did, but the kind of stuff you're talking about, the limited, the small engagements, either with a small agency in the federal government or with companies across the country.
When we started preparing for the Russian invasion of Ukraine, we were extremely worried about-- very credibly worried about the possibility that Russia might try to sabotage critical infrastructure in the U.S. We worked with companies-- CISA really led that charge. In the White House we were the encourager, but CISA did the work with FBI, with individual agencies, EPA, etc. But what we saw was companies and agencies coming together to do things that years before they would have said, not that they would not do, but they could not do. Suddenly when there was a very real threat, the barriers came down.
We dramatically improved security, and we did not see any Russian efforts to go after our critical infrastructure, even after the sanctions went in place. And I believe that part of that was because they weren't sure what was going to work because we had done such an effective and public job in pushing our security levels up. But yeah, I mean, it was-- I still kind of-- hard to believe that I was there doing these things, but it was the honor and privilege of a lifetime. I would go back into government in a heartbeat.
JESSICA KEARNEY: Thank you for sharing that with us. And the imposter syndrome, I think we talk a lot about leadership and management on our programs as well. So
(DESCRIPTION)
They both smile.
(SPEECH)
that's a really insightful window. And so you just mentioned some of the really critical work that was happening during your time in these positions. Clearly, we're all seeing cyber in the headlines day in and day out. And you mentioned some of that in your opening presentation. Could you go a little bit deeper on some of those instances from your work at the White House and with CISA that still really resonate with you?
JEFF GREENE: Yeah, the thing that I always try to stress to people-- well, two things, one, where I ended, which is you at an individual level, for yourself and for whatever organization you work for, have the ability to influence and improve the security of yourself and your organization. So never think it's too hard or you can't do it. And that kind of leads to the first thing is that the movies and TV has created this image of the hooded hacker sitting at a computer typing away with someone else on the other end, sometimes countering it.
There is technology involved in a good exploit, but there is often at least as much, if not more, psychology. So, it is the human element of these compromises. So what we are seeing evolve is often how the criminals and other adversaries are going to trick someone into doing something they would not otherwise be able to do, as opposed to come up with some new novel effort on how to hack. When I talked about the unforgivable vulnerabilities, the reason those still work often is because you're able to get a human to download a piece of software, click on a link, go to a web browser.
The caveat, though, the one thing I need to amend, and I have been amending how I talk about this, because this effort that I talked about with Volt Typhoon, I didn't use these words, but the edge devices, these routers that-- and you can look at CISA's website to see the alerts for the different companies that have manufactured these devices and look at what we've done across the federal government. That is the more classic television hacking, in the sense that they don't actually need to trick a human.
Some of these devices, we believe that our adversary knows how these things work and were built better than the people who designed them. So they know where all the flaws are. So every time we find and patch one, they can go to another one. And what they're effectively doing is just logging in using usernames and passwords that are out there. They're not having to trick people. That isn't a different and much harder problem to solve. We get at that through the Secure by Design.
So interestingly, as I think about your question, the evolution I've seen is to some degree, moving back towards the stereotypical TV and movie version of how these attacks are happening. And that's what we need to get at long term. And the only thing we as individuals can do is demand better from our policymakers and from our manufacturers.
JESSICA KEARNEY: Is there anything-- just kind of following up on that devices piece of what you said, is there anything that consumers can do when they're purchasing these devices in terms of knowing what to purchase or the level of safety?
JEFF GREENE: Yeah. If you can do a little bit of research, and here's where if you use AI, ChatGPT effectively and intelligently, you can make good use of it. I recently bought new routers for my house, and I was using it to compare different brands. And also, I knew which ones I wanted to stay away from, from having been in government, but I used it to pull up, tell me the security specs of these. Let me know how it works. So you can do some quick research.
You should look at what data the devices collect. Also, make sure when you set up a device, if it has a default password, if it comes with one, make sure you change that immediately. It is shocking how often that those are still unchanged. Check to see if there are automatic updates. And if you see them, patch them. One thing, if you want to get a little more in the weeds, and this may sound a little counterintuitive at first, but you can look on these government websites. It's called the Known Exploited Vulnerability, the KEV, or the CVD, the Common Vulnerability Database.
See how many vulnerabilities a company has self-reported. And the more you see, the more likely you should use that company's products. Because what that tells you, assume all of them have vulnerabilities. The good companies are the ones that are looking for them and fixing them. And for Secure by Design to work, we knew there would be a spike initially in self-reported and we saw that in some of the companies that pledged. But that was leading to two things. One, fewer vulnerabilities in the products that are out there, and two, a belief that they're not building those vulnerabilities into the future.
When I was in the White House, we worked on an executive order that tried to create a pilot program for a consumer label. It's really hard to do, and it would be voluntary. There's some efforts out there, you can look for that. Most of those will focus on the privacy settings. The other thing, this is going to sound hard, but also trust your government a bit. When we're warning about devices or products or applications, there's usually a reason why.
I mean, I'll mention TikTok. Whatever is going on in the back end, one of the things that concerned me about TikTok is it was collecting more information from your device than it really needed to, to be effective at what it was doing. That was a red flag to me as to why it would do that.
JESSICA KEARNEY: That's helpful. And the piece you shared about being counterintuitive, the more reporting of the different threats that, that's fascinating and something important to think about. You mentioned in your opening presentation the Big Four and the countries that you see some of the threats coming from. You talked a little bit about the threat landscape. Are we seeing similar threats? Have they changed in the very recent last year or two, including methods? I know you talked a little bit about that. I'm wondering if you could dig a little bit deeper. I know you mentioned the fake job applicants. I think to our business audience here, I'm sure that's something that definitely makes their ears perk up.
JEFF GREENE: Yeah, the job scams are something that is unfortunately not super new but becoming better known. I think back to pre-COVID, my wife was a software developer, and she remembers saying to me, I think we hired someone and then someone else showed up for work. And she described the situation where they did all video and audio interviews, and they had someone who was very good, fluent English speaker. Not a native, but very fluent, knew all the technology. Great, they hired them.
Day 1, this person shows up. Barely spoke English and did not know how to use any of the tools that the interviewer or interviewee had said. And I remember she said it was a different person, I'm like, that couldn't have happened. But that is actually a very active scam, and it can lead to a lot of problems, not the least of which is you're paying money often to these North Korean individuals who are captive workers, and almost all the money goes to the government.
But you also now have a verified authorized user on your system, who can log in, could be a launch point for ransomware or other attack. So that type of human operation, and the North Koreans are very smart and adept at figuring out how to break in. The cryptocurrency-- the use of cryptocurrency theft and the way people are using it has, in two ways, really hyper-charged crime, both stealing cryptocurrency because it's so valuable, but also it is allowed for these-- the ability to transact. You can't use a credit card to pay off a crime, but you can use cryptocurrency.
The evolution, though, that you asked about, the biggest thing for me is this-- the shift towards these living off the land and edge device attacks, where unfortunately, the attackers don't have to rely on human frailty as much as they used to. Well, human frailty in the sense of an individual, the human frailty they’re taking advantage of is that these devices aren't being built well or patched well. I wish there had been more evolution. The reality is that most attackers do not have to evolve much, and that's why we see the same type of vulnerabilities.
JESSICA KEARNEY: Going back to the fake job applicants-- and that's a fascinating story from-- that you just shared with us-- what can businesses do to protect themselves?
JEFF GREENE: The first thing I'd encourage you that the FBI has some great resources. We talked about CISA's regional offices. Also get to know who your regional FBI team is because they can be incredibly responsive and helpful if something comes up. You have to revert to the old-school verification of employees, use the database, have some background checks in place, know where the scams likely are coming from. Unfortunately, you can't use a ton of technology in the initial interviews because they have laptop farms that can be in the U.S. or elsewhere. So it looks like you're interviewing someone in that location.
But really educate yourself on what the latest techniques and tools are. The old cliche is, if it sounds too good to be true, it probably is. If someone who perfectly suits your needs pops up and is willing to work for below-market value, it might not be the bargain you think it is.
JESSICA KEARNEY: Yeah. You mentioned a few times just tricking a human, human frailty. We have a bunch of questions coming in, one of them from Lindsey in California. She wants to know, wire fraud and social engineering is plaguing my clients and their clients. Is there any way to stop the attempts?
JEFF GREENE: So I hate to say no, but it's kind of a no. You definitely can't stop the attempts. The best thing you can do is educate the people on what's coming in. The wire fraud, the phrase you'll see in the law enforcement reporting, a business email compromise. It's usually not emails anymore. Education there is essential. There is a debate in the cybersecurity world about whether education is effective. And people throw around statistics of the limited percentage, 10%, 15%, 20% who actually improve.
I personally view that as a pretty big success. If we can string together a variety of different tools that can educate 10%, 15% of people at the time, then we're going to put some security. So when you're talking about educating people is make sure your clients know that what criminals thrive on is that sense of urgency. They're pushing you to do something before you stop and think. And one of the ways to prevent that is to have procedures in place on the back end that don't allow things to happen that quickly.
Pick up the phone. Do an out-of-band communication. When I was at a think tank, I got a text on my personal phone from someone claiming to be from a government agency. I did a little research, and in fact, it was. And the reason they were contacting me out-of-band was they were concerned that the networks on my employer were compromised. Thankfully, they weren't.
But don't just use the type of communication you get. And also, if someone emails you an attachment, don't reply to it and say, was this really you? Because you're probably then communicating with the adversary, with the attacker at that point in time. Pick up the phone and go old school or send a text. So the question was, are there ways to stop them? There's really no good ways to stop the efforts. What you have to do is put in layers of defense that will catch it, different steps along the way.
JESSICA KEARNEY: Just tagging on to that, we have another question coming in from Kathleen in California. How should organizations establish out-of-band communication? And how do we effectively train executives alongside those incident response teams to bake that in on the front end?
JEFF GREENE: Personal phones is usually the best way. Depends upon how the organ-- there's no simple, single answer because it depends upon how the organization is structured. If everyone's using BYOD and your personal phone is your work phone number, it's not going to be as easy. But it is good to have whether through Gmail or otherwise. A lot of times it's going to be if you know someone a bit out of work, but it is good to have that procedure in place, so you have a separate way to communicate.
In the government, when we were worried about some compromises at one point, a while ago, we issued separate phones to everyone. So they had the capacity to do a third way of communicating beyond personal and your traditional work phone. Executives are a really tough nut to crack because their time is so limited. In my experience, the way to get through to them is when you can give them very concrete examples concisely and make it feel very real.
That bore out, I think, in the Ukraine war prep time. The reason we were able to do things both with government executives and private sector executives was because all of a sudden, it felt real but simplified as much as possible for the executives, is what I would say. Make sure you get in touch with whatever support staff they have, they need to know it equally well.
The last thing I'd say, and this is true both for individuals in a company and for their security team, you have to have a culture where it's OK to question. Because if someone's going-- afraid they're going to get slapped down for saying, “Is this really you?” you're more likely to have a culture where that wire is going to go out because the person was afraid of the response. The security teams need to be able to go in and say, sir, you can't do this, ma'am, you can't do that without fear of retribution.
JESSICA KEARNEY: I think that's a really critical point. I'm glad you took a few minutes on that, because we've gotten just a bunch of questions coming in around, how do you convince people that the threat is real? So thank you for sharing those. So I just-- continuing down this thought about some of the things that we all see and interact with every day. So I feel like I'm getting multiple texts a day from numbers that I don't recognize asking to grab lunch, telling me I've got parking tickets or the DMV. What are we supposed to do about that?
JEFF GREENE: The famous “Hi, how are you?” text that keep coming in?
JESSICA KEARNEY: Yeah.
JEFF GREENE: Yeah, I get several of them a day. Actually, I wrote a piece about this in a Substack that I call “Cyber Shorthanded” to try to simplify cyber issues. And you can't really stop them. Apple and Android have gotten better at creating some filters, although, paradoxically, some of the European privacy regulations have made it hard to put those filters in place. So ideally, if those filters go in place, you'll be seeing fewer of them.
But the most important thing is to do nothing. Do not respond at all because once you engage, you're No. 1, encouraging the people on the other end, and No. 2, you can start a chain of communication you don't want. There's a great video of-- I think his name is James Veitch-- of someone who engaged with one of these stereotypical Nigerian scams. And it's funny, but that won't come out as well for most of you.
The other thing to understand about these is at the back end, and this is what I wrote about, human trafficking is at the core of a lot of these scams. There are people who are trafficked into these boiler rooms and are required to meet quotas of the number of people they scam. There's nothing, unfortunately, any of us at this end of it can do except try to ignore it to take out the profit margin.
I'm out of practice, but one of my favorite lines for dealing with cyber criminals is, it is a business, and we need to drive up the cost of doing business. The harder you make it for them to connect, the more you drive up the cost of doing business.
JESSICA KEARNEY: Yeah, that's great advice. And thank you for mentioning your Substack. I think we just dropped that in the chat. So I would encourage everyone to take a look. I think I was reading through some of your recent posts, I think just putting everything in plain English for people to understand, I think it was fascinating, eye-opening. I'm wondering if you could share any comments on the current state of CISA within DHS. We know the federal government is tightening its belt, cutting spending across agencies. What are your thoughts today?
JEFF GREENE: In a word, concerned. I worry that we have lost a significant volume of particularly young cyber talent that my predecessors had brought in. At the leadership level, I think CISA has done well. The nominee for director is terrific. The person who's in place who has my job as EAD of Cyber is fantastic. What worries me is that Nick and Sean don't have the tools that I had, because a lot of young talent has left and more folks are leaving.
We talked about the cybersecurity advisors and the protective security advisors. There are far fewer of them than there used to be, and those people, whether the advisors or the people in HQ, were already pretty significantly overworked given the threats to federal networks, the Salt Typhoon and the others. So I am confident that as of fairly recently, having talked to friends there, the quality and rigor of the work is still up there. It's still really good. But people are really tired, and they need some relief because you can't go at the pace that they've been going at, particularly losing people forever.
I don't know that we'll ever be able to track a specific incident to a cut here or cut there, but it'll happen. It is, and I-- where I finished is some of the really young talent that had been recruited to the mission, you're taking a significant pay cut as a fluent Chinese cyber expert to come work for the U.S. government, as opposed to one of the big cyber companies, but you do it for the mission and for the appreciation, and we've lost a lot of those people. And as I said, I have a ton of confidence in the leadership now. I just hope they can get the tools to keep the mission going forward.
JESSICA KEARNEY: That's helpful color. Thank you for sharing that, Jeff, with your such unique vantage point as formerly being within CISA. Could you tell us a little bit about what you're up to today? What are you working on now?
(DESCRIPTION)
Jeff smiles.
(SPEECH)
JEFF GREENE: Sure. So, I'm writing my Substack. It's the first time in I can remember where I don't have anyone telling me what I can and can't say. So I'm able to share some of my core views. I've set up a consulting practice with a former colleague of mine from the White House, and we do some of the things you talked about is we help organizations, both local government and companies, take a hard look at what their security practices are, where they can improve, kind of starting with, What is the threat unique to your organization? And then are you meeting it where it is today, and where it's going?
And as I said before, it's important that in cyber, we have to both fight the last war because those vulnerabilities persist. But we have to be ready for the next evolution. So we try to help companies and other organizations be ready to do that. And then the last thing we try to do is translate it into simple terms. If we're working with the chief information security officer, help them understand, here are ways you can present it to your board or leadership to make sure they understand the importance of what you're doing.
And it's been rewarding and interesting. I've kind of pulled together my work as a lawyer, my work in the private sector and the work in government, but a lot of it really comes down to the human side, the messaging, simplifying it so people can get it and it becomes personal, as I said. But it's a new challenge. I've never started anything like this, and luckily, it's going pretty well for now. But tomorrow's a new day.
JESSICA KEARNEY: Yeah, that's wonderful. That's wonderful. And you mentioned the importance of simplicity. We're just going to pull up a slide. These are the five cyber resilience best practices that I know we talk about in a lot of our cyber education programs.
(DESCRIPTION)
SLIDE. Text: 5 Cyber Readiness Practices. Logo: Cyber (registered trademark): Prepare, Prevent, Mitigate, Restore. Travelers Institute (registered trademark), Travelers. Text: To help protect your organization, Travelers' cyber experts recommend five practices that can help provide strong cyber defense. Multifactor Authentication (MFA), Endpoint Detection and Response (EDR), Back up Data, Update Your Systems, Incident Response (IR) Plan.
(SPEECH)
I'm wondering if there's any color or commentary you want to put in on any of these five best practices for cyber resilience?
JEFF GREENE: I mean, when I was talking to you all before this, you really-- you hit for the cycle here with the most important ones, and particularly having the incident response plan on there because too many organizations don't. The only footnote I'd add there is make sure you do even a basic exercise with that incident response plan. I was working with a fairly big organization a week or two ago who got an email from a criminal gang that said, we own your data, deal with it. You're going to have to pay us.
They had an IR plan, but their first few minutes of panic were so intense that they didn't pull it out. So partner-- what does your IR plan say to do? It gave them that first step. Once they went down that first step, everything flowed more smoothly. It was still terrifying. It was busy. It was crazy. But having-- knowing what to do, having a little bit of muscle memory is essential. So I was so pleased to see that you guys have that, and I encourage everyone to. It can be super basic.
You can get ChatGPT to write you a basic incident response plan. There are free ones out there that some of the big cybersecurity companies put out. But that's where knowing your cybersecurity advisor, your local FBI, you can cut off minutes that can help lower the cost of a recovery.
JESSICA KEARNEY: That's really helpful, and I think just very practical for everyone in the audience. Speaking of, I want to get in some audience questions because they're flowing in, many of them having to do with AI, which you've mentioned several times throughout the course of the last hour. Can you offer your perspective on AI opportunities as well as concerns when it comes to cybersecurity? I know you've recently written about some interesting facets of this.
(DESCRIPTION)
Jeff smiles.
(SPEECH)
JEFF GREENE: So, I am a late convert to AI. I was very skeptical of it when it first came out. First time I ever used it was before I was going to moderate a panel on it, and I figured, I better know what this is. And I was blown away in the capabilities, but I still didn't really get to using it that much. But now I think the one thing I would say, I'm skeptical of this AI is going to solve every problem we've ever had in society.
At the panel I moderated, I said, tell me what AI is going to help us do that's new, not a different version of what we're doing today. Don't tell me it's going to cure cancer. So I think what AI can help us do is a lot of the work we're doing more efficiently. In the current state of AI, I think it is very much benefiting the defenders, not the attackers. It's always a cat-and-mouse game, but I think used effectively, AI is still going to be a force multiplier for defenders.
The flip of that is you need to be incredibly suspicious of anything, particularly the public large language models tell you. You can use it very targeted for yourself in an organization where you've built your own narrow model. But I used AI. The story you mentioned is I was writing something, and I wanted an example of where CISA had partnered with a company to do what we call a responsible disclosure of vulnerability.
I said, write me up an example, and it spat out this beautiful example. I read it, and it was describing activity that supposedly happened when I led the Cybersecurity Division at CISA. I'd never heard of this company. I'd never heard of the cybersecurity advisor or the advisory, and I had to approve them all. So I said, is what you just told me true? It came back, and what it said was, I pulled up some of the quotes, "The cybersecurity bulletin, which was based on a fabricated example, is likely incorrect and led to an error."
And then it talked about the fabricated cybersecurity advisory from CISA does not exist. I was so taken aback. I just shut down, I'm done. I'm going to write something. And then I got angrier and I went back and I actually asked it, why did you do this? Why did you give me fake examples? The answer was basically I couldn't find anything good, so I wanted to give you something. So I made it up, and I made it look like something real.
Quote, "I fabricated a specific example--" and I hate this first person of a computer, but still I fabricated a specific example. My takeaway from that, as a child of the Cold War, President Reagan was fond of, trust but verify. My tagline is never trust and always verify. Coincidentally, a friend of mine had told me a week or two before, huge AI fan, but he said no matter what he searches, the next question is always, Is what you told me true? Because that will force it to go back and check.
I do that regularly now, and it regularly corrects what it does. So if you are using AI intelligently, you can have great success with it, but you really, really-- I knew intellectually not to trust it, but it drove it home for me. Since then, I think I was looking for a flight, and it told me a flight that didn't exist.
JESSICA KEARNEY: Wow.
JEFF GREENE: And it's on different models. So I think from an organizational standpoint, if there's one tip I have for you all, as you're working with your clients and customers, ask them whether they have put clauses in the contracts with their vendors on what they can do with their data. Because if you're not careful, you're ending up putting proprietary data into a training model. I've seen that happen with a few folks with whom I've worked.
As I said, personally, I'm a huge convert now, but I'm incredibly skeptical. I don't know how I'll ever trust it. We're talking now about what people call agentic AI, and that will be a future blog post. We call it agentic AI, and we make it hard to understand what it is. It's AI that will make decisions and do things. I don't know when I'll ever get comfortable with this AI doing things as long as we have these so-called hallucinations happening so regularly. So it has to be very narrow, tailored uses. But footnote or last point, it's here. We have to learn how to deal with it effectively. We can't try to uninvent it.
JESSICA KEARNEY: Fascinating and terrifying. Luckily, you're in a position to be able to know to double-check that. Not all users will be in that same position. I'm going to get to some more questions, lightning round, because we've got a bunch coming in. A question from William, and we've actually gotten a bunch of questions on this topic. He asks, Is it time for people to take a serious look at scaling back their non-business use of social networking platforms?
JEFF GREENE: Personal answer, yes, be very careful of it. Longer answer is as long as you understand what you're getting yourself into, you're putting a lot of information out there that could be used by an adversary if they want to profile you, but is almost certainly being used by corporations around the world to create profiles of you. So understand what you're doing and the type of vulnerabilities you create.
But I think that is another horse that's out of the barn. I think it's good to teach some humility in how we use it. I worry more about or equally about the addictive element of it, even among U.S. adults, than as much as I do about adversarial use. But it is definitely a huge platform. I wonder where I guess it was, William would think, where does LinkedIn fit in that? I never used LinkedIn much until I left government. At the end of this, I had a LinkedIn profile. And literally within hours of when I started at the White House, before it was publicly announced, I had dozens of new friend requests.
When I dug in, many of whom had had accounts for days or hours. So don't trust anything on it if you're going to use it. So I hope I answered William's question. It is something to be very suspicious about because, what do they say? On the internet, no one knows you're a dog.
JESSICA KEARNEY: OK. Question coming in from Tom. He asks, what emerging threats in the next few years will most test our resilience?
JEFF GREENE: So, No. 1 is this edge devices, routers and the living-off-the-land techniques. The other issue that I think we are sleeping on is quantum computing and the impact that's going to have on cryptography. That is a slow boil. We had actually been-- one of the reasons why I was so AI skeptical is we were just getting traction on dealing with this post-quantum cryptography problem, and then AI blew up. And that's all people wanted to talk about.
So when there are AI computers at scale, all of our current cryptographic algorithms are going to be vulnerable. Thankfully, it's only going to probably be nation-states that can use these computers initially. There are new algorithms that my old agency NIST has put out. It is a long and slow process to deploy those algorithms. It's not something we'll be able to do in a rush, and I'm worried that when we reach Q-Day, or whatever you call it, it's going to blow up and we're going to be trying to put Band-Aids all over a big wound.
So if you can work with your organizations, ask them, do they have a plan to migrate to post-quantum or quantum resistant cryptography? NIST has put out the algorithms. There are products out there that use them. You have to do a significant amount of groundwork ahead of time to understand where and how you're using cryptography and where the algorithms are. But do that so you're ready to go so you're not caught flat-footed if that day comes.
JESSICA KEARNEY: That's helpful. I think we're getting lots of good practical checklist items. A question coming in from Rudy in Pennsylvania, what do you think are some of the most overlooked cyber issues for businesses? Maybe you've already touched on some, but--
JEFF GREENE: PQC, post-quantum cryptography I think is the biggest. I think the training people in the human side of it is the part that-- I don't know if it's overlooked, but it's the one that I think we need to double down on. Patching and updating is another big one, which we all talk about, but none of us, myself included, are as rigorous as we should be.
If we’re talking-- I'm going to go really nerd out. If you're talking about an information security function in an organization, the one tool that's out there that is phenomenal, my old agency-- so I'm bragging-- they created it without me. It's called the Known Exploited Vulnerabilities database. There are-- you get alerts every day if you're in the cyber world about be scared of this, be scared of that. This is the new thing. If something goes on, it's called the KEV, on the KEV. That means that it is a vulnerability that we know bad guys are exploiting, and that should immediately go to the top of your list. Get that done as quickly as possible.
When I started at CISA, we had just-- we turned it into a-- now we just KEVed a vulnerability. I had a briefing from our team, like 48 hours later, and they walked in and said, we are only at 94% patch rate across the federal networks. I'm like, what do you mean only? Ninty-four is freaking great. Like, no, no, no, we need to be at 99% at this point, because these things are so high risk that we were driving it so hard. When I got out into the private sector, I was surprised how few people realized the significance, either of the KEV or some of the alerts that we put out from CISA.
JESSICA KEARNEY: That's very helpful. Thank you for sharing that. And I am looking at the clock, and we are almost at the top of the hour. I feel like we could keep going for another two hours. But I want to close, is there anything that you do individually in your personal life to keep yourself cyber-secure that maybe we haven't already touched on yet? And are there any other-- besides your Substack, of course-- any other best resources out there that people should be in tune to to stay up to date on cyberthreats?
JEFF GREENE: So in the last point, Krebs on Security is a phenomenal-- he goes in deep in the weeds, but the first couple paragraphs, and you'll get good updates if you follow him on various social media. Most of the cyber companies Mandiant, MIL Company, Symantec have a pretty good blog post. And then pay note, when my old agency puts its label on an advisory, we put a lot of rigor into making sure that we were only labeling something if we had practical advice to give, and it was a real threat. And you'll often see us along with FBI and others.
In my personal space, the biggest thing, I try to ramp up my paranoia, but no matter-- I still click on something at least every few months. I realize as my fingers coming up, I'm like, what did I just do? But I have the security tool on my phone I have on my computers. One thing that I have gotten much better at in the past few months is using a VPN, a virtual private network, when I'm on unknown Wi-Fi. It can sometimes create some connectivity issues, but unfortunately that is still a vehicle that attackers are using. And just be suspicious of things that either sound too good to be true or anything that tries to get your blood pressure up immediately. That is the criminal's tool, whether it is street crime or cybercrime.
JESSICA KEARNEY: Jeff, thank you for your presentation. Thank you for your time and all your comments. This was, I'm sure, eye-opening, as I mentioned, had so many questions coming in. We really, really appreciate it. And thank you. We'd love to have you back in the future.
JEFF GREENE: I'd love to come back. I appreciate the opportunity.
JESSICA KEARNEY: Thank you.
JEFF GREENE: Take care.
JESSICA KEARNEY: All right.
(DESCRIPTION)
Text: Wednesdays with Woodward (registered trademark) Webinar Series. Take our survey. Link in chat.
(SPEECH)
So thank you to all of you for joining us today. I hope you enjoyed that as much as I did. Really eye-opening and fascinating stuff on cyber, and hopefully you got some good, helpful and practical tips for your organization, and as we just closed, in your personal life as well. As always, we're going to drop a link to our survey in the chat about today's program. So take a look and let us know what you thought. Give us some comments and also let us know about the topics that you'd like to hear about in the future for a future session.
(DESCRIPTION)
Upcoming Webinars: Oct. 15: Mastering M&A: Risk Management in Manufacturing Transitions. Oct. 29: Strategic Connections: Short-Term Negotiation Tactics for Long-Term Success. Nov. 12: Dynamic Risk, Strategic Response: Property Insurance for Today's Market. Nov. 19: Beyond Benefits: Building Personalized Mental Health Support at Work. Register: travelersinstitute.org.
(SPEECH)
We also have some great webinars coming up to close out the year, and we hope you'll join us for those. October is also National Manufacturing Month. And on October 15, we're going to have part 3 in our series on mergers and acquisitions, this time with a close look at the manufacturing sector. So please tune in to that.
And if you've ever struggled with confidence while trying to negotiate or just want to improve your negotiation skills while being mindful of long-term relationships, we hope you'll join us on October 29, when Joan's going to sit down with Dr. John Burrows from the University of Chicago for a mini masterclass in negotiation strategy. That's been a really popular topic on past programs.
On November 12, we'll be joined by VP and National Lead of Property Insurance, Angi Orbann, for a deep dive into the evolving property insurance marketplace. That will be a great one. Angi's terrific. And the following week, we'll have the CEO and Co-Founder of Spring Health, April Koh, and Travelers’ very own Greg Landmark for a conversation on how employers can play a proactive role in improving mental well-being in America and what employers and frontline managers can do within their teams to promote mental well-being at work. That's a topic that we've talked a lot about through our Forces at Work initiative. So we hope you'll join us for that as well.
(DESCRIPTION)
Logo: Travelers Institute Risk and Resilience. A red microphone. Logos: Travelers Institute (registered trademark), Travelers.
(SPEECH)
Lastly, you can listen to our webinar series on the go as well as new original episodes on our Travelers Institute Risk & Resilience podcast, which is available on Google, Spotify and Apple. Thank you again for tuning in this Cybersecurity Awareness Month, and we hope you have a great afternoon.
[MUSIC PLAYING]
(DESCRIPTION)
SLIDE: Text: Wednesdays with Woodward (registered trademark) Webinar Series. Watch: travelersinstitute.org. Logo: LinkedIn. Text: Connect: Joan Kois Woodward. Listen: Wherever you get your pods.
Logos: Travelers Institute (registered trademark), Travelers. Text: travelersinstitute.org.
Listen to the podcast
Tune in to “Global Cyber Resilience: Lessons from Former White House and CISA Leader Jeff Greene,” available on Apple Podcasts® and Spotify.
Learn more, explore the most recent episodes and subscribe to the Travelers Institute Risk and Resilience podcast.
Summary
What did we learn? Here are the top takeaways from Global Cyber Resilience: Lessons from Former White House and CISA Leader Jeff Greene:
It’s important to be aware of the current cyber threat landscape, including threats to organizations like business email compromise and ransomware. For more information on new and existing threats, Travelers publishes a quarterly Cyber Threat Report. Greene also urges companies to take advantage of CISA resources like the Secure by Design initiative, which encourages organizations to use technology with cybersecurity baked into its design and manufacturing process. CISA also has a regional workforce of cybersecurity advisors who can assist organizations with understanding the threat landscape and improving their own security.
Organizations should also be aware of the cyber risks of fake job applicant scams. In these scams, one person may pose as a job applicant, sit for video interviews and get hired. Then someone else shows up to work. On the job, the fake employee becomes a verified authorized user on the company system and can log in and launch a ransomware or other attack. Businesses can stay safe by learning how these scams work, performing pre-employment background checks and getting familiar with resources offered by their local FBI field office. “If someone who perfectly suits your needs pops up and is willing to work below market value, it may not be the bargain you think it is,” Greene said.
Artificial intelligence (AI) offers cybersecurity benefits but also poses risks, Greene said. In its current state, he thinks AI benefits the cyber defenders more than the attackers, adding that “used effectively, AI is going to be a force multiplier for the defenders.” There are watch-outs when using AI, and human validation of AI-generated results remains critical. It’s also smart to ask the model you’re using to verify any information it provides due to AI’s tendency to “hallucinate,” he noted. Greene also recommends that organizations verify that their clients and customers have clauses in their contracts specifying what vendors can do with their data. “If you’re not careful, you can end up putting proprietary data into a training model,” he said, adding that “AI is here, and we have to learn how to deal with it effectively.”
Human psychology plays a key role in cybersecurity. Cybercriminals exploit human nature more than new techniques or technologies. “Criminals thrive on a sense of urgency,” Greene said. “They’re pushing you to do something before you stop and think.” Organizations can respond by putting in place procedures that slow down certain actions, like wiring money. “You also have to have a culture where it’s OK to question,” he said, noting that a wire transfer is more likely to go out to a scammer if an employee feels uncomfortable calling their boss to verify a request. Every small action that foils a cybercriminal helps fight cybercrime: “It’s a business, and we need to drive up the cost of doing business,” he said.
Start with these five cyber-readiness practices that could help you and your organization deter cybercrime. According to the 2025 Travelers Risk Index, 60% of medium-sized businesses are concerned about a cyberattack. “Individuals have the ability to influence and improve their own cybersecurity and that of your organization, so never think it’s too hard and you can’t do it,” Greene said. He agrees that putting these Travelers-recommended cybersecurity readiness practices in place can help improve cyber resilience:
- Using multifactor authentication (MFA).
- Employing endpoint detection and response (EDR).
- Backing up data.
- Updating your systems.
- Having an incident response (IR) plan.
It’s also key to practice your incident response plan before an event occurs. “Knowing what to do and having muscle memory is essential,” he said.
Speaker
Jeff Greene
Former Assistant Executive Director for Cybersecurity, Cybersecurity and Infrastructure Security Agency (CISA); Former Chief of Cyber Response and Policy on the National Security Council; Distinguished Fellow, Aspen Institute; Founder, Salty Coffee Consulting
Host
Jessica Kearney
Vice President, Public Policy, Travelers Institute