The Global Forum for Cybersecurity Excellence (GFCE)

 I got an invite to speak on a panel at the Global Forum for Cybersecurity Excellence's Annual Meeting last week. It was my first time in DC since I went on a trip there with Air Cadets in the 1980s, so it was an exciting prospect. More so when I saw it was going to be taking place in the Organization of American States' building.

Attending these things is a high wire act for me as it looked like I was going to have to self fund my way there, but then the OAS's Cybersecurity directorate got in touch and asked if I'd sit on one of their emerging technology panels for the region of the Americas pre-GFCE meeting too, so I got hotel and flights covered.

I got in on Sunday and my hotel was in Georgetown, so I got out and about and soaked up some Washington area history - the place is thick with it! 

That night I met up with Dr Juan from Mexico who I did a presentation with in June and we enjoyed some Potomac wings at the local Irish pub (as you do) and caught up. The last time I'd seen him was as we passed through US customs on our way back from Ghana last year, so we had a good chat. The opportunity to solidify these connections was impressed upon me as an important consideration later in the week. Never underestimate the appreciation inherent in making an effort to see people live, especially post-pandemic.

Day 1

The next morning, after breakfast at the Fairmont (!), we walked to the Organization of American States building only to discover it was the wrong one. We ran into Alex from Ghana who was on the OAS panel with me later that morning and he knew where we needed to go, so we backtracked four blocks to where we should have been in the first place.

I got there sweaty (DC got up to about 30°C each day) but cooled off and our talk that morning about emerging technology impacting cybersecurity was wide ranging. Kerry-Ann, our moderator, surprised me with a question about how approaching cyber challenges as a technician gives me a different (and valuable thanks to how she framed the question) insight into the rapidly changing state of things.

Talking to engineers and the legal experts doing policy is one thing, but talking to the trades people who do the operational work of keeping the lights on does offer an interesting angle. I'd been expecting to talk about quantum technology emergence, but an opportunity to speak about the value of hands-on, applied skills in the field was appreciated and well received.

Many of the panels focused on the clear and present danger in cyber at the moment: artificial intelligence. From the automation of big data analysis that humans never excelled at on the defensive side to how criminals are leveraging GenAI to produce customized phishing material well beyond grammatically incorrect emails (stretching to include deepfake video, voice, photos and other digital media), these talks were designed to assist policy makers with understanding what has come out of Pandora's box of AI.

One theme that resonated with me was how people don't want deep technical explanations of these emerging technologies. What they want is an easy to grasp explanation of how these technologies will impact the digital spaces they work in. This remains a problem in cybersecurity and an even bigger one in the quantum world where I just finished my secondment. The urge for academics to obfuscate and complicate their explanations of these rapidly emerging technologies doesn't make them ideally suited for presenting on them, especially to the operations and policy people who are entirely focused on real world impacts and couldn't care less how the maths looks.

I've gotten a lot of static for how I've simplified deep technical details in quantum in order to get concepts across, but you honestly don't need to start neck deep in linear algebra any more than you need to have knowledge of the metallurgy involved in casting your car's engine in order to drive it. Guess what background is really helpful in bridging this information divide: 22+ years as a teacher! Early in my career I came across a quote that described teachers as, "public facing intellectuals" and took that to mean we're not about ivory towers and knowing more and more about less and less, but about the democratization of knowledge. Part of that comes with knowing what to keep out of the mix in order to help people get a handle on emerging technologies.

My age is also handy. Being a genuine digital immigrant who remembers a time before personal computers and the internet (I got my first PC, a Vic 20, in 1979 when I was 10), I have a big picture outlook that those who have always lived in this chaos find helpful. My other secret weapon is a university background focused on thinking and communications (philosophy & English).

After the OAS event we had an evening meet and greet at the Museum of the Americas right behind the main building, which had a permanent collection of powerful pieces looking at colonialism and culture. Upstairs they had a Spanish diaspora collection featuring the people who fled Spain during the Franco period; powerful stuff.

At the meet and greet I got to introduce Juan to Michelle and Nina from CyberLite, one of my favourite international cyber education organizations. We did an around the world webinar with them for Safer Internet Day in February, but it's always nice to see people in 3d rather than on a screen, and introductions like this are what GFCE is all about.

Another good example of this networking was running into Christina from Global Affairs Canada. From our talks I've come to understand the complexities and difficulties of international cyber policy. I'm also particularly aware of how important it is to shed better light on the work our federal government does internationally. Some of this needs to be kept on the down low for security reasons, but much of it (and especially on the diplomacy side) needs more media coverage so Canadians better understand the work that their representatives are doing on their behalf. Being purely insular and defensive doesn't work in sport and it won't work in cybersecurity either. If we can help other countries develop better cyber capacities, we all win, and that starts by doing the hard work and developing trust.

Day 2

The next day we were up early again and this time took an Uber to the right building (kind of, it still took us to the wrong one first), and began the Global Forum for Cybersecurity Expertise Annual Meeting.

Our panel came up quickly and Juan brought in a fantastic angle focusing on the Global South and the formation of a 'quantum divide' that will, like the digital one, further separate developed countries from everyone else. I've seen this happening with tightening restrictions on public facing quantum education resources. In some cases this may be under the auspices of national security, but the end result remains: countries that have the resources to develop quantum technologies will have capabilities that the others can only dream of.

There is also an academic ownership of quantum that favours those with the resources to spend most of their lives in post-secondary. Quantum mechanics is how the universe works, yet most schools stick to Newtonian physics because it's intuitive and easier to deliver, except that Newtonian truth is a fiction caused by our scale. If you look closer, it is (as Brian Cox says) quantum all the way. We need to demystify our best understanding of how the universe works so that everyone can grasp the technologies that are emerging out of this science.

Our panel couldn't have happened without a secure internet because our moderator was virtual in Europe and one of the panelists was in Central America. This highlights the importance of the awareness I've been doing in Canada and beyond around quantum encryption readiness in cybersecurity. In a few years that secure internet may be a thing of the past.. After we wrapped up our panel I showed Juan the William Gibson quote about the future already being here, but not evenly distributed.

The idea of a growing quantum divide is another indicator of the state of maturity of rapidly improving quantum computers. I'm motivated to continue my 'technology literacy for all' approach (which includes quantum and AI) because no one should make the technologies that have the best chance of helping us save ourselves from ourselves proprietary. I also have a nagging urge to help everyone reach their maximum potential regardless of how much they have in their bank accounts.

The end of day event on day two was both uplifting (it was a retirement party for founding GFCE president, Chris Painter), but also profoundly insightful. When someone with extensive, top draw international research resources tells me that they aren't worried about AI taking us down because climate collapse will get us first, I listen. Moments like this make me vividly aware of just how fragile the house of cards we're standing on is. If we don't come together to make it accessible, secure and safe, that house of cards is coming down.

This observation feels even more perilous because of the book a colleague suggested that I'm two-thirds through. Advocating for long term thinking in human societies that only reward short term gain is a challenge, but the most recent chapter is about how all civilizations collapse. Historically this happened regionally (Roman Empire, etc), but the global civilization we've built this time is going to crash harder, and when it collapses we're going to be wishing we had made some of Asimov's Foundations in order to recover more quickly (assuming we don't make our only habitable planet uninhabitable in the process). That's the thing about attending a GFCE event - it makes you reflect on the big things (kinda like Tamara's book recommendations).

Day 3

All of the delegates from dozens upon dozens of countries coming together in DC to make digital transformation secure and accessible.

Day three began with the women in cybersecurity breakfast. The moderator at our table told hair raising stories of her being in the first female engineering cohort in South Africa and the overt sexism they faced. I told them about Canada's tragic history with this kind of sexism, which the table found astonishing - Canada is considered forward thinking until we're a bit more forthcoming about the dark currents in our history. I also told the story of the quiet sexism that made founding the first all-female cybersecurity team in our school so difficult. It amazes me that half our population experiences these systemic prejudices and that equality isn't something we're likely to get to before the 22nd Century.

These GFCE events are thick with insights and opportunities that lift your head out of your personal context and prompt you to consider the big problems we face. I've tried to cover the main pieces here, but there are so many more that I'm still subconsciously noodling on.

The emerging tech panel on AI towards the end of the day was another of those eureka moments. The policy expert from France's advanced technologies department had a good response to my question about how we devise policy for near future AIs that will have the agency and resources to ignore them, not out of spite, but because even considering them isn't in their programming. She referenced the US Section 230 law that let social media run rampant and pointed out that if we recognized this cautionary tale we'd be able to better direct AI use now. A sharp response, but I think the AI horses are out of the barn and will shortly have the capabilities to do real damage to our digital infrastructure. I remain curious as to when AI policy to try and restrict development turns into defensive policies designed to mitigate the damage that self-directed AIs will do to our piecemeal global network.

I ended the event having lunch with Abdul, my swimming buddy from Accra, and Juan, my co-conspirator. What do you talk about at a Nigerian/Canadian/Mexican table? Abdul told me he is in 'legacy mode', which is a great way of framing your closing professional years. I enjoyed our talks in the pool at Accra City Hotel because Abdul always seems to see beyond the horizon. Taking a minute to soak up that wisdom is never wasted time. He was going to see his friend's grave and visit his cousin after the event. These seemingly technical meetings can be profoundly human, if you let them be.

We wrapped up our time at the OAS HQ, but we weren't quite done yet. At the museum event Monday night we met a Spanish attaché and that prompted an invite to the embassy for a Wednesday evening networking event. It was a short walk from the hotel and I talked to a lot of people but really got into it with Jose Manuel who runs telecoms and startups in Spain including a new one that helps you park your boat in a marina you haven't visited before. Besides travel, work life balance and entrepreneurship, we also had a good chat about the innovative quantum key distribution research around mesh networking QKD into live networks that he is in the vicinity of. I'm hoping to follow up and develop some transatlantic connections that move us all forward.

***

I must have covered 20+ kms on foot over the week (in dress shoes!), but I have no regrets about the schlepping or having to self fund some of this. Hope is hard to find in 2024, but the GFCE exhales it like plants give off oxygen. Just as the GC3B in Ghana did last fall, my mind is left turning over the complex challenges and opportunities that this meeting highlighted. If you're looking for organizations that improve your practice, expand your context, and challenge (and enable!) you to take on the seemingly insurmountable global issues we face, meeting the OAS and experiencing my second live GFCE event has done just that.

DC looking like a postcard on the ascent out of Reagan Airport.

Just over 500kms as the crow flies from DC, I was back in The Six before I knew it!

The Serious Play Conference and a Canadian Solution to Cyber-Education

The Serious Play Conference took place in August at University of Toronto's Mississauga (Erindale) campus. Even though I'd fallen off the end of my secondments, gamification has also been a central tenant of my teaching practice and I've been actively researching cyber-education using immersive simulations for the past four years, so I took this opportunity to present what I'd found.

Paul Darvasi runs this conference. I met him last summer when we did a quantum training week together at UBC in hopes of building a quantum game that takes the academic privilege out of how the subject is presented. That hasn't yet come to be, but I did manage to recently get our quantum arcade idea funded (from Finland because finding that kind of support for emerging technology education in Canada isn't easy). Canada likes to be surprised by emerging technology in education rather than getting in front of it.

Quantum Arcade Pitch Deck for Unitary Fund.pptx

Games have played a central role in my life. I got into Dungeons & Dragons in a big way in my teens and my first long distance road trips were with friends to GENCON in Milwaukee in the late 1980s (where I got to play a tournament round of D&D with Gary Gygax!!!). As a result my teaching practice has always been informed by those early years dungeon mastering. If I have an opportunity to create a simulation or immersive gaming experience in my classroom, I'll go out of my way to arrange that rather than falling back on worksheets peddling dimensionless knowledge transmission. My experience has shown me that suspension of disbelief can be a powerful learning tool if the gamified learning experience is pedagogically viable.

My presentation at Serious Play was specifically about how immersive simulation can help learners tackle subjects that might scare them into disengagement. By using suspension of disbelief, subjects like cybersecurity can be approached without out the risk aversion prompted by worries about breaking technology almost no one understands because we seem to have given up on modern media literacy about two decades ago.

I've put students on Field Effect's Cyber Range in classrooms across Canada. In some cases they were competitive CyberTitan teams containing students with the top 1% of digital skills in the country, but in most cases it was with the other 99% who had never touched cybersecurity at any time in their learning journey. With the right scaffolding and support even the newest of n00bs can get their hands dirty iteratively learning essential cyber skills in this digital sandbox:

Engaging Canadian education with cybersecurity remains an uphill struggle, but cyber sandboxes like Field Effect's Cyber Range offer a solution.

The Serious Play Conference had a wide range of educators working in digital and analogue simulation across a staggering range of subject areas. From museums engaging patrons to a think tank designing war games for the Canadian Forces, it was a tour de force of what immersive simulation and gaming can do to engage and teach in every learning context.

I was absolutely thrilled to learn that our all Canadian made simulation that offers a key to cyber-education - one that is more advanced than the systems we use when our CyberTitans take part in CyberPatriot south of the border because it allows for interactive networking between virtual machines instead of just putting students into isolated desktop VMs - won the gold medal for K12 immersive learning simulation.

ICTC and Field Effect have worked hard to get this world class immersive learning opportunity in front of Canadian students. The trick now, as it has always been, is to get insular Canadian education systems who have taken a head-in-the-sand approach to cyber education to pick up this federally funded, world-class tool we've built and use it to get past their own fear and ignorance and begin teaching essential defensive 21st Century digital skills.

***

Sign up for CyberTitan, Canada's national student cybersecurity competition, is open until October. Teams of girls and other under represented groups in the field are fully funded. The early rounds are on individual virtual machines through CyberPatriot in the US, but if you push on you eventually get to Field Effect's Cyber Range and get a taste of the future of cyber-education.

Check out the interactive team signup map here. You can ask yourself questions like, why one of Canada's smallest provinces (New Brunswick) has more student teams than Ontario and Quebec combined, or wonder why Saskatchewan and Nova Scotia have no teams at all. Perhaps they don't use the internet?

The vast majority (over 90%) of cyber attacks on Canadian systems depend on user ignorance to succeed. We can't build a secure Canada if oblivious Canadians keep opening the doors and letting criminals and foreign state actors into our house. You don't have to pretend it isn't happening, building this essential media literacy can start here now:

Join the competition and sign up student teams of 4-6.
There are middle and high school divisions and community groups are also welcome to participate.

Turtles all the way Down

What have I learned from working inside the AI black box with Aman & Henry?

I've been working with generative artificial intelligence with students in my computer technology program since 2018 when we were fortunate to get a new grade 9 whose dad was on the team that brought IBM Watson to Jeopardy. That got us connected to IBM cloud and building AI chatbots five years before the "AI revolution" everyone has been caught out by.

That wasn't our first point of contact with AI though. I'd been keeping an eye on AI dev as far back as 2015 because we launched our gamedev course then and getting handle on building intelligent responses to player actions in our games immediately became our biggest challenge. Thanks to Gord and IBM we were able to get our juniors familiar with AI prior to asking them to take on significant software engineering challenges with it in the senior grades.

I presented on AI use in the classroom at the ECOO conference pre-COVID in fall of 2019. Gord from IBM even came all the way down to Niagara Falls to offer world class suppport. The room was all but empty:

This is how many Ontario educators (already interested in edtech because this is ECOO!) you get in an introduction to gnerative AI in 2019 (yes, it was four in an otherwise empty room). Ahead of our time (again)? Four years later it's an emergency and suddenly there are education AI experts everywhere. I wonder where they were in 2019.

If you ever wonder why education always seems two steps behind emerging technologies that will have profound impacts on classrooms, here's a fine example. Except you won't even see four people sitting in an empty room in 2024 because all edtech conferences like ECOO focused on teacher technology integration have evaporated in Ontario.

***

OK, so I've been banging my head against pedagogically driven AI engagement in education for almost a decade only to see it swamp an oblvious education system anyway, so what's happening now? I'm ressearching the leading edge of this technology to see if we can't still rescue a pedagogically meaningful approach to it.

In the summer Katina Papulkas from Dell Canada put out a call for educators interested in action research on AI use in learning. I've been talking to Aman Sahota and Henry Fu from Factors Education over the past year looking for an excuse to work on something like this, so I pitched this idea: De-blackboxing AI technology and using it to understand how it works.

Our plan is to use the Factors AI engine that Henry himself has built and Aman administrates to build custom data libraries that will support an AI agent that will interact with students and encourage them to ask questions to better understand how generative AI works. As mentioned before on Dusty World, GenAI isn't intelligent and it's important that people realize what it is and how it works to demystify it and then apply it effectively. Getting misdirected by the marketing driven AI hype isn't helpful.

So far we've built modules that describe the history and development of AI, how AI works and the future of AI. In the process of doing this I've come across all sorts of public facing research material that breaks down generative AI for you (like Deep Learning from MIT Press), but it's technically dense and not accessible to the casual reader.

During the last week of August Factors had a meeting with interested educators through UofT OISE (their AI system came out of the OISE edtech accelerator). I demonstrated in the presentation how the AI engine might be used to break down a complex article for easier consumption through agent interaction. The example was WIRED's story on how Google employees developed the transformers that moved generative AI from a curiosity to real world useful in the late teens. I picked this one because it explains some of what happens in the 'blackbox' that AI is often hidden in.

With some well crafted prompting and then conversational interaction, students can get clear, specific answers to technical details that might have eluded them in the long form article. The reading support side of GenAI hasn't been fully explored yet (though WIRED did a recent interesting piece on cloning famous authors to become AI reading buddies as you tackle the classics which is in the ballpark).

What have I learned from working in the engine room (BTW, that image at the top is Adobe Firefly's AI image generator) building an AI data library and then tuning it? AI isn't automatic at all. It demands knowledgable people providing focus and context to aim it in the right direction and maximize productive responses with users. An interesting example of this was finding documents that provided relevant data on the subjects we wanted the AI to respond to. When I couldn't find specific ones Henry suggested using Perplexity, an AI research tool that coalates online sources and then gives you concise summaries along with a bibliography of credible sources.

I thought I was being perverse asking Factors to design an AI that expalins AI using AI, but Henry's always a step ahead. His suggstion is to use an AI to build a library of information to feed the AI engine that then uses AI to interact with the user... about AI. It's turtles all the way down!

It's a War Out There

In the beginning of July the Communications Security Establishment (CSE-CST) produced two news briefs that many Canadians remain oblivious to. On July 9th a warning was published describing a Russian government backed foreign interference project that uses artificial intelligence to create false social media output from many different countries designed as propaganda for Russian state interests. By using these tools Russia hopes to direct national discourse in democratic countries, including Canada, in its favour.

The day before, on July 8th, CSE posted a warning about Chinese state sponsored cyber intrusions across public and private networks in many countries, including Canada, designed to give the Peoples Republic access to sensitive state and industry data. What is most concerning about these warnings is that they aren’t unique, they aren’t even rare.

We have come to depend on networked digital information in all aspects of our lives. For many this means social media on their phones, but our dependence on networked digital information runs far deeper than that. Essential systems like the power grid and water supply (and regular classroom activities) are managed through networked digital systems, as are our supply chains. This offers us tremendous opportunities for efficiency and oversight, but it also brings with it the danger of cyber-attack, and not by the stereotypical lone hoodied hacker.

Incredibly, in 2024 most Canadian schools do not teach any cybersecurity education at all. With the exception of New Brunswick there is no curriculum in Canada that even mentions cybersecurity. This has put us in a difficult situation as Canada faces a generational shortage of cyber-talent. But the real danger isn’t our failure to get students interested in working in the field, it’s the apathy and  ignorance Canadians seem to revel in.

The vast majority of successful cyber-attacks depend on user ignorance to find a way in. Canadian defensive technologies are world class, but if the people using them are dangerously oblivious, that’s where the opportunity for abuse lies, which is why Russian and Chinese government organizations are focusing their attention there. If you want to destabilize a democracy, you create division in its people, and with most people going online wearing a blind fold of apathetic ignorance, it’s the easiest opportunity.

If you provided your military with state-of-the-art weapons but didn’t train any of them in how to use them, you wouldn’t have a very effective fighting force, yet that is how we approach cyber-readiness in Canada. Connected digital technologies have become central to most aspects of life, yet the vast majority of Canadians take no responsibility for the dangers these digital opportunities present.

Meanwhile, countries with vested interests in Canadian destabilization have created enormous offensive cyber-attack groups. China’s offensive cyber military arm - just their offensive cyber personnel – number more than the entire Canadian Armed Forces. But the threat doesn’t end there. In addition to large cyber-military capabilities, many foreign powers have also hired private companies to conduct foreign cyber-espionage. If you think the threats we face online are lone hackers trying to make a buck or two you’ve failed to grasp how cyber operations have evolved in the past decade.

Allied Western powers have built defensive systems in partnership with industry, but our ability to perform cyber-attacks on the scale that Russia and China do is anything but equal. If this were a ‘hot’ war the map would be dominated by those countries while Western responses are minimal. Unlike a conventional war there would be no lines with safe zones behind them. In cyber-warfare you see malevolent skirmishes happening in every region of Canada; nowhere is safe because connected infrastructure is everywhere.

Around the edges of these state sponsored cyber-attacks partner organizations are leveraging similar tools for cyber-crime, often in an effort to fund the state sponsored attacks. The ransomware attack your company just paid to try and resolve may well be going to fund the next round of state sponsored digital violence.

Thinking that this is all someone else’s problem is one of Canada’s greatest weaknesses. ‘Loose lips sink ships’ was a common reminder during World War Two. It reminded people that you never knew who is listening and that your blabbing may well get people killed. The Twenty-First Century equivalent is ‘careless clicks can hack everything you depend on.’ Not as catchy, but terrifying.

One of the scariest parts of attending a cybersecurity conference is listening to the people trying to hold Canada together talking about how razor thin that line is. I’ve heard people who are defending against these wildly asymmetrical attacks say things like, “I’m amazed the lights are still on”, and “in the next five years we will have a cyber-attack that takes out critical infrastructure for weeks at a time.”  Perhaps when we’re all sitting in the cold and dark wondering what happened we’ll also start to wonder why we didn’t so something about it when we had the opportunity.

Saying it’s a war out there isn’t hyperbole. Thanks to artificial intelligence many cyber attacks have become fully automated. These A.I. automated attacks iterate their approaches allowing even the most digitally illiterate criminals access to leading edge cyber incursion tools, and many foreign powers are more than happy to support that chaos for their own ends.

What’s a democracy to do? Start taking cyber-education and digital citizenship seriously. Instead of graduating students that only add to the cyber skills gap, we should be making all students (and the families they come home to every day) aware of this secret war we’re all on the battlefield of every time we pick up a device and access the interwebs. How many times have you amplified a social media post that may well have been written by a Russian A.I. bot with the intent to damage Canadian interests? Time to stand up to this hidden war.

I presented on using state of the art cloud based cyber simulation to teach essential cyber skills at the Serious Play Conference at UofT Mississauga this month. We have the tools to address the cyber-literacy gap in Canada and make our country cyber-secure, we just have to make using them in classrooms a priority.

You can sign up for CyberTItan now - it's Canada's biggest student cybersecurity competition. There are divisions for middle and high school students and youth groups can all join up. Teams are 4-6 students and you learn real world defensive cyber skills. Support is also provided if you need mentors. www.cybertitan.ca

Want to read more?

Why State-Sponsored Cyber Attacks are a Global Threat

It's not human error if it's wilful ignorance.

Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure

National Cyber Threat Assessment 2023-2024

Cyber Operations Tracker

The Cost of a Breach: 10 Terrifying Cybersecurity Stats Your MSP’s Customers Need to Know