
Academic Distinctions: A Podcast to Make Sense of American Education
Hosted by Stephanie Melville and Zac Chase, "Academic Distinctions" is a podcast for educators that tackles the reading and research teachers often don't have time for. With experience as classroom teachers, district administrators, and federal policy wonks, the hosts bring a unique perspective to discussions on education's "greatest hits" and current events. The podcast is committed to delivering engaging, informative, and actionable content that is relevant and responsive to the needs of educators.
0012: Do we need to know more about cybersecurity than a re-watch of Hackers and Sneakers?
Zac and Stephanie talk with Senior Director for Preparedness and Response at the Institute for Security and Technology, Michael Klein, about the importance of cybersecurity for school systems, what families can do to help students, educators' roles, and how we can practice our own cyber hygiene.
Hey friends, it's Zac. Thank you for joining us for this episode. What a lot to be covered here. We have a fantastic conversation with Michael Klein around the importance of cybersecurity in schools. We touch on its importance for educators. We talk about how students can learn about it the most. We talk about what angles from a parent's perspective we can start to do to help people figure these things out. All of it working together. We hope you enjoy and stay tuned for the entire episode because it's just chock full of great information. I'm Zac Chase.
Stephanie:I'm Stephanie Melville.
Zac:And our guest this episode is Michael Klein, the Senior Director of Preparedness and Response at the Institute for Security and Technology and also just an all-around good human being. Michael, hello.
Michael:Hey, it is so wonderful to be here with my fellow fellows and friends.
Zac:Michael, there's a piece in the news that is what led us to talk to you. But we're going to talk about a bunch of things around cybersecurity, cyber preparedness, those kinds of things. Your bread and butter, but there's a sunsetting law that is due to sunset in September. Can you give us a brief explanation of what that law is and what it does? And the best part about this episode for folks who are listening at home is this is also an area of expertise that is not my bread and butter, nor is it Stephanie's bread and butter. So all the questions you muggles, can we say muggles? Like, can we, can we still reference JK Rowling?
Stephanie:You know, it's fine.
Zac:Yeah, she doesn't get any money every time I say it. So yeah, if you were a muggle to the whole cybersecurity and preparedness world, Stephanie and I are your proxy for this one to help make sense of it. Michael, what is the law that is... Because we are muggalicious. What is the law that's sunsetting in September?
Michael:Absolutely. And by way of introduction, I'll say I am still somewhat of a muggle to the cybersecurity work as well. Because I started as a teacher. I taught third, fourth, and fifth grade in Brooklyn and Harlem. And when I started teaching, we were using Palm Pilots, and our students didn't have computers. So it was a long time ago. He's 80, everybody. Exactly. I'm actually 80 years old.
Stephanie:That's why we get along so well.
Michael:Exactly. But what I'd say is I came from teaching and then I got interested in how tech can be helpful for teaching and learning, which is really Zac's bread and butter. And then from there, I became an IT director in a school district during the pandemic. And from there, I went to work at the Department of Thank you so much. and private sector organizations to share information with the federal government that would be helpful for protecting federal networks and just for protecting in general our internet from cyber threats. And it also allows companies to share information between each other without fear of prosecution, right? And so that is like core to everything we do in cybersecurity because threats are not just to one individual. All of us are connected on the internet. And so this law really enables us to be able to share quickly information between different kinds of organizations to stop threats from happening in the first place or to mitigate them when they do happen
Zac:And is the, is the fear on the corporate level like an antitrust piece, like insider information sharing, without this law to, like, to clearly articulate, no, you can talk about this kind of information without fear of of Right.
Michael:So I think that's part of it. And I think it's also fear of prosecution for a number of other reasons, right? Because as you are sharing information about things that might be proprietary, you might be worried about discovery of that information in court. So this provides kind of a legal shield to companies that are acting in good faith to share information, to allow them to do that, to tell the government, here's what's going on, and to collaborate with each other on things that have become really popular, which are called information sharing and analysis.
Zac:So this reminds me of what I talk to my kids when they have done something that they don't want me to find out about. I tell them, it is better for you to tell me what happened than for you to try to hide it and me to find out later. And so this is basically like a, you know, global corporation technological version of that of like, we just want to make it this is a safe space for you to tell us something went wrong, and we will help you. And we'll deal with what we need to do afterward. Is that kind of the gist of it?
Michael:It's a big piece of it. Yeah. And it's a safe harbor, right? It allows organizations to share this information without being worried about getting in trouble. And the other important piece to this is that while the federal government has a lot of control in a lot of places, the internet is mostly owned and run by private institutions. And so they have way more information about most of the things going on online than the federal government does. And so this allows them to share that information to be able to do that collective defense work.
Zac:Fantastic. That is what got us curious about all this.
Michael:One last thing I should say about this is that literally no one is against this. This is a law that literally everyone agrees that at least this thing should be reauthorized. There are people who think we should tweak it in this way or tweak it in that way, but no one thinks this information should not be shared. Everybody who lives in the world of defending, whether you're at the federal government or in states or in private companies, everybody
Zac:Right. And what we are seeing is that Congress, not unlike every student I ever taught, is continuing to wait to do its homework until the night before it's due. And so there are Congress people who are saying, you know what, we will tweak it later. Right now, we just have to get the thing reauthorized. And other people are saying, no, no, let's tweak it now. And they're saying, no, no, we need a continuity of coverage here. So that's fun. It's just people's information. It's not like it's valuable. Okay, so here's a question for you. And we're going to start real broad. Cybersecurity. Why does cybersecurity matter to school districts? And I know that that may seem silly to some people who work in this sector, but I think that, you know, on its face, cybersecurity is apparent. Like, I don't care if they see my kids' essays. Some people might, but like, why does this matter?
Michael:So I would say it's not a silly question, actually. It's one of the main challenges that I think we as education systems and also more broadly companies have is this tends to be thought of as a technical nerdy thing that only technical people can understand. But actually, this is a lot like other kinds of risk. Cybersecurity is about understanding risk and then managing risk, right? And it's the same with financial risk. You don't want just anyone to have access to your finances. You don't want anyone to be able to make any choices with your finances. That's why we have people in charge of finances in every institution, making sure the right things are happening, and then we audit it to make sure there's not fraud and other things like that. Cybersecurity is similar. So the kinds of risks that we worry about in schools, I'd say, are two or three different types. So the first kind of risk, I think, is that schools actually won't be able to open, right? So that's one kind of risk that comes with cybersecurity.
Stephanie:Can I pause you there? What do you mean? Why would schools not be able to open?
Michael:In the last five years or so, there's been a rash of ransomware attacks. And so at its most basic level, this is when a bad guy gets control of a school district's network and can shut that network down. So basically, you wouldn't be able to do a number of things that could include you wouldn't have any internet in the school building, which means you often wouldn't have phones or other systems that are connected to the internet. It might shut down your ability to do lunch service or school buses or things like that. And no school district can open if you can't do those things. And so if one of the concerns we have is ransomware being able to stop schools from operating, that becomes a really big challenge. So I say that's the number one concern is when a school shuts down, it means that parents can't go to work. Kids aren't getting the services they need. And it really stops a whole town or city from functioning. You've disrupted the
Zac:economy. Exactly. Right. Let alone the kids not being able to get the learning. Like the ripple effect there is pretty huge. I'm also thinking about, you know, there are a lot of computer operated security systems in schools, too. Right. So being able to lock the doors or open the doors, just that piece could could keep a school from being able to feel
Michael:like they can open. There's tons of information about their learning, including if they have an individualized education plan for special education, and a lot of really sensitive data on health and learning. And that data should stay private. So that's one really important piece of the puzzle as well as the privacy of that data. And that's really what cybersecurity is
Zac:about too. Getting access to data that we don't want people to have in general, right? Like things that should be private that maybe we don't always think about. Oh, a school district has that on file. Our social security numbers being one of the pieces.
Michael:And then I would say there's one more thing and then I can tie them all together. The third way that we're worried about cybersecurity is what we call business email compromise, but that's really a fancy name for fraud, right? This is essentially when you convince someone to give you information about like a routing number, or you convince them to pay the wrong person. And we've seen school districts lose millions and millions of dollars, which is a huge impact in terms of like, I don't know, maybe a teacher, right? Like you can't pay a certain number of teachers if you lose millions of dollars, right? And so we have challenges with that combination of ransomware, the fear of shutting down schools, which has happened in many school districts. We have data breaches, right? So the confidential data that we don't want going out into the world. And
Zac:Well, that all sounds horrible. So cybersecurity is important to school districts. You have cleared up a lot of misconceptions about cybersecurity in education. Is there anything else that people, we muggles, don't know about that you're like, I wish families knew this. I wish the regular people knew this. I wish educators knew this. And maybe you've covered those three with the height of things that frustrate you.
Michael:I would say there are a couple of things that are important that I wish more people understood. One is that most school districts in the country are relying on a few key vendors to make sure that schools can open every day. Those are your vendors for things like a student information system that holds all of that really important student data, your bus routing systems that make sure kids get safely to school, your food service systems that make sure kids get warm lunches every day at school. And those systems are not things that districts are creating themselves, right? They all rely on two or three vendors. So there's a lot of risk and concentrated risk. And so even if you as a school district are doing everything right for the things that are on your school district network, all the computers that you have, the wireless that you run, all of those things, and you avoid things like ransomware, there are huge risks out there from these what we call third parties, these other organizations that hold all of this really important information. And what we saw in January when I was at the department still was the biggest cyber incident ever in the United States, which was the PowerSchool data breach. And so this was a situation where you had one company that is in charge of the student information systems for 4,000 school districts. This is a third of the country. And so that vendor got attacked. Someone was able to log in with a username and a password, and there wasn't any more protection on that system. And from there, the bad guy, who was actually a 19-year-old student from Massachusetts, was able to log in and steal the data of 60 million students and 10 Right. And the school districts in that context had no control over what was happening because that's all managed by that third party company. You could imagine if you're a person at home that this is like if Google were hacked. Right. You have no control over Google security systems.
You only control your username and password for the system. Right. And so I'm not this wasn't actually Google. This was PowerSchool. But it's a similar kind of challenge. And so that's one of those things that I think we should really understand is that school districts rely a lot on these third parties. And so when these incidents happen, people get frustrated and might say, oh, the district did this thing wrong. But in this case, it wasn't the district. It was actually a vendor that the district and every other district relies on. So that's a really big challenge.
Zac:And I will say, and all three of us have worked at the district level, and we have probably been a part of the procurement, like the buying and contracting process. And there are lots of legal protections that districts put in place that require companies to show that they have done, you know, as much as required, as they can require, to keep those, those data safe, right? So people are with PowerSchool because PowerSchool is very big and, and they do these things, but they're also with PowerSchool because everyone has agreed that these are the, the protections that will be put in place. We're just also living in a landscape where thieves and attackers are just constantly getting better. Um, thank goodness I watched the movie Hackers when I was a kid, and Sneakers. So that I, I maybe, maybe I'm not a muggle. Like I've seen Angelina Jolie hack into a computer. I've seen Dan Aykroyd.
Stephanie:You've seen Ocean's Eight. You've seen Rihanna do it. You know, that's true. Yeah.
Zac:For Phoenix. Like, okay, nevermind. I know everything about cybersecurity.
Stephanie:We know everything we need to know. Right. We're experts. Yeah.
Zac:Also, I know the cheat codes for many NES games. So, maybe I'm a hacker.
Michael:And that is absolutely hacking too. And I think, you know, all you really need is a black hoodie and intense look on your face and staring at your keyboard screen or staring at your keyboard and being able to say, I'm in. And then you're good. I think that's nice.
Stephanie:Sweet. Okay. So with the rise of remote learning and new technologies like AI, how has that changed, you know, the cybersecurity challenges for schools?
Michael:I think I would answer that kind of in one basic way, right? So when we think about cybersecurity, we're thinking about managing risk, right? And when we think about what remote learning did, it meant that we needed a lot more devices. So every student could have devices. We had a lot more internet access, including at school and at home. And we had people accessing new systems in ways they never had before. And so that adds risk in a whole bunch of different areas, right? Because now you're trying to address so many more devices, so many more systems, and so many different ways of connecting that sometimes the school district does not have total access over, right? And so that's one of those big things that, you know, there's a fancy name we call attack surface, which is essentially just like what is available for the bad guy to attack. And so what happened is we expanded the attack surface quite a lot, right? Because we have way more things to protect. We have a bigger footprint. Exactly. Exactly. And with AI, I'd say the other thing, I mean, there are so many ways that AI can be impactful here. We would be in trouble if we didn't talk about AI somewhere in this conversation. But the thing that I think is most interesting with respect to AI on the offensive side is that for the bad guys, now if you get a giant data breach, you can now dump that information into a large language model or something like that and now have it match up. Who are these people? Do some research online. How do I get in touch with them? How do I find this stuff? And so it will allow you to much more rapidly take data that has gone out the door and use it for nefarious purposes. So I think it makes the reconnaissance and the ability to use and exploit that data much faster. But hopefully on the defender side, over time, AI will also allow us to patch things more quickly or find vulnerabilities that are in the systems and deal with them quickly, right?
So I think there's, anytime you see kind of technology move forward, oftentimes you'll see first an advantage for the attacker because the defenders aren't ready yet and the attackers can use these things to exploit. And then you start to see the defenders catch up and eventually have an advantage because the technology overall will allow them to defend the network more effectively.
Zac:Well, this is all terrifying.
Stephanie:Yeah, but you know what, there's got to be like a way that we can, as, as parents or caregivers, kind of like be a little bit more aware of what it is, you know, that, that, that we can do or that our schools or districts are doing, right? Like we've talked about why school cybersecurity is important to families and caregivers, you know, just from a, from a personal identifiable information leak, you know, like where you live, what your kids' social security numbers are, their medical information, who's allowed to pick your kids up, you know, like all, all that good stuff. But what, what questions can we ask of our schools' cybersecurity policies or practices? Like, they're, I feel like being informed is a good thing. Yes
Zac:premise of podcast
Michael:overall for anyone doing stuff for their own their own cyber security or for others. There's one thing like multi-factor authentication, right? So this is like when you are going to log into an account, you're probably familiar with this in your bank. Once you put in your username and password, you're not in and good to go. You either have to receive a text message or use an app on your phone, or even in the fanciest versions of this, you have a little thing you plug into your computer that says, hey, this is me. And that really stops a lot of cyber attacks, right? Because you can't just get in with a username and password you need another thing that is likely on a phone of the person that you don't have access to. And so for the systems that we think about in our schools, one of the most important questions we can ask is, are we using multi-factor authentication in these systems, right? Because that will stop a lot of the breaches from happening. And so that's really important. I think another way that families can be involved is to understand how are you teaching students about cybersecurity and how are you teaching teachers about cybersecurity? Right. Because we hope that school districts are doing some kind of digital citizenship or other kind of program that's helping kids understand this is what it means to use technology. Well, these are the risks and also helping teachers to understand, wow, you have a lot of data that you have access to. Do you understand how we're managing that risk and how not to put students data in places that it shouldn't be and things like that? So I think those are a couple of things that families can do to better understand how school districts are doing.
Zac:You've got a kid.
Michael:I do.
Zac:Your kid goes to school.
Michael:She does.
Zac:So what are the questions you, what do you know about your kid's school?
Michael:So one, in terms of the school district, I knew right away what are the technologies that they're using. So I can be keeping track of whether there's an incident or whether there are issues involved, right? So for me, that was like just a major part of my job because like I was working in cybersecurity in schools. So I was already thinking about that topic. But I would say with respect to my daughter specifically, She is someone who is incredibly curious. And so from a really young age, we have talked about what does it mean for something to be private to you? And what are things you feel comfortable sharing, right? And how do we decide whether we want to share something or not, right? So I think a lot of these things can be in much more basic concepts than the technological ones that we often use. A lot of this stuff is just normal, kind of good parenting practice. And then when it does come to the technology, you know, her iPad has a passcode. We talk about why we use a passcode. And so just getting used to those kinds of things, I think is a good and normal part of kind of growing up with the internet, right? Especially for kids today that have devices all the time. And so I think from the cybersecurity side, that's one thing. Then there's a cyber safety side, which is kind of different, which also is super important.
Zac:My kids are flummoxed that I will not tell them the passcode to my phone. And they will say, you know, what secrets do you hide on there? All of them. Our parents never had to talk to us about cybersecurity. They should have. I was definitely on AIM or in AOL chat rooms, Prodigy chat rooms, pretending to be people I was not. Again, I was a hacker. See? No, that's not what that means. Are there books for kids that families could, for people who are coming to this conversation new, that just boil it down to what you're talking about? Or does it just have to be worded like, oh, I listened to this podcast and they were talking about this? Is that how we're going to get this done?
Michael:This is a huge cultural shift. One thing I will recommend is my favorite book, honestly, on this topic, which is not really for kids, but it could be, is called How the Internet Really Works. I
Zac:love that book so much.
Stephanie:And it's amazing. How have I never heard about it?
Michael:It is the best book. And it has basically pictures of and like there's a little cat and the cat is like navigating the space. So it's like incredible drawings, but it's super, super well done by like professionals. And I learned a ton from it as well. So that's like one thing I would recommend to all the parents out there because most people don't really understand how the internet works. It's really complicated. And so that one's super helpful. And the more I think about it, Zac, and the more I think about my child growing up and the more I think about raising... like an amazing kid has so much to do with boundaries, relationships. So all the things that we think about in the kind of physical world and physical interactions and physical safety, which is something that unfortunately we do have to think about a lot. It's like, how do you help your child understand how to have friendships, how to have relationships, how to set boundaries and keep those boundaries, right? And the digital world is another place to do that work. And it all comes back to trust and it all comes back to your ability to share things when you feel comfortable sharing that. And I think for me, that is the most important piece of the puzzle. Back to your kid's question about why can't I have your login or your passcode? It's because, well, this is private to me and I'll share pieces of it with you when it's important and we can have a shared place where we put that. And there are different things that I'm always happy to share with you, but just like you have a journal in your room that I wouldn't go and read, this is a part of our world that allows you to see so many different things, track your location, take pictures, do all different kinds of things. And so being able to set boundaries on what's private and what's not and who can have access is just a part of living in a democracy. It's part of living and growing in a place where we can think our own thoughts and become full people.
Zac:This hits me in the place where the conversations around digital literacy and AI literacy and all these, there's a new literacy. And if you look at those, you realize, oh man, if we just did literacy right, which we have I was
Stephanie:going
Zac:to say, we don't. They were doing what they wanted to, how to set those boundaries. Then an online piece. I think the difference that strikes me, and I see it in our own home, is the lack of a physical embodiment with the other, right? So in online spaces, the avatar I'm facing in Fortnite isn't real. And so the people who are controlling those characters in Fortnite must not be real either, right? I know they are, but they don't seem that way. So it's much easier for me to give myself stuff my information to them. So the cybersecurity kind of breaks down there. Like, whereas if a stranger came up to me and said to my kid and was like, where are you, what's your address, when were you born, those kinds of things, they wouldn't, they would be like, no way, weirdo. Um, but that the, the kind of online aspect of it, I think, makes it a different conversation. There's a, there's an added level of complexity.
Michael:Absolutely. And I think in that case, Zac, one of the best things we can do as parents and as adults is to help children see the connection between what we would do and expect in a real world physical setting, and how that relates to this online setting, right? What you just did there of describing, I would never do this in this context. Why would I do it here? Just letting kids come to that experience of like, even role playing with them, right? Like, I'm a stranger, I'm gonna come up to you and ask you for the stuff, right? Like, I think there are ways that kids would one, find that fun and silly. And two, it would make clear like, oh, in my head, when someone starts asking me for this stuff, even though I can't see their face, this is creepy or like this is not appropriate. Sorry. I always take us to cybersecurity kind of necessarily takes you to a bad place, but hopefully we're going with positive versions of like what we can do from the bad place.
Zac:Absolutely.
Stephanie:Okay. So, so what are the top three things you would say all student facing educators need to know and do to improve cybersecurity?
Michael:So I think in general, and this is my own frustration in the world, having been an educator and also having been an IT director, and then having worked in federal policy. We're asking school districts every day to defend themselves from transnational criminal gangs. We don't ask towns to do that with physical security, right? Like we don't ask a local police force to like defend themselves against an invading army, right? And so what we're doing is like we are pushing down onto under-resourced organizations the expectation that they defend themselves against really challenging threats. And so I think, like, at a high level, what I would hope is that we understand there's a role for the federal government to both resource, provide the necessary resources to help people defend themselves at the state and local level, and also do the protecting as well. And then for the state departments of education and state agencies, which many of them do, to provide many of the resources that school districts would need, because many of our school districts are very small, like a 600-student school district where the superintendent drives the bus and fixes printers on the weekend is not well positioned to defend themselves against really challenging cybersecurity threats. But I think school districts should be able to, number one, make sure that multi-factor authentication, so that other thing than just a username and password, is turned on on as many systems as possible for as many people as possible. Not necessarily for kids because that gets really complicated, but if you hack a kid's account, for the most part, you can't shut down a school district. You can get their information, that's not great, but I think from a risk perspective, multi-factor authentication on as many systems as possible, certainly for administrators, certainly for teachers. The second thing, make sure that anything that you have in your district that touches the internet is patched, right? Patching first. We're updating by that. Sorry. So every system...
has defects in it, and we find those defects over time, and that's when you have to, like, update your iPhone so that it, like, gets its newest version. Got it. Right. And so it has a security flaw, you just, like, turn it off, turn it back on again for an iPhone, and then boom, it's updated, right? Um, similar for technology in school districts. And anything that touches the internet, like outside your district, can be seen by bad guys, and if there's a vulnerability or a bad thing in the software or a bug, they can get into your system. So patching is number two. So multi And I think the third thing is user education, right? So how are we helping teachers and students understand what the threats look like? This is what a phishing email looks like. This is what happens when you click on a link or download something you shouldn't, right? So those are the three things I think every school district should really be responsible for, right? Because that's stuff that they control directly. For teachers, I would say the things you should be most concerned about are one, does my school district know I'm using the thing that I'm using? So that's
Stephanie:actually- Quite an
Michael:important question. And respectfully, having been both a teacher and an IT director, I'm not saying you should never use things that are not authorized by your school district. I don't want to be the person saying that necessarily. But it's hard to manage the risk of the technology we're using if you are just signing up for a random thing, we don't know what it is, and then putting student data into that thing. So there is a tension there. We as teachers really want to do the right thing, educate our students, get them the newest and most interesting thing. But we need to balance that with the risk of putting sensitive student data into those systems, right? So I feel like that's one thing to really consider. Another thing to consider is, do you know what to do when something bad happens on the internet in your school, right? So do you know who to contact in IT? Do you know how to help escalate something if you see something bad happening, right? I think in the same way that we do fire drills for our physical security in buildings every year We should be doing cyber fire drills, right? Everybody should know what is my role. If I see something bad happening with the technology in my school, how do I bring it to the right person to get that problem solved? So I think the third thing that teachers should be thinking about or asking is how can they make cybersecurity work? real and meaningful to their students? How can they help them understand what it means to be learning online together? And I think that doesn't need to be super technical. That's just helping them to understand when we're engaging physically, like sitting in our classroom here and having a conversation, this is how we interact. And when we're online, we need to think about how we're interacting, what we're sharing, right? So there's that context of being able to help students find their way into society and practice democracy using the technology.
Zac:This makes me think, and I've seen these exercises done with And I think it would be really interesting, especially in like a high school classroom that hasn't instituted some draconian cell phone ban to say, all right, just saying, all right, I want everybody to unlock their phone and pass it to the person two seats down. Don't actually have them do that. But just imagine the response that would happen in that classroom, because I think that gets you to the place of, all right, that's why cybersecurity is important. The things you were just worried about is why cybersecurity is important. And all your phone is guarded by is, you know, a picture of your face or your thumbprint or some alphanumeric code. But those conversations are not hard to have. And I love the point you made earlier about how do we start to have conversations about privacy in general with younger kids so that by the time things get more complex and we're talking about cyber related privacy, they have some sort of foundational premise there?
Michael:Our society tends to take a very punitive approach to people tinkering and trying things, especially with technology. And hacking can be for good. And because that's the case, the earlier we can see students trying and testing those boundaries and direct them towards positive ways to channel that, the less likely they will be to get into a situation where the FBI shows up at their door because they've been going to a place they shouldn't and hacking at things. Which is just
Zac:the same as all psychological development that we know about boundary pushing. So this continues that like if you do it right in the physical non-digital world, your chances of mitigating risk in the digital world are
Michael:great. And the thing I'll say about this specifically is that there is a group, I mentioned the hacker who was 19 years old who got into the power school, right? The biggest kind of like breach we've ever had. There's a group that are like jokingly called AP teams, like advanced persistent threats, but they're teenagers that are really good at this, that are mostly actually English speaking based in the US and the UK that are doing what's called social engineering, right? This is like phishing. This is convincing people to give you information that they shouldn't give you so you can get into their system. And so they're not even really hacking so much as like gathering information and then using it to do the kinds of things that other hackers would do. And this is like groups of teenagers that are loosely associated online. So the more we can help kids steer away from that version of this world and steer towards using those powers for good, to help secure systems and protect their families and protect their communities, I think we can be moving in a much more positive direction. And there are some countries like the Netherlands that actually have programs that are alternatives to incarceration for these kinds of situations, where for a first offense for this kind of thing, you then have the opportunity to get mentorship and learn from people and change directions on this, rather than going down the kind of cyber crime route. So I think there's some really interesting opportunities there in terms of the All right,
Zac:last question. Does these things. Maybe I might too. I think I know what the other one is going to be, but you go ahead and I know what the next one's going to be, but tell me and I'll tell you if I was right.
Michael:Yeah. I assume you're going to know what my next one is. So I use a password manager. So I use one password, which is a password manager, but a password manager in its most basic terms is a really effective place that you keep all of your passwords and it is really well protected and you have one password that that opens the vault that has all your other passwords in it. And you have this live in your browser on your computer. And then it will, as you create your passwords, auto-fill them for you when you go to log in to other websites. And it creates complex passwords for you. Because the problem that this is solving for is that the number one way that people get hacked is through valid usernames and passwords that have been reused or that have shown up in a data breach. And all of us, all of our data has shown up in data breaches, including user names and passwords people tend to use the same password across many many accounts and it's impossible to remember complex passwords for all of your accounts it's just not what we were made to do as people right that's not how our brains are structured and so we need technology to help us with that and that's what a password manager does is it's a secure place to keep all of your user names and passwords including other things that are helpful you can keep identity documents in there and other things like that so when you're on this travel website it'll just auto fill it for you from a secure place, and it'll generate a random password for you. So that's my number one tip would be use a password manager, but don't overwhelm yourself by doing it for everything at once. Get it. Start with just your email and your banking information, the stuff that would be most vulnerable, and then go from there. As you go to log into other things, then change those passwords too. But it can feel overwhelming. So to start with one or two really important ones is a good place to start.
Zac:And you're talking about 1Password. Is this similar to what I know Chrome... And like Google offers a similar password manager. I know Apple products offer a similar password manager. Are those the same thing or not? So
Michael:those are different. And again, that is way better than using the same password everywhere. So if that is a good first step for you, definitely feel free to use the kind of password that's kind of in the browser through Google or through Apple. But ideally, having a separate password manager is something that provides you another layer of security because there are hacks at this point that are able to pull passwords from browsers, depending on the extensions you have in them and stuff like that. But I would say, again, that's better than having the same password everywhere. The other thing I'll say in terms of cyber hygiene for me is on both my Apple device and on my Google account, I have set up what's called advanced protection. And so for Google, what that is, you go into your Google accounts, you go into the security settings, you'll need something called a YubiKey or like a physical token. And I I would buy a couple of them. And what this does is it makes it much more secure for your Google account. People can't just reset your passwords. They can't get into your account as easily. There are a lot of advanced features that will protect your account against hackers and things like that. For me, that's an important thing because I've been in environments where it's important for me to have something like that. But I think it's a good practice for everybody. And on your iPhone, there's something similar for iCloud. If you turn on iCloud advanced protection, especially if you're political world that we live in and now and everything. When you do those things, it does what's called end-to-end encrypt them. So what it does is it makes the data that's on that device and in your iCloud inaccessible to anyone except you. And so it's locking those things down in a much more secure way. And it's turning off features that are often used by hackers to get into those devices. 
That said, the most important thing you can do for your computer, for Chrome, for anything else is just update, right? Anytime you see an update thing pop up, do it, or if possible, just turn on auto updates because no one wants to remember that stuff. And so the more you can just have things happen automatically for security, the better. For your iPhone, it's literally turn it off and turn it on again and you're good.
Zac:Michael Klein, you have been very helpful. Well, let me say this. We've had a number of episodes where we talk to very smart people such as yourself and ask them questions. And there's a lot of like, oh, the world is burning. And I thought this was going to be one of them. Stephanie, I don't know about you, but I don't. It's like more of like the world could catch on fire, but I feel like we've got some really good practical stuff that folks can do
Stephanie:to kind of tamp out those flames. Yeah. Yeah.
Michael:Absolutely. Rather than assuming we can keep all the bad stuff out, we have to be resilient against the things that we know are going to happen. We have to assume that these things are going to get through. We're going to have these issues and we need to know like when that happens, what's our responsibility? right
Zac:thank you michael
Stephanie:thank you
Michael:thank you
Stephanie:Thank you so much for joining us today on this episode of Academic Distinctions. We promised you a good time and we hope we delivered. And until our next episode drops, be sure to follow us on Instagram at academicdistinctionspod. Find us on Blue Sky at fixingschools or find us on Facebook. As always, this is your call to action to share the podcast, like us and subscribe. You can find us online at academicdistinctions.com. Have a question for the pod or a topic you'd like us to dig into? Email us at mail at academicdistinctions.com. Until next week, friends. This podcast is underwritten by the Federation of American Scientists. Find out more at fas.org.