Retired Colonel Eric Toler joined Augusta University in 2018 as Executive Director of the Georgia Cyber Innovation and Training Center (aka Georgia Cyber Center). Toler previously served in the U.S. Army as a Military Intelligence Officer, retiring with over 27 years of leadership and national security experience. In addition to seven combat tours in Afghanistan, Iraq, and the Balkans, Toler pioneered and developed cyberspace operations capabilities for the Army and Department of Defense, serving in key positions within Army Cyber Command, U.S. Cyber Command, and the National Security Agency.
In his role as Executive Director of the Georgia Cyber Center, Toler is responsible for fulfilling the Center’s mission to create an ecosystem of collaboration among government, academia, and private industry partners that helps solve the state and nation’s most challenging cybersecurity problems through innovative education, training, research and development, and practical applications.
Summary of the episode
In this episode of the Cybersecurity Guide Podcast, host Steve Bowcut interviews Eric Toler, the executive director of the Georgia Cyber Innovation and Training Center. They discuss the importance of bridging the gap between cybersecurity education and workforce development.
Toler shares his background as a retired military intelligence officer and his experience in developing cyberspace operations capabilities for the Army and the Department of Defense. He explains the mission of the Georgia Cyber Center, which aims to create collaboration among government, academia, and private industry partners to solve cybersecurity problems through education, training, research, and practical applications.
Toler also discusses the need for inspiring and introducing students to cybersecurity at a young age, the importance of relevant education and training, and the role of experiential learning and work role-focused education. He emphasizes the need for collaboration and integration of cybersecurity into various subjects and the value of real-world projects and research in preparing students for the workforce.
Toler also highlights the center’s initiatives, such as the CyberPatriot program and the cybersecurity assessment and training program for small businesses and local governments. He concludes by discussing the future of cybersecurity education and training, including the integration of cyber fundamentals into all subjects, remote teaching, shared resources, and research projects focused on real-world problems.
Listen to the episode
A complete transcript of the episode
Steve Bowcut:
Thank you for joining us today for the Cybersecurity Guide Podcast. My name is Steve Bowcut. I am a writer and an editor for Cybersecurity Guide and the podcast’s host. We appreciate your listening. Today our guest is Eric Toler, executive director of the Georgia Cyber Innovation and Training Center. We’re going to be discussing Bridging the Gap, Cybersecurity Education and Workforce Development. Before I bring Eric in, let me give you a little bit of his background. So retired Colonel, Eric Toler joined Augusta University in 2018 as executive director of the Georgia Cyber Innovation and Training Center, also known as Georgia Cyber Center. Mr. Toler previously served in the US Army as a military intelligence officer, retiring with over 27 years of leadership and national security experience.
In addition to seven combat tours in Afghanistan, Iraq, and the Balkans, Mr. Toler pioneered and developed cyberspace operations capability for the Army and the Department of Defense serving in key positions within the Army Cyber Command, US Cyber Command, and the National Security Agency. In his role as executive director of the Georgia Cyber Center, Mr. Toler is responsible for fulfilling the center’s mission to create an ecosystem of collaboration among government, academia, and private industry partners that helps solve the state and nation’s most challenging cybersecurity problems through innovative education, training, research, development, and practical applications. And we will hopefully learn more about each of those. With that, welcome Eric. Thank you for joining me today.
Eric Toler:
Yeah, thank you for having me Steven. Good to be here.
Steve Bowcut:
All right. This is going to be fun. I’m already intrigued just reading through your bio. There’s a lot of interesting stuff here and I’m looking forward to digging deeper into that. But before we get there, let’s learn a little bit more about you. I think it helps the audience to understand who it is that they’re listening to and that I’m speaking with. So tell us how you got to where you are as the executive director of the Georgia Cyber Innovation and Training Center. And so what things in your history created that path to get to where you are?
Eric Toler:
Yeah, so you read my bio knowing I was an intelligence officer, really my specialty was signals intelligence, so exploiting foreign communications networks, which was a lot of fun. And so as cyber evolved in the military DOD I got to be at the of the forefront that and riding some of the initial construct policy, getting capabilities integrated into DOD. I got to serve in many what became cyber jobs, mostly offensive, but got to do one defensive job. And of course, as you know, defense is a lot harder than offense by the way. And so I got to do those jobs. You can imagine being a new capability in the army, it’s almost like being a startup with inside this large bureaucracy.
And so when the opportunity here in Augusta rose, it was a natural fit based on my experience of hey, how do you create this new thing that we’re starting really from the ground up. And ironically, I just finished up command at the National Security Agency, Georgia here at Fort Eisenhower, deployed to Afghanistan for my third tour. Was not planning on retiring at the time, but got an email and said, “Hey, we know you’re on active duty, but would you be interested in this job?” And I was like, it is a once in a lifetime opportunity. So I applied for the job, got accepted, and then put my retirement paperwork in and finished up my tour in Afghanistan and ended up here and have loved every minute of it.
Steve Bowcut:
Excellent, thank you. I especially liked that you focused on the idea that defense is much harder than offense. So as the old saying goes, and I’m sure you’ve heard a million times that maybe it’s a new idea to think about, something to ponder about for our audience is that in defense you have to be right every time. In offense, you only have to be right once, right. So there’s a big disparity in how you go about that.
Eric Toler:
Yeah, so true.
Steve Bowcut:
When did you first get interested in cybersecurity? Well, when you spent 27 years in the military, so what probably happened at some point when you were in the military or was it even before that?
Eric Toler:
Yeah, it was really probably a little… Well, right at 20 years ago is when we really started focusing on what we call computer network operations. At the time we didn’t. Cyberspace was not really a military term until about 2007, 2008. But as we were looking at capabilities to exploit internet communications, protect ourselves from adversarial capabilities, there started to be a focus. And at the time we really didn’t have a capability in the military to sustain that. And so that’s when we started moving towards the entire development of a new capability into the military. And as a signals intelligence person, I mean what we were doing was really what is offensive cyber operations minus the creation of an effect at the end. But you have to gain access to the networks in order to exploit them, take the information. So if you were to create some effect where you were to break a computer or cause impacts into your critical infrastructure, that’s beyond what the intelligence community does. But gaining access is essentially the hard part of that mission.
Steve Bowcut:
Right. Okay. Thank you. All right, so let’s talk about the cyber or the Georgia Cyber Innovation and Training Center. Tell us about its core objectives, mission statement, what it does, that kind of thing.
Eric Toler:
Yeah, I’ll start with the creation of the center and why we’re here. It was really what I call a challenge that led to an opportunity. So the challenge was the Army decided to move Army Cyber Command from Fort Belvoir, Virginia to here at what was Fort Gordon now, Fort Eisenhower. And that decision was made in late 2013. And so there were senior military leaders that came to our governor at the time, Nathan Deal, and said, “Hey, we’re excited to move to Georgia, but we don’t think that you’re ready for us because we’re going to have to have a trained and sustained workforce. We’ll need assistance and capabilities, development, research and development and things.” And so that’s when Governor Deal took them pretty seriously. When you think about the impact on our economy that Fort Eisenhower makes, which is estimated about 7 billion a year now, contributed to our local economy for the state of Georgia.
This was, I don’t want to say it was a no-brainer because it was actually a pretty aggressive contribution to donate what became a little over a hundred million dollars to build our campus here in downtown Augusta. And it was really our name training and innovation center was to hit the two things that the Army was asking for. That was the innovation piece and the training. Now our mission is much larger than just Army and just the training and innovation, although those are our focus areas. And so getting into the vision when I came on board, you have this scar tissue or this experience. For me, it was working in the Pentagon from 2006 to 2009, and I worked on the Army staff working for the G2, which is the senior intelligence officer in the Army.
And during that time period, like I said, that’s when we defined cyberspace as an operational term or as a military term. And we did all the foundational work that led to what’s now US cyber command, a career field for cyber in the army. And so that was a pretty important time. But now 15 years later, I would argue that we still haven’t fundamentally changed the way we recruit, train, and retain talent, certainly in the government, but also some in the private sector. The way we do capabilities development as a normal seven year acquisition process doesn’t work for a hundred lines of code that you need today to counter the latest version of malware. Or the way we fight as a nation, which is really where some of my passion lies is how do we defend ourselves against these nation state cyber threats? Who’s responsible? Well, no individual entity is or has the authority or the capability, so we’ve got to work together to figure this thing out.
Our vision when I came on board was we’re evolving, we’re moving forward, we’re progressing, but not fast enough. We’re getting outpaced by what I would say is our greatest strategic threat right now in China. And so we wanted to move faster. So our vision was to lead a revolution in cybersecurity through this unprecedented collaboration of having these entities of government, academia and private industry in the same building, on the same campus working together. And so that was our vision. From a mission standpoint, we will go through these, but really it’s leveraging this ecosystem to do five specific things. One was to provide affordable and relevant education and training. Those are very specific words. Develop our region’s workforce, that’s the region of Augusta, but also the southeastern United States region. Solve complex cybersecurity challenges, provide advice to our leaders and our policy makers. And then finally facilitating actual services, cybersecurity services and information sharing. We didn’t originally envision that, but it’s something that we’ve seen as a big gap that we’re starting to tackle as a challenge right now.
Steve Bowcut:
Interesting. And I really don’t know the answer to this. I probably shouldn’t ask a question I don’t know the answer to. But what a lot of people, I think, and particularly young people who maybe haven’t had a lot of exposure to how the military works, you think of the military as being self-contained, right? So they come into Augusta that they’re this self-contained group, they bring their own personnel with them and it wouldn’t have that big of an impact other than the fact that the people they bring we’re now going to be buying goods and services from the community. But that’s probably not the right picture. When the military moves into a community, they don’t bring all, some of their leadership people with them.
They don’t necessarily bring all the people that are going to work in that environment. They pull from… And that’s why they needed you to do the… Build that workforce is because they pull from the both in civilian employees and then also recruits, I assume. And how much of which, is it mostly civilian employees that they’re looking for that they need you to train? Or is it people that they’re looking to recruit into the armed services? Some of each, I presume?
Eric Toler:
Yes, it’s exactly right. It’s both.
Steve Bowcut:
Okay.
Eric Toler:
We certainly need more people in uniform and they’re having trouble, like I said, recruiting and retaining those that have these special cyber skills because they’re so marketable on the outside. And then there’s a large civilian workforce as well that supports them, whether department of Army, department of Navy civilians or Department of Defense civilians that work in our intelligence community and other places. So it really takes that team. And what’s interesting about our ecosystem and the area here is because there’s no armor or infantry units on Fort Eisenhower, they’re all Signal Corps or communications IT folks, they’re-
Steve Bowcut:
I didn’t know that. Okay.
Eric Toler:
They’re cyber and they’re Intel. There’s more intelligence soldiers on Fort Eisenhower, I think, than any other place on the planet. Four brigades of Intel doing 24-hour operations every single day. So that’s the talent pool that we have here. In order to sustain that, they realize that it can’t be just this self-contained entity anymore. They have to engage with the community. They have to engage in our K through 12 programs in order to inspire students and get them interested in a career in the military or support to national security. So that’s where we come in as a partner to help with some of those initiatives to make the connections. We train service members, we train civilians, and it’s really been a lot of fun to have this growing community of military and the rest of the civilian population.
Steve Bowcut:
Interesting. All right. So let’s see if we can explore a little bit how this cybersecurity training actually gets to the end of the row. How do we actually get the training to the students or the early career professionals who need it? What programs and those kinds of things are in place?
Eric Toler:
Yeah. That’s a great question. When we first opened, just to frame the problem a little bit, right when we first opened, we would do field trips for middle and high school. So we would bring in 30 or 40 students. We’d ask them, “Hey, who’s interested in the career in cybersecurity?” And no hands went up. Maybe the one kid that their parent works at NSA or something. And we’re like, “Why? Why would you not be interested in this great career field?” And they’re like, “Oh, it’s too hard,” or, “There’s too much math.” Or they have this impression of a 24-year-old white male in a hoodie working in his basement coding 14 hours a day and drinking a lot of Mountain Dew and Cheetos, which is appealing for some people, but not all people or all demographics. And so as you start introducing them to the 52 different work roles that are in the nice cybersecurity workforce framework, you let them talk to the people doing the work.
Whether that’s what is unique about our ecosystem is, “Hey, you want to talk to a digital forensic investigator from the Georgia Bureau of Investigation? They’re here. You want to talk to a security operations center analyst, they’re here. You want to talk to a cyber operator from the military? They’re here.” So when you start talking about what they actually do, then that’s when the lights come on and they’re like, “Okay, maybe this isn’t so hard.” And because we have such a diverse workforce here locally, every single person can see themselves and someone else and see them doing that. So that is a backdrop. What we’re working on is really… We call the overarching program a pathways to pipelines. So if you look in Georgia education system, they have what’s called pathways. And so you have computer science pathway, a cybersecurity pathway, other technology, other non-technical pathways.
And there are really three courses that have a certification at the end that set you up to either go directly into the workforce or go into a further education program and in college or university. And so leveraging those pathways, we really have a huge focus on K through 12. Like I said, in order to solve our workforce challenges on the back end, we’ve got to increase the output out of our high schools by about a factor of 10 is what we’re estimating. And to do that, you first have to inspire them, you have to introduce them. It’s hard to aspire to be something you’ve never seen before. And so in many cases, students from rural schools or other disadvantaged communities, they don’t know what cyber is, they don’t know what the opportunities are. So that’s what we’re trying to do is introduce them from elementary school all the way through high school.
The other challenges is with the teachers. Most of our teachers are not computer scientists or cybersecurity professionals, so we have to help them. We have to teach the teachers. And then back to the students, it’s really promoting all these extracurricular activities, camps, programs such as CyberPatriot, I’ll talk more about that. Cyber Start America, Gen Cyber. We host our own cyber Georgia STEM Fest twice a year. So those are the type of activities where you get to bring the students in a very interactive environment, and that’s really what gives them that spark to want to have the interest. And so if you take that pipeline, bring it into a college or university setting, your programs really need to be what we call relevant. And so they need to align to what is actually needed in the workforce. And so I think here we have both Augusta Technical College and Augusta University.
I think both institutions have done a great job of understanding what is needed both in the public and the private sector, and then adjusting their programs accordingly. And then the other component of that is experiential learning. So that within our two buildings, we’ve got currently 92 student assistants slash intern positions where students are doing real work, getting paid for it. Not answering phones or getting coffee, but they’re SOC analysts, they’re cyber range developers, et cetera, et cetera. And then beyond that, it’s for professional development, providing additional training, whether that is through industry certification training, whether that’s through exercises, Capture The Flag type events, et cetera. And so we’re really trying to look from inspiration through true education and then work role based education and training. So when they graduate, they’re work ready for specific work roles within the cybersecurity framework.
Steve Bowcut:
Interesting. I love that. So that answered a lot of the questions that I had. So that pipeline will take them all the way through to actually being ready to go to work in the field. But I guess it raises another question. So the amount of collaboration that I think that it must take between all of these partners, so you’ve got academia, you’ve got the government, you’ve got private industry, you’ve got all these entities with different even… Well, let’s hope they don’t have different agendas. They’re all looking to accomplish the same thing, but they come at it from a different perspective. So how does that all come together? How do you make sure that you’re training the right people in the right aspects, teaching them what they need to know that you’ll have what you need? This is a year’s long, you’re talking to K 12 students, so we’ve got some time in there that it’s going to take to get those people ready.
Eric Toler:
So that’s the frustrating and the fun part, mostly fun. Most organizations or individuals are not naturally collaborative. It’s not really a cultural thing. And then as you alluded to, every organization has a different culture. Every industry partner that we work with has a different culture. There’s different cultures within government institutions. And so it’s really finding commonality amongst those different organizations that we can work together on a specific project. I’ll give you a great example that’s education focused where we talk about bringing partners together. So CyberPatriot, I don’t know if you’ve heard of CyberPatriot.
Steve Bowcut:
I have. But talk about it a little bit in case our audience isn’t familiar with it.
Eric Toler:
So it’s a phenomenal program that is sponsored by the Air Force Association and Northrop Grumman. It’s essentially a turnkey solution to teach kids how to build a network, defend a network, and all the cyber hygiene skills that you need. There’s a year long session that goes with different groups and mentors training. And then what we do here at the cyber centers, we host two camps every summer. One for a beginner camp and one is an advanced skills camp. The camp we’re hosting, as we speak, is the largest CyberPatriot camp in the history of CyberPatriot. We’ve also won the CyberPatriot Center of Excellence for the nation two years in a row. Why did we do that and how do we do that? Well, the why is because of the need of our local students locally and the need for the workforce to get them interested in this career field.
The how is We have a nonprofit here that’s actually is the advocate for Fort Eisenhower, so the CSRA alliance, that’s the central Savannah River area, which we’re in the seven surrounding counties around Fort Eisenhower. So the CSRA alliance for Fort Eisenhower, a non-for-profit. Again, advocates for all the units on Fort Eisenhower. They also have a committee for K through 12 education because again, we’re starting to try to inspire and recruit those students while they’re still in high school. So that’s why he oversees this program.
We have industry sponsors that help pay for it to include not only private industry, but our own Augusta University. So the kids come to the camp for free, their meals are paid for, their T-shirts are paid for. They get computers that they don’t have to buy, they can bring their own or we’ll provide them one. The instructors are some of the best of the best from NSA Army Cyber Command, Navy’s information operations group, my staff, some of our industry partners, AU faculty and advanced students. And so it’s like if you’re equate it to your 16-year-old son or daughter getting taught to drive by Dale Earnhardt.
Steve Bowcut:
There you go.
Eric Toler:
Yeah. So we have the best operators in the world training these middle and high schoolers. So that’s just an example of how this ecosystem comes together for a common purpose that really is directly focused on our middle and high school students.
Steve Bowcut:
Excellent. So that begs the question in my mind. I had intended to ask this later, but maybe now is more appropriate. So is what you’re doing most relevant only to people who live in the Georgia Augusta area? Because eventually the programs we’ve talked about that you’re spearheading here, those people need to live in that area at the end. So they could live in Pennsylvania now, I guess, and take advantage of some advantage of that, or is it so much of it they need to be in Augusta, Georgia area now?
Eric Toler:
So yes and no. Certainly if you’re here, the impact is greater because if you’re here in person, you get to interact with all these professionals from all these different sectors. From an educational standpoint in person is in my opinion, the most effective way. But it doesn’t work for everybody. So what we’ve developed, and even before covid, I mean Covid brought this to the forefront, but all of our training, for example, is normally a hybrid format where we’ll have people here being trained, but we’ve also got people participating from all over the world in some cases. And so our… IT is suitable so that you can log into any of our training. All of our classrooms have cameras and all the right technology we need to accommodate that.
I’ve actually taught a class where I had half the people in the class and half of them online, and it’s actually pretty effective and it’s still interactive, and I think you still get the value of that. We also have our own cyber range, so our own cloud computing capability here where all of our content is hosted. So we host Capture The Flag events. We’ve done one recently that was a… It’s an NSA and Department of Homeland Security Centers for Academic Excellence Program where we developed a Capture The Flag and hosted it on our range. We had a hundred teams from 69 different universities participate in that event. We’ve also had other Capture The Flag events where we had teams from all over the world participate. And so again, ideally it’s good to be here, but you don’t have to be. And we collaborate with other universities across the nation, some foreign universities, and certainly on the training, we can reach out to anybody anywhere in the world as long as you have an internet connection and a browser.
Steve Bowcut:
Got it. Okay. Thank you for that. And that set up the next question because I would like to get some advice from you for students that are trying maybe to decide what they want to do and whether cybersecurity fits into that. So maybe specific degrees or certifications that you think they should consider or how they might get involved in the Georgia Cyber Center? What would be a pathway for them to get there? And then of course, we would have to talk about people who live in Georgia and then people that maybe don’t.
Eric Toler:
Yeah, the best advice I can give in general is just find something that you love to do. Find your passion as they say, whatever that is, and pursue it with everything that you have. If it’s technology that you’re passion and you don’t really know where you want to go, again, depending on where you grow up or what school you’re going into, you may have different opportunities. Certainly talk to your career counselors, but seek out advice from those that are in the profession if you can. Again, that’s a role that we play. If you don’t have that, you can call us and we’ll give you some advice on that because I think when you talk about degree programs, the specific degree you’re in initially may not mean as much because there’s much overlap in some of these programs, whether you’re in computer science, cybersecurity, information technology, we have a cybersecurity engineering degree, we have a spot cyberspace operations degree.
You can thread the needle on that as you find your interests. But we have a lot of students that may start off in computer science, but they like the coding aspect of it, but they like the security more. So they’ll end up majoring in cybersecurity and minoring in computer science. If you’re going to follow this career field, you need to understand networking. You need to understand some level of computer languages and coding. I mean, those are just baseline skills. And then as you get into the different work roles, whether it’s digital forensics, penetration testing, cyber defense analyst type work roles, you can get more aligned to that specific work role. So if you’re a student coming into through high school into the college scene, I wouldn’t be too worried about knowing exactly what you want to do. Again, we can help you along the way.
What we’ve seen is as they get into class and then as they get into the experiential learning and actually having jobs in a work role, that’s when they really find out where they want to focus and then they’ll go on that path. As far as the certifications go, I’m not a real big fan of industry certifications. I think if you’re applying for a job and you know what work role, that job posting will tell you what certifications you need, but in most cases, they’re pretty generic, and in my opinion, they’re not a great bang for your buck. But some jobs mandate them and we can provide all those. We can do COMPT security plus, network plus. We can do Cisco Networking Academy courses, et cetera. But again, I wouldn’t pursue those unless it’s a requirement for your job. Yeah. So does that answer your question?
Steve Bowcut:
It does. Thank you. I appreciate that. One of the things that I really like to see us focus on this show is a very wide net. And you’ve already alluded to this a couple of times, that you don’t have to be only interested in coding, sitting in front of a computer writing lines of code. You do have to have, as you’ve termed it, this baseline knowledge of networks and programming and how that works. But you could be interested in artificial intelligence. There’s a big need for people in cybersecurity that understand artificial intelligence. You could be more interested in social engineering and what makes people do what they do and why they do those things. And there’s a need for people with that kind of an interest in cybersecurity. So the net is pretty wide. You can be interested in just about anything and still find a home in cybersecurity. And I think that’s part of what is you’re telling us. Yeah.
Eric Toler:
Well, and I’ll go one step further and just say even in the social sciences, the integration of that with technologist is very powerful. When you talk about social influence and the ability to influence target audiences and a lot of the misinformation, disinformation that’s out there, it’s important to have that social science aspect alongside your technologist to be able to counter some of that or to use it to advantage if you’re doing marketing or those type of things.
Steve Bowcut:
Yeah, absolutely. All of our lives are being greatly affected by algorithms these days, and we need people who understand the kinds of algorithms that are being used, not just in social media, but in all kinds of what might be termed propaganda in one sense or another.
Eric Toler:
Yeah, social engineering is off the scale right now with the machine learning and AI support.
Steve Bowcut:
Absolutely. So are there any successful projects or initiatives that you’d like to highlight? Maybe have we touched everything in that area that you wanted to talk about, or are there some other things that you’d like to maybe highlight a little bit more?
Eric Toler:
Yeah, I think there is one more that, again, it’s really both a workforce development program, but it’s also a service provision program. And so we had this idea of creating this national culture of cybersecurity. We talked about cultures and that challenge national… So that’s a huge undertaking, huge problem. So you got to take one bite off the elephant at a time. So we had this idea, we were looking at the challenge that small businesses and local governments have. We were the left behind entities, as I call them, because they don’t have the expertise locally. A lot of the service providers, some of your better ones don’t really go down to that level because of the return on investment, so they’re stuck at the bottom. And so we had one of our academic partners here in the university system of Georgia called the Georgia Institute of Technology. You may have heard of them, actually known as Georgia Tech.
So they were looking at an economic development administration grant opportunity to use artificial intelligence to make manufacturing in Georgia more efficient, resilient, and secure. So they reached out to us to be the security partner on this grant. They said, “Would you be interested?” “Yes, of course.” And they say, “Here’s a rough budget. Tell us what you want to do, and we will write that into the proposal.” And so what I was looking at what was needed was these smaller companies, manufacturers, they need to understand what their true risk is, not from somebody that’s trying to sell them a product, but from an unbiased entity that can come in and do what would normally be an assessment for some accreditation. But we don’t want to do that. We just want to use that same framework. So we use the NIST cybersecurity framework using industry partners that we have for their automated AI enabled tools to do a technical assessment of these companies networks.
And then we provide the CEO and their leadership with an assessment of what we saw versus their true network configuration based on their critical systems functions data, their bottom line of their business and the current threat. And we provide that information with recommendations to that entity. We also provide them training. We’ll do a workforce wide training, a cyber awareness training. We’ll do a professional training for their IT and cybersecurity staff if they have one, and then a tabletop exercise for their leadership based on their current network configuration and vulnerabilities. So we build a scenario based on their current situation, and then we’ll walk them through an incident response type event or events so that all their team can react and either execute their plan or give them information in order to build a plan.
Some of them don’t have responsibility. The service part, the workforce part is we’re doing this with university students, so the entire workforce minus our project lead who’s a subject matter expert that did this in the military for 30 years, or university students who are cybersecurity computer science majors. And then we put them through a five-week training program, and then they help run those assessments, help with the outbriefs doing all the information. And so they’re getting to talk as a university student to CEOs of companies. So pretty cool. So that’s-
Steve Bowcut:
About a real problem in a real environment. I love that.
Eric Toler:
Exactly. And this coalition that Georgia Tech’s running, it’s 13 different partners, the state with academic industry, government. It’s a fantastic example of this collaboration that we’re doing here in Georgia.
Steve Bowcut:
Wow, that is incredible, commendable. All right, so we’re getting a little short on time. Couple of things that I do want to touch on though before I let you go. And the first one is influence on policy and legislation. I don’t know if that’s something that you get involved in. So let me pose that in the form of a question. How much do you need to get involved in influencing policy and legislation to achieve the things that you are trying to achieve? Are you working with lawmakers and policy people to make that happen in Georgia or in the military, or is that not really a challenge?
Eric Toler:
Yes, of course. It’s a challenge. And again, we’re not trying to necessarily push policy, but we’re trying to inform policy makers because as you can imagine, most of our elected officials are not technology experts. And so they need some trustworthy, competent people to help them with their decisions. Now, I am on the Governor’s Cybersecurity advisory board, and I can talk about a lot of the great things we’ve done for state agencies. I was on the Department of Administrative Services, workforce board for IT, and cybersecurity work roles. We’ve made a lot of progress on improving those processes in order to attract talent to, again, state jobs. But it’s also about if a legislator reaches out and wants some advice or ask a question, we want to be able to provide a good response.
And it’s not just Eric Toler or Georgia Cyber Center. What do our partners think about this, whether it’s other government, academic or private sector partners, how would a new bill that’s being introduced impact their ability to do business or to do research in the state? So that’s the advice that we’re providing. We’re also working with our Army cyber partners and others in order to shape certain policy decisions when it comes to cyber education or how do we need to better support our K through 12 schools, things like that.
Steve Bowcut:
Okay. Well, and that’s reassuring to me. So you’re more of a resource to policymakers, legislators so they can have informed information rather than trying to influence them. What I was hoping is that we, in our culture, in our country, we’re at a place where everyone knows that there are threats and there are risks. You’re not out there trying to convince people that, oh, there’s a problem and we need to have cyber experts looking out for our wellbeing. So we’re past that in our cyber landscape. Everyone, that’s a given, but they still need information. They need to know what’s real and what’s not and what some options are for mitigating threats that might come. So that’s reassuring, I think.
Eric Toler:
Yeah, I’ll caveat that and say a lot of people get it now. There’s still a lot of people that-
Steve Bowcut:
Really?
Eric Toler:
Yeah. There still… Yeah, I’m sorry.
Steve Bowcut:
No. Well, that’s true. And I want a real view of this, but I was hoping that maybe there aren’t very many people left that don’t understand that this is a real threat that needs to be dealt with as soon as we possibly can.
Eric Toler:
Yeah. When you look at national security threats, it’s always threat equals capability plus intent. So our adversaries certainly have the capability to do devastation to the United States through this cyber domain. What they don’t have right now is the intent to do that. But that’s right along-
Steve Bowcut:
That could change, right?
Eric Toler:
That can change in a blink of an eye. So if China were to decide to invade Taiwan, they would certainly use their cyber capabilities to disrupt us and our response to intervene in that conflict. If Putin feels like he’s losing and is going to lose and the US is providing all this support to Ukraine, he could retaliate. Same thing with Iran. So you’ve got these nation state actors out there with capabilities. You’ve probably seen the FBI director recently talk about the Chinese access to our critical infrastructure. So nothing big has happened yet, but it could happen at any moment. And if you just use the examples of here locally, Colonial Pipeline, that was a ransomware attack on the business network of that company that impacted the flow of oil because they stopped the flow because they were losing money. And there was a panic, and people here couldn’t get gas. I mean, there was a week period where you just could not get gas. So that’s the impact of a cyber type thing. And that was not even on the critical infrastructure. That was on the business network.
Steve Bowcut:
Okay.
Eric Toler:
Sorry.
Steve Bowcut:
No, no, that’s all right. I appreciate that. All right. So let’s end with a future looking question. I think you’re in a unique position to give us some perspective into what you think the field of cybersecurity education and training over the next few years, what it will look like. And if you want to compare that, I guess what it needs to look like, if there’s a disparity there, then let’s talk about that as well.
Eric Toler:
Yeah, I think hopefully we’re helping drive some of these changes in a positive direction. That’s our goal. But at a K through 12 level, I really see a need and hopefully a move towards integrating in cyber fundamentals into all of our subjects at all grade levels. So for example, if you’re teaching a math class, let’s teach a simple Python script that can help you-
Steve Bowcut:
There we go.
Eric Toler:
…solve the area of a circle, right? At the end of the day, we have got to develop a more digitally literate society and what better place to start than with our young people. I also see cybersecurity potentially becoming its own core subject at some point somewhere to math and English and history. I think it’s that important for us to be able to operate within this digital environment safely and effectively. But if we’re not educated to do that, we’re going to be vulnerable.
I don’t think we’re going to solve the teacher problem when it comes to having dedicated computer scientists or cybersecurity professionals, but I think we can greatly enhance their capability, not only by teaching them, but by having shared resources. So right now you’ve got teachers that get the state standards, then they have to build their own curriculum to meet those state standards. That’s difficult. So we could host common curriculum on a common cyber range environment that they can access. So all that curriculum is available to anybody. People can contribute to that, they can use it. So shared curriculum, I think we’ll see more remote teaching. So I mentioned those hybrid environments where you can teach students in class, you can teach students remotely. I think at a high school level, you can have more teachers that come in and teach from a remote location into the classroom where you’ve got a teacher in the classroom that’s facilitating and managing.
But you’ve got the expert that’s coming in through a Microsoft Teams or Zoom type video teleconference. I think more experiential learning is needed, particularly in our university programs, but also in high school. I think more work role focused education instead of this generic theoretical degree that a lot of universities provide that are, in my opinion, not real effective. It’s really more focused on specific work roles with hands-on experience, again, so that when you graduate, you’re work ready. I think having universities and colleges reach out again to their local community in order to understand the workforce needs. And then that’s where you determine what work roles you’re going to focus on for your education programs. Getting them more integrated into your education program. So you may have a professor who’s teaching, but you can bring in experts from the private sector or government to teach some courses for you, make that more interactive.
And then finally, our passion here is putting students to work while they’re still in school. And so most students are going to work while they’re in college. Some of those are going to work at a fast food restaurant. Some of those are going to work at retailers. They want to have them work in a career that they’re going to pursue and so what we do is we have students that are engineers, developers working on our cyber range. We have our entire frontline of defense in our security operations center for the university active live SOC with 20,000 endpoints are university students. The George Aim team that I mentioned, doing cyber risk assessments, all students. We have students working for our industry partners. We have students working for Army Cyber Command, for NSA, et cetera. And then the last thing I’ll say is more from a research perspective than education, but it goes hand in hand, is focusing our research projects on real world problems. And so if you’re doing a senior design project for Army Cyber Command, and I’ll just use this as an example because we just did it.
The value to the student is incredible because you’re solving a real world problem and getting mentored by experts in your field. You’re not just coming up with a crazy idea and maybe you can get through it and get an A, but you’re really not learning much and you’re really not contributing. But we just had… The Army cyber had a problem of how do we predict zero day exploits before they happen through these cyber scripts. So what they did was they, hey, we’re going to sponsor two teams of four students. We’re going to give you this data that was from previous zero day attacks.
We’re going to allow you to build a environment in your range, run that data back through in order to get clean data that we can use to then train AI models that can then predict potential zero days. So the students did that for a year. They just did the outbrief a few weeks ago for their graduation project. And I’ll tell you, it’s one of the best presentations I’ve seen, and I’ve seen hundreds of senior DOD level technology presentations. I mean, it was that good, but that’s the type of programs that we need to adopt nationwide in our schools so that these students are working on real world problems.
Steve Bowcut:
All right. Well, thank you so much. That is very sound advice. There’s a lot of wisdom in that, and I really appreciate you sharing that with us. And I hope with all of my heart that you’re successful at what you’re doing. That the message that you have is getting to where it needs to get. So this kind of thinking proliferates across the country, not just in Georgia, but across the country, because that’s what we really, really need. I’m particularly struck by this idea of using subject matter experts in education. Even in high school. There’s no reason you couldn’t bring in a subject matter expert. They may not be a professional educator, and that’s fine. The professional educator can sit in the background and keep things on course, but they have the expertise and the experience, that coupled with giving students at a high school or college level real hands-on experience doing what it is that they’re going to be called upon to do after graduation is just so invaluable. So thank you so much, Eric. I really appreciate it. This has been a great conversation and I appreciate it.
Eric Toler:
Yeah, well, certainly my pleasure. Thank you for what you do. Again, you’re helping us get that word out, so anytime we can-
Steve Bowcut:
Well, I hope so. That’s our objective. So thank you and a big thanks to our listeners for being with us today. And please remember to subscribe and review if you find this podcast interesting. And join us next time for another episode of the Cybersecurity Guide Podcast.