Reema Moussa  0:01  
From the Internet Law and Policy Foundry, this is the tech policy grind podcast. Every two weeks, we'll discuss recent developments and exciting topics in the technology and internet law and policy space. I'm Reema Moussa, and I'm a member of the fourth cohort of the Foundry Fellows.

The Foundry is a collaborative organization for internet law and policy professionals who are passionate about disruptive innovation.

Welcome to another edition of fellow highlights where we chat with ILP Foundry fellows about their careers and current projects. This week, I chatted with Rikki George, the ILP Foundry class for president about her work leading a cyber exercising wargame program in the financial sector. We also discuss what's coming up with the Foundry. Hi, Ricky, how are you?

Rikki George  1:03  
I'm doing well. Reema. Thanks for having me on.

Reema Moussa  1:05  
Absolutely excited to chat with you about your career and also everything going on with the Foundry. So I want to start with you. What got you interested in the field of tech and internet law and policy? And cybersecurity in particular? As that's your, your field of expertise. Just walk us through your career journey.

Rikki George  1:39  
Yeah, absolutely. So I really kind of got my start, in many ways fell into cyber. I started as an intern on the brand protection team at JPMorgan Chase was an undergrad, and really what that involved was doing investigations of intellectual property infringement, so sending cease and desist letters. And that's where kind of the law on the internet really bridged for me. And then shortly after joining that team, we got moved internally into the cybersecurity department. So I got my first taste of cyber threat intelligence and doing kind of more traditional cyber investigations and, and cybercrime, deterrence. And I really just, like fell hard for that. And that's kind of how I got, you know, got started. And I've always kept an interest in law because I, you know, think back to the times, early on, as an intern doing brand protection, where it was such a struggle to use the legal resources at our disposal to actually combat some of the Cybercrime that our firm was experiencing, or that was targeting our customers and, and employees. And so, you know, it's been an interesting journey. But I've definitely kept locked in to the both of course the cyber side, but the, the legal side of things as well.

Reema Moussa  2:55  
So what are you doing now for your current work?

Rikki George  3:00  
Yeah, so my current job is to run the cyber exercise and wargame program at a large financial institution. And really, what that means is that I look at the cyber kind of threat landscape, and then look at, you know, where my organization is going from a business perspective, and then come up with realistic or what we call extreme but plausible cyber attack scenarios to run us through. And I do that at a variety of levels. So we do it at a technical level, where actual, you know, hands on keyboard incident response folks can, you know, look at a piece of malware that we may have come up with and fabricated and evaluate how effectively you know, we'd be able to detect it and report upstream what it's doing to our environment and how it affects our business operations. And then we also do it at the executive level with our senior most executives. So everybody kind of just south of the CEO gets involved. And we look at how they would evaluate things like reputational risk and customer communications and, and regulatory disclosures. So it's a really kind of fun permutation of what I was doing before, I'm still very much involved in what are the cyber threats. But now I'm also focusing on how do we manage the risk that the cyber threats pose to my firm, which is part of kind of the critical infrastructure here in the United States. So it's, you know, a fun but also heavily regulated space to be.

Reema Moussa  4:27  
Cybersecurity is a new career field, relatively speaking, and it's growing really quickly. What got you initially interested in running a cyber exercise program? And why is such a program important to a business?

Rikki George  4:51  
Yeah, I think, as with many people in cyber, that we don't always like know where we're gonna land in the long term. I think if I looked back Given a few years, I don't know that I would have, you know, known that cyber exercises was, you know, on the horizon for me. But what really jumped out to me about this job was understanding that you can prepare an organization for that worst day, right, like a large scale cyber incident that may, you know, cripple you know, 75% of its business operations, you can prepare and practice that before it actually happens in the real world environment. And so that was really exciting to me to see how that whole process unfolded, I jokingly call myself a cyber crisis party planner. But it is an important thing to do, because the regulatory framework in the United States, especially for the financial sector, is extremely detailed. And it does require that financial institutions such as the one I work for, and all the major banks and exchanges, actually do these type of tests to help, you know, keep the US financial sector resilient. It's just a regulatory requirement. But I think it's also business necessity, to be able to understand, you know, where the weaknesses are and an ability to respond to a large scale, breach or large scale ransomware incident or insider threat scenario, whatever it may be. So it's a it's an interesting place that sits kind of at the the junction of regulatory requirements, cybersecurity best practice, and then also like emerging threat analysis.

Reema Moussa  6:31  
Someone who's familiar with the cybersecurity field might have heard the terms such as tabletop exercises, war games, etc. which are components of a cyber exercise program. But what do these actually look like? Could you walk us through maybe an example of what these games might look like in practice?

Rikki George  7:03  
Yeah, absolutely. I think it's really interesting, because there are so many different types and, and that the type that's best at any given moment is really driven by the participants, the maturity of what we're trying to exercise, if it's a brand new incident response plan, you know, doing something that's heavily involved, may not be the best use of resources in, you know, in comparison to a workshop, or something like that. But to, you know, walk you through a scenario. If we were doing a technical, technical drill, for example, we might, you know, come up with a cyber attack scenario, let's say it's going to be a software supply chain compromise. If we think back to Solar Winds or something like that, that's certainly a hot button issue that people are continuing to discuss coming out of the past couple of years. But software supply chain compromise, we might come up with our own fabricated piece of fake piece of malware that simulates a, you know, a compromised piece of software that could have been deployed on our network. And we will give that malware to our incident responders so that they can do forensic analysis of it, and identify, you know, what is that malware trying to accomplish? What do we think in terms of attribution? What can we do to mitigate the risk that this piece of malware may pose if it was actually on our network? And so they may determine that it's targeting our customers or clients, and here's that list of clients. And then they provide that to senior level management to make the decision around, when do we tell our clients that we might have a malware issue that could affect you know, the integrity of them doing business with us. And so that's kind of how a technical exercise plays out. But at an executive level, you might actually have a team of executives in a room, with then a group of folks down the hall or next door in another room prepared to answer any of the executives questions, right? They're going to ask you, what is what's happening? How's it affecting the business? What are our options to recover, and you need to really use a lot of people across an organization to make an exercise successful, because you need that one person who has nuanced business knowledge, to be able to tell, you know, the executives that here's how we can recover and be operational again. Or you also need the person who has that very strong technical cyber knowledge to explain what happened and why it happened, and how we can stop the bleeding and in that regard, so you might have two conference rooms full of different groups of people all working together to support the exercise and one of them being a group of players and the other one being what we call a sim cell or planning team. But that's kind of how some of the exercises are framed. And then they can be much more simple as far as you know, everybody's on a bridge doing a workshop just talking about you know, the strengths and opportunities of a brand new playbook.

Reema Moussa  10:06  
Sounds intense, but also sounds potentially fun.

Rikki George  10:13  
It is it is, I think it's, it's never a dull moment as you try to figure out all the different ways that you know, different personalities that play in an exercise might go when presented with a cyber incident. Everybody, you know, you have to manage a lot of characters and and think about them as much as the cyber attack scenario and what you're trying to accomplish. So it's definitely rewarding and exciting space.

Reema Moussa  10:40  
Definitely sounds like it. So I want to get into what other projects you may have going on. You're involved in a lot. And you're definitely involved with a lot with the Foundry, which we'll get into a little later. But what other projects or organizations are you involved with outside of work?

Rikki George  11:10  
Yeah, absolutely. Um, so I've done you know, a couple of fellowships, which have been exciting. I finished one earlier this year, with Alexander Hamilton Society, the Security and Strategy Scholars Program, which was really focused on looking at strategic competition between the United States and some of its, you know, primary adversaries. So there I focused on on Russia, which was pretty exciting. And I did that as I kind of got into the Foundry. I also am a member of WiCyS, so Women In Cybersecurity, as well as joining, you know, a couple of cybersecurity mentorship groups. And I serve as a mentor for a program called Rainier Scholars, which is for minority students. In the Seattle area where I grew up, I myself was Rainier Scholar starting in fourth grade. And so I had the opportunity to mentor, a scholar in his senior year of college as we helped him plan his first job in engineering, which is really exciting, and rewarding. So I kind of tried to volunteer and give back and then of course, enrich my own knowledge of, you know, cybersecurity, geopolitics and law.

Reema Moussa  12:22  
Great, yeah, I think mentorship is really, really a key part of this community of tech law and policy in particular. Of course, it's a part of, I think, any career field, but especially as this field emerges, so dynamically and changes quickly. Having that mentorship opportunity can be really impactful and staying abreast of what's going on and understanding how to navigate it. So it's great that you've served as both a mentor and have been mentored by others throughout your career.

Rikki George  13:12  
Yeah, absolutely. I feel like I'm the perpetual mentee, I just like I am, so it took me a while to figure out like how I was going to lean into trying to be a mentor in some way. I think maybe it was a little nervous, or something like that. But I realized that, you know, it's just everybody needs someone, whether you're like a senior executive or somebody like myself, who's more kind of early to mid career, I have something to offer to you know, folks that are, you know, just stepping into the field and even into other fields other than my own. So I try to, you know, do what I can to give back and because so many people have helped bring me along the way to where I am now.

Reema Moussa  13:53  
Absolutely. So, what's next for you? What are you looking ahead towards whether it be in the cybersecurity field or specifically within your career? What do you think is the most exciting, perhaps challenging, opportunities that are on the horizon?

Rikki George  14:21  
Yeah, that's something I definitely have thought a lot about. I think COVID gave us a lot of time to reset and recalibrate and think about what's next. I left consulting to take my current job during the pandemic, and that was really intentional to set me up to be able to go to grad school. So I'm starting at Brown in their Masters of Science and Cybersecurity program, this fall, where I'll be kind of in the policy track, which is I'm really, really excited about it's taken me you know, almost a decade, it seems it's crazy to say that to get back to grad school from undergrad because I just feel like I've been having so much fun in cyber and the work was so demanding and rewarding. But that's something that's probably I'm most excited for in the short term. And then I think longer term, there are some, you know, other programs like evening law school programs and PhD programs that I'm like in the early stages of looking at, that I'd like to pursue after getting my masters. And then I would also say, you know, like, just from a career perspective, I'm really kind of at this precipice of moving up in terms of levels of seniority. So I'm, you know, navigating that those challenging waters as well to figure out, you know, where I want to go to next. But I really liked doing the cyber exercises, I really enjoyed doing cyber threat intelligence and brand protection. So I think somewhere in that arena is probably going to be the right the right fit for me. And then hopefully, you know, being able to ascend to a more senior level position and in the next couple of years, I think would be a big milestone to to accomplish as well.

Reema Moussa  15:53  
Well, that's incredibly exciting, huge congrats on grad school, and excited to see how that goes and your, your career path in the future, I think they'll be fantastic to, to learn and watch your experience. So something else that's very exciting, and shifting gears a bit, you were recently elected to be the president of our fourth class of fellows here at the Foundry. So if you've been listening for a while, you might be familiar with the Foundry. But Rikki, could you give us a rundown on what the Foundry is, what the Foundry Fellows Program is, and how your presidency has been going so far?

Rikki George  16:49  
No. So the Foundry is, you know, a community of, you know, students and early to mid career professionals that are really, you know, interested in and focused on driving forward, internet law and policy discourse. And we do that globally, which is so great, right, we have this global class of fellows. And I think class four is one of the largest that has ever, you know, been assembled, which is awesome, as well. And, you know, the Foundry Fellows have a, you know, a term and usually two years to go about, you know, accomplishing as much as we can in the space, whether that's through events, and through this podcast, which is great. And, you know, we want to be able to just drive forward the discussion, have our voices be heard, so that we can, you know, make the Internet and the law and policy that help govern it as strong and inclusive as possible. I was really excited to be elected our class president, but it's so great that we have such a strong executive board that I get to partner with, and, of course, different committee and, and regional chairs. So it's been going really well, I think we have so many different work streams going on at the Foundry, which is really exciting for I think, what we're going to accomplish, not only throughout the rest of this year, but I think 2023 is going to be a really big year for the Foundry. And I'm looking forward to continuing to lean in and work alongside everyone.

Reema Moussa  18:18  
Same here. I think it will be a really fun couple of years for us as fellows, but hopefully can can create some impact for the entire ILPF community. So what's going on right now with the Foundry that our listeners can keep an eye out for or engage with?

Rikki George  18:44  
I think we have, you know, a couple of things that are taking place right now that are really exciting. And I would say you know, the first is our writing competition. So those that may be familiar with the foundry already may already know of the annual Hackathon that's been taking place with the Foundry. This year, we launched a writing competition to pair with the the Hackathon. We've already opened that up. So folks that want to submit it's open to undergrads, grad students, folks that are getting like professional education, as well as anyone that's two years post completion of any of those aforementioned degrees. They can, you know, submit a paper and our theme this year is "Into the Metaverse" so we're really looking at trust and safety, privacy, security, as well as even Equity and Inclusion challenges that the metaverse kind of poses. I think it's a really important topic. A lot of people are talking about Metaverse, and that's great. I'm really excited to see what some of the younger folks and peers that are more you know, coming into the space in terms of internet law and policy have to say because we are going to be the people that are running these different verses for years and years and years to come. If this is something that hangs around. So I'm really excited for that. And then we also in August are hosting our first live podcast taping, which is exciting as well, on August 18. And so that's something also for folks too in the DC area to look out for engaging with us on. I think there'll be good opportunity for our fellows to get to meet people in person, meet each other in person, the pandemic has really made that difficult. But as well as kind of take what we're doing to the next level and, and have some amazing subject matter experts that you know, want to be in person with the folks that also support the Foundry's programs as well.

Reema Moussa  20:34  
Absolutely, I think it is a really exciting time for the Foundry and so many ways to engage. So definitely check out the writing competition, as well as the upcoming live podcast taping which we'll be sharing some more info about as it gets closer, but you can also check out some info in the show notes. So I want to look ahead a little bit what can our listeners look forward to as far as the Hackathon whats to know there?

Rikki George  21:14  
The Hackathon is, you know, it's coming together, it's gonna be I think, really, really engaging, as I said, we're doing the writing competition, at the same time we're kind of in partnership with that this year, which is new. So folks can also participate in the Hackathon, which will be in October, same theme, so "Into the Metaverse" and exploring some of the similar challenges, but really in a team format, which I think is is amazing, especially for those that might be students or early career professionals to be able to partner up with a team of other folks who are really interested in this space as well to come up with some policy solutions to the challenges that the metaverse poses I think is going to be really compelling and rewarding. And we'll also be doing some events ahead of the Hackathon. So you don't have to be a technical expert. You don't have to be a legal expert or privacy expert to feel like you can add value. We're going to have some events taking place ahead of time in September, that will serve as training of sorts just to give people kind of a nice base level of knowledge around what the Metaverse is what some of the privacy challenges are, trust and safety, and a variety of other things. And then we're also exploring doing a potential kind of networking event as well in the Metaverse. So look out for that, as well as when it kind of the opportunities to engage with us ahead of October for the Hackathon. But it should be great. We're looking forward to topping the participation that we had last year. We had strong participation and really good submissions and, and final papers from the different teams at the Hackathon. So we're just going to carry that forward this year as well.

Reema Moussa  22:53  
Definitely sounds exciting. I can't wait until I get to learn all about the Metaverse because thus far, it's one of those concepts that I hear about all the time and know very little about. So I think that it'll provide a great learning opportunity for anyone interested in emerging tech and getting to know what's happening in the Web3  Metaverse space. So Rikki, before I let you go, I would love to hear what are you reading or listening to right now?

Rikki George  23:35  
Yeah, so I am a big podcast listener. I think I, every day, I'm consuming something. I would say you know, some of my favorite podcasts that I'm listening to right now, are Vice's Cyber Podcast, I find it just to be really, you know, interesting and compelling. And you know, not you know, super long podcast episodes. So it's just nice something to listen during lunch break or walk, walking the dog in the evening. I also listened to Darknet Diaries, which I think is really fun, I find myself recommending it all the time. And it really covers different elements of cybercrime, and, you know, illicit activity on the internet. So I find that to be really interesting. And then Lawfare. I love listening to Lawfare podcast, I think that's a really good one. And one of our class four fellows also is on that podcast quite frequently. So I recommend that to check him out as well. That's a good one. And then in terms of reading I right now I'm reading "This is How They Tell Me the World Ends" which is a book about kind of cyber espionage and it's written by a journalist and it's you know, I'm really started liking it and getting into it a little bit more. And then also "Putin's World" I think, you know, it's everybody's aware of, you know, the the happenings on in Ukraine that are so unfortunate and as I come out of my prior fellowship that was really focused on U.S.-Russia strategic competition, reading and rereading that book has been rewarding for me. And that's by Angela Stent. So I definitely recommend that for anybody that's interested in geopolitics and wants to apply it to something that's happening in the world today and unfortunately, the conflict in Ukraine.

Reema Moussa  25:21  
Thank you for sharing that. A lot of great content and resources that our listeners can check out. I know, "This is How the World Ends" is definitely on my list. And Darknet Diaries is one podcast I've listened to, for some time, and a lot of great content there as well. In addition to, to your feed of the Tech Policy Grind, some great podcasts to check out for sure. Well, thank you so much for joining us, Rikki.

Rikki George  26:04  
Yeah, thanks so much for having me. This has been been fun. And I hope everyone that's listening gets involved with the Foundry and wants to partner with us. Feel free to reach out if there's anything we're not doing. You know, we'd like to partner so I'm always here for that. Gotta make that shameless plug. And all of that.

Reema Moussa  26:21  
Always got to make the shameless plug. Thanks for listening to this episode of The Tech Policy Grind podcast by the Internet Law and Policy Foundry. Be sure to check out the Foundry on LinkedIn and Twitter, as well as our writing competition open now. You can find this info on our website, or in the show notes. If you enjoyed this episode, leave us a review and give us a five star rating. It really helps out the show. If you're interested in supporting the show, reach out to us at: foundrypodcasts@ILPfoundry.us. You can find our email in the show notes as well. The Tech Policy Grind podcast comes out every other Thursday. See you next time. The Tech Policy Grind podcast was created by the fellows at the Internet Law and Policy Foundry. It's produced and edited by me, Reema Moussa, with support from the incredible Foundry Fellows of class four.

Transcribed by https://otter.ai