The State of Cybersecurity
In an exclusive interview, Palmer discusses:
- The current state of cybersecurity in the U.S.;
- Which critical skills are necessary for people pursuing cybersecurity careers;
- The mission of the Institute for Advanced Security.
Palmer, Director of the Institute for Advanced Security and Chief Technologist of Cybersecurity and Privacy for IBM, in these roles, he has broad responsibilities for initiatives and technical directions in the security and privacy areas across IBM. Charles is also is Senior Technical Advisor to the Institute for Information Infrastructure Protection (I3P) which is managed by Dartmouth College. Founded in 2002, the I3P is a national consortium of 28 universities, nonprofits, and national labs that is focused on doing funded research for the US Government in the area of cyber-security. Charles is also an adjunct Professor at Dartmouth College where he teaches CS38 Security and Privacy to the grads and undergrads and works with students on individual projects.
TOM FIELD: What's the state of cybersecurity, and what's new in careers in cybersecurity? Hi, this is Tom Field, Editorial Director with Information Security Media Group. We're talking about this topic today with Charles Palmer, the Director of the Institute for Advanced Security, as well as the Chief Technologist of Cyber Security and Privacy with IBM Research. Charles, thanks so much for joining me.
CHARLES PALMER: Hey, it's great to be here. I enjoy it.
FIELD: Just to get us started, Charles, how about you tell us a little bit about yourself, and your work with IBM, please.
PALMER: Well, having been with IBM, gosh, a long time now, my wife and I both do cybersecurity research, and have been for quite sometime. I guess in the early days, the first interesting thing I did around security was starting ethical hacking for IBM, back in the mid-90's, and since then I've moved on to more broader issues around cybersecurity and usability issues, and so on, like that. It's been a fascinating trip so far.
FIELD: Well, it's a long trip for you. It's something you've been talking about for a long time. But what we've seen in the past year is the President has made cybersecurity a national initiative now. In your opinion, what's the state of cybersecurity in the U.S.?
PALMER: Great question. I was certainly, like everyone else in the industry, tickled to hear our President spend as much time as he did last May talking about this stuff, and a lot of things are going on, and clearly the focus is still there, and real, and really awaiting the next steps. I've already met with Howard [Schmidt, the national cybersecurity coordinator] a couple of times, and I think we've got the right man on the job there, and I think things are definitely headed in the right direction. What's the state of cybersecurity in the U.S.? Well, you know I don't want to sound alarmist, but some of it is pretty doggone good, and some of it is less so. The thing that I think gets me the most - and it goes to the institute's definition of cybersecurity - is as everything on the planet gets more connected, more sensors and more intelligent, everything is getting, well, smarter, some of these things have never been connected to anything before, whether it's transportation systems, water systems, power, oil and gas, and pipelines, and so on. All these things, as they get connected to be more efficient, have to also be focusing on being more secure. Because, now they are facing risks that they have never had before. And to me that is what cybersecurity is all about. It's about scope. IT security is always important, and will continue to be important, as it is a part of cybersecurity. But the impact of a website going down, or a financial system taking an unexpected "break" is very different, as far as scope of impact, than a power problem, or a transportation problem, water treatment problem, and so on. So, to me, it's an issue of scope. And as far as the state of cybersecurity, if that is my definition of cybersecurity, I am a little concerned. While industries are making great strides to improve their cybersecurity, there is a lot to be done, and we need to do it pretty soon.
FIELD: Well, a two-part question for you. When you look at this connectivity you talk about, where do you see that we are best protected?
PALMER: Well, of course, if I stand up and say "Industry X is very well protected," I'm painting a target on them. And so we should be careful when we ask, you know, "Who is doing good?" Generally speaking, I think financial services companies and organizations are doing pretty well, as far as protecting themselves, because they sort of invented the whole idea of security; they've been at it a long time. Certain industries outside of those have done pretty well, like the chemical industry has done very well, and oil and gas, and others, are working really hard at it. A lot of the smarter industries, though, the real physical world stuff, they are having to struggle with the balance between the physical demands, whether it is keeping the wires off the ground, in the power distribution business, or making sure that you can fix a water distribution system when it physically breaks. Balancing that with the move towards better connectivity is a big challenge, and one where they really haven't figured out what is the right balance. So, financial services are doing pretty good, chemical is okay. Others really do need to keep firing away.
FIELD: Well, here is the other part of the "paint the target" question. Where do you see that we are least protected?
PALMER: Well, again, that's a very scary question. I mean, if you look, and a lot of people immediate point at power, for example, and say, "Oh, gosh, terrible things could happen." Well, that's true. Maybe they could. But the truth is also that a well-placed squirrel can wreak almost as much havoc as a cyber attack on a power grid. So, I would say that in general, we are least protected when it comes to people. Because the ultimate critical infrastructure are people. They make the decision whether to do something securely, or not, regardless of what business they are in. And so, to me, the biggest scary exposure is in security usability, security awareness, and just trying to .... Well, the way I described it yesterday at a conference was: The gauge to normal ratio is plummeting, particularly in security, and we have to do something about that. If you go out to hire, you know 100 or more, security professionals, unless you can print money, you probably are going to have a hard time filling those positions. There's not enough of them, and the ones that are out there are going to the highest bidder, and unfortunately, we need a lot more. So, to me, the place where we are the least protected is the people, the critical infrastructure.
FIELD: Well, that's an interesting segue, because I wanted to ask you about careers in cyber security, and certainly with the President's initiative, there are a lot more jobs open now. And, as you say, it is hard to fill those positions. What do you see as the critical skills that are necessary for an information security professional that wants to pursue a career in cyber security?
PALMER: Well, it may sound like a pat answer, but curiosity is probably the best thing. You know, when I was doing ethical hacking, everybody and their brother wanted to work with me, not because I'm that interesting, but because the topic is just so sexy. And the problem there is ... that anybody can be a hacker. I mean, granted, some of the hackers in the world are really skilled people, but pretty much anybody can break stuff, or try to cause trouble, or try to do something and not be caught. It's a much tougher challenge to be on the, not on the dark side, to be on the good side of the force, and try to make sure that you can think about what the bad guy might be able to do, and think around the corner, to what he might be able to do next. So, creativity and problem solving. People who like puzzles, bridge players. Musicians, believe it or not, are some of the best computer security people because of the pattern recognition and the skills that they have developed over the years. A lot of people run away from computer science because of the math. Well, in some parts of computer science, math is a very important topic. In others, like security, it's less so, until you start getting into, you know, big analysis systems and stuff like that. In general, a clear understanding of networking, how stuff works together. My students at Dartmouth have a background in operating systems. Again, I don't ask them to have built one, I ask them to understand what they do. So, a basic understanding of computer science, clear understanding of operating systems, and capabilities, and networking. And now, increasingly, people are worrying about application level security, because while a lot of the operating system problems might still be there, the bad guys are moving up the stack, and beginning to exploit problems in the applications. And so, a general curiosity about how things work, and how they might not. If you're good at breaking stuff, that's always useful. But, those basic areas of operating systems, networking and general curiosity are pretty much the best things I look for.
FIELD: Well a follow up question to that. It sounds like there really are broad opportunities. Why, then, is it such a challenge to find people to fill these roles?
PALMER: Well, there's a couple of factors going on here. People started running away from computer science, in general, several years ago, for lots of reasons. Fear of the math, for one, fear of outsourcing as another, which was sort of a very misplaced fear, I thought. Both of them, really. Now, part of the problem is, while computer science enrollment and studies related to security are improving, there is still a shortage, particularly in the government. And the big challenge there tends to be one of, well if someone is going to weigh the options of working for the government for one salary or working for the private sector for a somewhat higher salary, you know, unless they were really mission-focused, and thank God a lot of people are, but not all of them, they may go back to industry, instead. And, similarly, government has a lot of issues with retaining people, as well. One very encouraging sign is the centers around the country that have been designated as Security Competency Centers by the NSA and the Education for Service programs that are around. Increasingly, those are producing security professionals who can walk into a government job and be productive that day. And that is very reassuring that those programs are full. And I'm really glad to see that, and I'm encouraging them to move further.
FIELD: Charles, let me give you a chance to advertise a little bit here. Tell us about the Institute for Advanced Security. What's your mission?
PALMER: Well, the goal there is really all about people. It's not so much about how people use systems. It's the fact that IBM, I mean, I've been there 20 -- what is it? -- twenty-five years now, but IBM has been doing security long, long before it was fashionable. From day zero at IBM, security was important, maybe not with the typewriters, who knows. But, from, from the earliest days of the general purpose computing devices, security has been something IBM has cared about, and customers know that. What we have ended up with over the -- now we've got however many hundred thousand employees. There are security professionals around the world at IBM. And somebody said, "Charles, you're standing at this institute. Are you going to bring them all into one place?" And I said, "Absolutely not. I don't want a building. I don't want an office. I want people to stay where they are, because that's why security at IBM works. All those smart security dudes and dudettes are where they belong, in the product divisions, in the services organizations." That's where they need to be. So, what do we need the institute for? These folks are all over the world. They're scattered. If we want to encourage collaboration, we have to have a way to get to them. So, one of the key aspects of the institute is not just to talk about all the smart people we have, but to give them a way to interact with government folks, and others who have the real problems. Because, you know, the thing is, especially with my research colleagues, if you tell them, "Go off and write a paper on so-and-so," they'll do that. They'll happily wander off and do it. But, I you tell them, "Talk to this client over here, because he's got a really strange problem," they will jump through their hats to get to that one. They love that. That's why we have such a strong analytics business, and that's why the Security Institute or the Institute for Advanced Security is so popular, both with our podcasts, webinars, white papers, it's all about collaboration. It's all about the public/private collaboration that we've got to move towards. It's all about getting the word out that security is something that everybody needs to understand a little better.
FIELD: Charles, where can people learn more about the Institute?
PALMER: Well, that's pretty easy. The easiest place is on the web, IBM.com/federal/security. And all of our resources are there, our upcoming events are there. Whether those events are webinars or face-to-face conferences, it's all there, and you can certainly contact the Institute there, as well. On the right hand side, there is a little button that says, essentially, e-mail us, and I will get it.
FIELD One last question for you. For somebody that wanted to start, or even restart, a career today in cybersecurity, what advice would you offer them?
PALMER: Well, there's no shortage of books on the topic. It seems like a few years ago, everybody was suddenly a security expert. I wouldn't bother so much with the books that have the word "hacker" in the title. While many of them are pretty good, they also tend to sensationalize things a little much. And the majority of the work is not there. I would look more towards the basics. Understanding networking is a great place to start. Not just one company's networking, or another, but the basic concepts of TCP/IP and communications in general. That's a great place to start. And then, start looking at languages. You know, how do you build systems, whether it's an operating system or an application? How would you think about building them securely? And so, books on security engineering, or security designed in, would be a very good idea there. In fact, you just gave me an idea. I think we need to put on the Institute website a bibliography of "here's some books you might look at." I think that's a really good idea. Thank you.
FIELD: Sure. Well, Charles, thank you for your time and your insight today, it's been excellent, and I wish you well in your role with the Institute.
PALMER: Great. Thank you for the opportunity.
FIELD: We've been talking with Dr. Charles Palmer, the Director of the Institute for Advanced Security and the Chief Technologist of Cyber Security and Privacy for IBM Research. For Information Security Media Group, I'm Tom Field. Thank you very much.