Cybersecurity: critical thinkers defend and secure
Keeping ahead of cyber challenges requires keen minds and an active defense. Cyber experts agree that networking is key, and have strong words about the future.
“We must reduce incentives for malicious behavior. No single organization, enterprise or government can do this alone.” – Neal Ziring, NSA
By Arthur Schurr
Shortly before his State of the Union address on February 12, President Obama signed an executive order, “Improving Critical Infrastructure Cybersecurity,” and issued presidential policy directive PPD-21, “Critical Infrastructure Security and Resilience.” Both address national cybersecurity concerns.
Cyber crime is as old as the Internet, but continues to evolve. No organization is free of risk, and all must deal with it actively and aggressively.
Industry experts chime in
“Today, corporations and government agencies need to enforce basic security measures consistently across all enterprise assets,” explains Neal Ziring, information assurance directorate technical director at the National Security Agency (NSA, Fort Meade, MD). “These include strong authentication, audits, patching and updates, basic configuration control, and privilege limits. They should employ execution whitelisting wherever technically feasible.
“In the long term, we must reduce the positive incentives for malicious behavior. No single organization, enterprise or government can do this alone. We’re going to need visibility across whole sectors; efficient means for sharing tradecraft and mitigations at machine speed; and means for coordinated response, recovery and attribution. And we need to create the technical and policy foundations for this now.”
Carrie Gates agrees. Gates is a distinguished engineer and director of research for CA Labs, part of CA Technologies (Islandia, NY). But she adds that cybersecurity solutions transcend the technical.
“Traditionally, cybersecurity in the corporate world centers on three things: confidentiality, integrity and availability. And you achieve that through authentication, authorization and audit. You want multiple layers of protection within your organization. And it is vitally important to assess your risk level and identify the technical threat model to generate an appropriate level of security response,” she explains. “But people are a critical element that should not be overlooked.
“Cybersecurity is about creating a culture of security and trust, as well as technical capabilities. People need to understand why a security policy is important and why they should follow it,” she notes. “Ultimately, we use security to help people get their jobs done.”
Education, job satisfaction, diversity: the best lines of defense
“More attacks are happening from the inside. So people really are a critical component,” continues Gates. “Typically it’s an unhappy or disgruntled person on the inside who can do the most damage. So, how do you make employees care? You should look at your work environment.”
Since people are as important to cybersecurity as technology, diversity’s role becomes even more critical. A diverse work environment can be an effective tool in promoting cybersecurity. NSA office of recruitment chief Cindy Smith says, “Our employees work every day to protect our nation’s security. To successfully operate in a global threat environment, we need a dynamic, agile workforce that reflects diversity in its broader context.”
Central Intelligence Agency (CIA) spokesperson Todd Ebitz echoes this view. “CIA seeks to attract talented individuals from diverse cultural backgrounds because the agency needs that blend of experience, knowledge and skills. We can’t succeed in our intelligence mission without a workforce chock full of sharp creative people who understand the world’s nuances. More and more, this mission relies on bringing together diverse teams of experts with a range of backgrounds and specialized know-how to solve complex problems.”
Defending the virtual battlefield with the NSA’s ATAO
Dr Aaron J. Ferguson is technical director of the NSA’s Analytics Tradecraft Automation Office (ATAO), part of the agency’s information assurance directorate. He provides technical direction to ATAO’s mission priorities in response to customer analytic requirements. Ferguson has been with ATAO since its creation in 2011. He sees the NSA as a level playing field for him to carry out his mission.
“In every position I’ve held at NSA, I’ve been empowered, respected, technically challenged, and appreciated. The vast majority of people here do not care what color you are. They just want you to contribute in positive ways. These are the reasons I plan to stay at NSA,” he says.
Ferguson earned a BSEE in 1987 from Howard University (Washington, DC). He has a 1992 MS in operations research from the University of New Haven (West Haven, CT), and a 1997 MA and 1999 PhD in applied math and statistics from the University of Delaware (Newark, DE). He is a Certified Information Systems Security Professional (CISSP) and holds a Security Plus designation.
Ferguson is also an adjunct faculty member at Howard University and the University of Maryland-University College (Adelphi, MD), and was the NSA visiting professor at the United States Military Academy at West Point (NY) from 2003 to 2006.
According to Ferguson, essential components of his work include a thorough knowledge of TCP/IP, machine learning techniques and methodologies, and the software engineering and development process. But he got into cybersecurity for a more personal reason: the opportunity to make a difference.
“In the cyber world, the challenges are tremendous, but so are the opportunities to save lives and protect U.S. interests.”
LTC Deitra Trotter leads the U.S. Army’s first cyber battalion
“Our battalion is growing. It started out as a detachment a decade ago, but it’s evolved alongside the growing need for cybersecurity,” explains U.S. Army Lt. Colonel (LTC) Deitra Trotter, commander of the 781st Military Intelligence Battalion, U.S. Army (Fort Meade, MD). “It’s an ever-changing field, but that’s what keeps my job exciting.”
Trotter enlisted in the Army in June 1990 as a signals intelligence analyst, expecting to complete only her four-year hitch. She served as a linguist in the Russia office of a military intelligence brigade, and was named the intelligence and security command’s 1992 “soldier of the year.” She was recommended for officer candidate school, and commissioned in January 1994. As she rose through the ranks, she gained critical skills and experience.
She earned a BA in 1992 from the State University of New York and an MA in political science in 2000 from the University of Hawaii (Honolulu). She’s a graduate of a long list of Army schools and courses, and has earned commendations and medals. And she helps mentor at-risk kids at a Fort Meade middle school.
Commanding cyber mission forces
Trotter’s focus now is her role as commander of the nation’s first Cyber National Mission Team for the U.S. Army.
“We’re the first such team for the Department of Defense, and part of the first cyber mission forces that General Keith B. Alexander, the U.S. CyberCom commander, is building to defend the nation in cyberspace,” she explains. “We cast a wide net in terms of skills needed for my unit, including computer science majors, engineering majors, IT majors, anyone who has an interest in the field. Above all, I look for candidates with an intense desire to learn and a willingness to think outside the box.”
Trotter credits the Army for its advanced diversity structure. “One reason I enlisted was the Army’s pay scale. There wasn’t one pay scale for men and one for women; there was no gender gap for pay. If you’re a given rank and have served a given number of years, that’s what you earn. If you’re willing to work hard, the opportunities are there for you.”
Devon Bryan maintains the integrity of ADP’s client experience
After serving as deputy associate chief information security officer for cybersecurity at the IRS, Devon Bryan joined human capital management solutions company Automatic Data Processing, Inc (ADP, Roseland, NJ) in May 2011. He works in its Alpharetta, GA office.
Before the IRS, Bryan spent eleven years engineering, securing and managing enterprise data networks for the U.S. Air Force. Today, as senior director of client and vendor security management, he is responsible for creating ADP’s “trusted client experience” as well as its third-party security management program.
“I handle all aspects of client security lifecycle interactions. Basically, I serve as ADP’s global evangelist for internal and client security and privacy issues and concerns.”
Bryan holds a 1992 BS in applied mathematics from South Dakota School of Mines and Technology (Rapid City) and a 1996 MSCS from Colorado Technological University (Colorado Springs). He’s a CISSP and a Certified Information Systems Auditor (CISA), and holds Certified Information Privacy Practitioner certifications with both USA and EU designations.
As an information security veteran with twenty-two years of experience, Bryan feels cybersecurity programs must balance enterprise risk with legislative and regulatory compliance and key business objectives. He subscribes wholly to the cybersecurity triad: to protect, detect and respond.
Sharon Mudd helps keep Symantec internally secure
Sharon Mudd joined global computer security software company Symantec (Mountain View, CA) in August 2012 as senior manager of security governance, working in global information security. As an internal department responsible for information security, her team handles governance functions including information security policy, standards, guidelines, application security governance, security architecture, risk remediation management, metrics and reporting, security awareness and training. Though her mandate is not specifically technical, Mudd’s background has proven a plus.
“My group doesn’t do hands-on technical security. But it’s helpful to have a technical background in order to understand what types of policies, requirements or remediation will strike the right balance between business needs and acceptable risk.”
Mudd got a BA in information and computer science in 1990 from Covenant College (Lookout Mountain, GA), and an MS in information assurance from Norwich University (Northfield, VT) in 2008. Her certifications include CISSP, CISP, and risk and information systems control.
One cyber professional’s perspective
Though Mudd believes cybersecurity will always be technical, she also notes additional dimensions. “We will always need technical security operations staff, but we also need management leaders who understand how security should be governed within an organization. The future of this field is in the continued involvement of information-risk professionals in business decision making.”
The field is changing in another positive way, according to Mudd. “Women in this field used to be few and far between. In the last five years, I have seen more balance in gender diversity within our customer organizations. And increasing diversity in the workplace is intentional at Symantec.”
Mudd cites the value of employee resource groups that support diversity at Symantec, including the Symantec women’s action network, SymPride, the Symantec black employee network group, and the Hispanic outreach and leadership affinity group.
Symantec director of global diversity and inclusion Ellen McLatchey agrees. “As a technology company, innovation is key to our business success,” says McLatchey. “Diversity in our workforce provides unique and invaluable perspectives that foster innovation and strengthen our business, so we can recognize and develop better business solutions for our customers.”
Alex Attumalil defends the SI Organization against cyber threats
Alex Attumalil of the SI Organization, Inc (the SI, Valley Forge, PA) uses his background in networking, security and digital forensics to proactively defend the company’s network. That’s been his job since joining the Laurel, MD office of the systems engineering provider in 2010 as threat intelligence and mitigations lead.
He believes that a successful defense can only be achieved through a thorough understanding of attack vectors and current threat developments, and the capabilities of cutting-edge security tools. He uses intelligence gleaned from available and open sources, as well as close industry and customer relationships.
“Defending an enterprise requires jack-of-all-trades-type knowledge and access to key resources,” he says. “In many ways, cybersecurity is a game of chess, a long-term strategic battle where you must outsmart your opponent. It takes patience, team effort and diligence.”
Attumalil graduated from the University of Maryland-College Park (UMD) with a 1997 BS in biological sciences. He moved into cybersecurity after earning his MS in information technology from UMD in 2004, and holds many advanced certifications.
On defense and diversity
Though Attumalil notes the importance of a solid technical foundation in cyber defense, he believes equally in the people part of the equation. “Proactively defending an enterprise is an arduous process. As you face asymmetric threats, your tactics and techniques need to be flexible. Establishing solid and mutually beneficial relationships within the industry is an often-overlooked component of network security.”
Attumalil feels that diversity is a critical element, but with diversity comes a measure of responsibility. “As Americans we are afforded the same opportunity to reach our goals, regardless of our race, culture or color. Whether we take advantage of it or not is a choice we are free to make.”
Kelly Jones, vice president of human capital solutions at the SI, explains the firm’s belief in the advantages of a diverse workforce. “As a leading provider of systems engineering and integration capabilities to the defense and intelligence communities, we rely heavily on the inherent value diversity offers to support our customers’ missions: new approaches, creativity, innovation and team collaboration.”
Victoria Crognale uses her expertise to help CACI catch cyber villains
Victoria Crognale is a forensic analyst specializing in audio/visual and mobile device forensics. She’s an information security specialist 3 for CACI International (Arlington, VA). Crognale joined CACI in 2011.
“Our computer forensics lab supports criminal investigations conducted by our client agencies. Analysts need in-depth training to acquire and analyze evidence without compromising the integrity of that evidence. Analysts must also triage and parse high volumes of digital evidence for potential use in judicial proceedings,” she explains.
Crognale earned a bachelor’s in graphic design from Old Dominion University (Norfolk, VA) in 2004, graduating cum laude as a member of the Phi Kappa Phi honors fraternity. She has numerous certifications, explaining that, “forensic analysis requires very specialized training on a regular basis because the technical environment is constantly evolving.”
Technology for a human cause
Crognale always remembers what underlies her work in this field. “One aspect of my job involves acquiring and analyzing footage that has been captured via CCTV cameras at our clients’ sites. Video clarification can be helpful in providing license plates, physical features, and a number of other distinguishing characteristics that can help catch criminals,” she says.
“That footage is a reminder that people are risking their lives for a mission, and my analysis has the potential to provide information that could prevent future occurrences.”
Thorne Graham leads cyber situational awareness for the NRC
Thorne Graham is a senior technology security officer for the Nuclear Regulatory Commission (NRC, Rockville, MD). He leads the development and management of the NRC’s cyber situational awareness effort supporting NRC cybersecurity programs. In addition, he serves as the organizational focal point for the NRC’s computer incident response management, containment and reporting. He’s been with the NRC since 2008.
Graham believes that broader technical understanding leads to greater overall security. “I cannot overemphasize the need for practitioners to become knowledgeable in areas such as cloud computing, computer virtualization and mobile computing. This does not mean you must be an expert in all these areas, but you need enough knowledge to determine if the security controls in these technical areas align with organizational security and governance policy.”
Graham earned a BSCS from Park University (Parkville, MO) in 1986. In 1989, he got his MBA in information systems from the University of Southern California (Los Angeles). In 2012 he completed the Federal CIO certificate program at the University of Maryland-University College; he also has a master’s certificate in project management from George Washington University (Washington, DC) and other critical technical certifications.
Seeking to even the playing field
Though he credits the NRC for its fairness, Graham believes that the playing field has not always been so level. “My professional career began in 1974. As a person of color, specifically an African American, I have always faced the need to excel in order to be accepted or listened to,” he reflects. “I look at organizational structures in both the private and public sectors and note the continuing underrepresentation of African Americans in positions of leadership. We need to look at new ways of changing perceptions and providing opportunities.”
Ron Layton keeps the Secret Service’s cybersecurity on track
Deputy chief information officer Ron Layton has served the U.S. Secret Service (Washington, DC) for twenty-one years. He began his law enforcement career in his hometown, Pittsburgh, PA.
“I was a police officer for a number of years. Then I went to school for engineering and worked as a systems engineer. After that I taught physics at the University of Pittsburgh’s Upward Bound program. At Pitt I met a Secret Service agent who told me that I could use my technical background at the agency. And that’s proven to be true,” he says.
Layton earned a BSEE in 1989 from the Montana College of Mineral Science and Technology (Butte). He got a 2001 MBA and a 2003 PhD in EE from Central Pacific University (Honolulu, HI). In 2007 Layton earned an MS in management from Johns Hopkins University (Baltimore, MD), and in 2014 he will earn his second PhD, in business administration, from Northcentral University (Minneapolis, MN). His research area is social media technology and precursors to radicalization.
Layton began his USSS career as a special agent in the Philadelphia field office, but has always found ways to use his technical skills. Now he focuses on financial areas and staff development. He’s concerned with “empowerment on behalf of the technical mission,” as well as on being “the architect of data collection that has never been done before.”
Changes in the field, from one point of view
“Fifteen years ago, cybersecurity meant updating antivirus software or physically securing a computer. Today the working definition of cybersecurity has morphed quite a bit,” he says. “But I’m not the wires and pliers guy anymore; my people are. Now my focus is more about seeing the whole picture and knowing where potential landmines are, and guarding against them.”
Layton credits the Secret Service as a “wonderful organization that’s afforded me tremendous opportunity.” But in previous settings, he faced some challenges.
“I’ve had an extensive academic career, and some professional situations, where I’ve been the only African American in the room. Did I notice it? Of course I did,” he reflects. “As a result, I use any personal time the job allows to reach out to people, particularly African Americans, to get them involved in the sciences and technical fields.”
DRS systems engineer Tommy Tang tackles a wide range of critical tasks
Tommy Tang is a systems engineer with DRS Technologies (Arlington, VA), a supplier of defense electronic systems to government and commercial markets. He works in DRS’ Gaithersburg, MD office, doing work that ranges from integrating and testing projects for the Navy to completing networking and information-assurance tasks for border security. On the cybersecurity front, his responsibilities range from encryption to security and group policies to intrusion-detection software.
A thirst for knowledge
In 2009, the same year he joined DRS, Tang received his BSEE from the University of Maryland-College Park. Currently he’s working on an MS in systems engineering information assurance at Johns Hopkins University (Baltimore, MD), and expects to graduate this year.
Meanwhile, his thirst for knowledge defines his passion for his work. “The thing I enjoy most is the endless amount of knowledge and experience I gain from my work,” he says. “Technology is always changing. As an engineer, I want to stay on top of these changes. By understanding the logic and vulnerabilities in the cyber world, I can better protect and secure confidential information.”
Tang believes that the evolution of cloud computing will be next on the cybersecurity horizon. On the ground right now, though, Tang credits DRS for providing an open and fair environment to explore the latest cyber developments.
“I have always pushed myself to perform above and beyond. I want to learn from my work experience and at the same time work for a company that delivers great products and solutions. DRS offers both. They value people for their work and productivity,” he notes.
Liz Fricke, director of talent acquisition at DRS, corroborates Tang’s perspective. “DRS is committed to being the employer of choice of a highly qualified, diverse, dedicated and effective workforce.”
CNA’s Daniel Jen analyzes cyber systems for the U.S. Navy
The advanced technology and systems analysis division of CNA (Alexandria, VA) draws on Daniel Jen’s expertise as a research analyst to help the U.S. Navy secure its assets in the cyber world. Since August 2010, Jen has utilized a number of critical skills in this effort at CNA, including knowledge of systems, software, protocol, and computer network analysis, as well as computer-operations forensics. He combines his technical savvy with creativity, attention to detail, and communication skills to find creative solutions.
CNA is a nonprofit research and analysis organization that works primarily with government clients. “I’m often expected to think outside the box,” Jen says. “But solutions and ideas must be communicated in a variety of ways to audiences who have different levels of technical competency, including everyone from programmers to ship captains,” he says.
Jen’s education appears to qualify him to do that well. He earned a BA in philosophy from the University of California-Los Angeles (UCLA) in 2002. In 2009 he added an MSCS from UCLA. He entered UCLA’s computer science PhD program soon after, but fate had something else in store.
“I won the 2010 best paper award at the International Passive and Active Measurements Conference. My paper about Internet anomalies attracted some attention and CNA asked to speak with me,” he recounts. “I joined CNA after that.”
One pro’s cyber prediction
Jen feels that at a minimum, cyber defense requires a basic understanding of cyber attack vectors, common defense methods, and historic attack incidents. But effective cyber defense only starts there.
“That opens up the possibility of thinking beyond what has already been discovered,” Jen muses. “One very possible future world involves a cyber attack or attacks of significant impact, which will give government bodies the political backing they need to enforce game-changing policies and regulations over the use and operation of the Internet as we know it.”
Chung Pi helps CherryRoad keep its clients secure
Chung Pi joined systems integration and consulting services company CherryRoad Technologies (CherryRoad, Morris Plains, NJ) in 2006. As a technical manager, Pi is responsible for security, system administration, infrastructure, interface development, conversions and customizations required for the PeopleSoft suite of applications.
“There are many levels of security involved in PeopleSoft implementations: network, database, application, file encryption and workstation. I work primarily at the application level using PeopleSoft’s security tools,” Pi explains. “PeopleSoft Human Capital Management modules provide a robust set of tools to protect employees’ confidential data and ensure that only those with correct security credentials can get access.”
Pi received a BSCS in 1989 from the University of Texas-Austin, and an MS in computer science in 1993 from Southern Methodist University (Dallas, TX).
Client and employee satisfaction are key
Since starting out as a PeopleSoft developer in 1996, Pi has grown to believe that technical experts must never lose focus on what data often represents in the non-cyber world: actual business processes. “My work is all project-based. My client’s satisfaction after a successful implementation is my biggest reward.”
He has found that CherryRoad provides an exemplary work environment. This sentiment is reinforced by CherryRoad human resources director Shirley Batista.
“At CherryRoad, diversity is a way of life,” says Batista. “We embrace an environment where all employees are valued and respected, and have equal opportunities to develop to their full potential. Each person’s unique skills, talents and experiences broaden the range of approaches to the IT solutions we deliver. It’s what fuels the collaborations within our organization and with our clients.”
DIVERSITY-MINDED ORGANIZATIONS SEEKING CYBERSECURITY EXPERTS
See websites for current openings.
|Company and location
|ADP (Roseland, NJ) |Integrated computing and business outsourcing services
|CACI International (Arlington, VA) |Information solutions and services
|CA Technologies (Islandia, NY) www.ca.com
|Carnegie Mellon University Software Engineering Institute (Pittsburgh, PA) |Cybersecurity and software engineering for DoD, DHS, government agencies, industry
|Central Intelligence Agency (Washington, DC)
|CherryRoad Technologies (Morris Plains, NJ) |PeopleSoft solutions integration and optimization
|CNA (Alexandria, VA) |Research and analysis for U.S. government clients
|DRS Technologies (Arlington, VA) |Integrated products, services and support
|National Security Agency (Fort Meade, MD) |Cryptologic protection of national security
|Raytheon Company (Waltham, MA) |Technology for defense, security and civil markets
|Symantec (Mountain View, CA) |Computer security software
|The SI Organization (Valley Forge, PA) |Systems engineering and integration
|U.S. Army, 781st Military Intelligence Battalion (Fort Meade, MD) |Cybersecurity and intelligence
|U.S. Nuclear Regulatory Commission (Rockville, MD) www.nrc.gov |Oversight of civilian nuclear technology
|U.S. Secret Service (Washington, DC) |Federal-level law enforcement