#313 – DAN SHOEMAKER – FUTURE OF WORK – CYBER SECURITY – INTERVIEWED BY HOWARD WIENER

Dan Shoemaker, PhD is a Professor and Director of the Graduate Program in Cybersecurity at the University of Detroit Mercy, where he has worked for over 35 years. He has also spent fourteen years as the Principal Investigator for the National Security Agency’s Center of Academic Excellence in Cyber Defense at UDM’s Center for Cyber Security and Intelligence Studies. He has worked for the Department of Homeland Security, helped to author the DHS Software Assurance Common Body of Knowledge, and has also written some of the leading textbooks on Cyber Security. (You can see Dan’s complete bio here.)

We provided him with our Drivers of Change 2020 list and then asked him to respond to the following questions.

  1. What’s your reaction to this list? Is anything missing that is relevant to your profession?

It’s comprehensive to say the least. I can tell you that I sincerely believe that the advent of the internet will be viewed by history as utterly instrumental in shaping our perceptions and norms, as much as the invention of the printing press irreversibly altered society six hundred years ago. The difference is that the transition from the pre-internet reality to the present virtual way of doing business has been something like thirty years (not three hundred – assuming the industrial age marks the beginning of the next incarnation). So, any projections about norms and perceptions are just guesses (who would have thought that Amazon would be where it is twenty years ago?). From a cybersecurity standpoint we have so far overreached in our rush to virtualize everything in our way of life, that we are now, without intelligent safeguards, about as exposed as toddlers wandering around in the middle of a freeway. And rather than developing a measured plan to stave off the Armageddon that one lonely Unabomber type could drop on us, we continue to rush to exploit the potential of cyberspace to open ourselves further to attacks. So my recommendation with respect to thriving is to make friends with the Amish – because sooner or later we are going to have to learn to live without electricity.

  2. What drives the business model of your profession?

Assuming you are referring to cybersecurity, the current field is based around electronic control (e.g., virtual) responses to attacks, which are becoming increasingly effective – particularly as AI drives them. The problem is that electronic losses only constitute about a third of the problem. The other two thirds come from human and physical exploits which are simply not part of the normal definition of an appropriate area of accountability for the profession of cybersecurity. It seems a bit reckless to draw a distinction between a loss to electronic causes versus one to a physical or human exploit. But that’s the current situation as it exists in the field. There is an increasing awareness that cybersecurity has to deal with the complete problem as a whole, and that has been promulgated in two important standards, the NIST Workforce Framework and the CSEC BOK for Education. However, a fully integrated understanding of cybersecurity as being oriented toward full and comprehensive protection is still running into the old-fashioned perceptions that it is a computer discipline. Given the annual losses to cybersecurity attacks, which totaled two trillion dollars worldwide in 2018 and are expected to double, or even triple, by 2021, it seems like sooner or later we will start to approach the problem holistically. However, a change of perception in the profession as a whole will have to take place first.

  3. What major changes have you seen over the past few years and do you see coming in the next few?

That might be an appropriate question for somebody in a different profession. But in the case of a field with a history of perhaps twenty-five years (on the outside), the amount of change between 1995 and 2020 has been simply inconceivable. I realize that the thinking dates back to the 1960s, but that was a different situation. Now, in an era where DDoS attacks [distributed Denial of Service attacks] are powered by household gadgets and Alexa is listening in on your daily life, the internet is a game changer. There will be no stopping the acceleration of events because there is too much money to be made exploiting cyberspace. So it is useless to speculate what the future will look like. But keep in mind that the advent of everything from IoT to the Cloud has all taken place in the past fifteen years. Nobody thought about that back in 2005 because most of the technology didn’t exist, and God only knows what it will be like in 2025. Given past history it will be profound and perhaps game changing for society.

  4. Which of them do you think will be the most impactful? In the near-term? In the longer term? Which will be most difficult to navigate and why?

You are talking about virtual technology in a global environment. The World Wide Web bestows many blessings. But because we only have a hazy understanding of the consequences of falling down the latest technological rabbit hole, the exposures are profound. We are essentially reaching Rousseau’s ideal of the community of man because all geographic and social boundaries have been eliminated and we are all together in one virtual milieu. Whether that community is going to be an enlightened ideal, or a mob looking to cut off the heads of the organized State, is yet to be determined. But all you have to do is spend time in the dark web, or Facebook for that matter, and you will get the impression that a bunch of folks with pitchforks and torches are headed your way. From a commercial standpoint, it has to be understood that the virtual world is doing business in a town without a sheriff, or any real ability to protect itself from the bad guys. In fact, because there is no effective law enforcement, the wise person will start from the assumption that they are going to be attacked multiple times in many different ways and prepare their defenses accordingly.

  5. How do you think your profession will have to change to adapt?

The cybersecurity profession will have to stop fighting the last war and begin to accept the simple reality that a loss is a loss no matter which attack surface has been penetrated. That response must be anchored at the C-Suite or with the Board because IT is not in a position to either understand the problem or enforce all of the varied elements of the solution. The field itself is huge, much broader than is being portrayed by the conventional thinkers, and we will either adapt or die. That’s because there are so many creative paths a hacker can follow to get at your system. For instance, no hacker in their right mind would pound their head on an unbreakable firewall when they could bribe the system manager, who is notoriously underpaid and over-trusted, to simply let them in. Thus the profession is going to have to take its electronic blinders off and start looking at the problem proposition as a whole. Once they do that, we might be able to devise strategies to counter the current wide array of highly creative fellows out there in cyberspace who view us all as little woolly lambs while they’re the big bad wolf. The sheep who consider themselves safe are only fooling themselves. The wolf just hasn’t gotten around to eating you yet. So, adapting a highly diversified response to the threat environment is a must if we want to survive.

  6. What advice would you give to anyone contemplating entering or remaining in the profession?

The field is red hot and there’s gold in them thar hills. That’s the good news. The bad news is that there is very little informed leadership and most of the responses are both disorganized and ad hoc by definition. That’s because the elements of the organization that are accountable for cybersecurity are either limited in scope or, even worse, don’t know that they are part of the solution (physical security, for instance). The field is looking for a visionary leader who’s willing to tell the emperor that he’s naked. But there are a lot of folks with a dog in the fight who have plenty to lose if we shift focus to a different set of norms. Hence, the war between the true believers in technology as the solution and the people who want to approach the problem top down as a strategic control issue will probably rage on for a few more years. If you don’t mind playing whack-a-mole with the black-hat community, then you can settle into a nice technological rut and enjoy the current situation, playing with all of the fun technologies that pop up like mushrooms after the rain. If you like substantive success, you might get a little frustrated, since the loss statistics are increasing logarithmically and there’s no sign that there’s help around the corner.
