A Cry In The Cybersecurity Wilderness

I have spent the last decade talking about problems. I suppose the reason is because it seems to have gotten me a lot of attention. It wasn’t like that at first, but it eventually turned out that way.

Let me explain…

Back in 2007 I decided that security was going to be my full-time job. I suppose what drew me to this was the explosion in connectivity, and having to spend a lot of my time, as a CIO, figuring out how to defend ourselves against attacks from all over the world. I became somewhat fascinated by the brazen geeks that seemed to have no end of interesting ways to penetrate my networks. I decided it would be fun to get into the security business.

My first project in my new role in technology was protecting a medical device from counterfeiting, using a combination of highly secure computer chips and Public Key Infrastructure (PKI). It took a while to get everything working well, but in the end, it all worked out. That company still uses that same solution a decade later.

I sensed an opportunity here, and went forth into the world trying to convince anyone who would listen (and hopefully buy from us) that PKI was an absolute must in any connected device. I ended up with a lot of painful dismissal, mostly in the form of polite “thank you…we’ll let you know if we need anything like that” replies, and the more than occasional “we are not really interested in security” slap in the face. As it turned out, nobody seemed to think security was their problem. It was always someone else’s problem, and the few jobs we did get was when we ran into that “someone else” that had a problem. 

Ahhh yes…those were the days of four for a dollar ramen noodles and store brand sodas. My how things have changed for the security professional.

What I discovered was I first needed to focus on pointing out the problem, and latched onto the security research community (aka hacker community) for some insight on where things were going. I’m not talking about sitting around with a bunch of folks with multiple piercings and fluorescent hair, enjoying pizza and sodas while they figured out ways to break into things. I am talking about working with researchers that were funded by academia, like Dr. Kevin Fu, who made the news by hacking into a defibrillator while at a university in Massachusetts, and presenting a paper at an IEEE conference (I was there when he presented it). I got to chat with Jay Radcliffe, who made headlines hacking an insulin pump, and the late Barnaby Jack, who turned heads by hacking…everything. I hung out with Dr. Charlie Miller and Chris Valasek, who made national news by hacking a Jeep remotely while it was being driven, and buddied up with Billy Rios, who jointly delivered some vulnerability reports with me to DHS ICS CERT. I used the knowledge from these interactions to build my case, and certainly enjoyed the lifestyle it allowed me to live as the world of cybersecurity became a spectator sport. It was, and still is, a good time.

Back then, in the early days, we all would sit back and wax poetic on what was to come. We all knew it back then. We were researching the world of cybersecurity day and night, and we all knew it was going to get really bad someday. As things got progressively worse, we revelled in our sometimes public and often silent “I told you so’s”. I mean, who doesn’t like being right?

Then things started to change…at least for me. As things started to get really bad I began realizing that being right about how bad things are was no longer as fun as it once was. The attacks were getting bigger and far more serious, and I realized that pointing out the problems was nothing more than pouring salt into what had become a gaping cybersecurity wound…or perhaps even just several million small cuts, which are just as bad. Moreover, I noticed people began listening to my advice…that same advice I tried giving a decade ago. This made me feel good.

It occurred to me that the world was ready to consider solutions, and it was time for me to make the move back into the solutions space. Some of the folks I knew at DigiCert began recruiting me, and I decided I was ready to come back to where I began. Here was an organization that was actively delivering what I knew everyone needed a decade ago, but this time everyone we spoke with knew why they needed to solve the problem. In the end, it is better to be loved, to be sure.

I am thankful for the time I got to spend with the research community, and those ties will never go away. It was that community that helped me get the message out, and many of those, who began their lives as thorns in the sides of many connected industries, are now focusing on solving the problem. Charlie Miller and Chris Valasek are helping the auto industry secure vehicles. Billy Rios is building products and services to help clients address security issues. I am now working with the world’s leading trust company to help others implement better and more robust security.

Those early days were hard, and lonely, and nobody seemed to listen. I wouldn’t have wanted it any other way, in retrospect. While the world slowly came to the realization they needed our help, we continued to hone our skills, and now are ready to work with the industries that need to secure their systems and devices. It may take a while, but we will eventually get this all under control. After all, it was part of the plan all along.