How Gregory Touhill became the first CISO of the USA
Security veteran tells us about on-the-job learning, the importance of preparedness and why nobody is a cyber expert
Run with military precision and strict regiment, life in a 1980s air force base rarely brought any great surprises. Monday's mail day brought a modicum of excitement as soldiers eagerly checked their pigeon holes for a letter from home, but anything out of the ordinary usually meant bad news.
That's why joy struck Gregory Touhill when he realised the contents of a package delivered to his division's headquarters. Gathered around the package, soldiers of varying ranks exchanged inquisitive looks, all searching for someone who knew what the peculiar box was. "Wow, we got a computer," Touhill said enthusiastically. In typical military fashion, his boss, the lieutenant colonel, turned to him and said: "You know what this is, you are now in charge of it."
And so Gregory Touhill became the second lieutenant assigned to deciphering this box that had made its way over to his headquarters at McChord Air Force Base.
The lieutenant colonel's reaction wasn't at all unusual this was the prevailing attitude towards computers at the time. Just a few years after the advent of the internet as we know it, Robert Morris released the Morris Worm, the first computer virus that resulted in a criminal conviction. The case notes are enlightening: The internet was just referred to as "INTERNET" no "the" preceding it and the term also had to be accompanied by an explanation of what it was, wherever mentioned, which perfectly encapsulates the level of understanding of this new technology.
At a time before the World Wide Web or any ISPs, which didn't appear until 1989, this INTERNET was a veritable mystery to most people including Touhill's boss. For tech enthusiasts, though, it was a time of excitement and opportunity on a totally new frontier.
After being assigned as the computer's keeper, Touhill embraced the new technology with fervent gusto. "I learnt everything I could about it," he tells IT Pro. "As I learnt more, I also figured out how I could defeat the automated systems, so baking-in security became a priority for me. I was fortunate to work with great airmen who helped me become a highly-skilled cyber practitioner."
Despite his fierce determination to learn how to operate this new machine and bolster his bandolier of skills, this military man first joined the force to fight enemies in front of him, not those behind a computer screen. The learning curve was steep and very hands-on.
"I learned as much as I could about how things worked in the cyber business. I coded, pulled cable, created and administered networks and I automated functions in my squadron and across bases. I did every job I could to sharpen my skills.
"I contend that anyone who says they are a cyber expert isn't. It's too broad a discipline to master everything and it's constantly evolving. That's why, while I'm a highly skilled practitioner, I'm still learning every day."
But it wasn't until Touhill hung up his air force uniform that his career really took flight. You don't become the first-ever CISO of the United States' Government without having first made a name for yourself in protecting national infrastructure on a grand scale; Touhill has done this and then some.
An evolving role
Although Touhill was a distinguished airman, a professor at Georgetown University, is a celebrated author and an advisor to some of the industry's leading security companies, it's his work at the Department of Homeland Security (DHS) that has cemented his legacy.
As deputy assistant secretary of cyber security and communications, he coordinated a budget just shy of $1 billion, led a team of over 1,500 people and acted as the director of the National Cybersecurity and Communications Integration Centre (NCCIC). It was in this particular role that he would gain first-hand experience of a range of high-profile cyber threats and "many others that didn't hit the nightly news".
Although the total number of people he managed was large, the groups that fought cyber attacks were comparatively smaller. "The size of teams varies depending on the mission, scope, and complexity of the organisation," he says. "Some organisations have hundreds of cyber professionals, while others have less than a dozen."
Even though we've been put through our paces and scared senseless in a simulated cyber attack we don't really know what it's like when it comes to the real deal. Touhill tells us that teams are typically coordinated with military precision and discipline, with a goal-focused mindset that doesn't wane until the mission is complete.
"When a cyber attack occurs, the best teams already know what to do because they've practised for that bad day. Practising for the really bad day minimises your risk."
Fortunately, cyber teams aren't left to their own wits and devices when it comes to monitoring network traffic for suspicious activity. The old saying "a man is only as good as his tools" rings true for cyber defence crews: They're armed with sophisticated pieces of software to help them exercise their mastery in real-time network analytics, which get "finely tuned" by the "razor-sharp workforce", according to Touhill.
"While most folks hope their security event and incident management (SEIM) tools will detect and alert the security operations center (SOC) team of an attack, sadly many go undetected due to cleverly evil attackers. Often, the first sign of an attack is the knock on a door from a law enforcement official or that dreaded call from the FBI asking to come in and speak to you about a 'sensitive matter'," says Touhill
One such incident is the 2015 breach of the US Office of Personnel Management. This saw over 21 million sensitive records stolen over the course of nearly 12 months by suspected Chinese hackers and was detected by a third party, which notified the Department of Homeland Security (DHS).
In these kinds of cases, Touhill says, attackers put in plenty of groundwork researching their target.
"They use social media, search engine sleuthing, and a host of other means to learn as much about you and your networks as they can. They use scanning tools to find weak spots in your defences, much like checking the doorknobs on houses to see what is unlocked. They identify your high-value assets and determine the best means to gain access to them," he says.
"Once they complete their reconnaissance, they launch their attacks. Contrary to what you see in Hollywood productions, they don't usually launch a zero-day attack because they are expensive, while inexpensive tactics, techniques and procedures often work on the unwary.
"Over 90% of successful attacks start with a phishing email. Once an unsuspecting victim clicks on the phishing link, the adversary gets into the network, elevates their privileges, gains control, moves laterally, and then goes into hiding to accomplish their mission. Attacks can take place over a couple of hours or over a couple of months, often without the victim detecting them until after the attack has concluded."
Getting ready for a really bad day
The stressful stuff doesn't just begin when danger strikes, though and the team is always hard at work, honing its craft and lying in wait for the time of attack. "While not responding to an incident, the most effective teams perform daily operations, train to maintain and grow their skills, hunt for potential bad actors in their networks and practice for the 'really bad day' when a cyber event occurs. You want a team that is ready to execute the mission at any time, so realistic training is essential."
Touhill, who is now living a civilian life as a board director of ISACA, says one of his favourite examples is "Cyber Storm", a series of exercises the US government carries out on a biennial basis with organisations that provide and oversee critical infrastructure within the country.
"Over the course of a year, planners from the government, industry, and academia collaborate to identify potential cyber threats and methods to best deal with them. They then create what often turn out to be elegant scenarios with numerous rabbit holes, twists and turns, to help participating organisations better identify what their high-value assets are and the threats to them."
During the exercise, the teams learn skills that will help them become better cyber practitioners and they'll also learn how to pick themselves up again after an inevitable small failure in the fight. After the exercise is complete, participants receive feedback, share notes and the best get paraded as top performers
A wider view
Security reports are released almost weekly from various researchers all claiming they've found the next big threat and with the advent of new technology, new threats start to present themselves.
With 5G and IoT, there is concern around the poor security provisions that come with IoT devices as standard. Many come with default passwords which are never changed, for example, or common encryption keys across all devices thanks to poor practice from the manufacturer. Adoption of IoT devices both consumer and industrial will soon start to accelerate even more with the more widespread availability of 5G technology and these weak devices can provide attackers with easy access points to an organisation's network.
Touhill, however, thinks there's a greater threat afoot.
"Many folks believe the key attributes of cyber security are to maintain the confidentiality, integrity and availability of information. Early cyber attacks targeted availability, such as denial of service attacks and more modern ransomware attacks. Later, as attackers became more sophisticated, attacks on confidentiality increased, such as the OPM attack that exposed the records of millions of Americans," he says.
"I fear that the next earth-shaking attacks will feature attacks on the integrity of data where attackers will tamper with data, shaking trust and confidence in processes and systems. Such attacks could be catastrophic in critical infrastructure sectors."
It's unclear what the future of cyber security looks like but as rewards rise for successful attacks, so will the attempts. Attackers are drawn to data like moths to fire so priorities number one, two and three must be better security practises among organisations and enterprises, especially those that protect the most precious of data.