Director of Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security, Frank Cilluffo frequently advises senior decision-makers in the US government and various international organizations on cybersecurity policy and strategy. In our two-part interview with Mr. Cilluffo, he paints a vivid portrait of the cybersecurity threats that the country and private sector are currently facing, and what can (and can’t) be done about it.
This is the first part in a two-part interview with Frank Cilluffo.
You have an impressive bio, having worked on cyber issues in the White House, with NATO, with Europol, and with the UN. You established the first World Executive MBA in Cybersecurity program at George Washington University. You’ve testified before Congress more than 30 times. What first fired your interest in matters of security and cybersecurity?
Oh, I actually started out studying international affairs. During my junior and senior years I interned for the Committee on Foreign Affairs on Capitol Hill, and from there I went to a think tank, the Center for Strategic and International Studies. Even while studying, I was not always the best at reading what was required but would find footnotes on issues that I found really interesting. So I did a lot of work initially on what I guess you could say in the vernacular was “drugs, thugs and bugs,” whether cyber or biological. It was focusing on more of what we would refer to at that time as “non-state threats.” Sort of the dark side of globalization, with a focus on transnational crime, terrorism and cyber. So I guess some of the first cyber work I was doing was more looking at transnational crime, Russian organized crime and their use of cyber, some of the cartels and how they were using information security and technical means to advance their tradecraft and do their business to evade the good guys. I did a lot of work on counterterrorism and homeland security-related matters. And then 9/11 occurs, and I got the opportunity of a lifetime to serve my country in the White House [as Special Assistant to President George W. Bush].
From there, you went to a post at George Washington University. Tell us about the program you set up there.
I set out to create an environment that went beyond the “think” of a think tank. I didn’t want to simply assess and evaluate the threat, but wanted it to be grounded in the real world and speak to the practitioners that actually have to do things. I loved what I was doing at GW, but I more recently had an opportunity to take it a step beyond just admiring the problem, and joined Auburn University, where I run the McCrary Institute for Cyber and Critical Infrastructure Security. Here, I can not only admire the problem but I have a very deep technical bench providing solutions to some of the big problems. That’s the differentiator for the McCrary Institute. Being tied in with the engineering program will allow us to apply solutions in real time. So in a nutshell, we try to marry up theory and practice, focus on issues at the edge of policy and technology, and marry up policy, research and education. So, we try to provide more of an end-to-end set of solutions around one of the pressing matters facing our country, whether it’s our national security or our economic security and prosperity from a private-sector perspective. An actual “think and do tank.”
That’s interesting. That evolution makes a lot of sense. You're at a point now where you’re making the rubber meet the road.
That’s the concept, yeah. And we’ve got some amazing people and really cool technology. This is not meant to be pejorative, but sometimes in academia you find pockets of excellence doing amazing work but they don’t always tie it to and calibrate that work to real-world problems. But Auburn has a very practical mindset, so one of the things that we’ll do is marry that up.
Even with all your previous experience, it’s probably eye-opening work.
I do have a better appreciation for what keeps people up at night, what their primary headaches are, what their primary challenges are, in government and critical infrastructure-owner communities. And then we bring the horses into the stable to be able to provide some of those solutions.
So you’re helping provide solutions both to government and to the private sector?
When we look at cyber, the issues facing the government are at the top of the list. But if our critical infrastructures aren’t up and running, those that underpin our economy and our country, we’ve got to look at it beyond merely a government lens and try to bridge those gaps as well, public and private sectors.
Just looking broadly at the notion of cybersecurity as it relates to national security, do you think the topic gets the attention it deserves in the press and in public consciousness?
You know, I think awareness is high and becoming higher almost every day. Not necessarily for any other reason than people realize that the threat is growing pretty fast and almost exponentially. You blink and you miss the hack du jour. So I think awareness is increasing. What I do think we still lack is the “So what?” And by that, I mean not all hacks are the same, not all hackers are the same. Intentions vary. Capabilities vary. The tools, tactics, techniques and procedures vary. The adversaries vary. Russia is not China. China is not Iran. Iran is not North Korea. North Korea is not a foreign terrorist organization, which differs from a criminal enterprise, which of course differs from a hacktivist or anyone with an axe to grind in the cyber domain.
How does a failure to understand that nuance translate to insufficient policy responses?
I kind of equate it to when I coached all my kids in soccer over the years. When they're pretty young, they're all swarming the ball, chasing that shiny object, when in reality they’ve got to step back a little bit and try to get a sense of the landscape or the field, and spread it out and start putting together policies, procedures, governance structures, to actually make sense of the situation. So I think right now, awareness is high. But if you were to read a media story, it tends to sometimes blur what I would call sort of “graffiti” in cyberspace from real-deal significant cyber events and incidents. And so to be able to better delineate and understand that landscape, you have to understand the adversary and what their intentions and capabilities are. You have to understand your own vulnerabilities. If everything’s critical, nothing’s critical. So what are our most critical infrastructures? And I would focus on our lifeline sectors, those that our economy and country and public safety and national security are fully dependent upon. We’re starting to get to the point where, in some of the expert community, that’s starting to settle out. But when you speak to policymakers, when you speak to some of the highest decision-makers, there’s still a bit of a learning curve to really know what to focus on first and what matters the most.
Can you offer an example where policymakers still have to overcome that learning gap?
Take the election meddling that we had a couple years back. Is that a Russia problem or is that a cyber problem? It’s kind of both. And yet we still have communities that live in their own silos. So you’ve got an amazing group of people who understand Russia’s political leadership and intentions and motives. And you also have a group that really appreciates and understands the cyber domain. But the two need to come together.
That’s interesting. I think a lot of us really do struggle to figure out how to categorize cyber.
Right. Because cyber is not only its own discipline, its own domain. And it is its own domain, like air, land, sea, space. But it also transcends all existing domains. In other words, you don’t deter cyber, you deter Russia from engaging in bad cyberactivity or bad cyberwarfare or whatever. It’s not this or that.
Yeah. It seems like if you said the word “cybersecurity” to 10 different people on the street, you might get seven different legitimate ideas about what cybersecurity means. “Oh, that’s making sure you have password protections or use a password manager.” “No, that’s when people hack into a company and hold its data hostage for a ransom.” “No, that’s installing antivirus software.” “No, that’s when people steal personal information and commit identity theft.” It’s so much.
Are we even using the right language? Is “cybersecurity” too broad of a term? Should we be breaking it down more, or is it just a matter of making sure that people understand the umbrella nature of that term?
It’s kind of both. The reality is that obviously you need to be able to drill down. I mean, even if you were an investor in a cybersecurity company, endpoint security is not the same as threat intelligence, which is not the same as forensics and incident response. I mean, you do need to break down the landscape and segment it into manageable functional areas. But I think you also need to be able to have the big picture, to understand it from a governance perspective.
Speaking of the big picture, when someone like you considers the national-security threat posed by cyber, what kind of broad solutions are you looking for?
Well, the solutions will not come from the cyber ninjas alone. You ultimately need the CEOs and most senior policymakers to see how these pieces come together as well. There was an executive order signed [recently], the White House trying to grapple with the 300,000-person-plus gap in the cybersecurity workforce in the United States, and the federal workforce in particular. When you start thinking about how you educate all of these folks, I mean, you do need those “Special Forces,” you need the ninjas, you need those that can out-duel anyone. But you need more than simply the Special Forces. You also need the big army, meaning that you need everyone. You need a much broader constituency and community of people to be part of that cybersecurity workforce. And then you need the blockers and the tacklers. Everyone needs to be cyber-aware.
That’s no small thing, especially given the “ain’t-my-job” mentality, or people saying, “Well, I’m not very tech-savvy.”
Right. Nor am I though, in some ways. But the smart adversaries are exploiting the weakest link, and often that’s through the workforce. Often that’s through phishing expeditions and other sorts of campaigns. So right now, your workforces are in some cases the weakest link. How do you flip that into becoming the strongest asset of any company? And that is not just to have the CTOs and all your cybersecurity team up to par. It means you need to have your entire workforce cyber-aware and cyber-savvy, if not fluent. A lot of people think cybersecurity is the “IT Guy’s” problem. That’s doomed to failure, you know? Not to suggest you don’t need that. You do. But you need much more.
Check back on June 6 for the second part of the discussion, in which Mr. Cilluffo discusses the cyber threats posed by various nation-states, and what the US -- and the financial services sector -- should be doing about them.
Frank J. Cilluffo is the director of Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security. Prior to that, he served in the Office of Homeland Security as a principal advisor to Director Tom Ridge. At George Washington University, Cilluffo established the Center for Cyber and Homeland Security and launched the university’s World Executive MBA in Cybersecurity program. He continues to serve as a member of the Department of Homeland Security’s Advisory Council, and routinely advises senior officials in the executive branch and the armed services on national and homeland security strategy and policy. Cilluffo works with U.S. allies and organizations such as NATO and Europol and has published extensively in academic, law, business and policy journals, as well as magazines and newspapers worldwide. He currently serves on the editorial advisory board for Military and Strategic Affairs, and previously served as an on-air consultant for CBS News.
Copyright 2018 74&WEST LLC All Rights Reserved.