Chuck Brooks on Cybersecurity: The Weakest Link Will Always Be the Human Element

Cybersecurity expert Chuck Brooks talks about where we stand in what many people call the "wild, wild west" of cybersecurity.

by / March 2, 2016

If you're in the cybersecurity business, you know the name Chuck Brooks.

He is an advisor to the Bill and Melinda Gates Foundation Technology Partner Network, chairman of CompTIA's New and Emerging Tech Committee, subject matter expert to the Homeland Defense and Security Information Analysis Center, “passcode influencer” for The Christian Science Monitor, on the Board of Advisors for CyberTech, and on the Board of Directors at Bravatek and the Cyber Resilience Institute.

Brooks also has authored numerous articles focusing on cybersecurity, homeland security and technology innovation for such publications as Forbes, Huffington Post, InformationWeek, MIT Sloan Blog, Computerworld, Federal Times, NextGov, Government Security News, Cygnus Security Media, Homeland Security Today, The Hill and Government Executive.

I recently got a chance to get Brooks' take on where we are today in what many people call the "wild, wild west" of cybersecurity. Here are his thoughts.

Q. You wear many hats and certainly have been focused on cybersecurity for some time now. So tell me, who is Chuck Brooks and what is he trying to accomplish in this space?

A. You are right, over my career in government, corporate and academia, I have worn many hats. There have been some strong common threads [of] science, technology, national security, and legislative and executive policy in all my various roles. Thankfully, I selected a professional vocation of government relations and marketing that encompasses all those threads.

My passion for cybersecurity issues was first established over a decade ago during the time I spent at the Department of Homeland Security’s Science and Technology Directorate. Back then, the threats to our critical infrastructure were not as pronounced as they are today. Of course we were just beginning to experience the smartphone era. The field of cybersecurity has evolved exponentially along with the technologies, networks and connectivity that make up the cyberecosystem. And the ecosystem is quite diverse and expansive, comprising software, hardware, monitoring, forensics, governance and more. All these elements make it an exciting area to explore since there is always more to learn from strategy and technology perspectives. Also, it certainly blends my common career threads.

For anyone’s career focus, studying cybersecurity makes [sense] since it touches everything work- or personal-related. In both the public and private sectors — just about every CIO survey — cybersecurity is the top concern. And of course, along with data analytics, cybersecurity is annually a budget priority of federal spending. DHS Secretary Jeh Johnson recently described cybersecurity and counterterrorism as the two top priorities for protecting the homeland.

What I want to accomplish in this space is to continue being a subject matter expert in cybersecurity; I enjoy writing and speaking about the varied aspects of the topic and especially in educating others on how it can impact their lives. My advisory and board director roles with organizations are a reflection of that interest. When I retire (which is a long way off), I hope to join academia again in a part-time role. I spent two years at Johns Hopkins University SAIS [School of Advanced International Studies] teaching graduate students homeland security and found it very fulfilling. 

Q. You have one of the most active groups in LinkedIn under the heading of the Department of Homeland Security. How has this helped both yourself and DHS in feeling the pulse of the cybersecurity industry?

A. I do operate a half dozen groups that focus on homeland security and information security on LinkedIn, including a few of the largest groups: “U.S. Department of Homeland Security, DHS,” “Information Technology (Homeland & National Security)” and “Homeland Security.”

In all, these groups include about 60,000 people. Among the members are a host of well-known cybersecurity professionals who often post and comment on issues of the day. Also, as any news on data breaches or cyberincidents occurs, it is often posted in the LinkedIn groups.

Moderating these groups certainly keeps me updated and in tune with the pulse of policy. It has also served as a great networking venue to share ideas and information with some of the best security minds around in both the private and federal sectors. Many senior-level executives in the federal government are on social sites such as LinkedIn, GovLoop, Facebook and Twitter. There are an estimated 1.5 million federal government employees who regularly use LinkedIn, including over 65,000 from DHS. Because of the growing need for public/private-sector collaboration and interface, being actively involved in social media makes a lot of sense.

Q. What is Sutherland Government Relations and what do you do for the company?

A. Sutherland Global Services is a global provider of business processing services, contact centers, IT service desks and management consulting serving government and U.S. leading corporations across multiple industries, including health care and insurance, technology, mortgage and loan services, finance and banking, retail, and travel. Sutherland has 36,000 employees and annual revenues of over $1.2 billion, [and] was listed in 2015 as one of the fastest growing private companies in America by Inc.

I work for the recently created Sutherland Government Solutions as VP of Government Relations and Marketing, where we are at several agencies and are known for integrated services for citizen service needs and digital government. Our cybersecurity operations at Sutherland Government Services are internal, but we do have a practice in customer relations management after a company or agency has been breached. Our cybersecurity practice is led by Glenn Schoonover who has a deep technical background. He is a former chief information security officer for the Army and was responsible for providing network security to the Department of the Army headquarters. He is also a former senior technology strategist for Worldwide National Security and Public Safety at Microsoft. 

Q. I see you are active in both the public and private sectors when it comes to cybersecurity. What are the similarities and differences between these two sectors?

A. The biggest difference is that government is motivated by mission, and the private sector (for the most part) is driven by profit and loss. The R&D efforts, innovation sector and skilled technical expertise in the private sector have been more robust than in government. Industry is more agile and able to react to threat trends.

On the federal side, the landscape has really changed over the past few years. [The U.S. Department of Defense], of course, has had the cybersecurity war-fighting mission and continues to build upon new requirements for operations and for systems. On the civilian side, DHS takes an increasingly larger role in cybersecurity. Presidential and congressional directives have mandated that DHS play a growing and more primary role, especially with protecting critical infrastructure (transportation, health, energy, finance) that is mostly owned by the private sector. DHS has to step up its activities in assessing situational awareness, information sharing, and resilience research and development plans with stakeholders. This has led to a trend in public-private partnering for sharing threat information and in creating standards and protocols. In both the public and private sectors, training of the next-generation cybersecurity technical and policy [subject matter experts] is a major priority. 

Q. To date, there seems to be a stand-off between Apple and the federal government when it comes to iPhone security. What are your thoughts on this, and can this bring about some lessons learned for the cybersecurity industry?

A. This is the topic of the day, and it is a complicated issue relating to government requesting a corporation to provide software to allow access to data. My thoughts may be a bit different from some of the others in the industry. While I recognize the importance of privacy and the dire risk of an Orwellian surveillance state, I consider protecting innocent lives as a mitigating circumstance. What if that data that the FBI is seeking on the terrorist's encrypted phone uncovers a deeper terrorist network planning more horrific acts? In my opinion, this is a mitigating circumstance.

What should be done is to establish protocols between industry and law enforcement to cooperate in these types of instances (with proper warrants and assurances) so that company Internet protocol can be isolated and privacy issues for the company’s customers can be best addressed. I am quite sure Congress will be looking closely at this case to establish legislation to create a working formula. The lesson for cybersecurity is that there is a balance between privacy and security that has to be constantly reviewed in accordance with the threats at hand.

Q. With billions of Internet of Things devices on the near horizon and zettabytes of data projected by 2020, can we secure and control our digital processes, or are we headed for a digital train wreck?

A. According to Gartner, there will be nearly 26 billion networked devices on the Internet of Things (IoT) by 2020. Moreover, it will keep expanding as the cost of sensors decreases and processing power and bandwidth continue to increase. The fact is that most of these IT networks will have some sort of an IoT-based security breach. We could be headed for a digital train wreck if IoT security standards are not adopted. We may have a digital train wreck even if they are adopted. Standards will have to be developed industry by industry. Protecting a network of medical devices in a hospital will require different sets of standards than protecting utilities with SCADA [supervisory control and data acquisition] systems that make up the electric grid. There are a lot of questions, including who enforces compliance? And what are the liabilities of an IoT breach?

Cybersecurity expert Chuck Brooks' master list of cybersecurity tech areas, priorities and emerging trends

Emerging Technology Areas:

// Internet of Things
// Wearables
// Drones and robots
// Artificial intelligence
// Smart cities
// Connected transportation
// Quantum computing

Priorities:

// Protecting critical infrastructure through technologies and public/private cooperation
// Better encryption and biometrics (quantum encryption, keyless authentication)
// Automated network-security correcting systems (self-encrypting drives)
// Technologies for “real-time” horizon scanning and monitoring of networks
// Diagnostics and forensics (network traffic analysis, payload analysis and endpoint behavior analysis)
// Advanced defense for framework layers (network, payload, endpoint, firewalls and antivirus)
// Mobility and BYOD security
// Big data
// Predictive analytics
// Interoperability

Trends:

// Informed risk management
// Emergence of public/private sector partnerships
// More information sharing and collaboration between the public and private sectors
// Shared R&D spending
// Increased spending for cloud computing
// Consolidation of data centers
// Expansion of hiring and training of cybersecurity workforce
// Tech foraging

The real danger is that the Internet was not built for security at its inception; it was built for connectivity. There is some truth to the notion that your network may someday be betrayed by your toaster or refrigerator. One thing is for sure: the Internet of Things will pose many challenges to cybersecurity and data analytics, many of which we have yet to contemplate.

Q. You've had the opportunity to review many cyberdefense technologies. Are we really finding new solutions that can handle this explosion of digital processes, or are we still playing the game of catch-up and patch-and-pray cybersecurity?

A. New solutions are continually evolving with threats, but there will always be a need for better encryption, biometrics, analytics and automated network security to protect networks and endpoints. It is a perpetual game of cat and mouse between hackers and protectors, and there is really no such thing as being invulnerable.

In a sense, we are continually playing catch-up and reacting to the last incident with patches. The weakest link will always be the human element. However, there are many new interesting technologies that could significantly impact cybersecurity in the near future. There are technologies and algorithms coming out of the national labs, government, and from private-sector R&D and startups that have the potential to be disruptive.

Q. Any final comments? And are there any speaking engagements or events you are participating in that you would like to announce? Could you also offer a good source for information on the subject of cybersecurity that you would suggest for our readers?

A. Please check my regular posts in the media and social media, join my LinkedIn groups and follow me on Twitter @ChuckDBrooks. I do have some future blogs with the National Cybersecurity Institute on my agenda. Also, in addition to social media, which I highly recommend, there are many excellent outlets for cybersecurity information including the Homeland Defense and Security Information Analysis Center. A great site that aggregates cybersecurity news daily is The CyberWire.

Larry Karisny

Larry Karisny is the director of Project Safety.org, an advisor, consultant, speaker and writer supporting advanced cybersecurity technologies in both the public and private sectors.