Interview extracts from the first volume of an oral history of cybersecurity practitioners.
Soldier, Marine, cop, professor, Chief Information Security Officer—there are not many jobs Samuel Liles has not had. He has an enviable track record of success in both military and civilian, academic, and commercial domains, and he is probably the most influential practitioner you’ve never heard of. His story is a reminder that while cybersecurity is important, it’s not as important as we think, and the best and brightest, as well as the most experienced, might not always be where they’re needed the most.
Sam Liles: The average day starts by getting situational awareness of what happened overnight. I accomplish that in the early morning. We have a worldwide operation, so I must gain a good understanding of what the security team, the DevOps team, and the operational teams have done. That includes going through a news feed about issues that may not have impacted us directly but may have an indirect impact or may affect us in the future. Then I start trying to get with directors and team leads to understand what they’re doing to get the op tempo of the day.
We don’t seem to have very many major incidents, but we do have events that happen now and then . Maybe on us , maybe on things that happened with customers that don’t have anything to do directly with us, but because we’re supporting them we help them out. That’s the first two hours of my day. After that I have several collaboration meetings. I try to get all my decision cycles out before 1:00 p.m. so I can spend the rest of the day on future issues and forward-looking things. I’ve got to segment my day somehow, and I like to take care of the ‘big rocks’ kind of stuff in the morning because we have an Asia presence. At 7:00 p.m. my time, when their day starts, I need to make sure I communicate to them whatever we came up with during the day here. So, I’m looking at engaging the team in Asia from 7:00 p.m. to midnight. That’s not every day, but my Friday is their Saturday, and my Sunday is their Monday, so we try to balance things out.
How did you actually get started in security? Take us take us back to the beginning.
I’ve done a lot of security operations work. I joined the Army National Guard and later transferred into the Marine Corps. I’ve been a correctional officer, and a tribal police officer—all operational security roles but not always information security. Back in the late ‘80s, I was trained by the Marine Corps on how to operate computers, basically, the old microcomputer courses that were common then.
One day while sitting in the corrections bureau of Pierce County, Washington, they said, “Hey, you know about computers.” I told them that yes, I know a little about computers. They responded by handing me this computer that had belonged to a bookie, and they asked if I could find anything on it. I like a good challenge, and I had nothing to lose, so I said okay. So, in a nutshell, I looked around on the computer they gave me, and I found a file the bad guy had used to keep track of phone numbers as well as all other elements of his criminal enterprise. That was the state of computer forensics at the time.
Flash forward about four years, and the FBI made a bust in Pierce County that was similar to the earlier case I had worked, and they asked me to help. That brought me to the attention of some people in the computer industry, so I helped build computers and other related equipment. A regional Internet Service Provider (ISP) asked me to help reengineer their network, so I built all the equipment and set up the software necessary to run an ISP and a bulletin board system (BBS.) This was before anyone really knew what the Internet was, and at the time, their big concern was not about security as we think about it today, it was about getting paid for the services they provided. With the Internet in its infancy, it was often easy to find backdoors into an Internet service provider. The ISPs wanted to make sure that Internet users were not able to access their services without paying.
My work with that ISP led to other things, and by the mid 1990s I was doing a lot of consulting. I like to say that I’d do anything for money as long as it was mostly legal . I stayed in law enforcement until 1993, when I moved to the Fort Myers area of southwest Florida and did a lot of computer consulting for just about anybody who would ask. My services included networking, operating systems, development, and security, although nobody really cared about security that much at that time. In 1993-1994 it just wasn’t on the radar for anyone but nation-states. Network security consisted of installing Checkpoint firewalls or your favorite stateful firewall/router on your network.
By the late 1990s I was running major programs, engineering programs that included security as a primary component. I ran the Year 2000 (Y2K) customer premise remediation program at MCI/WorldCom with approximately 6,000 people worldwide. We were remediating all the customer premise equipment, which meant we were doing security and engineering while cohesively looking at these issues from the customer perspective. I went on to do that same thing for Sun Microsystems and several other corporations. I did some work with the National Laboratories and the White House. Then, in 2003 the head of supercomputing at one of the National Labs said that I should try academia, and a federal agency offered to pay for a Ph.D. if I were to pursue one. In 2005 the National Security Agency (NSA) gave me a full-ride scholarship to get my Ph.D., and the rest is history. I worked at the National Defense University (NDU) to work off my service commitment. I lectured within the United States at all the US War Colleges teaching security and information technology (IT) operations. But it all started with that first case back in the mid 1980s.
You spent time in industry and academia. In fact, you’ve gone back and forth a couple of times. What was it that drove you to the academy, and what was it that drew you back out?
I had visions of academia as the “ivory tower” and all that kind of stuff. I didn’t take a college class until I was 28 years old. By then I knew several senior academics . I’d been exposed to various information security luminaries like Eugene Spafford (Spaf) at Purdue. Most of these people I was working with all had PhDs, and they were like, “Why don’t you have one?” I said I’d always wanted one but never got around to it. So, the head of supercomputing at the lab said, “You know a lot of universities have a ‘grow your own program’ and will give you the support and time to get one.”
I got into a program at Purdue called CERIAS, which allowed me to do research and help fill in gaps in my knowledge, because based on the way I had advanced in the computer security arena, I knew I had gaps. I went in as a nontraditional academic, getting my PhD and working on a tenure track at the same time.
I actually got tenure very early in my career. I was an academic for only five years when they granted me tenure in a R1 university system. At the time they tenured me, I only had my master’s degree, which is nearly unheard-of. I actually finished my PhD a few months after I started at National Defense University.
However, academia at an R1 wasn’t fitting for me. The things I was doing were so “applied” that as I moved further up the academic ladder, my research was getting less and less traction from scholarly perspective. That led me to give up my tenure and leave Purdue, and go teach at the NDU. I found an applied environment I really liked, but then government sequestration happened, and they cut the faculty at NDU by 45 percent. One thing I will say is that working at NDU was one of the best experiences in my life. In a twist of fate, the G7 who killed the budget, Maj General George Flynn, is a colleague at my new job. Good or bad, what he did to meet sequestration led to all kinds of new opportunities.
I had talked to Purdue and they were willing to take me back, no problem. Purdue is a great environment with great people, but once I got back I still wasn’t quite fitting in. As the saying goes, it wasn’t them, it was me. They had rules that said if you wanted to be a full professor you had to do this. Well, I didn’t want to do that. I was running the cyber forensics laboratory with Marcus Rogers, working with Spaf on very applied programs, and producing results for national security programs. I was working cases as a commissioned law enforcement officer, teaching law enforcement officers how to chase pedophiles and solve computer crimes and doing very applied things. More and more, what I was doing wasn’t fitting with the university’s mission, so it became harder and harder to keep up my research, to the point where they were cutting funding.
That led me to leave academia to become the first CISO for the Army Corps of Engineers, where I went from working in a university with a $7 billion budget to one of the largest military commands with a budget of $22 billion overall, and a security program that was almost $60 million and 75 people.
I wrestled with that move quite a bit. It was a very emotional thing to give up tenure a second time, only to take on the most infamous role in an organization, the Chief Information Security Officer (CISO), who is the designated firee upon notice of breach. I did the CISO gig for almost a year, and I was wildly successful at it. In fact, I made it exactly three months longer than my mentors said I would, at which time I took a promotion and went to work for the Department of Homeland Security (DHS). At that time, I had offers to go back to academia to run major programs—director, dean, officer-type positions—but I was gun shy about going back and being told that applied research didn’t fit in. What I liked wasn’t just applied, it was service research, actually doing practical things, which is something a lot of places don’t do.
While there, I became the Senior Intelligence Officer for the Department of Homeland Security‘s cyber program. First I was a subject matter expert and then the acting director. My big win was that I was the guy who helped lead, and was the face of, the government’s cybersecurity work related to threats to the election. I was the one who briefed Congress over two dozen times about what the Russians are doing, and my testimony appeared on Fox News and CNN for weeks.
Apparently, being identified as a Russian investigator was not a good career move, but I figured it was better to sacrifice myself on the altar of public opinion than to put one of the actual career intelligence officers in that position. I had a public career and the background to withstand the scrutiny and whatever came down the pike from a political perspective, but you take someone who’s spent their career in the shadows and toss them out there—that would not have been cool.
What skills have helped you navigate and be successful in so many different domains?
When I was a young guy, it was the ability to take a punch. I was more than willing to lead with my chin and be very, very bullheaded about things that I had to get into . That really did translate well when getting into cybercrime because when chasing bad guys around in cyberspace, it can be difficult and time consuming, but you can’t just give up.
Technical skills. I’ve built my technical skills through both formal and informal training, and I had the opportunity to work alongside some pioneers in cybersecurity. All those things really contributed to my success in this field.
Business acumen. I’ve started businesses, operated businesses, and I got divorced because of a business. I’ve been through the entire hierarchy of business roles and life cycles. I structure security programs to support business operations because a security program that does not support the business will soon become an unfunded security program.
Finally, at some point in my career, I went from being a total techno-weenie, knowing and being able to rip apart every operating system, and disassembly of applications, to where I am now … talking about culture and history and innovative organizational change. The technology part is easy; the people part is hard. I’m not even sure when that happened in my career, but I see that shift has happened. All that previous experience, that sense of determination to get the job done and being able to withstand the stress—those are the things that form the bedrock of my success. I’ve also learned a lot from my failures. Failure is a tremendous teacher because you have to listen or continue to fail.
To read the full interview, and learn more about the working lives of a range of security practitioners, order Working in Cybersecurity at Amazon.com.