Interview extracts from the first volume of an oral history of cybersecurity practitioners.
Bob Gourley is the founder and Principal at the cybersecurity consultancy Crucial Point. He began his career in the Navy as an intelligence officer. Years of service aboard ship and ashore led to positions of increasing responsibility and a fairly normal career path, until he was offered the chance to become the first J2—chief intelligence officer—of a new multi-service unit called the Joint Task Force-Computer Network Defense, the predecessor to the U.S. Cyber Command. The rest, they say, is history.
Bob Gourley A day in the life for me starts with reviewing the latest threats and trying to identify any new tactics threat actors are trying to use. From there, every day is different. It could be some kind of business development effort or being heads-down on a project for a client, or managing members of a delivery team. The best part of my day is any time I get a chance to work on something that helps clients stay ahead of the threat.
I first got involved in information technology through games. There was a game at a bar I used to work at. It was called Pong (laughs). It was fun and addictive and made me seek out other games, including those that would work on home TV’s (these were so horrid to view but were the first devices where a home user could really interact with a monitor). When I got to college, I started programming on a mainframe for coursework, and of course, simple games, when I could get away with it. The mainframe had a version of a Star Trek game in BASIC, that I changed so I could always win.
My first career field as a naval intelligence officer was analyzing all-source intelligence data in operational environments. We called it OPINTEL. It is all about analyzing data, a lot of which was computer generated. “Data processing” in those days. That data had to be protected, but in those days that mostly meant all of us promising not to steal secrets and then backing that up with physical protection, focused on guards, guns, and dogs. There were many early technical security measures as well, like automated labeling of data to match its classification level. There were all sorts of new challenges to deal with, like how do you mark classified documents in a database?
My baptism by fire came in the late 90s at the Pentagon. As a staff officer in the Joint Staff Intelligence Directorate (J2), I had been working projects associated with tactical intelligence systems interoperability. This was all about information sharing and functionality of tools for tasking, creating, and sharing intelligence. Two co-workers in another part of the J2, Joel Harding and Arnold Abraham, told me about the results of a major Joint Staff-sponsored exercise called Eligible Receiver 97 (ER97). ER97 included a demonstration by an NSA red team that proved many DoD networks were unsecure. The red team demonstrated that they could go from the public Internet onto classified DoD networks, which was not supposed to be possible. They also demonstrated that once they were in those networks, they were able to run amok and do things like access databases used by the military medical and logistics community. If an adversary had been able to do that during an armed conflict, it would have had a serious impact on our warfighting ability. And I remember saying to Joel and Arnold something to the effect of, “Man, this is important, but I’m glad someone else is working it.” Unbeknownst to me at the time, an effort had been kicked off to form a unit that would deal with things that were exposed by Eligible Receiver, as well as another event—a real-world one—called Solar Sunrise. The Joint Task Force for Computer Network Defense (JTF-CND) was going to be the go-to unit to help respond to these kinds of things. A few days later I got call from my boss asking if I wanted to be the J2 (chief of intelligence) for this new unit. My immediate response was, “No thanks, I’m happy doing what I’m doing,” but after about ten minutes it occurred to me, “This is an operational intelligence role in a brand new, wildly important mission. When am I ever going to get a chance like this?” So, I called my boss back and said, “I changed my mind; I’ll take the job.”
I didn’t study computer science in college. I was a chemistry major but also took some biology and physics. Later, I got a master’s degree at the Naval Postgraduate School in scientific and technical intelligence, which was a mix of hard science and a big dose of thought-expanding, more mushy liberal arts. I also got a degree in military history at the Marine Corps University. At the JTF, anyone who didn’t have a background in computer science got a crash course from a variety of subject matter experts. This included things like TCP/IP and the other technologies we would deal with, along with some basic hacking courses so we would understand the fundamentals of attack and defense. Later, a number of us at the JTF also got Master’s degrees in information security, which was very helpful. A lot of us started out as novices, but we got up to speed quickly. We had to.
What influences how you think about security problems?
I was lucky because my career was always adversary focused. I always knew there was someone out there in opposition to us. They were smart and dynamic, and I had to focus on countering them in the most effective way possible. Before the JTF, I had always worked in the operational Navy, where you’re working for very demanding decision makers. Consumers of our intelligence included leaders making continuous operational decisions in the face of adversaries doing the same thing. Think of a commanding officer on a ship in direct engagement with an opposing navy and his tactical considerations, and then also his boss, an Admiral with more operational decisions. In this type of intelligence job, you keep taking more intelligence from any source you can think of, and you’re flooded with information, a lot of it contradictory. All of it has to be analyzed, but the situation is always very dynamic. Our forces are moving, the adversary is moving, everything is changing. I learned how to work well in that kind of environment, and it drove home a key point: You never have perfect information, and you can never fully understand a thing, you can only understand it well enough to make operational decisions. It really helped me to have mentors who worked in the trenches who can enhance your understanding of the domain. On the cyber side, at JTF-CND we met guys like Jim Christy, who had been involved in one of the original cyber espionage cases. Jim came at things very much from a law enforcement angle, but he was able to impart lessons directly from his investigations and explain how hard it is to investigate cybercrimes. I also learned a great deal of benefit from veterans in the intelligence community. Guys like retired Admiral Mac Showers, who had been an operational intelligence officer in World War II. He really imparted to us the importance of thinking like your adversary. What are they going to do next? How can thinking like an adversary help improve your defenses? He and other mentors like Bill Studeman and Rich Haver also always imparted to us the greatest good for intelligence. We exist to steal adversary secrets and create knowledge that drives decision. This attitude drove our intelligence approach at JTF-CND. We set a vision that we would 1) Architect for a fight, ensuring we have all the intelligence we need for cyber defense, and 2) Intelligence would drive operations, meaning we would have intelligence of such quality that it would set the course for our defensive operations.
Outside of security, I draw influences and inspiration from my reading, in particular, science fiction. There are so many lessons we can learn from people who write science fiction, people who are very forward-looking and imagining things other cannot, or at least not yet. Even the term “cyberspace” was brought into popular culture through science fiction, through the works of people like William Gibson. His description of cyberspace as being this infinitely complex consensual hallucination was an expansive way to think, and it’s important to think like that when it comes to security.
It has been said that we have a talent shortage. It has also been said that we don’t have a talent shortage, we’re just not managing the workforce effectively. What’s your take on this?
Look at the world through the lens of the PC. One point two billion PCs in the world, client-server, serving three billion users. None of it is secure. Nothing we’ve done in the last two decades has had a significant impact on any of that. We’ve helped to varying degrees, but we’ve not managed to significantly reduce the threat or dramatically reduced risks. Things are getting worse. That’s the PC world, which is trailing behind us as we move into a more mobile environment: phones, tablets, cars, aircraft, drones. Computers were in an office; now they go with you. It’s a totally different architecture that is not anywhere near as secure as the PC architecture is, which is saying something. We’re talking about the lack of talent in the PC world, which we are never going to solve, and we’re racing headlong into a new world which is even more underserved, from a security talent perspective. Something has to change. We can’t keep throwing bodies at it, even if that were possible. We need to leverage technology. Maybe that’s more automation, ML and AI, other ways we can’t envision right now. If we suddenly had enough people address the PC world, we’d still be screwed.
I think you also have to think of the impact we’re having and how that might influence people looking at the field. If you take a talented person who is considering a career in security or, say, cancer research, I’m not going to blame someone for wanting to cure cancer, especially when they look at each field and consider the impact they might have on the world. We haven’t cured cancer yet, but we’ve made progress. People live longer. In some cases, people live, period, when ten or twenty years ago they did not. You can’t really say that about security.
There are things we could be doing better in this industry. If you look at a mid-sized enterprise, let’s say 400 total employees, and maybe 5 of them are working on IT. Small and medium-sized companies (those of any size doing under $1 billion in revenue annually) are the backbone of the economy. An executive in an enterprise like that can read about best practices and get advice about what to do, but then they read that none of that is going to stop a determined attacker. What’s a decision maker in an enterprise like that supposed to do? Imagine him going to the yearly RSA security conference, the largest event in our field. He’s going to see 500 vendors on the expo floor. Let’s say he finds one vendor out of all of them who has what he needs, and he’s feeling good about them; they’re going to quote him a price point that’s outrageous, unaffordable. What’s he supposed to do? These are hard problems. There are bright points of light and things that give us hope, so we should probably mention them. They include cloud computing, software as a service, security as a service. These approaches let someone else worry about the technical issues and talent issues, so you can focus on your business.
To read the full interview, and learn more about the working lives of a range of security practitioners, order Working in Cybersecurity at Amazon.com.