Interview extracts from the first volume of an oral history of cybersecurity practitioners.
Security research—finding flaws in software—is a sub-discipline fraught with controversy. Finding and fixing flaws should be a good thing, but it tends to be the bane of a manufacturer’s existence, and paints the researcher alternately as villain or hero, depending on how they operate. M. Carlton’s technical knowledge, skill, and the results of her work put her in the top tier of performers in the field. Her focus—the Internet of Things—puts her squarely in the vanguard when it comes to combating some of the most serious threats we face today.
M. Carlton: The average day in the life for me varies a lot depending on what stage of a project I’m involved in. So, if I am deep in the weeds of a technical project, I basically wake up, start working, and emerge some twelve hours later. And then if I’m not deep in the weeds of a technical project, then it’s more meetings, preparing presentations, and more higher-level issues.
You went to MIT, but not for engineering or computer science, which is what most people would assume given what you do for a living. Why was that? And what is it that got you away from what you studied, into security?
Well I was, and still am, fascinated by political science. I did not go to college thinking that I would major in political science. I had expected to go into brain and cognitive science or computer science. But I took a class my freshman year—American Foreign Policy—which explained a lot about the world that I’d observed but didn’t have a framework for. Suddenly everything sort of fit into this model, and I was hooked.
After a few years of doing internships and exploring various aspects of the field, I realized that while I’m really interested in the subject, there wasn’t any career that comes out of political science that particularly drew me. So, I took a year off after college, so to speak. I did some internships and explored different fields and talked to people about their jobs and tried to figure out what I really did want to do. One of those conversations resulted in me applying for an internship, which I got, which in turn led to a full-time job in software security. The rest is history.
So, you can’t talk about research without talking about disclosure policies. On the one hand you have full disclosure, and on the other you have responsible disclosure. Where do you fall out on those two options, and why?
In terms of releasing information, definitely responsible disclosure. After you release the details of a vulnerability, you don’t get to control whose hands that falls into, so it’s important to allow manufacturers a chance to release a patch for the problem, and to give users the opportunity to install patches. It prevents harm to people who don’t have any other means of recourse.
What about things like what Muddy Waters did? There is an argument that market forces are really what drives change. People don’t care about device security because people don’t know or understand the technology or the implications of a vulnerability being exploited. Companies don’t want to improve security because that costs money, and there’s no demand from consumers. Money talks, right?
Yeah, I see both sides of the argument, and I really hate to choose a side because I’m so much on the security side, so I feel like both sides have very valid points. I think in terms of what they released, the odds of the vulnerability being exploited were pretty low, but also, the means for preventing an attack were quite difficult. And I guess the frustration at the inaction of manufacturers, that’s understandable but it is also unconscionable to put patients’ lives in danger.
This is a field that is pretty much dominated by men, and you are a woman. The issue of men behaving badly towards women in this field has been a growing issue for a couple of years now. Pre-#metoo movement, have you run into a situation where people were treating you poorly because you were a woman, and how did you deal with that? How do we change this culture of ours?
Well, it’s interesting because nobody actually in this field ever asks me that question; it’s always people from outside the field, but yeah, I’ve had issues in the past, more so at the beginning of my career. And recently, whether that’s because of changing attitudes or learning how to better handle difficult situations, I don’t know. I definitely haven’t always dealt with it perfectly. It’s very difficult to do, so I think we’re not really taught how to deal with these kinds of situations. Nobody is. We aren’t told, “Here’s how you react. Here’s what you say. Here’s the best thing to do to lead to a constructive conclusion.”
I think one method they’ve shown that works well is teaching everyone how to intervene when they see something wrong happening. And I think that the more people learn about what to do to inhabit the kind of work places that they want to work in and how to navigate difficult situations, how to stand up for themselves as well as others, the better our environment will be.
To read the full interview, and learn more about the working lives of a range of security practitioners, order Working in Cybersecurity at Amazon.com.