Interview extracts from the first volume of an oral history of cybersecurity practitioners.
When most people think about cybersecurity, they think about the very technical. But there is a much more academic, even abstract, element to the field that is less widely studied or appreciated. If it is, it is often derided as not serious or practical. Jason Healey is one of the few who have operated at all levels of the field, and who believes that through study at layers above silicon, we will come up with the ideas and theories that will bring about meaningful change. After all, the computer was an idea until the difference engine was actually built.
Jason Healey: As a senior research scholar at Columbia University‘s School of International and Public Affairs, I’m in an interesting position because I’m kind of split into three. I’ve got a fair amount of teaching responsibilities. That doesn’t sound like much when it’s one class per semester, but because I’ve come into this job as a practitioner, I really make a point of working a lot with the student—trying to get the skills they need, trying to get them hired—I take that pretty seriously.
So this semester we were teaching a class on cybersecurity tech law and policy. I’m teaching it with Matt Waxman from Columbia Law School, one of the top lawyers in national security law, and with Steve Bellovin, who’s an eminent computer scientist—part of the generation that helped invent firewalls. We’ve got nine international affairs public policy students from my school and nine law students and nine computer science students, and we’re throwing them all together in one class and putting them into teams and groups to help solve problems in common. And you know, it’s never been done before. Yesterday we were teaching about the history of cyber conflict and how it’s changed and what have been some of the big events that have helped shape the field, that they need to know about as they go out and write about it or try to change it for the better.
I spend about a third of my time as a researcher, and I’m really lucky to be working with an eminent political scientist here named Bob Jervis, who has written a lot on the security dilemma, the role of perception and misperception, and emotions and rationality and irrationality in international affairs. We’re doing a three-year project on the dynamics of cyber conflict and how they’re different from conflict in other domains like air, land, sea, and space; and where they’re similar and how the dynamics are different at the tactical and technical level, where most practitioners spend 99 percent of their attention, and how it’s different from an operational strategic level. For example, some of the important dynamics like network speed, or difficulty of attribution, kind of fall away at the at the higher levels, and so that’s going to be a three-year project, and hopefully a lot of papers and reports come out from that. I’m also a project director, which means that I spend a fair amount of time convening, talking with senior policy makers, trying to generate interesting content in meetings, and convening to bring interesting people together to talk about these issues of cybersecurity.
How did you first get involved in this sort of work?
I came in as a practitioner—I was going to say “like so many of us”—but frankly, that’s not true anymore. I was at the Air Force Academy, getting ready to graduate, and I had planned on being a fighter pilot, and I made the decision that I was going to be a pretty crappy fighter pilot. And in fact, I was in no mood to be a fighter pilot at all. So I made the decision, which was pretty unique at the Air Force Academy, then or now, that I was going to turn down my pilot training slot so I could compete for a job in intelligence. And I did get into intelligence, and I got my absolute last choice of disciplines, which was signals intelligence. It was my last choice because they talked about how, you know, you need to know this level of Fourier transform, and this level of detail about astronautical engineering and so on to be a good signals intelligence officer, and that sounded terrible to me. I knew those things, but I didn’t want to do them. And it turned out it was just a terrible description, right, because the job was much more about management and understanding signals in the environment but not, you know, you weren’t sitting there with your slide gonking out.
And so, I ended up in the signals intelligence field, which is a very technical field. You’re trying to break other people’s codes, listen to their communications, and trying to protect your own. And a lot of people that were coming into signals intelligence that time were being exposed to what we called “information operations” or “information warfare,” or what we now call “cyber.” And a book came out in 1990s called War and Anti-War by Alvin and Heidi Toffler, that talked about this new field that was coming together. That book was influential to me and others, like Greg Rattray, and we said, “That sounds really cool. I don’t know how, but I want to do that.” And so, I really made the decision to try and get involved in that kind of work somehow.
It took me a couple of years, but in 1998, I was finally able to switch over into the field by helping set up the first joint cyber command, an organization called the JTF-CND, which was the predecessor to today’s Cyber Command. Cyber Command is passing 6,000 people, and Army Cyber Command has 20,000 people, or something like that. And it started with twenty-five of us in the very first Joint Cyber Command.
At the JTF, I was working for the J2. Prior to us coming on the scene, the top intel person that I could tell that was full time looking at operational cyber issues, certainly at the joint level, was an Air Force staff sergeant named Bob Goede, and that was it. He was assigned to the DOD CERT—which was called ASSIST—at DISA.
My boss, Bob Gourley, came in; he was a Navy Commander. I came in as the second person assigned full time, as an Air Force captain, and we worked with the people at the DIA for longer-term assessments, but we were it on the operational level. After doing that for a couple of years, I went on to create the Computer Emergency Response Team at Goldman Sachs and got much deeper into the finance sector as vice-chairman of the Financial Services Information Sharing and Analysis Center, or ISAC, which was sharing information amongst all of the big banks and with Treasury and Department Homeland Security. I went to the White House for a couple of years to do cyber infrastructure protection and rejoined Goldman to do crisis management business continuity information security out of Hong Kong, and came back to the U.S. in 2009, and that’s when I started to do much more writing and saying, “We’re not making progress. The same bad ideas are there. They’re not being chased up by good ideas. We still get the same lousy processes; we’re not making progress in our framework concepts and thinking.” I went to work for a think tank, the Atlantic Council, and helped set up their Cyber Statecraft Initiative. I love that name. That was in 2011, and I’ve been doing that kind of work now, since 2011. And now doing it at Columbia University— a little less fundraising pressure and more time with students.
So you’ve had a lot of jobs in this field. Do you view your career as a progression moving upwards, or moving laterally between different sub-disciplines? Did you plan it that way, or is it just kind of how things ended up?
No, I didn’t plan it. I’m much more of an improv guy. Jumping back and forth between the fields ended up putting me in a pretty unique position. I’m someone who’s done the policy and the technology. I’m less technical than some, more technical than others. I don’t really have imposter syndrome as such, but it’s interesting because if you compare me to the other academics—because I am an academic, my title is senior research scholar—you know I’m not a successful scholar, right? Here you judge a person either by the size of their citation list or their peer-reviewed publications, and boy, you know I don’t measure up on either of those. I’ve had success as a policy maker, but others have been more successful policy makers. So I’m really kind of in this in between role of being able to go between the two worlds, of being a bridge between them, which has been interesting because it a unique place again. Sometimes when I think about all the negatives of that, I think there are much, much more positive aspects to how things have gone.
You mentioned the book War and Anti-War. What other resources or people have influenced your thinking on cybersecurity and the things that you’re trying to accomplish?
Well, you be you’ll be ecstatic to hear that last night, to this class of law students, computer science students and international policy students, I spent about 10 minutes telling them about a guy named Clifford Stoll and his book called The Cuckoo’s Egg.
I spent about ten minutes telling them about this case study from 1986, about how this astronomer at one of the national labs was able to discover he had a hacker on his system that was looking for information on Star Wars, the Reagan-era Strategic Defense Initiative. And how he was able to, mostly single-handedly, track him down and identify him as a guy named Marcus Hess, who was hacking out of Hanover, Germany, and selling the information on to the Soviet KGB. It’s one of the first things I read when I got into the field. I wonder who told me about it?
It a great case study. Cliff does a wonderful job of telling the story. And what’s great about it is that even though the technology has moved on so much from 1986, the tactics, techniques, and procedures—everything he talks about in that book, is still absolutely relevant today. And it’s something that I absolutely recommend people to read.
To read the full interview, and learn more about the working lives of a range of security practitioners, order Working in Cybersecurity at Amazon.com.