Scott Tousley, deputy director cybersecurity division at Department of Homeland Security Science & Technology, is an advocate of integrating cybersecurity education into all disciplines of IT and business and risk management. “We don’t want to teach cybersecurity as a stovepipe, but to do it so that it makes sense in overall teaching,” Tousley said. In that vein, Threatpost spoke to Tousley during Thursday’s Advanced Cyber Security Center conference in Boston where he cautioned that IT investments and innovations are rapidly outpacing security, especially in areas such as embedded systems. As corporations and critical infrastructure providers renovate these systems, they need to tread carefully and consider security.
Threatpost: Can you explain your concept of IT and systems renovation, especially around embedded systems?
Scott Tousley: My background is in a number of different areas of engineering. I’ve been a teacher of physics at West Point. I often will drag out an analogy for a while and see if it makes sense. Everybody has done renovations; neighborhoods, your own house. I think that analogy is worth thinking about. We’ve talked a lot with the power grid and heavy infrastructures. When they make an investment in X-Y-Z, it’s not for two years, it’s for 20. We’ve got lots of increasingly networked and embedded pieces of infrastructure. You have to ask yourself the question, if we found this thing and it starts to have an impact, how would you retrofit it? What things that we’ve installed in the past should we be pushing to update versus what we are going to have to leave in place. A lot of that is physical infrastructure, wired versus wireless. To my mind, the idea of renovation is relevant to do we have a re-investment system and is that the right way to think about it as some of these improvements come into play?
Threatpost: What are the security challenges you hear most around embedded systems?
Scott Tousley: The most powerful force in the universe is momentum. People don’t realize how long it will take to change or stop something. If you look at investment and improvements, there is a deployment load that rolls into place. The economy is not strong and interest rates are low; there’s a lot more investment going on that people don’t realize. Are we putting the right security stuff in as part of that investment? How long will it takes us to make a big shift in the way things tend to operate now. That to me is complicated, moving a lot more inexorably than most folks realize. That makes it more imperative to judge the right re-investments to make improvements in security.
Threatpost: There’s a lot of pressure on critical infrastructure to innovate, especially with smart grid, smart meter technology. Yet on the backend, we still have vulnerable industrial control systems and SCADA systems. Do they have any choice at this point but to be reactive?
Scott Tousley: Well, there are places in the world that are controlling societies to build security in from the start. We’re never going to be that, wouldn’t want to be that. Our perpetual challenge is to keep building and re-building an open society to do all the good things we want to make society better where in this domain, the asymmetries are such that it’s a real challenge to keep up with the security weaknesses you’re creating as you build something in. One of the things I’ve been pushing for in our local school board is to shift from a historical mathematics curriculum only of ‘When are you taking calculus?’ That makes sense if you’re trying to graduate people to send them to the moon or have a 1960s timeframe. But in this day and age, you need as many high school graduates to know statistics as you do calculus. The whole question about distributions, probabilities and Type 1 or Type 2 errors and infrequent events is central to the cybersecurity area where you might be operating a system for a week and never see thing, see a two-second blip and five or six system resets that also cause blips. It’s not easy to expect someone to recognize the very infrequent security issues that pop up. It’s a big challenge because we live in an open, successful and commercial society where it’s easy to hide the negative security blips among all of the activity and noise in the system.
Threatpost: Information sharing, meanwhile, has almost become a cliché. So many organizations are concerned about the privacy of information, and legal and liability issues. What are some sharing mechanisms you’ve seen that work, as well as common barriers? Are they all legal barriers?
Scott Tousley: I don’t think it’s the legal barrier, it’s just the natural structural inertia of organizations where it takes time to do things when they run against the grain of what’s habitual. It’s easy to share information within the usual structure of an organization. It’s hard to share information when you’re not sharing it in line with the traditional management structure of an organization. I think information sharing is a problem of isometrics where push and push and while you’re pushing it works, but the moment you stop pushing and the system relaxes, I’ve seen many information sharing things work because there’s a need and someone made it happen and work, then six months later, some of the people have changed, or it can’t be funded or someone who made it happen moved to another job, the agreement stops happening against the grain, it tends to relax. There are a lot of examples that work. But it’s hard to find one where the cultural stuff has really shifted and changed.