By Andrew Whitaker
When Eliud Kipchoge beat the marathon world record this year in Berlin, my jaw dropped. He ran a marathon in 2:01:39! This beat the previous world record by 78 seconds. So, in about the same time that you sit down to watch a movie and snack on popcorn, someone else can run 26 miles. What makes this even more remarkable is that he was so fast that his pacers could not keep pace with him. Eliud had to run almost half of the race alone due to pacers dropping out.
I look at Eliud and think, here is an unbelievable athlete that stands alone, running against soreness, determined with each step to not only win a race but be the best of all time. As he ran alone, it is easy to remark on how he accomplished this all on his own. How he, alone, without help, achieved greatness no one ever dreamed was achievable.
Not to compare being a cybersecurity professional to being a record breaking athlete but I am going to do just that. In many organizations, it is easy to look at the security team and say, it is up to them to make sure we are secure. As the person responsible for cybersecurity in the City of Seattle, I am often stopped in elevators and hallways with the half-joking question, “So, Andrew, are we secure today?” people ask with a smile. They mean it to be a casual remark, but every time I hear that question it reminds me not only of the honor I have to carry this responsibility, but also of the mindset of others that security is always someone else’s problem. Yet, security is everyone’s problem. They think we can snap our fingers and wipe out hackers. As much as I would like to think that we are as powerful as the all-powerful fictional character Thanos, that just isn’t the case (That was a very nerdy reference to a superhero movie. To the twelve of you reading this that got the reference, you are welcome.)
When Eliud beat the world record, he did not do that alone. He is part of the NN Running Team. He had his coach, Patrick Sang. He had medical assistants. He had physical therapists. He was part of a running team with some of the top athletes in the world, including Kenenisa Bekele and Geoffrey Kamworor, and many others that, collectively, claimed a staggering 52 victories in the first 12 months of the team’s inception. There were his pacers and there were the staff that operated behind the scenes supporting communications, marketing, finance, and operations. You get the point. While it may appear that one person did it all, it took many supporting the goal to achieve success.
For the City of Seattle, or any other organization for that matter, to achieve success in cybersecurity, it cannot be up to a team labeled as security professionals.
This October marks the 15th anniversary of National Cybersecurity Awareness Month. One of the key messages for this year’s cybersecurity awareness campaign is “Tackle it Together.” Cybersecurity is a cross-cutting, cross-sector problem and must be tackled together. We are all connected in this thing we call cyberspace, and each of us has a role to play in cybersecurity.
What does this mean for you?
- This means reporting suspicious phishing emails to your security team so that they can make sure others are not receiving the same phishing scam.
- This means stopping the individual attempting to tailgate behind you without badging in and saying, “Would you mind badging in?”
- This means following security policies, even when it would be easier not to follow them.
- This means locking your workstation every time you get up from your desk.
- This means taking the time to read regulatory compliance requirements if they pertain to your job.
No single security team can accomplish cybersecurity on its own. Like Eliud, we may get the attention when there is success, but we also recognize that success is only because of the many individuals who helped behind the scenes to get us there. To the many, many individuals who help the City stay secure without any expectation of acknowledgement, thank you. We cannot do it alone, and we recognize every day that we stop threats only because of those vigilant, security-minded individuals like yourself that take that extra step to report those threats to us.
As we conclude this three-part series of blogs for cybersecurity awareness month, I want to put a twist on ending with three tips. Rather than leave you with three security tips, I want to leave you with three quick biographies of cybersecurity heroes that have inspired me in my growth as a cybersecurity professional:
- Dark Tangent (AKA Jeff Moss). I cannot give a list that does not recognize this Seattle great whose handle is known among hackers around the world. Jeff launched the first Defcon hacker conference in the early ’90s. In 2018, this conference had over 27,000 attendees doing everything from social engineering competitions and hacking medical devices to finding new vulnerabilities in automobiles, cracking safes, and cracking complex cryptographic puzzles. This last Defcon, Emily Skinner, an 11-year-old girl, demonstrated her ability to hack into a voting system to modify election results in under ten minutes. No other conference in the world has done more to encourage cybersecurity research, raise security awareness, and find innovative ways to tackle security threats. And no other conference has done more to bring together misfit rebel computer geeks to a place where it is socially acceptable to go to a party and talk about ROP chains, heap overflows, Z-Wave spoofing, and malware obfuscation packers as if those were cool topics. Jeff Moss had the drive to create a safe place to foster security research, awareness, and honest discussions to find solutions to today’s challenges.
- Woz (AKA Steve Wozniak). Many people know Steve Wozniak as the co-founder of Apple (or for his samba performance on Dancing with the Stars). What many do not know is that Woz, at his core, is a hacker. He started out as a “phone phreak”, a term for people who hacked phone networks (I’m sure it was a cool term at the time). In the 1970s he was known as “Berkeley Blue” and would build “blue boxes” that allowed him to hack into phone networks and make free calls. Woz learned how to make these blue boxes from another phreaker, Captain Crunch, aka John Draper. John discovered that the whistle that came in Cap’n Crunch cereal boxes generated a tone at exactly 2,600 Hz, and could be manipulated to generate the exact tone needed to trick pay phones into entering a mode that allowed for free calls. Now, as the CISO for the City of Seattle, I do not condone hacking illegally. Woz himself has said many times that he never once hacked a computer “for real”, but rather was trying to figure out how technology worked, how to find holes in security controls, and how it could be manipulated to do things it was never meant to do. He would read electronics journals for fun, build TV jammers, and trick friends into giving up credentials. But it was never about committing crimes. What Woz taught us all was that we should never take technology at face value. Never trust a vendor’s promises completely. Security research that discovers a bug will only benefit everyone (when following responsible disclosure). He taught us all that the technology we use is built by fallible humans like all of us, and that testing the technology to see if it can act in ways it was never intended to do was not only useful, it was best practice. He pioneered quality assurance, quality control, development operations, penetration testing, and reverse engineering well before his time.
- Al-Kindi (AKA Abu Yusuf al-Kindi). Al-Kindi was a 9th century Muslim philosopher, mathematician, astronomer, medical doctor, and all-around genius of his time. Al-Kindi is known as one of the great fathers of cryptography. What made Al-Kindi so influential was not that he created advanced algorithms so secure they cannot be solved today, but rather that he developed a formal approach to breaking cryptography. He flipped the hiding of messages on its head, sought ways to reverse engineer cryptographic algorithms, and birthed a new field of study: cryptanalysis. He is believed to have authored over two hundred books, and this is before the days of Wikipedia! One of his most famous books is called “On Deciphering Cryptographic Messages”, which was revolutionary at the time in cracking cryptographic messages. Al-Kindi used frequency analysis, where he looked at the frequency of common letters and words. If you have ever watched the game show Wheel of Fortune, you have seen Al-Kindi’s cryptographic frequency analysis in action. Why do contestants often choose the same letters, such as R, S, T, L, N, and E? Because those are the most common letters in English text. On average, the letter E accounts for 12.7% of letters in English text, while J, Q, X, and Z combined add up to less than 1%. Now I’m oversimplifying Al-Kindi’s work, but think of him as the person who discovered that to win the game show you should pick those letters. Would you believe that Al-Kindi’s frequency analysis helped save Elizabeth I’s life? A codebreaker, using Al-Kindi’s approach, was able to crack a message detailing an assassination attempt on her life. Some have said that Al-Kindi’s work laid the foundation for the cryptanalysis that cracked the Enigma machine in World War II, saving thousands of lives in the process. For me, Al-Kindi’s story has taught me that you do not always need to be the one that builds the solution.
The one who analyzes, discovers patterns, and breaks the code is equally important. You do not have to be the person who develops the software, architects the network, or builds the next disruptive mobile application that flips market trends. There will always be a need for that person that questions the norm, challenges what is accepted, and pokes holes in security. In doing so, new solutions can be made to further cybersecurity and cryptography, protecting everyone until the next cycle completes.
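To make Al-Kindi’s idea concrete, here is a small added example (my illustration for this post, not from any of the people profiled above) that does exactly what the Wheel of Fortune analogy describes: count how often each letter appears, compare the counts against the expected English distribution, and use that to recover a simple shift (Caesar) cipher without ever knowing the key. The English letter percentages in the table are standard published estimates (the 12.7% for E is the figure quoted above); the sample sentence is constructed for the example.

```python
from collections import Counter
import string

# Expected relative frequency (percent) of each letter in English text.
# Assumption of this example: standard published estimates; E = 12.7% as in the post.
ENGLISH_FREQ = {
    'A': 8.2, 'B': 1.5, 'C': 2.8, 'D': 4.3, 'E': 12.7, 'F': 2.2, 'G': 2.0,
    'H': 6.1, 'I': 7.0, 'J': 0.15, 'K': 0.77, 'L': 4.0, 'M': 2.4, 'N': 6.7,
    'O': 7.5, 'P': 1.9, 'Q': 0.095, 'R': 6.0, 'S': 6.3, 'T': 9.1, 'U': 2.8,
    'V': 0.98, 'W': 2.4, 'X': 0.15, 'Y': 2.0, 'Z': 0.074,
}

# Constructed sample plaintext for the demonstration.
SAMPLE_PLAINTEXT = (
    "Cybersecurity is everyone's problem, not just the security team's. "
    "Report suspicious phishing email, lock your workstation when you step "
    "away, and follow security policy even when it would be easier not to."
)


def letter_frequencies(text):
    """Return {letter: percent} for A-Z in text; non-letters are ignored."""
    letters = [c for c in text.upper() if c in string.ascii_uppercase]
    if not letters:
        return {}
    counts = Counter(letters)
    return {ch: 100.0 * counts[ch] / len(letters) for ch in string.ascii_uppercase}


def most_common_letters(text, n=6):
    """The n most frequent letters in text, most frequent first (the 'R S T L N E' view)."""
    freq = letter_frequencies(text)
    return [ch for ch, _ in sorted(freq.items(), key=lambda kv: kv[1], reverse=True)[:n]]


def caesar_shift(text, shift):
    """Shift every ASCII letter by `shift` positions; other characters pass through."""
    out = []
    for c in text:
        if c.isupper():
            out.append(chr((ord(c) - ord('A') + shift) % 26 + ord('A')))
        elif c.islower():
            out.append(chr((ord(c) - ord('a') + shift) % 26 + ord('a')))
        else:
            out.append(c)
    return ''.join(out)


def chi_squared(observed, expected):
    """Distance between an observed letter distribution and the expected one; lower is closer."""
    return sum((observed.get(ch, 0.0) - expected[ch]) ** 2 / expected[ch] for ch in expected)


def break_caesar(ciphertext):
    """Al-Kindi's method applied to a shift cipher: try all 26 shifts and keep the one
    whose letter distribution looks most like English. Returns (shift, plaintext)."""
    best_score, best_shift, best_text = None, None, None
    for shift in range(26):
        candidate = caesar_shift(ciphertext, -shift)
        score = chi_squared(letter_frequencies(candidate), ENGLISH_FREQ)
        if best_score is None or score < best_score:
            best_score, best_shift, best_text = score, shift, candidate
    return best_shift, best_text


if __name__ == "__main__":
    secret = caesar_shift(SAMPLE_PLAINTEXT, 7)
    print("ciphertext:", secret)
    print("most common ciphertext letters:", most_common_letters(secret))
    shift, recovered = break_caesar(secret)
    print(f"recovered shift {shift}: {recovered}")
```

Notice that the code never tries to guess the key directly; it only asks which of the 26 possible plaintexts has letter counts closest to ordinary English. That is the whole insight: the statistics of the language leak through the cipher, and a patient analyst who measures them can undo the hiding. It also shows why modern ciphers are designed so that their output has no such statistical fingerprint.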
May we never forget the pioneers before us, and may we aspire to be those thought leaders and influencers that inspire future generations as those before us have inspired us.
Director of Security, Risk, and Compliance Andrew Whitaker leads information assurance, security operations, regulatory compliance, and IT policy across all City departments. His cybersecurity specialties include building lean security programs, integrating security into business processes, intelligence-driven threat modeling, and security awareness and training.
He has over 20 years of experience in both the public and private sector, leading consulting services for defense, federal, and intelligence agencies, all branches of the US military, and over a third of the Fortune 500 companies.