[01:30] Greg Touhill From CERT Division

Rachael: Our guest is credibly smart, incredibly accomplished. I'm just so excited that we have the opportunity to speak to Greg Touhill. He’s the new director at Carnegie Mellon University's Software Engineering Institute, CERT Division. He is a 30-year veteran of the U.S. Air Force.

Rachael: He's received a Bronze Star medal, the Air Force Science and Engineering Award. He retired from the Air Force with the rank of brigadier general. And now at CERT, he has said that CERT is a center of gravity for information sharing. I can't wait to have this conversation today.

Rachael: For our listeners maybe who aren't familiar with CERT, I've read it described as this amazing culture of innovation. You help government industry orgs develop and operate software systems that are secure and reliable. The center of the universe. Please tell our listeners a little bit more about that.

Greg: Thanks for giving me the opportunity to share a little bit about the team that I lead and the lineage behind it. The CERT Division at the Software Engineering Institute has been around since 1988. It was created in response to the Morris worm getting unleashed around the planet and season up computers, not only here in North America, but literally around the world.
 

A Federally Funded Research and Development Center Team

Greg: The United States government said, "Holy smokes. We really need to have a team somewhere as part of a federally funded research and development center team that can focus on securing computer systems and critical infrastructure." So in 1988, they formed the CERT, which at that point stood for the Computer Emergency Response Team.

Eric: How did they pick Carnegie Mellon?

Greg: Well, they picked Carnegie Mellon because Carnegie Mellon already had a federally funded research and development center. It’s called the Software Engineering Institute that was focused on software. Carnegie Mellon is the gravity center of the universe for computers. When the CERT was formed, the CERT was actually the birthplace of cyber security.

Greg: Here in Pittsburgh, we actually have an event every year called Cyberg, celebrating the cyber birthplace of securing the computer infrastructures around the world. But, as a CERT team, we've created such things as the Capability Maturity Model. So for those folks out there who get their CMMI ratings for maturity, process, and procedures, that was all part of the work done by the CERT.

Eric: I had no idea.

Greg: We're doing DevSecOps, we created DevSecOps as well. So a lot of great things have been done here at Carnegie Mellon and the Software Engineering Institute. CERT, and a lot of things are continuing to go on that are helping better harden our critical infrastructure.

The Paradigm Shifts With DevSecOps

Eric: We've spent a lot of time recently on DevSecOps. I really do believe it is a major thrust that will help secure our systems going forward. As a non-development security professional, you really didn't think that way until recently. I would say a lot of people still don't. But building it in from the beginning and some of the paradigm shifts with DevSecOps, it'd really make a difference. I had no idea.

Greg: Well, there's some of us, the really hardcore computer nerds and techies. We realized that the more complex you make it, the easier it is to break it. When it comes to developing code and taking a look at the lines of code and our weapon systems out there and airplanes, even in your car, if you once had a car that was built before 1972, it was all mechanical. Now, cars are computers with wheels.

Eric: You hear people talking about rebooting the car. Try a reboot. What? It's a car.

Greg: Turn it off, turn it back on.

Eric: It's a car. No, it's an electric computer.

Greg: And so, making sure that your code is secure by design is critically important. One of the big trends that we are concerned about and leading some efforts on is the provenance of the code. Where did your code come from? A lot of folks will reuse code. Carnegie Mellon, we were talking about that back in the '80s and to be more efficient, reuse code where you can, in modules.

Eric: Well, the whole idea of open source.

Do an Audit at Massive Scales

Greg: Yes. What we're doing now is we realized that it's really important to have a software bill of materials or SBOM. That way, you can better track where your code came from, who's touched it, what it does. Then, as you were looking to do an audit at massive scales, we're talking tens upon tens of millions of lines of code. 

Greg: Having that software bill of materials can help you better secure your code, improve software reuse. And from a security standpoint, it can also tell you whether or not somebody's tampered with your code.

Eric: How do you see that working? I've not heard the concept before, I can visualize it in a second. How do you see it working when, with globalization, you're reusing code that may have been created by somebody in a different country. Which was then passed onto somebody, you're pulling it out of GitHub or whatever. How do you document that bill of materials with any level of authenticity?

Greg: Excellent question. There's several folks that are working right now to try to get some standardization. It's already within the community of interests and with GitHub organizations and contributors to GitHub and other repositories. There are some standard conventions, as far as what you're supposed to do as far as marking, labeling, and such.
Eric: Remarks though? Like remarks in the code?

Greg: Even that. You take a look at some of the stuff that the federal government's now doing. I'll give a shout out to a guy named Alan Friedman who's been at NTIA. Alan's really been leading the charge and working with the National Institute of Standards and Technology and international organizations.

 

[10:11] Greg Touhill Takes a Look at Cybersecurity

Greg: They work to identify convention standards and norms. How to identify, label and secure that code that is being put into those different repositories that could be pulled out so that you can have accurate provenance measurements. It's still a work in progress, but I'm really heartened from the fact that it's now building up steam. And it's going to help the cyber ecosystem when we do have a more mature software bill of materials constructed.

Eric: I think that'd be great, as long as you can ensure you don't have somebody for espionage or sabotage purposes. Inserting something malicious in there and just commenting, remarking, you know this was done by Joe Smith of Carnegie Mellon.

Greg: That's really where you want to have the processes and the procedures, not just the technology. When we take a look at cybersecurity, it's about people, process, and technology. I'm a big believer in zero trust. We can talk about that a bit. 

Greg: But you want to make sure that not only do you have the technology, but you have the processes in a well-trained workforce to actually operate all of the above. And when you have that kind of depth and discipline, good things can happen.

Eric: So really going back to the old construct of Itel. Take you way back there, people process tech.

Greg: I don't have my cup of tea here to talk about Itel, but the Itel is a great model that came out of Britain.
 

What Compliments Technology

Greg: Certainly, I sent my fair share of officers and enlisted personnel to Itel training because it was valuable. We got a good return over it. I do think that discipline and process helps compliment technology. You want to make sure that your people are trained in both.

Eric: I'm going to ask you for a mass generalization, and then I'll let Rachel speak at some point today. On a one to ten scale, where would you say we are from a process perspective in cybersecurity or InfoSec? I know that's hard.

Greg: 5.217.

Eric: I was going with two. I got my fingers up here on the video, but I was going with two. You think we're halfway there?

Greg: Little over halfway.

Eric: You really do?

Greg: If you asked me that last year, I put it below five. But I think after the SolarWinds revelation, and then the ransomware wave that's been hitting, I'm heartened by more public officials, as well as corporate officials. As reflected in the national association of corporate directors, conversations that I've been involved in, people are starting to recognize, "Hey, we got a problem, Houston."

Greg: The problem isn't just the technology. It's also involving the people and the processes. I think the tipping point is the public leaders. Now we have the President of the United States repeatedly talking in a relatively cogent manner about cybersecurity. But we also have business executives around the world that are talking about cybersecurity as being a business imperative. That inflection point puts it over five.
 

We Saw the Dark Side

Eric: I've been saying the same thing. When the President of the United States gets involved in a ransomware campaign and starts talking about it openly, you've got a problem. Right? And we saw the dark side from the Colonial Pipeline.

Eric: We saw them basically disappear. I don't know if that was a, "Hey, we better get out of Dodge" or that was a Dodge disappeared on them. But we saw them disappear. When the President of the United States of America starts getting involved in your computer exploits, I would absolutely agree with you, Greg. There is more attention being paid at that point than prior.

Greg: You know, and the thing about it is we've seen presidents before talk about cybersecurity. We saw Clinton with the Marsh report where he put out a commission to take a look at critical infrastructure. The Marsh report during the '90s talked about how all the critical infrastructure was starting to become computerized and linked together.

Greg: Then during the Bush administration, we saw a lot of work done during the Bush administration. The President then said, "Hey, we've got to better secure our computer systems." Literally, in the military, we changed out our identification cards to what are now called common access cards. They had a little digital chip inserted in there so that we could in fact authenticate better who we were.

The Poorly Executed Good Move According to Greg Touhill

Eric: The vendor side, that was a nightmare, but just getting to accept them. But I'm with you. I think it was a good move.

Greg: It was a good move, but I would say poorly executed across the Department of Defense. During the Obama administration, holy smokes. I mean, Obama took what was done before and moved it forward. Cybersecurity has been largely apolitical. We've tried to keep politics out of cyber. As we've moved forward now into the Biden administration, I'm heartened from the standpoint of the current administration.

Greg: He acknowledges the good work that's been done by the Trump administration, Obama administration, Bush, Clinton, et cetera, but there's still a long way to go. They recognize that. We all have a lot more to do to better secure our infrastructure.

Eric: Yes, we do.

Rachael: If we can go back to the Obama administration though, you have a pretty notable milestone in there. You were the federal government's first Chief Information Security Officer. Where do you even start with a role like that? How do you get started?

Eric: What does day one look like? "Hey, you're the first CISO for the United States of America that we've ever had. Greg, good luck."

Greg: Well, it's not like I was a rookie.

Eric: It was brand new. Like, "Where's the bathroom? Where do I park?"

Rachael: You do build it from the ground up.

 

[16:06] How Greg Touhill Is Trained for the Role

Greg: But I'd been training for that role for 35 years, through my military service. I finished my military career leading the team that was awarded the Rowlett Award by the National Security Agency for the best cybersecurity program.

Eric: That was Transcom.

Greg: Yes, at Transcom. Retired Vice Admiral, Mike McConnell, he used to be the Director of National Intelligence and before that the NSA director. Mike, who's absolutely brilliant, he recruited me to continue my service as the deputy assistant secretary for cyber and communications at DHS. I hadn't even thought about becoming a senior executive in government. But Admiral McConnell made a very compelling case that that's where the country needed me.

Greg: I currently serve as the director of the NCCIC, like the National Cyber Center. The National Communications and Cybersecurity Integration Center, we called it the NCCIC. I didn't make up that acronym, by the way, I just had to live with it. For a while I would say, there at DHS. I also sat as a member of the Federal CIO Council as their cyber advisor. So I'd come in, the guy from DHS, the computer nerd in the corner.

Greg: So when we had the OPM breach, the U.S. CERT was working for me. The Industrial Control System was working for me. We were all part of that incident response. When we went back from the incident response and got into the real introspective cyber national action plan, we realized we didn't have a Chief Information Security Officer. I pronounce it CISO, but we really needed one to organize all the activities.

 

The OPM Breach

Greg: Because during the OPM breach, we literally had the adversary come in, breach OPM, but also move laterally across the government. It's publicly put out by a congressional report that they moved into a department of interior shared service site. When you have all these different departments and agencies operating as an independently owned and operated franchise, you really need somebody at the top level that can choreograph and synchronize all the security activities across the government.

Greg: I felt like I was really well-prepared, and I was honored when I was asked to serve in that role. When the President of the United States asks you for help in defending the nation, you say yes, and you show up. You don't care what the office hours are, you just go to get the job done. I think I launched it fairly well. You've gratified that the deputy that I hired, Grant Schneider, after I departed, stepped up into that role. The current CISO is Chris DeRusha, who used to be on my staff when I was the federal CISO. We've got a little bit of lineage there.

Eric: So look, continuity also.

Greg: A little bit. But Chris had stepped out and got some great experience working at Ford Motor Company, as well as the Chief Security Officer at the state of Michigan. So one of the things that we tried to do in our career field is try to make sure that our folks have breadth and depth.

We’re Getting In the Right Direction

Greg: You don't want to be nested in the same job forever because you want to have the aperture of seeing a whole lot of best practices from lots of different perspectives. I think we're getting in the right direction in the government space, but we're not where we need to be yet. Same as what I've seen in the industry as well.

Eric: I want to take you back to that first day still. How do you determine your top three priorities? I know you've been doing it, you're coming in. You've seen a lot of the problems. Nobody even knows what this job is supposed to do, initially. I'm assuming. How do you, okay, these are the three things we're going to do today, or this is where we're going to spend our time. How do you think through that, starting up a brand new position?

Greg: Well, there's a lot to think about.

Eric: It's what's blowing my mind right now.

Greg: The first thing is you have to state your vision and the strategy to get there. Then within that strategy, you put together goals and objectives. The things that you have to do to achieve your strategy, to get to where your vision is. I did all of that, but from a very practical standpoint. There were a couple of things that just had to be done and put up on the top of the agenda. I articulated the five points to the strategy and it got a lot of press. But underneath the wave tops, the first thing I did was I worked to create a Federal CISO Council, get all of the CISOs to the table.

Eric: I remember that.

They Needed the Community Greg Touhill Built

Greg: Within my first two weeks, I was able to get funding from the Federal CIO Council because the CIO Council is chartered under law and has a funding line. But the Federal CISO Council was just a new initiative. I was able to get it chartered and funded within two weeks. In our very first meeting, I had some Federal CIOs who are naysayers. They said, "Ah, you know, we don't need this. Nobody's going to ever show up." I had 77 Federal CISOs show up for the first meeting.

Eric: That says they all needed help. They needed a community because they were all experiencing similar type of problems, and they didn't have a voice, I guess.

Greg: They needed to have that ability to get together and know who else were CISOs and who they could talk with. I even brought in my friend, Gary McCallum, who was the Chief Security Officer at USAA. Come in from industry, talk about you as the very first Chief Information Security Officer and later, Chief Security Officer at USAA. He gave great coaching and mentorship to our team.

Eric: From what I've heard and seen over my career, USAA is pretty forward-leaning on security.

Greg: Yes. I'll throw a shout out to Gary McCallum who recently retired in March, Gary is terrific. Second thing that we needed to do, and we knew we needed to do a long time before, was to make sure that we were using multi-factor authentication on our privileged accounts. You know, the folks that had the system administrator privileges, the superuser privileges.
 

[23:42] Multi-Factor Authentication

Greg: When we started back during the Bush administration, which was the directive, I think it was HSPD-12, Homeland Security Policy Directive 12 where we said, "Okay, you got to use a PIV card. Then you're supposed to have multi-factor authentication before you get into privileged accounts. Right?" And we said in 2003 we're going to do that. We're going to have it all done by 2008, and they extended it.

Greg: Had that been in place, arguably, we would have made things a whole lot more difficult for the attackers with the OPM incident. So I said, "Look, here are all the metrics. We are at this level here, let's get to a 100% for privileged user accounts by the end of 2016. Or we shut them off and just make you have to come in and have a physical presence."

Eric: Meaning if you don't have multi-factor authentication, your privileged user account is no longer going to work.
 

Greg Touhill Gets Feedback From Subordinate CISOs

Greg: The only way you can get into your privileged user account is by physical presence. I got so much sniper fire from different departments and agencies. But what I did was, I met with the President's management council every month. I said, here's your metrics, but here's everybody else's too. So I leveraged their type A personalities, the deputy secretaries, nobody likes to be last, nobody likes to see a red mark.

Eric: You don't have any on that list.

Greg: Things started to move. Now, did we get to 100%? No, but we went from like 32% to well over 90. Was it even an accurate measurement because most of it was self-reported? Maybe not, but the feedback I was getting from the subordinate CISOs was, "Hey, this is really moving. So whatever you're doing, keep it up." Those are two more stories from that first couple of days on the job.

Rachael: That's today's episode. Thank you so much for joining us for part one of our conversation with Greg Touhill. We look forward to picking up next week with Greg, so you don't want to miss it. In the meantime, please be sure to subscribe, get a fresh new episode in your inbox every single week. Until next time. Be safe.

 

About Our Guest

 Gregory J. Touhill is director of the SEI’s world-renowned CERT Division, where he leads a diverse group of researchers, software engineers, security analysts, and digital intelligence specialists working together to research security vulnerabilities in software products, contribute to long-term changes in networked systems, and develop cutting-edge information and training to improve the practice of cybersecurity.

Touhill was appointed by former President Barack Obama to be the first chief information security officer (CISO) of the United States government. Previously, he served in the Department of Homeland Security (DHS) as deputy assistant secretary in the Office of Cybersecurity and Communications. Before joining the Software Engineering Institute, he was president of Appgate Federal, a provider of cybersecurity products and services to civilian government and defense agencies.
Touhill is a 30-year veteran of the U.S. Air Force where he was an operational commander at the squadron, group, and wing levels. He served as a senior leader of military cybersecurity and information technology programs, culminating as the chief information officer of the United States Transportation Command, one of the nation’s 10 combatant commands. A combat veteran, he is the recipient of numerous awards and decorations including the Bronze Star medal and the Air Force Science and Engineering Award. He retired from the Air Force with the rank of brigadier general.

Touhill received his bachelor’s degree in political science (minor in engineering) from the Pennsylvania State University, a master’s degree in systems management from the University of Southern California, a master’s degree in strategic studies from the Air War College, and a certificate from the Harvard Kennedy School.