Professor Daniel Shoemaker, PhD is known for telling whoever the emperor of cybersecurity is at the company to whom he’s talking that “You hath no clothes.” The venerated professor, having authored a dozen books and dozens more peer-reviewed articles while teaching and directing elite university cybersecurity programs for 40 years, has felt compelled to speak such truth to power often. Many security leaders, he says, are stuck in a past where cybersecurity was considered purely an IT function. That antiquated perspective riles him up enough at speaking events to stand atop his soap box and, as he tells it with a wink, rant at leadership to think outside the box.
“Call it a holistic solution: a complete and fully integrated control framework that is implemented at the top (e.g., under the auspices of the CEO – not the guy in charge of IT) as a strategic function of the organization, and if you don’t approach it that way you might as well not waste your money,” says Dr. Shoemaker, principal investigator at University of Detroit Mercy’s prestigious Center for Cybersecurity and Intelligence Studies (CCSIS), and director of UDM’s Centre for Assurance Studies. “The current cybersecurity establishment wants to lynch me for telling the emperor that he’s stark naked. But I have reality on my side and my sainted mother always told me that common sense counts for something.”
Researching and shaping cybersecurity standards and practices since the dawn of the field, Dr. Shoemaker was one of the first to publicly decry information security systems for their antiquated, stovepipe design. An IT stovepipe includes network security, but doesn’t consider things like background checks or defending against employee phishing attacks. HR, meanwhile, doesn’t see configuring the firewall or restricting facility access as part of their mandate. And physical security isn’t looking at bent insiders or system configuration. It’s a flawed strategic foundation that approximates the blind men and the elephant metaphor.
An effective information security management system must be conceived holistically. It’s an everyone-everything problem, not an exclusively IT problem, and must be integrated across the organization as such. And top leadership needs to take responsibility for it.
He has ruffled feathers, and it’s cost him some Christmas party invitations. But Dr. Shoemaker’s voice been part of the chorus of tiny voices (#HortonHearsaWho!) that have together formed a loud enough noise to open the new generation of leadership’s eyes to the need for change.
“It used to be, any time I would bring it up among the business types they would tend to call for somebody to have me removed,” jokes Dr. Shoemaker, who obtained his PhD in Information Systems and Strategic Planning form the University of Michigan. “In my (not so humble) opinion nobody over the age of 30 ought to even be involved in these information security conversations because the current leadership was educated and got all of their experience long ago and far away in a place that isn’t where we are living now (e.g., the 80s and 90s). Back in the pre-information age era, their biases held some water, but now they’re just pathetic. (They don’t like me telling them that which is why I don’t get invited to the parties where the cool kids hang out).”
Dr. Shoemaker has devoted his academic career to raising cybersecurity awareness. His most recent upcoming book, “Teaching Cybersecurity,” is to be published by Routledge this Spring and is meant to help high school teachers teach cybersecurity. Teaching Cybersecurity is a good example of his efforts to bring cybersecurity out of its IT silo and into a general audience upon a bridge made of good communication.
“Think holistically! And if you can’t… get out.”
Long ago, Shoemaker watched from an IT silo as the first defenses were mounted against the earliest cyberattacks. Shoemaker got started with punchcard computing in the 1970s, and then moved on to researching and teaching, establishing one of the first NSA Centers for Academic Excellence (#39) in the 1980s, before teaching IEEE standards in the 1990s at the university level.
He’s advised the Pentagon on topics such as supply chain risk over the years, and while there has been progress in integrated information system frameworks, he still finds it an uphill battle getting leadership to understand that security is not a purely IT problem. Maybe it once was, but it today demands a holistic solution with a human focus.
Times have changed and so has the game of cybersecurity. Securing state secrets is no longer the primary objective; huge troves of treasure and sensitive data are being stolen weekly by hackers, who are using increasingly sophisticated methods to reach out and touch all types of organizations and individuals.
They aren’t just breaching firewalls to do so, either. Bad actors use social engineering tactics to penetrate systems through phishing attacks, which have become even more prevalent during the pandemic-driven shift to remote work. The human element is by far the most common vector of breach, responsible for between 79% – 90% of breaches.
“It’s true that cyber used to be a more technical issue when the main challenge was national security, but losing two trillion a year to human and physical exploits kinda makes it everybody’s problem,” said Dr. Shoemaker. “Still, the powers-that-be can’t make the connection, or maybe they don’t want to because otherwise that hot potato would be their problem. Now they can just claim it’s a mystery that only IT can solve. So they have to be convinced to either treat the entire disease or let the patient die because IT isn’t going to do it for them.”
According to Shoemaker, cybersecurity solutions are an elegant design exercise with one single criteria for judging success: do valid avenues of attack exist that haven’t been covered by effective controls? If so, then you aren’t secure. Holistic strategic design is something that can only be done at the top under the aegis of a single coordinating authority, he argues.
More have come around to such a concept of strategic design. But leaders educated pre-millenium, he says, are stuck in an outdated worldview. Security, he argues, should be approached as a state, not a function: you’re either secure or you’re not secure. That approach forces you to consider IT dynamically, iteratively, and in its proper dimensions.
“It really is a binary condition. If I can find a way to get around your defenses to get to your gold, you cannot call yourself secure.”
An era of profound dislocation
“The era we’re in now is roughly equivalent to the era of movable type in terms of its impact on worldwide culture,” he said. “We’re in an era of profound dislocation. It has created chaos in another plane. In the physical plane, things are normal and it’s got a point of reference and things are moving along nicely and slowly and all that. But in our digital plane, which is where we all mostly live now, there are no rules and there are no points of reference.”
The chaos comes from the interchange of one world bleeding into the other. In any cyber-exploit, the three attack surfaces–electronic, human, or physical–effectively translates to, “If I want your stuff I can hack it, scam it, or just plain steal it.” Unfortunately, the current cybersecurity establishment only addresses the electronic attack surface which, says Shoemaker, probably explains why losses soared from $500 billion to $2 trillionfrom 2015 to now, and are projected to skyrocket to $6 trillion by the end of this year.
Dr. Shoemaker jokingly cites the “great cybersecurity guru, Sun Tzu , who said it best 2,300 years ago: If I know how you choose to defend yourself – then I know how to attack you… So, in my humble opinion, you either present a complete corporate defense (e.g., fully integrated controls that address priority threats on all attack surfaces) or you are throwing your money down a rat hole because my friends in the (serious) hacker community only look for the gaps.”
Dr. Shoemaker has watched games of 3-dimenssional tag play out between physical security teams, organizational leadership, and IT over the past 40 years. The goal of those games? Avoiding accountability, he half-jokes. Security pushed the issue of cyberattacks to IT. IT then takes on the technical perimeter and firewalls, but pushes responsibility for everything else to someone else. It’s a shoving match that knocks over whole organizations.
“Of course, the nerds all tell me that those other two attack surfaces are somebody else’s problem and I agree in the sense that the electronic attack surface is valid, and it currently does account for about 21% of the record loss (the other 79% is either human based or physical attacks) but putting IT, or any nerd, in charge of cybersecurity is just plain stupid.”
Talking about cybersecurity with Dr. Shoemaker is a sincere pleasure, between his candid insights and his wit. Both shine through in the following Q&A.
Q&A with Daniel Shoemaker, PhD
Hoxhunt: What are today’s biggest infosec challenges, failures, and successes?
DS: We have been successful making gadgets to address some aspect of the problem – I am not a Luddite in that I recognize the value of the technical side of the operation (it all needs to be there) but a successful system needs all the components to function successfully. Meaning that the other two attack surfaces must be addressed by viable controls in a fully interoperative and interactive array. No system works with parts missing. The failures are obvious – the losses have quadrupled from 2015-2020 ($500B to $2T) which is kind of an indication we are doing something wrong.
Hoxhunt: Indeed. You told me earlier that security is a binary condition. Are there measurable thresholds, at the technical and people layers, between the status of being secure and not secure?
DS: I believe it was the great American philosopher Yogi Berra (most of my students don’t know who he is BTW) who said “It ain’t over ’til it’s over” – same with security. The threshold is binary in that you either are, or you aren’t. You might say, “Well one third of the attack surface is covered.” But seriously??!! A determined bad guy’s only objective is to get your stuff, so if a direct electronic exploit doesn’t work the only question is, “What do I try next.” Hence you aren’t secure if you have an exploitable source of vulnerability – lately that’s been supply chains which is a governance problem (for instance).
Hoxhunt: Who is succeeding at getting the CISO in “the room where it happens,” e.g. in the boardroom; and why are so many failing to do so?
DS: The Brits seem to do it best – they assign the legal responsibility for breaches directly to the Board – but seriously, right now CISO means head nerd and you will never solve the problem with a technical person in charge. You need somebody who has that skill set but also the vision to build an entire system of controls and that ain’t a downward facing person (it would be like making an artillery major the guy heading up the invasion of Normandy – useful, yes… successful, no way!)
The solution is organizational placement, not title – the people doing the control system have to (and it can be a team) carry the aegis at the top whatever you call the guy who brings down the stone tablets (the latest tendency is to call that position “Head Architect”) – otherwise they will be ignored (like most of the organization presently views cybersecurity]
Hoxhunt: Do CISOs and CEOs have aligned incentives for optimal security? If not, what would that incentive structure look like?
DS: LMFAO – There are no current consequences for bad practice – look at the atrocities that have occurred just this year – SolarWinds is perhaps the worst national security disaster in the history of the country… In China there would be hangings – in the U.S. – “Well – you know how it is – security’s a bitch.” Nobody takes security seriously here because you can always pass it off as the will of God. I work for the Jesuits – I know these things.
Hoxhunt: Describe the key ingredients of a holistic solution.
DS: A complete system of interoperable and synergistically interacting controls that effectively protects all three viable attack surfaces in a dynamic and evolutionary fashion. That obviously implies that some things must be left out of the defense (unless you have all the money in the world), so it also involves prioritization decision making by the powers-that-be – every other solution (e.g., lacking some component) is not systematic (and therefore unsafe)]
Hoxhunt: How do you see the threat landscape continue to evolve?
Cybercrime is a growth opportunity – you all ought to get into it… Seriously, somebody in charge needs to take responsibility for how cybersecurity is managed and implemented, and they need to stop listening to the guys with vested interests (e.g., the consulting community – who are selling technical solutions – or protecting their turf like every academic currently is) – take out a blank sheet of paper and ask yourself how would I protect myself from all of the logical ways of robbing me blind and do that (hint – it won’t just be “install a firewall”) – you’ll see what I’m talking about (but the problem space will be huge)
Hoxhunt: How must security adapt and respond?
Just exercise a little common sense and view the problem as it really is – We need a much larger and more intelligent (e.g., big picture – strategic) approach particularly in ICT supply chain risk management – or we are going to end up as a large province of India, or China (other option is to go back to the 1980s and make it ourselves) — you get secure by design but the solution has to systematically address the whole problem – not part of it.
Dr. Dan Shoemaker received a doctorate from the University of Michigan in 1978. He taught at Michigan State University and then moved to the Directorship of the information systems function for the Medical schools at MSU.
He held a joint teaching and Department Chair position at Mercy College of Detroit. When Mercy was consolidated with the University of Detroit in 1990 he moved to the Business School to Chair their Department of Computer Information Systems (CIS). He attended the organizational roll-out of the discipline of software engineering at the Carnegie-Mellon University Software Engineering Institute in the fall of 1987, and he was already teaching a SEI based software engineering curriculum, which he established as a separate degree program to the MBA within the UDM College of Business Administration.
Dr. Shoemaker’s specific areas of scholarship, publication and teaching were the process based stages of the waterfall; specification, SQA and acceptance/sustainment. He was also a primary consultant in the Detroit area on the CMM/CMMI.
Dr. Shoemaker’s transition into cybersecurity came as a result of the audit and compliance elements of that body of knowledge, as well as the long established SQA/SCM elements of their curriculum. They were designated the 39th Center of Academic Excellence by the NSA/DHS at West Point in 2004, and they have tried to stay on the leading edge in the architectural aspects of cybersecurity system design and implementation as well as software assurance.
As a result of Dr. Shoemaker’s associations with NSA/DHS and his interest in software assurance, he participated in the earliest meetings of the software assurance initiative. He was one of the three authors of the Common Body of Knowledge to Produce, Acquire and Sustain Software (2006), and he Chaired the Workforce Education and Training committee from 2007-2010. He was Chair of Workforce Training and Education for the Software Assurance Initiative at DHS (2007-2012), and he was a subject matter expert for NICE (2009 and NICE II – 2010-11), Securely Provision. Dr. Shoemaker was also an SME for the CSEC2017 (Human Security).
He also published frequently in the Build-Security-In website.
This exposure led to a grant to develop curricula for software assurance and the founding of the Center for Cybersecurity where he currently resides. The Center is a free-standing academic unit in the College of Liberal Arts, which is the administrative locus for Research Centers within UDM. Dr. Shoemaker’s final significant grant was from the DoD to develop a curriculum and teaching and course material for Secure Acquisition (in conjunction with the Institute for Defense Analysis and the National Defense University). A book was subsequently published by CRC press.