Dan Shoemaker is a full-time professor at Detroit Mercy and the Director of the Master of Science in Information Assurance Program, specializing in cybersecurity.
He is also a Distinguished Visitor for the IEEE and a senior researcher at Detroit Mercy’s Center for Cybersecurity & Intelligence Studies. As the former chair of the Computer & Information Systems Department, Dan has played a pivotal role in shaping cybersecurity education and training at UD Mercy. He co-authored key documents like the DHS Software Assurance and IA Essential Bodies of Knowledge and was a subject matter expert for the NIST-NICE workforce framework.
Dan leads the Midwest CISSE Chapter, driving research collaborations with global partners, and has contributed significantly to the U.S. Department of Defense’s Software Assurance and Supply Chain Risk Management work.
Beyond academia, Dan is a prolific author, with over a hundred publications to his name. His books, including Cybersecurity: The Essential Body of Knowledge and Information Assurance for the Enterprise, are widely recognized as foundational texts in the field. He continues to influence the industry through his work on emerging topics like cybersecurity risk and controls, and vehicle cybersecurity — his expertise is sought after worldwide.
A summary of the episode
Dr. Dan Shoemaker is a professor at the University of Detroit Mercy and the director of the Master of Science in Information Assurance program specializing in cybersecurity. He has played a pivotal role in shaping cybersecurity education and training at UD Mercy. He co-authored key documents like the DHS Software Assurance and IA Essential Bodies of Knowledge and was a subject matter expert for the NIST NICE Workforce Framework. Dr. Shoemaker emphasizes the importance of a holistic approach to cybersecurity, which includes technical, human behavior, societal, and regulatory aspects.
He also highlights the need for supply chain risk management and the challenges associated with outsourcing software development. Dr. Shoemaker has authored several books, including “Teaching Cybersecurity,” “Risk Management,” “Supply Chain Risk Management,” and “Building Cyber Resilience.” He encourages students to explore their interests within the field of cybersecurity and pursue specialized areas that resonate with them.
A full transcript of the interview
Steve Bowcut:
Thank you for joining us today for the Cybersecurity Guide podcast. My name is Steve Bowcut. I am a writer and an editor for Cybersecurity Guide and the podcast’s host. We appreciate your listening today. Our guest is Dr. Dan Shoemaker, a professor at the University of Detroit Mercy. We’re going to be discussing cybersecurity education at UD Mercy. I’m going to tell you a little bit about Dr. Shoemaker. I really am thrilled to have him on the show today. I think we’re very fortunate to have him with us and you’ll see why when I read just a short part of his bio. Dan Shoemaker is a full-time professor at Detroit Mercy and the director of the Master of Science in Information Assurance program specializing in cybersecurity. He is also a distinguished visitor for the IEEE and a senior researcher at Detroit Mercy’s Center for Cybersecurity and Intelligence Studies. As the former chair of the Computer and Information Systems department, Dan has played a pivotal role in shaping cybersecurity education and training at UD Mercy. He co-authored key documents like the DHS Software Assurance and IA Essential Bodies of Knowledge and was a subject matter expert for the NIST NICE Workforce Framework.
Dan leads the Midwest CISSE chapter, driving research collaboration with global partners, and has contributed significantly to the US Department of Defense’s software assurance and supply chain risk management work. Beyond academia, Dan is a prolific author with over a hundred publications to his name. His books, including Cybersecurity: The Essential Body of Knowledge and Information Assurance for the Enterprise, are widely recognized as foundational texts in the field. He continues to influence the industry through his work on emerging topics like cybersecurity risk and controls and vehicle security. His expertise is sought after worldwide. With that, welcome Dr. Shoemaker. Thank you for joining me today.
Dan Shoemaker:
It’s my pleasure. Thank you for having me.
Steve Bowcut:
All right, I’m looking forward to this. This is going to be a fascinating conversation, but let’s start where we would like to start on this show. Tell us about your journey, how you got to where you are, how cybersecurity became important to you, and if you would, also how your journey, your experience, affects or influences the work that you’re currently doing.
Dan Shoemaker:
Well, I mean I go back to the dawn of time in the field. 1968 to be exact, when we were programming with cards and computers were kind of giant standalone things, and so I’ve pretty much ridden the field to where I’m currently at. The Detroit Mercy portion of this was initiated by my being brought to campus to define a program in computing back in the eighties, which evolved eventually into a software engineering program. And then when security became an issue in the late nineties, I developed, or actually prepared, I don’t know, developed, yeah, I guess that’s the right word, the beginnings of our National Security Agency certified information assurance program. They didn’t call us cybersecurity back then. It was called information assurance, and cybersecurity came along as a name or as a title for the program, I don’t know, in the late two thousands, maybe 2010, and up to that time it was called information assurance. So our degree was information assurance and they tacked the cybersecurity on to the end of it to be kind of, I dunno if the right word is, to be more descriptive. By that point I had reached the point where the pasture was looking much more and so I went back into teaching and lessons in administration and that’s what I’m doing right now. Also, the writing has sort of ramped up, and so I’ve done an awful lot less program development at Mercy and an awful lot more just sort of putting my thoughts down for people to read.
Steve Bowcut:
Interesting. So I love that your background is so broad from what you said, so you’ve been able to see this develop over decades, and I remember those days as well when computers were programmed with cards and they were these monster things that stood alone in an air-conditioned room. So let’s talk a little bit about what’s available at UD Mercy, and I want you to talk specifically about the Master of Science in Information Assurance program because that’s your forte, but I don’t want to leave the audience with the impression that that’s primarily the only educational opportunity there. So I’m looking at your website, UD Mercy’s website, and just some of the things that I’m seeing here. So you can get a BS in cybersecurity. There are courses designed for those students who just want to have a minor in cybersecurity. There’s cybersecurity management and cybersecurity intelligence analysis, both BS and MS degrees in those disciplines. So it looks like it’s a pretty broad offering. Would you agree with that assessment, and can you make some comments about that and then talk to us specifically about the Master of Science in Information Assurance?
Dan Shoemaker:
Yeah, I mean that’s correct. Of course everybody comes from somewhere in this field. I mean cybersecurity, whatever we’re talking about here it is called whatever it is, it really kind of got its origins back in the late nineties. I was doing basically well into my teaching career in 1990 when these things called personal computers came along and I mean I don’t think people have any sense of how short the window is, narrow the window is in terms of how we’ve evolved in a very short period of time. But I mean the internet kind of changed the game. We were essentially teaching software engineering, which is kind of a program software development kind of orientation when the cybersecurity issues started to kind of pop up. Everybody in the education business is looking for a new direction, a new shtick kind of to pick up and that seemed like the right way to go.
We were actually teaching, at the time, fairly extensive audit-type, information security audit type of courses, and they were fairly easy to adapt to what was required in terms of what you needed to do for information assurance. And so they had a software engineering program spawned and we actually had to compete nationally for the designation of a center of excellence. NSA at the time was sort of the great mothership for programs of that type, ones that kind of were specializing in information assurance, and they had, I don’t know, I took three months out of my life to go through the mapping process that they required in order to basically kind of conform with their requirements, the government’s requirements for cybersecurity professionals. And so that’s kind of how we got the award, and once we got the award, we were immediately a cybersecurity program. I’m using the wrong word here, it’s information assurance, but cybersecurity, information assurance. Anyhow.
Steve Bowcut:
And it’s important to make that lack of distinction. So just anecdotally, as I’ve interviewed people for years now in this field, I’ve almost sensed people who are fairly new to this field look at the term information assurance as if it’s something wholly different than cybersecurity, as if it’s kind of a spinoff from rather than the roots from which the cybersecurity that we all know has grown. So I appreciate that you’re kind of pointing out that it was for decades information assurance and we just kind of rebranded it cybersecurity, and so younger people may only recognize the term cybersecurity and they may think, well, information assurance is something different than that, so thank you for that.
Dan Shoemaker:
That is an incredibly astute observation, which most people don’t get actually, I mean I was in the middle of all that and really during the formative period, like I said, nobody had any interest whatsoever in cybersecurity in 1997. By 2004, seven years later when we got our designation, it was the hottest topic going and really all that’s happened during, and I spent most of that time in DC was the terminology started evolving and they stopped calling it information assurance, which I think they stopped doing it only because the cyber geeks really didn’t like the word information in there, but that’s what you’re doing is protecting your virtual assets. But any rate that the term just kind of appeared, and I remember when they started using it saying to myself, okay, that’s not new, that’s just describing us, but at any rate, what you need to know and what you need to do is something that there’s been an awful lot of thought put into it, and that’s all expressed clearly in national and international standards for the field.
A lot of the problem in education is you get guys that say, well, I’d really want to teach cybersecurity. I guess I’ll just teach whatever I know about networks, and that’s so counterproductive. I can’t begin to tell you the general assumption, not the general. The fact is only about 21%, 29%, sorry, of the kind of exploits out there that lead to loss are even electronic. The rest are some combination of human behavior or some physical action like theft. And so the bottom line basically is that you don’t secure your computers or your information by putting some gadget on your network. You do it by a large scale process that involves a lot of different things you need to know and do, really more than one individual can. I know when we’re teaching it, we force ’em to work in groups because you really need a group perspective and group effort to kind of just touch all the bases necessary to protect. The bad guys out there don’t care how they do it, they just want to get your stuff, and so if an electronic attack doesn’t work, they’ll just turn around and social engineer you or something like that, or maybe even just steal the stuff, steal your computer.
Anyway, bottom line basically is that it’s a much larger field than most people think it is, and the requirements to do it right basically are all there, and if you don’t follow all those requirements, you’re going to get rated. Just as an illustration of what I’m talking about, we lost 500 billion in 2015 to cyber theft, crime, whatever you want to call it, cyber exploits. By 2020, that quadrupled to $2 trillion, and the estimate is by ’25 it’s going to be in the neighborhood of $6 trillion that we’re losing. So basically we’re going to have to kind of get things organized to a point where we’re actually addressing the problem fully and completely, because bad guys out there, they don’t care about elegance. All they care about is getting to where you need to get to, and they’re killing us out there right now. So anyway, that’s kind of what the information assurance program at UD Mercy is all about. The response I’m talking about, meaning the complete set of countermeasures, is called holistic response, and holistic just simply means that besides kind of getting the network security stuff in place, we also got training and education.
We’re following whatever cybersecurity regulations. There are all sorts of stuff outside of the field of basic nerd work down there at the bottom of the machine, and almost the worst attitude you can take is to go into this thinking of it as a technical discipline. At some points it’s deeply technical, but at other points you’re talking about human behavior, you’re talking about societal issues, regulations and things like that. And so it’s not that sort of field, and there’s opportunity there for everybody because you could really, really, really just be binary, and that’s sort of you speaking ones and zeros, or you could be somebody who’s a big picture type who likes strategy, and all of those are essential parts of the solution.
Steve Bowcut:
Wow, that is so valuable. Thank you so much for that. That’s another one of those things that’s been kind of maybe a pet peeve for me because I’ve seen it over the years become so siloed and this is my personal opinion, but I think a lot of that is driven by the vendors in the market. So if you’re a guy who makes network widgets, then all cybersecurity is solved with your network widget or if you’re a guy who makes some software that you can run and it’s going to filter out all of the risks, then of course that is the solution to all cybersecurity, but it’s not nearly that simple, but that’s the message I think that gets propagated throughout the industry and people start to buy into that. I’ve seen young students actually get surprised by the idea that social engineering was an important part of cybersecurity that just didn’t seem part of what they saw. They saw everything you could do in cybersecurity, you could do from a keyboard. And so I really appreciate that you’ve kind of broadened our horizon there a little bit.
Dan Shoemaker:
Take the number 2 trillion and take 35% of that and that’s what you’re losing to social engineering.
Steve Bowcut:
So you don’t necessarily have to know anything at all about computers to be effective in the field of cybersecurity. And so what I’m gathering here is that in your Master of Science in Information Assurance program, that is part of the message that your students receive, correct?
Dan Shoemaker:
Well, I mean, yeah, I was a subject matter expert for both NICE one and NICE two, the workforce framework, US Workforce Framework and I mean there are whole categories that have absolutely nothing to do with computers in the official statement of what cybersecurity is. And so I mean the idea basically is there’s, we need help in all sorts of areas, not just with the computerized stuff.
Steve Bowcut:
So earlier you mentioned just briefly in passing, you mentioned NSA Center of Excellence. The next question I wanted to ask you was about how at UD Mercy, how do you keep the curriculum current and relevant in this rapidly changing cybersecurity landscape? Maybe those two ideas can kind of go together. Can you address how you do keep the curriculum current and the influence that maybe the NSA Centers of Excellence has on that?
Dan Shoemaker:
Well, I’m going to make a statement to you right now. If you’re not an NSA, if you’re not certified by somebody external, you’re making it up. I mean, you might be right, you might be even better, who knows, but the point basically is no third-party has looked at what you’ve done and said, yeah, that’s what we want. I mean at the top there has been a whole lot of concentration on defining the field because everybody who is at the top knows that it’s not just a kind of firewall, but the bottom line basically is that it doesn’t trickle down far enough into education. And as you say, there’s a whole lot of folks out there who want to make a buck and they’d be happy to tell you that their solution is the only solution. This AI thing drives me nuts. I mean, I can spell AI but I don’t think anybody out there has the slightest idea what they’re really talking about in terms of the nuts and bolts of the thing.
But any rate, that’s another one of those things where you get a buzzword going and it is great to sell it. The NSA folks from the beginning and we’re talking about ’96, ’98, have had what the government at least considers to be the definition of the field, what’s required, and they promulgated as a set of requirements that you’ve got to meet in your curriculum, you’ve got to be teaching this stuff and prove that you’re teaching that stuff in order to be made a center of excellence. We were number 39 in the country back in 2004 and I think there are maybe 300 right now, but there’s 7,000 institutions of higher education and I don’t know what the other, I don’t know 6,700 are doing in terms of teaching stuff, but whatever they’re teaching, they’re making it up. It is based on somebody’s high opinion of themselves in terms of what they ought to be teaching.
I don’t do that. My only goal is to find out what the field thinks I ought to be doing, and then I try to comply with that because there’s a whole lot of smart people out there working on the definition of this stuff, and I don’t know whether I shouldn’t at this point sort to get off onto, but I mean that’s basically what’s going on out there is the various society fields, sorry, the various authorities are in the process of developing definitions that you need to be aware of and then implement if you want to teach. So I mean, I’m basically always looking at what’s going on out there. One of the things I didn’t mention, haven’t mentioned, has been the CSEC. The government is the government. They’ve got their own agenda. I lived there for 10 years, but it’s kind of government-oriented from the standpoint of the profession as a whole in terms of what we teach.
That’s always defined by the societies: IEEE for software engineering, ACM for computer science and AIS for information systems people. And every curriculum out there in those fields is based on those societies’ definition of what you need to teach, and they promulgate those requirements, and you call yourself a computer science program if you’re teaching the ACM requirements. All three of those societies came together because they’re as horrified as everybody else at how much like the wild west the field of cybersecurity is. And basically, and I was on that committee too, basically define from the standpoint of the societies, meaning the people that govern how you kind of, academia and the profession, define what cybersecurity is, and that’s the CSEC. I don’t know what the CSEC part stands for, but it’s CSEC 2017, which you can pick up on the internet, and that’s the definition of, that’s also one of my books I might add, but I mean the bottom line basically is that that’s what you need to know. That’s what you need to teach. That’s sort of what I referenced myself to because basically that’s what society is saying it wants. If you’re doing it without doing those sorts of contextual things, in terms of paying attention to what the profession as a whole is telling you, then you’re probably not doing a good service to the people you’re teaching. That’s how we evolve stuff. Sorry.
Steve Bowcut:
No, that’s quite all right. And I appreciate that idea that we have to stop this wild, wild west mentality. There’s too many resources that are wasted going off in directions that are not going to have a profitable return on the intellectual investment. We need to do it in a more organized fashion.
Dan Shoemaker:
I agree with that. I’ll tell you a little story, which is what I do when I do speaking gigs, kind of to introduce what’s going on out there. Right now in the field it’s six blind men on an elephant. It’s actually a poem from the 1800s: six guys who can’t see are asked to describe an elephant. They do it based on what they’re touching, and so for one, it’s the trunk, it’s like a tree limb, and the side is like a wall, and the tail is like a snake, and so on. And the end of the poem says in the end, they were all perfectly right and all perfectly wrong. What’s going on in higher education right now is you get folks that are touching some part of the elephant and that’s what they think is cybersecurity, and they’re not looking at backing off to look at the whole elephant. Of course, if they’re blind, they wouldn’t be able to see it, but you get my point. In my case, holistic security is about the entire elephant, or teaching the entire elephant. I believe that’s the title of some of my talks. And if you’re going to get into the field, you’re going to really be limiting yourself if you just stick to one part of the elephant.
And it’s definitely the solution.
Steve Bowcut:
Yep. Perfect. Thank you. That’s a great metaphor to visualize that. So this next question I wanted to ask, what I wanted to ask you is what some of the key skills and knowledge are that students should focus on, but we may have addressed this already, because it sounds like from what you’ve told us so far that if in your mind the question is, is this skill or knowledge base important to cybersecurity regardless of what it is? The answer is yes. Right. So is there anything you can add to that idea of what students need, what their skills and knowledge areas need to be, if they’re going to be successful in cybersecurity?
Dan Shoemaker:
I mean, I hate to push something I had a big part in, but all they really need to do is look at the NICE workforce framework. It’s a compendium of all of the knowledge, skills and abilities you need to have in order to work in cybersecurity. Nobody’s going to be able to read the whole thing or do it because it’s like, I don’t know, 2000 something KSAs. But the bottom line basically is that it’s going to show you the various areas. Forensics, for instance, is extremely important. People don’t really think about that much. They tend to think of programming as being kind of a basic skill, and it isn’t, in fact, almost nothing out there has. That’s sort of a completely separate field which I was highly involved in, which is software assurance. And that’s been going on a long time before cybersecurity was even kind of mentioned as a word.
Sorry. The idea basically is that just kind of look at what people define for you, forensics stuff that has to do with intelligence. People don’t seem to realize the two of the workforce areas are all basically intelligence-centered not. And the reason for that is we’re eternally surprised by attacks that we didn’t know about. And so how do you work kind of outwardly for future or intelligence spy stuff, finding out what the enemy’s up to before they actually attack you, how do you work that into putting together an effective cybersecurity solution? And then there’s the regulatory and assurance areas that are like audit. People say audit, they think of guys with green eye shades and the cybersecurity audit stuff is how you go about making sure that the controls you have deployed are actually where they’re supposed to be and working properly. And nobody with a military background is going to say, okay, we’re going to send the troops out there, but we’re not going to keep any track of what they’re doing.
So I mean, it’s that sort of stuff. For a long period in the two thousands, I had a hard time keeping people in the program even, because they’d take the audit course and the big four, I think audit for companies, the accounting companies, would snap ’em right up because they needed people to do surveys, actually audits. So at any rate, my point basically is that the key knowledge and skill areas, I could list them for you, but you don’t care about that on a podcast. All you have to do is go to either the CSEC or the NICE Workforce Framework, the NIST workforce framework’s probably the best, and see what all the areas are, and it’s going to be so many surprising new things that maybe you even personally have got an interest in, and it can do law teaching that next fall. Legal and regulatory compliance is kind of a major area in cybersecurity, and it’s getting to be more so as people kind of at the policy level begin to say, well, these folks aren’t doing it the way you want to do it, and so you’re going to have to do it or else, which I’ll get to at some point later on when we talk about the automotive piece.
At any rate, the idea basically is that, don’t think of this as a technical field because it’s not. It’s its own field, and it’s got deep technology areas in it, but it also has areas that are purely human behavior. Education and training is the number three countermeasure of all countermeasures out there, because you don’t want your workforce to be clicking on links that they don’t know where they came from, because that’s asking for permission to install a rootkit. And so the bottom line basically is cybersecurity education. If you want to just be a teacher in that field, it’s wide open for you.
Steve Bowcut:
Excellent. Just a note here, we’ll put some links in the show notes for the NIST framework and places where our audience can just kind of click a link, and maybe they’ll want to type in the URL. I’m not sure after listening to this. Permiss…
Dan Shoemaker:
Permission to install rootkit. Yes. Yeah,
Steve Bowcut:
Exactly. But we will put some links in the show notes to help people find what we’re talking about. So let’s move on here a little bit. When I was reading your bio, I thought a little bit about this, the Midwest CISSE chapter, and there was a thing in there about collaboration with international partners, and I thought I want to ask him to elaborate on that a little bit. What does that look like?
Dan Shoemaker:
Well, I mean that’s my personal hobby. The thing I like best, I might add, is that CISSE stands for Consortium for Information System Security Education, although it’s pronounced sissy.
Steve Bowcut:
Okay.
Dan Shoemaker:
Those of us out there, I mean actually for a long while I was working, while I was working with NICE, I was also working with CISSE, so I was a nice sissy,
Steve Bowcut:
A nice sissy, very good.
Dan Shoemaker:
The Brits in particular are doing an awful lot in cybersecurity in a lot of ways. It’s kind of like putting second, they kind of see the mistakes we make and they’ve kind of been doing it a little bit better. I have a number of, and they’ve attended a lot of our, back in my software assurance days and at DHS, they came to a lot of our events, and so I’ve gotten to know them and generally speaking, we in particular, at UDM, have been working with people at, they’re now at LBO University in the UK, but they’ve been at various other, it was Warwick prior to that. It’s a research team. They’re also at the Turing Institute, and one of my better friends is in charge of that. But we’ve worked a lot with the British government in just exchanging information and also in the sort of socialization where we talk about our stuff, they talk about their stuff, and we get sort of a larger understanding of things. They’ve had one attempt at kind of a worldwide conference that was in Paris sometime a while ago, I can’t even remember when, but back in the teens somewhere, and kind of got everybody together and we all talked about what the issues are, and they’re pretty much what I’ve been talking about here.
But I mean, the bottom line basically is that there’s a vibrant research community out there and we talk to each other on an informal kind of social basis. Then of course, there’s always ISO, which is the International Standards Organization, and that is a primary source of all knowledge about cybersecurity in the form of the standards they promulgate. And so we also spend an awful lot of time watching what’s coming out of ISO as a way of getting an idea of where the field’s going and what we need to be doing in that area.
Steve Bowcut:
I was just going to comment that I love that idea as well, that let’s not require every nation, every entity to reinvent the wheel. Let’s share the information that we have, move the work forward much faster and much more efficiently if we share that information. So I appreciate the efforts.
Dan Shoemaker:
It’s amazing how influential the EU has gotten to be because basically, I mean ISO is in Geneva, and the European Union basically is coordinating much better around ISO type initiatives. And in many ways they’ve been kind of ahead of us in stuff like data security. So the GDPR, which is the General Data Protection Regulation, which is kind of a European Union requirement, a regulation, meaning they have to do it. And that’s the reason why you’ve got to accept a bunch of stuff if it comes from a European website about your personal data. But I mean personal data, they’re selling us like cattle, the American data warehousing and harvesting industry. You can’t do that now in Britain, France, Germany, places like that because of the GDPR. So they’re coordinating some of their policy stuff, that’s really critical in a lot of ways to your personal security, much better in regulating it. Basically, it should be against the law for somebody to sell all my personal information because they got it off of Facebook or whatever, but it isn’t.
Steve Bowcut:
Yeah, I agree with that, and I think the GDPR should be the standard that we should all strive for, but unfortunately, and this has come up a couple of times in our conversation, the vendors, the market, so the influences I think from vendors, and that’s where the money is at. I mean, selling data is where the money is at. And so in the US we have a hard time, our regulators have a hard time seeing, not being influenced, overly, unduly influenced by the market. So that seems to be the problem.
Dan Shoemaker:
Yeah, that industry follows the golden rule.
Steve Bowcut:
Yeah,
Dan Shoemaker:
Those who have the golden rule rule.
Steve Bowcut:
Exactly. All right, let’s move on. I do want to touch on a few more things here. So supply chain risk management is something that you’ve done some research in. Can you talk to us about that a little bit and the importance of that and things that our audience may need to know?
Dan Shoemaker:
I mean, that’s the scariest thing out there. We don’t really make software anymore. We did it 30 years ago. We don’t do it now. What we do is buy it off the shelf, but when you do that, that’s the original pig in a poke. You have no idea what’s in the software, and it’s developed up a supply chain, which could be at seven different levels if it’s like government software. And so we outsource it to a subcontractor and they outsource it to India. India outsources it to Vietnam. Vietnam outsources it to China. Each one of ’em scrapes a little bit off the top, and in the end the Chinese write it for us. And that’s not ever a good idea when your adversary is writing your code, and so nobody can control it because nobody has the slightest idea what’s going on. You ask the folks at General Dynamics what their software looks like and they say, what software?
And so you’ve, you’ve had two really notable examples of supply chain disasters, the SolarWinds thing that pretty much gave away all our national secrets. And that was from an update server in Belarus. Why Belarus? Because it was cheap. And so that’s where it got sent, even though Belarus has got the word Russ in it. And that was considered to be an FSB exploit, the Russian CIA, Cozy Bear they call it. Then we have CrowdStrike, which that’s not a cybersecurity incident, it was a software error. It’s like when was there a cybersecurity incident? Not a cybersecurity incident when you’re called, not a cybersecurity incident. But anyway, the bottom line basically is that we have absolutely no control over what we’re running because we don’t really take the time to find out what we got in our stuff. And a very smart adversary, we will figure out a long time ago that in some little shop you underbid in Vietnam or one of those other countries that’s actually doing the coding, you underbid the thing and then when you provide the product, you provide the product with a little something extra in it that allows you to control, I don’t know, take a, pick the major fire control systems for the other guys’ airplanes.
But anyway, that’s got, when the government noticed that they were running Chinese malware in one of their Navy search planes, they had a big, I dunno if the right word, what Congress does, which is have a hearing and dragged the guy that was in charge of that from the Department of Defense down to the woodshed. And in the end what they did was come up with an idea that we needed to teach it better. That was a kind of major effort that I was involved in and actually pretty much did with the Institute for Defense Analysis in Washington on what we needed to do basically to control our supply chains. And we came up with some really, I think, effective solutions, none of which have been implemented, none of which have been taught because they’re a little bit complicated and you got to take time to figure that out and nobody’s doing that.
So long story short, we keep getting stuff like what has been happening over the last year, and I can guarantee you it will become worse over time unless we find some way to get visibility to the bottom of the supply chain and then control it. But right now we have some answers in the sense that we’ve got some fairly effective process-based approaches that have nothing to do with technology. Again, it’s basically how do you make sure that you outsource it to the right people, know who you’re outsourcing it to, and then control the way it’s brought back to you through the integration ladder. And that basically is the supply chain thing. The whole software assurance initiative started up back in 2005, I was chair of workforce training and development for most of that period, for the country, for the, and I can tell you from that standpoint, we had a lot of interest.
Almost nobody wanted to do anything different than what they were doing. And we kept telling ’em, you were really going to have to make this into a disciplined process or else and what they wanted to get as to how to better teach Java coding. And so there’s a real disconnect between the folks that have got some picture of the large big picture threat and the folks that are actually responsible for delivering it. And the only way that kind of happens is if the government pushes it, meaning another word for a big bag of cash if you do this. That’s my own opinion. But I mean the bottom line basically is that we’re not really, we have a number of solutions out there, but we’re really not applying them in any effective way. And so that’s a major problem.
Steve Bowcut:
No, I agree. And I think it’s another indication. Many of us early in the days of cybersecurity or information assurance, we were very hopeful that this field was going to be able to self-regulate and not need a bunch of government regulation. But things like the software, the supply chain software problems that we’ve seen over the last decade or so indicate that I know we’re going to have to have more government regulation to make sure that people are not just following the dollar and doing it the cheapest
Dan Shoemaker:
Way. The problem is that we’re making a lot of money doing it the way we’re doing it right now. And you tell ’em you’re going to have to slow down and actually be a little bit responsible in terms of what you’re doing here. And that’s like saying, I’m taking money out of your pocket.
Steve Bowcut:
Yeah,
Dan Shoemaker:
Exactly. And so you get a really, really negative reaction out of anybody out there to say, well, you got kind. Security is always overhead. And so it’s like how can I make a buck if I’m doing this stuff? So at any rate, I start on a number of my talks with the title “Cybersecurity: Why I Sleep Like a Baby.” And the punchline is don’t babies wake up every two hours crying and wetting themselves.
Steve Bowcut:
Yeah. Very good. Well, one of the things I kind of alluded to earlier is we like to, in our show notes, put helpful links for our audience. And I know that you’ve authored several books, so I would like to put some links in our show notes with your permission for some of the books that you’ve written and maybe you could talk about them a little bit. Which ones are key to the conversation that we’ve talked about today and what they cover?
Dan Shoemaker:
Well, I mean my own view is that you got to catch me on, and we haven’t been doing that. People have grown up with a certain view of the world, but most of your attitudes get influenced when you’re young, not when you’re 45. And so I can say this stuff to pretty much your audience and they’re all saying, oh, well, so it isn’t a part of my experience set, but my own view is that the only place to do that is in the lower grades of K-12 education. And I might add the government’s gone there too because there’s an awful lot of money now coming out of NICE to support K-12 type teaching and cybersecurity. The problem down there is you got these poor folks that are trying to survive in that sea of kids and then you’re asking ’em to learn a whole new discipline.
And so what we did, the latest book is called “Teaching Cybersecurity” under my name. If you put it into Amazon stand Share Records Teaching Cybersecurity and the book will pop up. That one has gotten an awful lot of, I mean I’ve got 15 books out there, that was the 15th. You normally keep score by where you fall. That one’s been getting numbers that I’ve never seen before in terms of interest. But that just takes the CSEC, which is really the curriculum standard for cybersecurity authorized by the only people who should be doing that, which is the professional societies, and boils it down to stuff that can be taught in K-12 settings. And so we’ve got basically junior high and high school and we just got some funding to do it for K-6 type grades. And basically that’s righteous in the sense that it’s a society’s view of the field.
And so we teach the little areas and that’s stuff like you’re not going to teach component security to a third grader, but you can teach ’em stuff like the societal stuff or the human stuff that says basically you got to be aware of the fact that there are predators out there. And so the bottom line basically is that standard curricula that can be applied in K-12 settings I think are the actual solution. It’s going to take a generation before we’re going to have an actual aware population, but just telling ’em what the right thing to do is isn’t really catching on much. I mean, UDM is a Jesuit foundation. I sort of understand how the Jesuit brothers must feel preaching righteousness and watching ’em go out and sin, but that’s kind of what I do here. And the bottom line basically is that if you catch ’em young, educate ’em properly, that’s the only solution.
And that particular book gives you everything you need to know to do that. Excellent. The supply chain risk management book, I’ve got a package of four right now that are being sold by that mike one publisher. It’s what amounts to the NICE framework book, that kind of 600 pages, everything you want to know about the NICE framework. Risk management: in a lot of ways cybersecurity is nothing more than risk management or access control depending on what level you’re at. But a risk management book based on the government’s risk management framework and a book on supply chain risk management, which you mentioned. And the last one is kind of building cyber resilience, which is about design. Everything we’ve talked about here in terms of solutions is a design requirement, design problem. And so the idea basically is to look at the problem out there and design a solution based on standard controls, best practice, standard best practice. And so thinking it through in a design manner is what that book kind of discusses and teaches. And so those are the ones that I would suggest are probably worth reading.
Steve Bowcut:
Okay, excellent. So we’re about out of time, but I do want to wrap up with kind of a future looking question for you. And it’s maybe a couple of questions put together here. So I’d like to get your advice for students who are just starting their journey in cybersecurity. And at the same time I’d like to get your perception of emerging trends in cybersecurity and maybe how those work together. Do students who are just starting their academic journey need to be concerned about these trends? And if so, what are those trends and what level of concern do they need to have?
Dan Shoemaker:
Well, I mean trend number one, which is sort of self-serving, I got to say is the holistic understanding. But I mean everybody, the CSEC is built around holistic security. I mean, you really got to lose the idea that you need to know how to program to be in cybersecurity or that you need to actually know binary or any of that sort of stuff because you don’t. And so the first trend basically is to just open your mind to the idea that cybersecurity is a concatenated word. And it is not about cyber, it’s about security. Cyber modifies security. It’s like national security. And so the cyber part is kind of a red herring. It’s about how do you secure things? And I’ve been telling people in some ways I’d rather have somebody with a background in military science than computer science because the problem really is how do you defend against an attacker?
And so I mean the idea here basically is to open your mind about the areas where the actual problem lies and lose the idea that this is technical. Think about the areas that you need to think about like intelligence, who ever think of that regulation that’s more obvious. But the idea basically is it’s a huge field. Find something that resonates with you and then go down that route. I talked to you earlier before we started this about vehicle cybersecurity, which is my current interest. Your automobile is currently, it may be safe to drive, but it may not necessarily be safe from the standpoint of any bad guy stealing your information out of it or via nefarious means or actually having failures at the component level that might lead you to drive into a wall or have the car stolen. That’s the main thing.
But I mean, the bottom line basically is that there are specialty areas that if you have an interest in it, I mean my interest in that came from the fact that I’m in Detroit or actually Ann Arbor, but the idea basically is that I’m near enough to the car manufacturers that that’s been something that they’ve been thinking about. And so the idea is that if you want kind of a pathway, just find what interests you and then see where that applies in your own practical universe and then go that way. You’ve got plenty of educational opportunities for that obviously. I think we’re one of ’em. But I mean the idea basically is that’s how to get certifications. All the usual suspects are great. They’re going to give you a skill. That skill is useful. You go through all the, I mean EC-Council, SANS, those folks, they all got trained and that’s going to get your foot in the door in some kind of job.
And the whole point of this from a student standpoint, I would think, would be to find yourself a career, an employment. And so the idea basically is that there’s a role in this for anybody. One of my best, most highest successes, I’m not going to get into details of who it is, but CISO on a very important corporation was a history major. See, it’s the big picture added, the things he needed to have in terms of what he needed to know, and he went right to the top. And so you’re not limited if you think that you’ve got to have a strong technical background to get into this. Look for the parts of the field that aren’t technical and there’s plenty of opportunity out there. So that’s my last words of wisdom for you.
Steve Bowcut:
Perfect. Thank you so much. I appreciate that. We are out of time, but Dan, I can’t tell you how much I appreciate you spending some of your time with us. We truly are fortunate to have gotten you on the show. What you have contributed to this field is enormous and immense. And so we appreciate you sharing some of that with us. So thank you.
Dan Shoemaker:
Well, I appreciate the soapbox. My wife keeps calling what I do when I’m talking about these things rants, so thank you for giving me the opportunity to rant.
Steve Bowcut:
Yeah, well it was great and a big thanks to our listeners for being with us today. And please remember to subscribe and review if you find this podcast interesting. And join us next time for another episode of The Cybersecurity Guide Podcast.