Bill Mahoney is a professor of cybersecurity at the University of Nebraska Omaha.
He has received numerous awards for his teaching, most recently the University of Nebraska’s Outstanding Teaching and Instructional Creativity Award.
Here are the key takeaways:
- Current focus areas: His current research areas include reverse engineering of malware, anti-reverse engineering techniques, and industrial control systems security. He is particularly interested in making machine code generated from high-level languages difficult to reverse engineer.
- Industrial control systems and IoT: Mahoney discusses the security implications of industrial control systems and IoT devices, noting their evolution from isolated systems to interconnected ones, often with inadequate security measures.
- Educational programs at University of Nebraska Omaha: He talks about the cybersecurity programs at the university, including bachelor’s and master’s degrees, and a five-year integrated program. The university also participates in cybersecurity competitions and has a strong focus on practical, hands-on learning.
- Career advice: Mahoney advises students interested in cybersecurity, highlighting the importance of finding a job that is both interesting and rewarding, rather than focusing solely on salary.
- Mainstream awareness of cybersecurity: He observes an increasing mainstream awareness of cybersecurity issues, driven by frequent news about ransomware attacks and concerns about election security.
How did you get into cybersecurity in the first place? What drew you to the field?
Bill Mahoney
Well, it’s funny. I was in the wrong place at the wrong time. I was in the computer science department, actually here at the University of Nebraska Omaha (UNO), and the person that was running the cybersecurity program at the time was getting ready to retire.
And I ended up in the Dean’s office with people saying, “Gosh, cybersecurity is a wonderful field that you really ought to be interested in.” So I got [dragged] in kicking and screaming, but I was sort of interested in it.
What had your career been like up to that point?
Bill Mahoney
I had a unique background because I was in industry for a long time before I came back to academia. And so I had a weird background in the area of embedded systems, which are computers that go inside of vending machines or things like that.
So I had a different perspective, I guess, coming in, which I think was good — industry perspective instead of a theoretical perspective. But the short answer is basically I was asked to take on that role and found it very interesting, and I’ve been doing it since.
What are you working on now?
Bill Mahoney
Okay. So I have two or three different areas that I work in. This is a little in advance of the question, I guess. You say you’re in cybersecurity and that’s like saying you’re in medicine. If you’re in medicine, well some people are heart surgeons and some people are dermatologists and some people are whatever.
So saying you’re in cybersecurity — it’s not very specific, but the parts that I’m interested in, I do most of my research work at the low-level end of things. So I’m looking at machine code, assembly language, things like that. So one of the areas that I play around with quite a bit is reverse engineering of malware. So if somebody downloads a piece of malware off of a website and it’s ransomware or something like that, then how does that actually work?
Can you break it down for us, in terms of what you’re looking for when you research malware for example?
Bill Mahoney
What techniques has the person used to write the malware to make it difficult to reverse engineer? How do you get rid of it? Those kinds of questions. And so you’re looking at binary artifacts that are no longer at a high-level representation. So you’re trying to figure out, “Well, what does it do and how does it work?” Not having any of the original source code. And then the other thing that’s different, I guess, is I look at this from both perspectives because I’m also interested in obfuscation.
And so part of my research that I’m doing with the National Science Foundation grant that I have is to take high-level languages and compile them into machine code that is difficult to reverse engineer so that if you take the binary result and put it in one of the reverse engineering tools, you don’t necessarily get very far.
So it’s looking at how the compiling process can be changed around a little bit to make the reverse engineering process more difficult. So reverse engineering, and then I guess you’d say anti-reverse engineering is one area that I’m playing around with.
That’s interesting — what other areas are you drawn to?
Bill Mahoney
Another interest that I have is industrial control systems. And the reason that we got involved in this actually is, Omaha is the home of Strategic Command, STRATCOM for short, basically, and STRATCOM was building a new headquarters building. They’ve moved into it now, this was a few years ago. And one of the questions that they had was, well, this building will have quite a bit of automation in it.
The HVAC systems are automated, and the elevators of course are automated, and the fire suppression systems, etc. And of course, because it’s military, they have different networks. So there’s a classified computer network. There’s an unclassified computer network. And now industrial control systems and building automation systems all live on plain old ordinary ethernet connections as well.
So they were curious, “We were going to move into this new building. We don’t necessarily know if we see industrial control traffic on our top-secret network, that’s obviously bad, but we don’t know what it looks like.”
So we actually put together a lab with some of the industrial control or SCADAs, another term you hear a lot, equipment in it. And we picked three different vendors and we actually taught a class for STRATCOM over the summer a few years ago on industrial control security. And then we just turned around and used that as a regular undergrad level class that we offer every other year now. So industrial control, the networking part of it, is a research area for me as well. Those are the big ones.
And then I’m interested in a couple of little other things. Obfuscation at the hardware level. So reverse engineering of hardware happens as well, but the two big ones are reverse engineering and anti-reverse engineering and then also industrial control systems.
I’m curious, you mentioned this when you were talking about how you got into cybersecurity, but looking at embedded systems from the computer science perspective, or the engineering perspective, and now from the cybersecurity perspective. We keep hearing over and over that one of the biggest topics relating to cybersecurity is the Internet of Things (IoT). And when all of these connected devices start coming online, what some of the challenges or some of the opportunities for cybercriminals might be. But would you say that the embedded systems piece is a through-line through your career?
Bill Mahoney
Yeah, I think that’s correct. And I think that’s also why I ended up looking at industrial control because they have a lot of similarities. You wouldn’t think of industrial control systems as being like embedded systems, but the components that they’re using — these things that are called PLCs, programmable logic controllers — they’re just little embedded computers and they’re on a network like any other network.
And you configure them and talk to them over the network, using the same protocols that you’re using for everything else. So originally when I was doing embedded systems from the industry perspective, the internet hadn’t really taken off yet. You could go watch some videos and order some books and things like that. And it wasn’t until a little bit farther down the road where all of these components started…to become interconnected.
And then once they become interconnected, of course, the problem with embedded systems, in particular, is that the CPUs and things like that that are in these devices — they don’t have a lot of horsepower, so frequently you’re not doing any encryption. The security — they may have a password that’s built-in—but they don’t require anybody to change it, those kinds of things.
So the evolution there has maybe dictated why I ended up where I’m at, I guess. Because as you’re alluding to, the whole deal with embedded systems is that they’ve evolved into this ‘we’re everywhere and now we’re all connected,’ as opposed to a while ago where it was, well, you designed this computer and it goes in a postage stamp dispenser machine and that’s all it knows how to do. It’s not like it is now.
That’s interesting. Some of the early systems were never designed with the idea of this interconnectedness, but now we’re layering that piece on top. But then I guess the issue or the challenge is to look at, “Okay, well, what does that actually mean?” If this machine that was never really designed from the ground up to be a connected device, is all of a sudden connected, are there other vulnerabilities? Or other things that it could be used for?
Bill Mahoney
And so for example, in the industrial control world, the problem is they’re taking the easy way out. It used to be, if I was going to set up a factory, let’s say, and I’m going to put all of these programmable logic controllers in there to run my factory and create cornflakes or something, then all of that was proprietary.
So if you bought the equipment from Siemens, it was all running Siemens stuff and you programmed it with Siemens software, etc. And if you bought all your equipment from Rockwell, it’s the same thing, except it was Rockwell. Well, over time what’s happened is [that] the easy way to make everything interconnected is to just put an ethernet connector on the side, and then in the software of the logic controller, you put a regular TCP stack and you open up the right port. And so these industrial control PLCs — now they have webpages built-in. So you have all of the vulnerabilities that come with web servers potentially inside of something that’s controlling actual machinery that could hurt somebody.
Cybersecurity Guide
Right.
Bill Mahoney
Maybe not the most ideal situation.
We all walk around with supercomputers in our pocket — it’s just an interesting time. It seems like a lot of things are coming together in terms of the Internet of Things to make these devices everywhere.
Bill Mahoney
Yeah. Another problem there is that if you’re a company that’s going to build, let’s say a new webcam or something like that, you don’t really design the thing from scratch. What you do is you start off with an evaluation kit, because the vendors of the components like Texas Instruments and Intel and whatever—they want to sell you the chips.
So they’ll give you a mostly completed design to start with, and then you make whatever changes you want for your product and then manufacture your product. So the problem is that if the original design has vulnerabilities in it, and you don’t know it, you may have made a hundred thousand of these things, and they’re all over the world and there’s no way to patch them. The order of magnitude or the scale, I guess, is just completely different with Internet of Things bugs versus “it’s on my laptop.” It’s kind of crazy.
I want to pivot a minute to talk specifically about some of the cybersecurity programs offered at the University of Nebraska Omaha. So maybe you could just walk us through the lens of people who are investigating some of their educational opportunities.
Bill Mahoney
One of the things that the students really are excited about, there’s a number of competitions that happen throughout the United States, or for that matter throughout the world. And typically they’re called CTFs, capture the flag.
And so the students will do these CTFs and it depends on which format it is, but a typical one would be you have your computer and other teams have their computers and you have to defend your computer and at the same time attack their computer. And the flag part of it comes in where if I can manage to log into their computer, I can go grab this “flag.”
And what happens if you get the “flag?”
Bill Mahoney
You grab this “flag” and then the fact that you have the “flag,” you post that on a scoring site and you get points. And so the students really get a big kick out of that because it’s a competition where they get to do a little bit of defense, but they also get to do a little bit of offense and it’s bragging rights and, “I’ve got my cred because I’m better than Purdue” or something like that.
Nowadays, a lot of high schools are letting students participate in those competitions. So when I talk to students that are coming into the cybersecurity program, some of them are already familiar with some of the things that we’re doing in the intro class. And in fact, we have a thing that we run once a year that’s sponsored by the National Science Foundation where we bring in high school teams from the Omaha area.
How many students participate?
Bill Mahoney
Typically, we’ll have about 120 students in teams of five or six. And we will host the capture the flag competition for the high school students. Obviously it’s a big recruiting thing for us, but it’s interesting.
And I hear what you’re saying because when the students come in and I’m talking to them about, “Have you considered a career?” Et cetera, et cetera, most of them are there because they’ve already made that decision. And so it’s surprising, and it’s really funny to go back and look at videos of past events. And then I see high school students in these videos that are now my graduate assistants. “I didn’t remember you being here!” So that’s part two.
Part one. So UNO has had a cybersecurity program in place for about 15 years.
I imagine the program has changed quite a bit over the years.
Bill Mahoney
Originally, it was called information assurance, which is a catchall term. It’s a little bit broader than cybersecurity. And the problem with that is, we would have high school students and their parents come in and take the tour of the building.
And they’d come in our lab and I’d say, “Well, this is the information assurance lab.” And they would say, “Well, what insurance do you sell?” “Well, it’s not insurance.” So about, probably seven, eight years ago now, I would say we changed the name to be cybersecurity so that it’s a little bit more apparent what it’s all about. We have a bachelor’s degree that we’ve had for probably all of the 15 years, I would think. And then a master’s degree that we added about seven years ago, eight years ago.
And the other thing about it is that we have had a lot of success with the five-year integrated program where students start, they come to us right after high school and they go all the way through the master’s degree and you can complete it in five years instead of six because what we’ll let them do is double-count a certain number of credits.
Cool. How does that work exactly?
Bill Mahoney
So when they get to be juniors, if they decide they’re going to go to continue on to grad school, then they’ll take the remainder of their classes, up to 12 credits anyway, as graduate credit classes. And then they count to finish out the undergrad and they count for the master’s degree.
So we have a five-year integrated program…let me back up a sec. We have a bachelor’s degree in cybersecurity, which is a little unusual because a lot of universities will have cybersecurity as a concentration in computer science, but we actually have a degree program in cybersecurity — undergrad and grad.
So for the five-year program, what the students do is when they get to be juniors, if they think, you know, “I’m going to go on to grad school and get a master’s degree.” Or for that matter, go on and do a Ph.D. Then what we do is we let them double count up to 12 credit hours. So they can take classes in cybersecurity at the senior level but take the grad version of the class, as opposed to the undergrad version. And then it counts to satisfy the bachelor’s degree and it counts for credits on a master’s degree as well. So they can finish high school through a master’s degree in five years.
What is your enrollment like in the five-year program?
Bill Mahoney
We probably have about 50 people in the master’s degree program right now, and of the 50, I would say probably 30 of them, at least 30 of them are in this five-year program. Enrollment-wise, as I said, we have about 50 in the grad program, probably 250 or so right now in the undergrad degree. We’re having a hard time keeping up by the way, which is trying to hire people, but you can’t find them. So yeah, I mean, history-wise, as far as our program goes, it’s been around for quite a while.
Another thing about it is that we’re a center of academic excellence. Let me go off on that tangent for just a second. The combination of NSA and DHS designates schools as centers of academic excellence. There are several different types. If you’re a CAE in cyber defense, a CAE-CD, then you’re teaching certain things that have to do obviously with, how do I keep my network secure? That kind of thing. If you’re a CAE-R, R for research, then you’re primarily doing Ph.D. courses for future cybersecurity professionals that are going to go work for MITRE or for the government or something like that.
If you’re a CAE-2Y, 2Y for two-year, then you’re typically a community college and you’re teaching them about configuring networks, making sure that the network is secure, monitoring the logs, that kind of thing. And if you’re a CAE-CO, cyber operations, then that’s the polite term for learning offensive things. Here’s a piece of equipment. How can I break into the piece of equipment?
We’ve been a cyber defense school for a long time, probably all 15 years, I would say. We’ve been a cyber operations school (there’s only 20 of us now, I believe, in the United States) for three years now.
And the way those designations work is that NSA comes along and they have a list of what they call KUs or knowledge units, and you have to prove to their satisfaction that everything that’s on their list of knowledge units you are covering, here’s the class where it’s covered, let me show you an example, course outlines prove that we’re really covering it, here’s some example homework, here’s a test, etc.
And they actually, for the cyber operations, they come on-site and do a two-day on-site visit and make sure that you’re really doing what you’re saying you’re doing. And so being a cyber operations school buys us pretty good credibility and opportunities that a lot of the other universities may or may not have. It’s a fair bit of work to get it, but it’s really kind of neat to be able to say that.
I’m kind of curious in terms of the CAEs, why does this program exist for cybersecurity specifically?
Bill Mahoney
There’s a center of academic excellence for intelligence. And in fact, UNO’s political science department has that designation, and that, the intelligence portion of it is like intelligence, like from the DOD—that kind of intelligence. So that program, I believe is also run, I think it might be jointly between NSA and either the CIA or the FBI, I don’t remember.
But that’s another one that I know of. I’m sure that there are others besides that. And so these centers of academic excellence are a little bit different than say an accreditation board. Right? And there are accreditations that also exist for cybersecurity as well.
But yeah, I’m sure there are others, but that’s another one that I happen to know about because we talk to the people in political science. And when their NSA rep comes to town, the NSA rep will meet with our cybersecurity classes just because they’re here anyway. So that one I know about, and there’s probably others.
Let’s talk about one of your courses specifically. I was curious about your low-level programming course.
Bill Mahoney
The low-level programming class is a 2000-level class. So it’s a sophomore-level class. To give you a kind of an idea of the prerequisites for that class, we have a very intro-level programming class that’s done in Java that everybody in the whole college takes and that’s two three-credit-hour classes, one after the other. And so that’s the prerequisite, but everybody in the cybersecurity program comes through this class.
Now what we do is, it’s a typical programming class focusing on the C programming language because most malware authors will be using C or C++, but assembly language as well. So I will [tell students], “In two weeks, we’re going to do chapter three, four, five, six out of the book for C. Okay, now we’re going to do something that’s very similar to that, but we’re going to look at it from the assembly language perspective.” So I trade off—a couple of weeks of C, a couple of weeks of assembly language, a couple of weeks of C, couple weeks assembly language, all the way through.
The assembly language that we’re learning is ARM 7, and we kind of picked that because it’s a lot easier to pick up than Intel x86 assembly language. ARM is much simpler. So it’s a lot easier to cover at that student level. The plus side, ARM CPU, that’s typically the CPU that’s in a cell phone. And so they are learning something that’s very practical.
It’s not necessarily oriented towards a desktop computer. If you learn one programming language the second one’s easier. And so learning, starting with ARM and going to something else is probably not that big a deal. But yeah, that class is wildly popular. In fact, I was just told that my section limit is going up in the fall.
Is there a piece of advice that you find yourself giving students or specific advice to getting into the field of cybersecurity?
Bill Mahoney
The National Science Foundation has a program called The Scholarship for Service, or SFS. And I’m the lead person at UNO for the SFS program. And what the SFS program does, is they are paying students to go through the cybersecurity program.
They get full-tuition fees, plus a stipend, plus a travel allowance, plus supplies, etc. And the stipend’s pretty good actually. I mean, here are these grad students and they’re making $34,000 a year to go to college and the college is paid for. The agreement on the back end then is, they go to work for the federal government for an equal number of years. So if they take two years’ worth of scholarship money, then they’re obligated to work for the government for two years when they’re done.
So frequently, what I get asked about in terms of career advice is, what do you know about this federal agency versus that federal agency, etc. So it’s a little bit skewed in the sense that most of the time, when students are asking me the kind of, “What should I do with my life?” questions, the answer that I have to give them is, “Well, you’re working for the government for two years. So knock yourself out buddy.”
But there is a certain amount of that. And so what I get frequently is, the money is more if I go here, but it looks like it’s more exciting if I’m going to go work there. And then I turn right around and I say, “Then go there, duh. Because the money is good, but the money isn’t everything. And going to a place that you hate, you’ll suffer for two years because you have to, and then you’ll jump ship anyway. So you might as well start off with someplace you like.”
In terms of career advice, I would also say it’s interesting because a large percentage of the students that come through the program will end up in government kinds of positions. You would think that they would gravitate towards, well, like in Omaha is the headquarters for Union Pacific. Okay. So you would think that they would go work in the cybersecurity part of Union Pacific or the cybersecurity part of Mutual of Omaha or something like that.
And some of them do, but a large number of them are, “I want to go work at Sandia, I want to go work at MITRE. I want to go work at one of the national labs because they’re doing cool stuff and I want to do cool stuff too.” And so, yeah, in terms of career advice, it’s a little bit skewed because of that.
Outside of the university or just in general, do you feel like cybersecurity is becoming more of a mainstream concern? Do you feel like more people are aware and interested?
Bill Mahoney
Oh yeah…there’s no doubt about it. I mean, and the reasoning isn’t necessarily good. I mean, you hear about ransomware and things like that now all the time. And it used to be that if some hospital gets hit with ransomware or whatever, it’s like, “Well, let’s keep it quiet. Don’t tell anybody, etc.”
And partially by states like California, for example, where I think they have disclosure laws now, right. It does show up in the news, and when it shows up in the news, I think people are realizing that it is really more of a problem than they think.
And then of course you also hear about, particularly this cycle of every four years, you hear about election security. Well, “Are the election machines secure or are they not secure?” And I hear about that a lot, but I may be biased because Omaha is where Election Systems and Software is, that’s, ES&S, they manufacture the voting equipment for probably two-thirds of the country. So that’s in the news here all the time. But yeah…The incidents make it a much higher awareness level than it was even just a few years ago.
If you had to create a cybersecurity reading list, what would be on it?
Bill Mahoney
I’m a big fan of this particular book company—it’s called No Starch Press and they have, oh, I don’t know, I’m taking a guess, I bet they have 50 books on cybersecurity and they’re all very well written. They’re all really well put together. They’re inexpensive. And in some cases, after No Starch has had them out on the market for a few years, they’ll just say, “Just come and grab the PDF. Here’s the link,” right? You don’t even have to buy the book after a certain number of years. And their intro book is quite good.
Let me jump back a topic. Part of it is, let me tell you about our degree program. But part of it is your question about, are people more aware of this. We took our intro cybersecurity class and made it a general education class at the university, so anybody can take it for gen-ed credits. So we get people in there that are history majors or English majors or art majors or things like that.
And they at least come out of there knowing something about cybersecurity and ways that they should be concerned about their privacy and what kind of settings should I have in my browser. And what’s a phishing attack and et cetera. And so we’ve had pretty good success across the whole university by putting that class in place because it’s not a large percentage—I’d say maybe it’s a quarter to one-third of the people that take that class are not cybersecurity majors.
But it really helps to kind of spread the word among a broader audience. And I think that a broader audience of 19-year-olds probably passes it along to the parents. And so it kind of gets out that way as well. Anyway. So back to your book question, No Starch Press—I’m sold.
That’s an interesting move to make cybersecurity a gen-ed, the intro course. There is certain fundamental stuff that you would hope you could get out of your college education, regardless of whatever you’re studying. And it seems like security, digital security, and computer security is a good lesson to learn.
Bill Mahoney
Yeah, it’s sort of like, “Well, if everybody’s required to take geography…” Which is the more useful thing, right?
Right. The last question I have is, again, through the lens of somebody who might be just kind of starting out their career, what do you think might be some of the trends or things that are really going to come to the forefront in the cybersecurity industry in the next five to 10 years? Or things that you’re looking at or your students are talking about trend-wise?
Bill Mahoney
I think trend-wise, I mean, personal opinion, I don’t know that much is going to change. I think the low-hanging fruit or the easy cybersecurity attacks are still going to be the same things that we see right now. I send somebody an email, it has a link in it, they don’t think before they click it, they answer yes to some questions, then their computer gets infected.
And I don’t see that changing because that’s not a problem that you can fix with technology. It’s the person [who] has to be smart enough to say, “I don’t know the person that sent me this email, so I’m not going to open the attachment,” or whatever. So I don’t think that’s going to change.
Now, in the, for lack of any other term I can think of, the research-ey end of cybersecurity, I think the trend that people are looking at is, how can you automate the process? In other words, I want to set up a network, I want the network to be self-healing or resilient or something like that. So that if somebody breaks in and they’re controlling this particular computer, then the network somehow magically knows, “Oh, okay, well we have to isolate this part of it,” or whatever.
So I think research-wise, I think we’re going to see a mixture of cybersecurity knowledge and maybe machine learning or artificial intelligence or something like that. So that those kinds of things can be managed in a more real-time way, I guess.
Because a lot of cybersecurity practitioners right now, they’re like, “Oh, somebody took over this machine. Well, I’m going to spend the rest of the day wading through log files to figure out where did this attack come from? Oh, it came from this IP address.” And I think the pressure is going to be on to make that a much more automated kind of process.
So yeah, for the average person on the street, I don’t think that there are big changes in the future, but for the federal sector or the big business sector or whatever you want to call it, I think that it’s going to be more and more automation.
Cybersecurity Guide
Thank you.