Drew Hamilton is a professor of cybersecurity and the director of the Center for Cyber Innovation at Mississippi State.
How did you first become interested in cybersecurity?
It wasn’t so much that I was interested in cybersecurity; rather, cybersecurity was interested in me. I was thinking about that in terms of Leon Trotsky, the communist who served under Vladimir Lenin. He famously said, “You may not be interested in war, but war is interested in you.” My original research area was in network simulation.
I’d always been interested in wargaming, and I had just come from an assignment teaching at the Army Signal School. Networking was exploding in the early ’90s. And I figured if I did doctoral work in network simulation, I’d learn about networks, which I did.
After completing my doctorate I was teaching at West Point. In those days, we didn’t have a security course, so I was teaching computer science. However, I found very few people with PhDs in computer science in the Army, and the Army has never had a lot of PhDs, to begin with. And every time I dealt with a general, they asked me about security. We weren’t using the term cybersecurity back then, but that’s what everybody was interested in, so it kind of came to me.
When I applied for my first civilian academic position at Auburn University, I presented network security research. I said, “I’m planning to work in computer security.” I could tell, looking at the people who became my future colleagues, they were not expecting that.
Because it just wasn’t a big deal, right? Roughly, what year was this? Just to give some context.
I joined Auburn University in 2001 and at that time cybersecurity was not part of the curriculum.
By the time I retired from the Army and I started my first faculty position at Auburn, universities were starting security programs. Most of those programs were three years old, some were less, and we started our program in 2002. Now I think it’s hard to find a school that doesn’t have some sort of cybersecurity program.
So, it really started in the late ’90s, and then it exploded. And now we’re reaching a point where instead of having one security person on a faculty, schools are hiring as many as possible.
In the late ’90s, my last military assignment was working in command and control interoperability. Some of the issues you get into with the interoperability of systems are, first off, there are some major league contractual issues that are nontechnical but can be pretty challenging.
Then you have some technical issues. In some cases, you’re trying to make systems connect with each other, where you just don’t have corresponding functionality between the two systems.
Then there’s also the problem that when you start opening, say, a US system to a NATO ally or another international ally, now you’re inheriting all their cybersecurity problems. I would travel to the various theaters that we supported out in the Pacific, and the Atlantic and other areas. All the generals were talking about security, not interoperability. Basically, that is what DOD’s leadership was focusing on, and I would say that was in the ’98, ’99, 2000 timeframe.
Was the military more interested in defensive or offensive cybersecurity, or both?
Most of what was taught to me was defensive, and most of it was unclassified. Now, there was a lot of classified stuff going on. However, I wasn’t part of those efforts.
One of the books on my reading list is a book called Dark Territory by Fred Kaplan, and it really answers the questions you’re asking me. I knew a lot of the people in the book. It basically traces how the DOD leadership started facing nation-state cyberattacks in the late ’90s. That was not generally known; I mean, I wasn’t aware this was going on, but that’s clearly something the people that I was briefing were concerned about. Senior leaders did have access to that information, and I suspect that’s why they were asking questions of any computer scientist they got near.
Getting to your question, “How did cybersecurity evolve?” This is what happened, and I’ll give you the quick synopsis. The person who recommended Dark Territory to me was Admiral Mike McConnell, a former NSA director and former Director of National Intelligence. I got to talk to him in a hallway after he gave a lecture at Auburn University some years ago. As recounted in Dark Territory, in 1997 the NSA convinced the Defense Department to let them participate in one of their exercises. No one was prepared for an offensive cyberattack, and the NSA Red Team attackers did very well. And then sometime later, DoD noticed the attacks starting again, only it wasn’t the NSA, it was another nation-state. So, that kind of got everyone thinking about computer security, but this wasn’t common knowledge at the time.
In the early ’90s, we taught a security section at the Army Computer Science School. It was stuff like army regulations to safeguard computers. It was a lot of policy, stuff like, “don’t copy that floppy.”
I was a student at Vanderbilt doing a Masters in computer science when the Morris Worm came out, and that was a one-off. During the ’80s, that was the only security incident that I recalled. In the early ’90s, we were teaching a very basic policy course at Fort Gordon, but it was in the late ’90s when things happened.
The thing about computing in the late ’80s, you might connect to a modem. However, you didn’t have high bandwidth private computers connected to the internet 24/7. And there wasn’t that much on the internet to do back then, quite honestly.
What research are you working on right now?
Well, we have a number of projects that go on at the Center for Cyber Innovation at Mississippi State University. What I work on, and it’s kind of my own private research, is the idea of scalable security architecture. If you think of a network simulation where you are doing what-if analysis on redesigning networks, we’re finally at the point now in the 21st century where we actually have the computing power to make this work. There’s always been scalability problems associated with this. So, now the problem I think we see is if you want to have a picture of what your cybersecurity posture is, now you have to worry about IoT devices. Has someone in your office connected a Crock-Pot or a coffee pot to the network, or you have a device where you don’t even know what it’s doing, but network-wise, enter your network access password and it is connected to your network. And you really don’t know if it’s surreptitiously collecting things or what.
Also, we have a problem with SCADA works, and we’re looking at better ways to secure SCADA systems. A lot of them are old. A lot of them are simple, but the traditional ways to detect these devices need to be improved. Sometimes we miss them, and sometimes we crash them. Network discovery of SCADA systems can be unreliable.
Would you say then that the need for scalable security is largely driven by the explosion of Internet of Things and Industrial Internet of Things devices we are currently seeing?
Absolutely, we are working in a BYOD (bring your own device) world. This is still fairly new, but as you’ve noticed, we have a pandemic going on, so we’ve got more online devices, more things that are converting to virtual, so yes, scale is an issue.
We also do work in network visualization. We have a product called NetMapper that’s in its seventh year, where students actually get a chance to work on an industrial-grade software development networking project. And again, if you’re involved in developing NetMapper, you learn the nitnoids of networking, which is pretty neat. We have a project named Autonomic Security Manager where we look at how the increase we have in computing power actually allows us to put a machine in the loop to automate responses to attack and give human operators time to react. So, those are probably our biggest research areas. We do a lot of cyber outreach to military audiences. We work with small businesses on NIST 800-171 compliance, so those are the primary things that are going on in my center.
Looking back at your career, just to give our readers kind of a visualization of the course you’ve taken, is there a thread or a theme? Have you focused on a particular aspect of security, or has it just been broad?
It actually has been broad, and I would say the common thread that has run through my academic career has been empowering students. I’ll give you an example. My undergraduate degree is in journalism, and I am typically the only faculty member in the College of Engineering that has a liberal arts undergraduate degree. My school didn’t have computer science when I was an undergraduate. When I was doing my Masters in computer science at Vanderbilt, the department chair asked me how old I was. I was under 40, and he said I was still young enough to pick up new ideas. There is some truth to that. Students are really the engine of a university research program and the source of many interesting ideas. My students make me think about things that would never occur to me. They think of things that I, in some cases, think would be impossible and they were impossible 20 years ago, but the technology has changed.
That’s a positive thing. I work with students, and they try a lot of new and different things, so I say that’s why I’m in academia. I love working with students.
Tell us more about the Center for Cyber Innovation at Mississippi State University. What would attract a student to the center?
Students who are in the academic program have an opportunity to engage in my center. And I don’t recruit students. My students recruit for me. It’s actually a lot more effective than you might think. When a student expresses an interest and has reasonable credentials, I start by having an interview with every project lead I have in the center. I found that it’s really important for students to engage in a project that they’re interested in, and I can’t gauge that on my own. Students need to see what we’re doing and determine what they are interested in.
They get a chance to work with my research engineers who are quite young, and quite talented. R&D is an inherently risky enterprise, and so we take some risks. So, that’s been how we’ve been operating, and I’ve hired a number of the students into permanent positions over the years, and that actually helps because if you have a research engineer who graduated three or four years ago from Mississippi State, they are very effective working with current students.
Right now, the job market in cybersecurity is out of control. It’s unbelievable how great the demand is, but the student feedback I get when they do interviews is employers want to know, “What projects did you work on?” Because everyone’s done coursework. And if they can actually describe one of the projects I mentioned earlier, that seems to be useful.
Is there any project you can tell us about or some of the projects the students are working on that are interesting or a surprising one?
Yes, one of the things that is really hot is machine learning. I’ve been around long enough that I’ve seen AI kind of ebb and flow. It would be hot, and then it would kind of cool off for a while. It’s definitely hot right now, so we have one project where we’re using machine learning to do malware analysis in main memory, and the idea here is when a piece of malware is loaded into main memory preparing to execute, you analyze the execution sequence to look for malicious behavior.
Somewhat related to this is the use of code clones. What that refers to is this phenomenon of software that is nearly identical. When you look at how virus scanners work, because consumers have very little tolerance for false positives, what happens is you have a random bit injected into the padding of an executable, and that will change the hash value. The scanner will fail. You don’t even have to write a virus yourself; you can just copy someone else’s malware code and slightly modify it.
So, through some techniques like fuzzy hashing and things like that, we’re working to see if we can detect some of these one-off type pieces of malware. That won’t protect from a nation-state that’s writing a custom piece of software to go after you, but this promises a contribution to combat copycat malware attacks.
And then we’re looking in the area of cyber resilience and using machine learning to generate new exploits to test against defensive systems. When we look at generating exploits, we’re not in the business of offense; we’re looking at running it against a defensive strategy and being able to evaluate how resilient the systems are. Those are all projects initiated by students.
You mentioned a book earlier. Is there anything else you could add to a reading list that would be useful for students?
Yes, and I think one of the challenges you have in cybersecurity is things change, and they change fast. And so, it’s really hard to write a book that’s going to be good ten years from now. As I said, I mentioned Dark Territory because I think it really answers the question, “How did we get into this cybersecurity business?” There’s another book that I think is also instructive to read; it was written in 1999; it’s called Unrestricted Warfare. It’s written by Qiao Liang and Wang Xiangsui, two senior colonels in the People’s Liberation Army Air Force and you can buy a copy on Amazon, but you can also find a DOD translation online that’s a PDF. They state in the book, two years before 9/11, that Al-Qaeda was the number one threat to the US, and they weren’t even on our radar. I was impressed by that.
It’s not a technical book; it’s more how do you destroy a country’s economy? How do you destroy their power grid? I think it is a very interesting read.
And then there’s an old book that still has value, Forensic Discovery by Farmer and Venema; it’s a UNIX based forensics book published in 2005. It focuses more on forensic principles and illustrates how these principles are shown in a UNIX operating system. And it’s a book worth reading. I don’t think the software that goes along with the book has been updated, but I think it is a good read.
Give us some vision into what you see in the future for cybersecurity in five or ten years.
Well, I’m really bad about doing that because I actually thought we would have solved the cybersecurity problems ten years ago.
That analysis was flawed, I think, for a couple of reasons. One, if you work in the computer security field, the first thing you have to recognize is that most people do not think the way you do and so intelligent users of all backgrounds are quite comfortable doing all kinds of risky stuff, so that’s one. Second, we are in a capitalist society. There are many things that affect security in terms of cost-benefit analysis, time to market, and things like that. So, it hasn’t always been really rewarding to build very secure systems. So, I think security is going to be an issue for some time to come. Even before the pandemic, more and more things were going virtual because you save money doing it. So the cost savings is driving more things online.
And so, I think cybersecurity is going to be important for a long time to come. But I also say things are going to change. We’re not producing nearly enough technically qualified people doing cybersecurity right now, and we’re not going to get to a point where everybody in the US is doing cybersecurity. What’s going to happen is things are going to change so that the number of people needed will be reduced, but I have no idea how long that’s going to take to happen.
I think that what students do need to recognize is they need to develop technical skills. They also need to get a good handle on budgets, managerial things. That can come a little later, but if you have a solid computer science or electrical engineering background, even if cybersecurity becomes reduced in importance 20 years from now, you’re still going to have a broad skill set that will allow you to do more than just security.
Is there anything else that if you had a classroom full of beginning or mid-career students that you would tell them to help them make good choices?
I would tell them to make sure that they enjoy what they’re doing because it does take some effort to get good at doing this, and while the job opportunities are great, if this isn’t what you like doing, there are a lot of other technology areas. We talked about AI, briefly, for example. Students should make sure that they follow their heart and that they have a passion for what they’re doing. I would recommend students get involved in some outside of a class project; that’s one of the best ways to evaluate whether they’re going to like doing cybersecurity work.
Internships are powerful because you get to work outside the classroom. You get more of a sense of what you’re doing. I just tell you that within the constraints of a semester-based classroom experience, there are limits to what we can deal with. And we talked about scale earlier. Scale is really hard to do in a three credit hour semester class. A student who has spent two years working on a project in MSU’s Center for Cyber Innovation gets a different perspective than the perspective gained in any three-hour course.