Joe Scherrer is the Executive Director of Professional Education at the Washington University in St. Louis (WUSTL) McKelvey School of Engineering. He also serves as director of the school’s cybersecurity strategic initiative. Scherrer graduated from Washington University in 1989 with a bachelor of science in electrical engineering. Following a distinguished 24-year career as a leader and information technology and cybersecurity innovator with the US Air Force, culminating as the commander of the Air Force’s only combat-coded deployable communications wing, he retired as a colonel and returned to his hometown of St. Louis. In addition to his university duties, he is pursuing a doctor of liberal arts from University College, is an avid master’s bicycle racer, and is a certified executive leadership coach. LinkedIn profile
Why did you first become interested in cybersecurity?
It goes back to my Air Force background and basic communications officer training at Keesler Air Force Base in 1989. Back then, what we now call cybersecurity was referred to as computer security. It wasn’t even called information security yet.
From a military standpoint, keeping your communications secure and preventing the adversary from undermining your ability to operate in a wartime environment has always been important. That’s when I was first exposed to it. I didn’t learn about it during my undergraduate work at Washington University in St. Louis. I went through an electrical engineering program, but security was never considered even in computer science courses.
We were just getting to the point where the internet was really becoming a thing. It was pre-commercialization, pre-world wide web. It was really about keeping communications and information secure from a military standpoint. That’s how I was initially exposed to computer security.
So, was becoming a cybersecurity expert by design or more serendipitous?
It was definitely the latter. I was principally on the operational side during my Air Force career. I was running IT organizations and communication squadrons in the Air Force. That was part of the portfolio, whether we were in garrison or whether we deployed, we had to bring the security piece with us, especially communication security.
The National Security Agency, the cryptographers, would send us paper key tape to load up into our cryptographic devices. One of the first jobs I had in the Air Force was the base COMSEC (communication security) officer. I was a First Lieutenant, and three enlisted experts in a vault took care of everything.
I remember when I was brand new, they invited me in and said, “All right, Lieutenant,” they appointed to a three-foot stack of manuals, “We need you to read all this and sign off that you understand it.” I was thinking, “there is no possible way that I’m going to be able to read all this and understand it.” I said, “Listen, my job is to help give you the support you need, and to help keep us all out of trouble. If that means me staying out of your business, fair enough.” After that, I had no more problems. We had a fun relationship.
Later in my career, while I was stationed at the Pentagon, during the Iraq War from 2005 to 2007, the Chinese People’s Liberation Army figured out how to break into our unclassified networks. They were doing it with impunity. It was brazen.
At the time, Secretary of Defense, Secretary Rumsfeld, was very “exercised” about what the Chinese People’s Liberation Army was able to do.
A task came down from Secretary Rumsfeld, through a conversation with Chairman of Joint Chiefs of Staff, Peter Pace, to my boss, who was Lieutenant General Bob Shea, to Marine Colonel Gearhart. There were three Marines in my chain of command, General Pace, General Bob Shea, and Colonel Rob Gearhart.
Colonel Gearhart came to my desk – I’m a Lieutenant Colonel in the bowels of the Pentagon, no windows, nothing – and he says, “Hey, Joe, the Chinese just figured out how to break into our networks. We don’t have a national military strategy. Can you write one?”
I looked at him and said, “Is that it? You want me to write a national military strategy?” It was really a peak experience in my career. I got the opportunity to pull together a cross-functional team across all services.
We coordinated a strategy in 16 months through all four military departments, 52 defense agencies, the CIA, Department of Homeland Security, NSA, the National Security Council. Secretary Rumsfeld signed it the day before he left office in December 2006.
What a fascinating story – thank you.
Let’s jump forward to your current role. Do you have the ability to do independent or discretionary research, and if so, what areas are you doing research in now?
I am more on the education side, but one of my roles in the McKelvey School of Engineering is the Cybersecurity Strategic Initiative Director. The Dean brought me onboard a few years ago to help figure out how to grow McKelvey’s strength and reach in cybersecurity education and research.
I put together a strategy in coordination with the faculty. I work with our McKelvey Cybersecurity Research Group, and we are actively pursuing federal grants and corporate opportunities to do both basic and applied research in several areas. It’s pretty exciting. It keeps me plugged in from a technical perspective.
Our expertise is at the nexus of what we call cyber-physical systems and artificial intelligence. Think of anything that touches the real world as we know it. A classic example is autonomous vehicles. There are ways to spoof and fake AI and software on board some of these vehicles, and it’s actually pretty easy to do.
We have faculty that have expertise in adversarial artificial intelligence. I joke around that, “You all are the Terminator 3: Rise of the Machines, people. You’re supposed to stop all this from happening.” They chuckle, but they say, “We’re a long way from that.”
We call it trustworthy cyber-physical systems. We just won a planning grant from the National Science Foundation to build out an Institute focused on that. We’re actively working in the areas of AI and machine learning. WashU ranks among the top five of all US universities in AI.
We have expertise in secure systems and networks as well. Another initiative we’re pursuing is a secure energy infrastructure, not just power plants, but any kind of utility, water, solar, all those types, and how 5G might affect them with secure edge computing.
This initiative has opened up for McKelvey are these brand new vistas for us to go out and really make a difference and impact the society we live in today.
Joe, you have worked as a cybersecurity leader in both the private and public sectors. How do they differ?
The public and private sectors differ in two main areas. One is how technology is deployed in the field. On the military side, it is very deliberate, and since there is taxpayer money involved, there are checks along the way to ensure money is being used well. The military is so large that acting quickly is very challenging.
There are large private organizations, but they can act much faster. Here’s an example.
A friend of mine is a cybersecurity executive at Walmart in Bentonville. They were considering an edge security solution. The Air Force was looking into similar systems, so there was some coordination between the Air Force and Walmart security teams as they each evaluated some of the options.
My friend and his team made a decision and implemented a solution globally. After some months, his Air Force counterparts who were still evaluating potential solutions reached out and asked how the project was going. My friend told them, “We’re done.”
The difference was the bureaucratic red tape. The private industry can be much more agile in that regard.
Another difference between the private and public sectors is in the thoroughness or scope of training. The Armed Services invest a tremendous amount of money in making sure our folks know their jobs.
If you’re in the military and you get training on cybersecurity, it’s going to be very good. You’ll go to training for months and then get refreshed at certain times of your career. You might be working with older technology, but you are going to know how that technology works.
On the industry side, there’s a considerable gap with cybersecurity talent. In general, the industry is unwilling to invest in training the same way that the military is because it goes right to the bottom line. There’s a stalemate in the job market. I put much of the onus for that on industry because of their unwillingness to invest.
Industry leaders put the responsibility for attaining the appropriate skills on the job prospect or the employee. I think that’s a dynamic that needs to change.
Those are the two significant ways in which the public and private sectors differ.
What are your students interested in? What kind of cybersecurity projects are they working on?
It varies based on the type of program that they take. We basically have three ways for students to get involved in the cybersecurity arena. The first one is through an undergraduate degree in computer science.
We have a set of elective courses that students can take that’ll give them a really grounded foundation in the theoretical, conceptual, and, to an extent, the applied aspects of cybersecurity. But it won’t be the entire focus of their degree.
At the graduate level, we have a master’s of cybersecurity management and a master’s of cybersecurity engineering. Our cybersecurity engineering program is one of the few in the country. We feel like we’re leading the way in that regard.
To get a cybersecurity engineering degree, you either need to do a master’s project or a thesis. The project and the thesis are necessarily going to be very technical in nature.
For instance, you might be examining advanced internet of things security. Maybe a new secure radio protocol, or something like that. You’re going to be getting down in the nitty-gritty of what that means.
On the cybersecurity management side, what our students will be looking at is really the practical, applied, and operational aspects of leading and managing a cybersecurity organization.
For instance, we have a cloud security course where students will look at how to vet a potential cloud vendor to ensure that they will provide the type of security controls and capabilities that the company needs.
It really depends on where you’re at from a career perspective and what you’re interested in. I guess the final thing is that we really try to make it experiential across the board. We work hard to bring in companies and organizations to sponsor “real world” projects to bring it home. Because ultimately, cybersecurity is applied. It’s an applied discipline.
Do you feel that cybersecurity is becoming a mainstream concern? Are people beginning to realize the importance of cybersecurity and how it should be applied?
Many large companies are becoming more and more educated about cybersecurity and now include it as part of their business risk equation. You can see more of them funding CSO, CISO, or VP of Security roles.
But in the small to medium-sized businesses, I don’t think that type of awareness is there yet. That is, at least partly, because smaller firms find it more challenging to fund security roles.
Cybercriminals are adapting to this fact. You can see them focusing more on cities, schools, hospitals, and smaller organizations rather than larger multinational corporations.
From a general consumer standpoint, I don’t think we’re there yet either. Progress has been made in that if you talk about cybersecurity, you generally get a head nod, but as far as what it takes to protect themselves, I think there’s a vast deficit there.
Part of that is because people feel that because it hasn’t happened to them, they question if the “British are coming” over the hill. They haven’t seen the whites of their eyes yet. I’m a little more pessimistic on that point than some others may be.
If you were to build a cybersecurity reading list, what would be your top picks? That could be books, papers, lectures, what do you recommend?
Articles on major cyber attacks are useful reading. IEEE Spectrum published one in 2013 called The Real Story of Stuxnet that was an excellent piece. It takes you behind the scenes of what was the first publicly leaked nation-state attack.
Another one I like is from Fortune, Sony Pictures: Inside the Hack of the Century is about how Sony was hacked in response to a movie they put out about Kim Jong Un.
Another excellent one is from Wired call The Untold Story of NotPetya, the Most Devastating Cyberattack in History.
I would also read the National Cyber Strategy of the United States of America. Cybersecurity is a bipartisan political issue.
Thank you. My final question is where I ask you to dust off your crystal ball. What do you see coming in five or ten years that is interesting, unusual, or concerning?
I am not an optimist when it comes to cybersecurity because the fact is that although technological innovation is relentless, so are malicious actors in cyberspace.
We have quantum cryptography, artificial intelligence, and machine learning really coming on, but the big constant that is human nature doesn’t change.
In this business, it really is a battle between good and evil. When a new piece of technology comes out, it will be bent to good or ill purposes. Whether it’s a nation-state or any kind of malevolent actor, there’ll always be this offense/defense, attack/respond dynamic going on. It will continue to get worse. I think the defense will continue to struggle until we figure out how to break that cycle.
It’s a bit of a dystopian view, for sure, but I don’t see any way out of this do-loop we have gotten ourselves into.
Thank you so much.