John V Franco is a professor at the College of Engineering and Applied Science at the University of Cincinnati.
He is also the director of the National Center of Academic Excellence in Cyber Operations at the University of Cincinnati. The Center is a collaborative effort between the university and local major defense contractors to advance training in cyber operations and cybersecurity.
Key takeaways from the interview
- Understanding cybersecurity issues: Franco highlights the importance of discussing cybersecurity issues with undergraduate students, who often bring insights from their experiences at the NSA or defense contractors.
- Changes in cybersecurity research: The biggest shift in IT cybersecurity has been the challenge posed by the Internet of Things (IoT), requiring research into diverse devices’ vulnerabilities and ethical disclosure.
- Addressing the cybersecurity skill shortage: Franco argues that the perceived shortage in cybersecurity professionals is more a result of panic due to a lack of understanding of the problems and solutions. He suggests focusing on developing specialized tools and training in-house teams rather than relying solely on external solutions.
- Misconceptions in personal cybersecurity: Many people wrongly assume they are safe under the principle of ‘security through obscurity,’ not realizing the risks involved.
- Advice for aspiring cybersecurity professionals: Franco advises choosing a field where one can develop a passion, indicating the importance of genuine interest in the cybersecurity domain.
Tell us about your career trajectory. At what point did you start working on cybersecurity issues?
John V Franco
I started in electrical engineering in the Digital Signal Processing group at Bell Labs in Holmdel, New Jersey. That was in 1969. One day I happened to notice that someone placed a calculator outside their room, in the hall (it was as big as a table and stood on legs – it was able to be programmed).
I had little experience with computers at the time and saw creating a sample program on this calculator as a fun exercise. So I imagined and programmed a simple program to find two integers X and Y such that X/Y is a very close approximation to pi. I was expecting numbers over 100,000 but found 355/113 did better than all of the higher numbers I tried. I was so surprised by this that I changed my path toward computer science.
So, I went to Rutgers University and received a Ph.D. in computer science (CS) in 1980. In an event similar to the calculator, just as I was beginning to find a dissertation topic, I heard a talk regarding the efficiency of the Davis-Putnam procedure for solving instances of satisfiability and was again inspired to investigate. The result of that is still being cited. After graduation, I continued with investigating the performance of SAT solvers of various kinds. This led to the use of SAT solvers in the verification of circuits and programs. I received funding for developing one such solver in the late 1990s.
During this period up to 2009, I gradually became aware of the damage vulnerabilities can cause as well as the reasons these vulnerabilities show up in the first place. Then by 2009, I realized the importance of the verification work and the tools to support it – notably ACL2 and SMT solvers. At that point, I immersed myself in cyber education and got an NSA designation of Center of Academic Excellence in Cyber Operations.
Cybersecurity Guide
How do you explain your work to people outside of the field, or to people that don’t have a background in cybersecurity?
John V Franco
Attack and defense and defend forward or persistent engagement. That is, not IT-oriented cyber where best practices and policies take the spotlight.
You are the director of the National Center of Academic Excellence in Cyber Operations at the University of Cincinnati. Can you explain what the center is?
John V Franco
A collaboration of the School of IT, the Department of Political Science, and the Department of Electrical Engineering and Computer Science. We share research and courses. The strength of the collaboration has resulted in the first state-sanctioned and funded Ohio Cyber Range whose mission is workforce development.
The state has also funded a hands-on cyber lab that aims to engage high school cyber clubs in competitions and education. Members of the cyber club at UC, called Cyber@UC, have been sworn into the charter class of Ohio Cyber Reserves.
How does collaborating outside of the university help understand cybersecurity issues better?
John V Franco
Actually, I get a better understanding of cybersecurity issues from my undergraduate students, many of whom co-op at the NSA or major defense contractors. We tend to freely discuss issues in our cyber lab – an unintended and positive use of the lab.
What kinds of cybersecurity research is happening at the University of Cincinnati?
John V Franco
At the moment the things that are getting the most attention are the policy work of the Political Science department and the cyber-physical systems (for example IoT) security in the Department of Electrical Engineering and Computer Science. Also notable is research into the security of Software Systems, and several projects (ex: drones) in Aerospace and Mechanical Engineering (Advanced Manufacturing).
How has cybersecurity research changed?
John V Franco
I believe this question makes sense for IT but not so much for engineering. The big change for IT has been worrying about the internet of things (IoT). As you know there are quite a lot of crazy different devices that people are trying to connect to networks. Perhaps it is against company policy to connect something like a fish tank heater and thermometer to a company’s network but people do it anyway. Remember when people used to connect modems to their office phones so they could bypass controls while logging in remotely? Well, some still do. This gives IT security fits. All these devices are different and some have no security built-in.
So researchers need to investigate these devices for vulnerabilities and disclose discoveries in an ethical manner. The Digital Copyright Millennium Act and Digital Rights Management have conspired to give researchers fits and have at least caused researchers to have to defend themselves in court or caused researchers to revoke some of their results – especially those that have proved very important.
On the engineering side, the important research in formal methods continues with incremental advances every now and then, and improved research tools for malware analysis (for example, Ghidra, which has recently been released by the NSA) have become increasingly important, especially considering the increasingly stated principle of defend-forward.
Do you think more attention is getting put on cybersecurity issues now?
John V Franco
Maybe so but many people still do not understand what cyber is about. Some people think that getting hacked is something you can’t do anything about – it is going to happen. There needs to be more attention placed on building tools that will be used throughout the development cycle to significantly raise confidence in the correctness of deployed systems.
Also, and very important, is to end the practice of some companies to avoid fixing vulnerabilities because it is too costly to do so. Companies need to be made accountable for the misery they inflict on their customers who get hacked due to some vulnerability. Laws must be written to protect the customer but this seems to be ignored. So there is still quite a way to go before all cyber issues are getting the proper attention.
Cybersecurity Guide is dedicated to bringing more attention to the need for well-trained cybersecurity professionals. From your vantage point, why is there a shortage of people with the right kinds of skills to help deal with cybersecurity threats?
John V Franco
I do not think there is a shortage – only panic resulting from a lack of thorough understanding of problems, consequences, and solutions. At one of the NICE conferences, a CEO of a medium-size security company noted public reports of severe shortages of cybersecurity personnel are projected for the future.
He said those jobs are never going to be filled because companies can’t afford to hire all those people. He suggested the development of tools, such as I noted above but he stuck in AI as important to the development of those tools. AI may have a role to play eventually but these days many people equate AI with Machine Learning and without the ability to reason, you don’t really have AI.
What’s the best way to deal with the shortage of cyber professionals?
John V Franco
Convince companies that instead of relying on shrink-wrapped packages for security (perhaps really just compliance) they should train a small group of employees in the use of the tools that I talked about above and have that group work on problems for the entire company. Some defense contractors do this.
What do you think is the most obvious thing about personal cybersecurity that most people don’t understand or implement?
John V Franco
They do not understand that “I do not have to worry about security because no one is going to be concerned with little old me (so I am safe by the principle of ‘security through obscurity’)” is completely wrong for many reasons.
Do you have any advice or guidance for students or young professionals interested in starting a career in cybersecurity?
John V Franco
Generally, do not enter a field that you do not have or cannot develop a passion for.