Matthew A. Chapman is a computer science and cybersecurity professor at the University of Hawaiʻi – West Oʻahu and an experienced computer scientist serving for over twenty-four years as an officer in the U.S. Army in a variety of positions both nationally and internationally.
He served combat and operational deployments in Europe, the Middle East, and Asia. Key positions held include the Chief of Cyberspace Operations for U.S. Indo-Pacific Command.
He is directly responsible for excellence in teaching and the leadership and management of the Bachelor of Science in Cybersecurity and Bachelor of Applied Science degree programs. Concentrations include Cyber Operations and Information Security and Assurance (ISA).
Dr. Chapman is also the Director of the UH West Oahu Cyber Security Coordination Center (UHWO CSCC) focusing on cyber workforce development.
Key takeaways from the interview
- Skills for cybersecurity: Chapman emphasizes five fundamental skillsets for cybersecurity success: mathematics, programming, operating systems, databases, and networks. He also discusses the importance of industry certifications like CompTIA Security+ and ISC2 CISSP.
- Cybersecurity in different sectors: He points out the differences in cybersecurity approaches and responsibilities between the military, private industry, and various government organizations, each having distinct authorities and limitations.
- Cybersecurity coordination center at West Oahu: Chapman discusses the center’s focus on five areas of study: global cyber environment, technical vulnerability research, industry best practices, digital forensics, and cybersecurity for industrial control systems.
- Employment for graduates: Graduates of the program generally find employment across various sectors, supporting the local need for cybersecurity talent in Hawaii.
- Future concerns in cybersecurity: Chapman predicts challenges with the proliferation of IoT devices and the need for managing and transmitting data efficiently, highlighting the potential for new vulnerabilities and the necessity of protecting against them.
How did you first become interested in cybersecurity?
My background started in computer science. After high school, I accepted an Army scholarship for a computer science degree at the College of William and Mary. That’s where my formal education started, but even younger than that, it began when my dad bought me an Apple II Plus computer.
In those days, programs were loaded with cassette tape. I started getting interested in programming very early. By the time I got to high school, I learned to program with both the Apple II Plus and TRS-80s. Later when I started college, computers and programming were my primary interests. The Army scholarship was specifically for computer science, so that started the ball rolling. My master’s degree and Ph.D. are both in computer science as well.
Early on in my military career, cybersecurity existed, but it was not a focus. Given my military responsibilities and my computer science foundation, my responsibilities evolved toward cybersecurity and the larger mission set of cyber operations.
Cyber operations include cyber defense, cyber network operations, and offensive cyber operations. It covers the entire spectrum. Over time, both the global situation and technology changed. I became more interested in cybersecurity, specifically as nations recognized this emerging domain.
If you consider the military’s role throughout history, it is quite interesting. At first, there was conflict around who owns what piece of land. Nation-states built armies to settle those disputes. That evolved into disputes about who controlled the seas, and navies emerged. Eventually, we had to consider the control of airspace at the nation-state level, bringing about the evolution of the Air Force. Then dominance in space became an issue. So, cyberspace is really just the next domain that nation-states consider for both physical and economic security.
There are significant challenges associated with protecting our critical interests in this domain. In cyberspace, there are disputes about sovereignty, which country has rights and privileges, the location of physical assets, and who owns data traveling worldwide.
Because we now must consider our nation’s security from a cyber perspective, cybersecurity was a natural fit for me. It is where my computer science background and twenty-four years as a military officer came together.
That’s interesting. So, you’re an army officer and a computer scientist. How did you translate that experience and education into the skills needed for cybersecurity?
That’s a good question and something important for students to understand—many of the fundamental skills needed for cybersecurity overlap with computer science. I would even say that cybersecurity is a subset of computer science, but it also has some particular areas that computer science does not cover.
I would say there are five fundamental skillsets that students must focus on to be successful in cybersecurity.
The first skillset is mathematics. Whether students are interested in it or not, mathematics is essential to many aspects of cybersecurity, and they should take as much as they can handle. Everything from securely transporting information to cryptography requires mathematics.
The second skill needed in cybersecurity is programming. Nearly everyone involved in cybersecurity needs to understand at least one programming language. It would be challenging to protect programs and code if you do not understand it.
Number three is operating systems. Cybersecurity professionals should be comfortable with multiple operating systems. It could be Windows, Linux, or something used with programmable logic controllers and SCADA systems. Knowing how to use as many operating systems as possible is important.
Next is databases. There is so much information stored either in the Cloud or locally in databases that you must have a good understanding of these technologies.
Lastly, knowledge of networks is essential. You cannot even start in cybersecurity if you do not understand how networks communicate. Globally, the Internet runs on TCP/IP, so generally, in academia, you’re going to spend a lot of time working with that protocol stack, but it’s vital to academic education in cybersecurity to understand that this is only one of several protocol stacks used.
Proficiency in all five of these skills will help build a career in cybersecurity. As your career progresses, you can earn industry certifications along the way. You might start with CompTIA Security+ or Pentest+ and then move on to the higher-level certifications like ISC2 CISSP. Some of these certifications may be mandatory, if you will be working with critical infrastructure.
You have extensive experience on the military side of cybersecurity and now in academia. It would be interesting to get your perspective on how cybersecurity in the private sector and public sector differ or are the same.
One of the big differences between the U.S. Military and private industry relates to authorities and responsibilities. There are various entities within the military branches, and responsibilities with respect to cybersecurity can vary. The military generally has the responsibility to protect their own networks.
Many groups have different responsibilities for cybersecurity. These include military, private industry, and various government organizations. Some have limited authority on networks within the United States due to specific laws and protections. Law enforcement departments may require authority both within the country and globally, to pursue the rule-of-law and security requirements. So, it’s not only the military and industry, but many organizations working on cybersecurity.
For students trying to figure out where they want to work as a cybersecurity professional, they need to understand that working for the military is very different from working with industry, other federal government agencies, or even law enforcement.
Would you say protecting critical infrastructure has been a common thread running through your military and academic careers?
Yes, and not just for me. Protecting critical infrastructure is a focus for our program at UH West Oahu. The University of Hawaii system is quite unique. We are a bit dispersed because of the Islands’ geography. We have ten campuses, and the campus that is the center for cybersecurity is the University of Hawaii – West Oahu. What we’ve built here is focused on protecting the nation’s critical infrastructure.
In our program, we pull together much of what we have discussed today. First, we teach the foundational skills needed for cybersecurity. Next, students explore the cybersecurity of business networks and how to achieve the necessary industry certifications to get the right jobs. We are expanding into new areas, as well. We teach the different network protocols used by industrial control systems (ICS) and the security considerations for ICS and SCADA systems.
Our primary focus is on protecting critical infrastructure.
That sounds interesting. Can you expand on that a little? Does that include attribution? What do you cover in cyber investigations?
Attribution, as you know, is very difficult, because it is easy to mask cyber identity or location to create false attribution markers. It may appear an attack came from someone or somewhere else.
The malicious activity seen on a network depends on what actors are interested in the information on that network.
Whether you work for a small retail company, a giant retail organization, or the government will determine what types of malicious groups are interested in your data. Part of cyber investigations is to understand who may want to gain access to the information you are protecting.
Cyber malicious actors may be dispersed worldwide, so most cyber investigations are, in some sense, global investigations. Cybercrime often crosses nation-state borders, and investigating these crimes requires digital forensics, advanced networking, and advanced telecommunications knowledge.
These investigations also require an understanding of the global cyber environment and the different policies countries have in place. Things that are illegal in the United States may be perfectly legal in other countries.
Can you tell us more about the Cybersecurity Coordination Center at West Oahu?
My military background helped me realize that one of the challenges of cybersecurity is attaining situational awareness. A Network Operations Center (NOC) is part of the puzzle, but it takes more than a NOC to gain the level of situational awareness needed to protect a network.
At West Oahu, we created the UH West Oahu Cybersecurity Coordination Center. It’s a place where students can get real-life experience to prepare them for employment in the information technology and cybersecurity fields. The Center allows students to research and gain insights into cyber situational awareness in five areas of study.
The first piece of the puzzle is the global cyber environment – what’s happening as far as policies, ethics, and strategies. We look at how folks are trying to leverage cyberspace, similar to how they leverage land, sea, air, and space.
The second area of study is technical vulnerability research. It is essential to understand what’s happening globally, regionally, and at the nation-state level, but then there are vulnerabilities at the technical level. There are always new vulnerabilities published. For many people in this field, that is their day-to-day job. They go to work and scan for vulnerabilities. They check to see what has changed on their network and patch vulnerabilities before a malicious actor exploits a vulnerability.
The third area stems from the first two. This is the understanding of industry best practices. Here the students are taught to ask, “Based on what I know about the global environment and what I know about the technical situation, what industry best practices are there to protect my information?”
The fourth area of study is digital forensics. We teach students how to use all the information at their disposal to figure out, “what happened” and “what is likely to occur next” on the network.
The fifth and last area is the study of cybersecurity for industrial control systems. We feel it is essential to teach students about more than business networks. It is important to be equipped to protect the energy sector, health services, transportation, and all the 16 critical infrastructure sectors.
Are you able to place most of your graduating students? And, do they mainly stay in Hawaii or move to the mainland?
Generally speaking, when a student is standing in graduation, they have a job. To support our island culture and requirements, our message is that agencies and industries do not need to import talent from outside of the state.
The culture adjustment for imported workers can be quite significant. We provide and develop local cybersecurity talent, and our graduates continue to prove they are among the best in the country. Our students consistently place among the top universities in the country in national competitions.
If our students want to stay in the Islands, they can find jobs. The graduates are getting jobs, and it’s across all sectors. This is a good situation for our students and graduates.
Do you feel like cybersecurity is getting the attention that it needs, both from industry and academia?
I think the message is getting out there, and I think the emphasis is appropriately messaged. I believe we are moving in the right direction.
One significant indication is that we, as a country, are beginning to understand the importance of cybersecurity. This has been demonstrated at the highest level of national politics. There are very few things that presidential administrations agree upon. The one thing that every administration has been 100 percent supportive of, and concerned about, is cybersecurity for our critical infrastructure. This is true, going all the way back to George W. Bush.
Right after 9/11, President Bush and his administration immediately moved to protect our critical infrastructure. On October 16 of 2001, Executive Order 13231, which is critical infrastructure protection of the information age, was put out by President Bush. He realized how important it was for our nation.
Presidential Policy Directive 21 was President Obama’s capstone document for the protection of our critical infrastructure. It was released on February 12, 2013. It took what President Bush published and expanded it to organize into 16 critical infrastructure sectors. It details the roles and responsibilities for each sector-specific agency. Within a week of that policy directive, he also put out an executive order improving critical infrastructure cybersecurity.
Jump up to the next president, President Trump. On May 11, 2017, Executive Order 13800 was signed, strengthening the cybersecurity of federal networks and critical infrastructure. This EO takes what Bush ordered and what President Obama directed and drills it straight into cybersecurity considerations for strong federal networks.
Then we have NIST Framework, Version 1.1. This is the framework for improving critical infrastructure cybersecurity.
Also, President Trump’s National Cyber Strategy, outlined in September 2018, is a fantastic document.
So, yes, I think we are moving in the right direction.
Well, that just leaves one question, which is where we ask you to dust off your crystal ball a little bit and look into the future. What kinds of things do you see coming in the future, things that we need to be concerned about, or maybe things that we’re going to do right?
I would probably consider two areas:
I think the proliferation of internet-connected devices will continue to grow at a rate that’s higher than linear. Is it exponential? Could be. That’s problematic. We’ve already had this massive proliferation of Internet-connected devices, and there is a lot of concern around cybersecurity of IoT devices. I think this is going to go beyond what anyone expected.
People now have refrigerators that tell them when they are short on certain things. We have Internet-connected coffee pots. We have people’s doorbells and thermostats, all connected to the Internet. How to protect all these devices is a growing problem that will only get worse.
That leads to the second concern, which is our ability to transmit and manage data. If we have an exponential growth rate on connected things, we will need to continue finding ways to transfer information faster and farther. We have a problem with how we are going to provide enough bandwidth to do it.
For example, you can see how phone service is migrating from 3G, 4G, and 5G. There’s going to be new technologies and, as we explore new technologies, we are going to introduce new categories of vulnerabilities. We’re going to need faster ways to move data around. What other new technologies are going to consume this data? It could be problematic.
Those are the two areas that I foresee will need our immediate attention. We don’t want to let the proliferation of IoT devices get ahead of our ability to protect them or store, transmit, and process the data from these devices.
That brings us to an end. Thank you so much for sharing your wealth of experience and expertise with us. I’ve enjoyed speaking with you.
Thank you for reaching out. I appreciate the opportunity to talk through our program at UH West Oahu and our responsibility as cybersecurity professionals to protect our nation’s critical infrastructure.