Nate Evans is currently the cybersecurity program lead at Argonne National Laboratory. Evans received his doctorate in computer engineering with a specialty in cybersecurity from Iowa State University. Before joining Argonne, he managed cybersecurity and cyber defense activities at several private-sector companies.
Evans is considered a key asset by the Department of Homeland Security (DHS) in several cybersecurity capabilities including the development of a cybersecurity vulnerability assessment for field use, analysis of cybersecurity consequence and threat studies, and leading the pilot cyber-physical regional assessment.
Evans and his team have developed a patent-pending operational instance of moving target defense (MTD) and he has worked in a variety of other cybersecurity research areas including transportation, satellite communications, social engineering, and offensive cybersecurity.
Key takeaways from the interview
- Focus at Argonne: The lab emphasizes proactive cybersecurity research and analysis, developing technologies for proactive defense and resilience against cyber attacks.
- Collaboration and projects: Argonne collaborates with other national labs, academia, and industry on diverse cybersecurity projects. Projects include cybersecurity assessment methodologies, proactive defense research like the Moving Target Defense, and the SECuRE testbed for understanding critical infrastructure interdependencies.
- Workforce development: Evans highlights the importance of addressing the job gap in cybersecurity. Argonne runs the Department of Energy’s CyberForce Competition and is initiating programs to spark interest in cybersecurity among young students.
- Cybersecurity perception: He observes a shift in public perception of cybersecurity, from a “nerdy” field to one with broader appeal and necessity, driven by increasing mainstream awareness of cyber threats and data breaches.
- Recommended reading and advice for students: Evans suggests several cybersecurity-related readings and advises students to focus on the positive aspects of cybersecurity, encouraging them to get involved in clubs and competitions to build networks.
How did you first get interested in cybersecurity?
I actually started in computers much later than I would say a lot of my peers did. My dad was really big in the newspaper business, and so I didn’t even have my first computer at home until probably a freshman in high school.
What kind of computer was it?
It was actually an iMac, one of the first kind of Bondi blue iMacs which actually came out, and interestingly enough, just this past weekend I picked it up from my parents and it still works, which is exciting.
But so with that, I got this computer. I wasn’t from a very well-off family, so we’d get a lot of the demo game CDs in the mail, and so in order to continue to play more than a few minutes of it, you had to figure out how to hack through it.
So as such on the Mac, one of the first things I ever installed was MacsBug, which drops what your computer is doing and does assembly, and then lets you jump over commands. And so that was kind of my first exposure to cybersecurity, was kind of in the gaming world, I guess you could say.
How about college? What did you study as an undergrad?
In college, I was so interested in computers, in the cyber aspect, that I went into computer engineering, and just continued to ride that along through a master’s and a Ph.D. I’ve been doing cybersecurity work ever since and always found it very exciting, and it’s obviously a great career field.
Did you focus specifically on security during your academic career?
I’m not sure I knew it was called security when I first started. It was laid out as three pathways for me at Iowa State. One was the computer science or the programming route.
One was the electrical engineering or how power gets to the computer route, and so I was interested in both of those, so I took that middle train, that computer engineering train, which included a little bit of programming and a little bit of electrical engineering and chip manufacturing and that sort of thing.
And so that’s how I started. And then as you get later in your collegiate career at Iowa State, you have to then concentrate. And so then I picked cybersecurity as a concentration, and then my Ph.D. was obviously in cybersecurity, specifically in the social engineering world.
After your graduate studies, you joined the private sector and then you eventually wound up working at a national lab. Could you just maybe talk us through how that all went and why you made the switch from going from the private sector into working at a national lab?
So I’ve worked for a variety of different private sector groups, everything from financial companies, such as Principal Financial Group, to large corporate settings to even more boots on the ground or more people-oriented cybersecurity with Walt Disney World down in Florida.
So I’ve been involved in a lot of those entities. I went to a national lab originally because I was on the fence if I wanted to continue to work in industry, work in academia and become a professor, or work for actually the federal government and have a larger impact.
And so I was debating which one of those three to do, and I had offers and I had encouragement in all those areas and connections and the national lab seemed to be the good combination of all three of those.
What was your experience of the job initially?
So it was a little bit of academia, a little bit of industry and a little bit of government and impact. So I went to a national lab expecting to just be here for a couple of years until I found out where my true passion was, and then lean more heavily into that. And it’s been almost 11 years now, and I’m not really looking anywhere else.
I really love the autonomy you get at Argonne and the national lab as a whole, it’s a very interesting mix of all three of those, where I still have that impact. The pay is still very rewarding and competitive, and I still get that academic autonomy to pursue whatever I want to from a cyber perspective.
Cool. Let’s talk more specifically about your position and the program that you’re involved in at the lab, and what kinds of initiatives that program is working on.
Sure, I’m actually cybersecurity program lead for Argonne National Laboratory, which effectively means that I’m in charge of all the analysis and the research work in the cybersecurity field that Argonne does. So everything that’s not protecting the lab itself from a cyber attack.
What do you feel is unique about Argonne, in terms of how it compares to other labs?
We’re a little different than a lot of the other national labs as we focused much more on the research and analysis with a view very heavily towards the proactive side of things. So cybersecurity has tended to be very reactive in nature.
There’s a vulnerability somebody finds, people quickly run around to try to patch it. We try to develop technology that is proactive in nature or those that leap forward from a cybersecurity perspective.
Is the work you are describing housed at Argonne or are there similar programs at other national labs? And if so, are you communicating and collaborating with them, or are you taking this on at the national lab level and then disseminating the lessons learned to the other labs?
All the labs work in a very collaborative fashion, working on projects as needed, and we bring in expertise that’s needed across the labs. As far as individual programs or mechanisms like that—as we start talking a little more about the types of projects, you’ll see it’s quite diverse in nature.
And one of the things that drives me to stay at Argonne is that autonomy. So we can identify what is a critical problem, or a problem that no one is potentially tackling. We can reach into that field and reach to partners, whether that’s partners at other national labs, partners within academia, partners within industry, and try to find solutions, whether that’s all jointly working on a solution, whether that’s trying to identify a federal partner then to fund it, or industry partners to fund or something along those lines.
But we were very self-motivated to identify where there are problems and where we can contribute solutions, and then identify partners across a variety of entities for that. We work with a lot of the other national labs on some projects, [some] are just at Argonne, some projects we bring in a variety of industry folks, or we matured up to a specific level and then transitioned off to either academia or industry to run with and implement more regularly.
Okay, got it. Thank you. And then now maybe we could dive into some of the projects you’re working on, in a way that would be useful to someone just entering the field and considering career options.
I’ll identify what I would consider four of our larger projects just to give a summary of the types of work and types of expertise and impact we’ve had. So the first one of those is probably the most boring, I would say, but I think it’s pretty interesting from a high-impact perspective. We have done a lot of work in assessment methodology, so looking at how organizations assess their infrastructure for cyber risk.
A lot of organizations in the past have done that through maturity models. There are standards out there, so they say, “Hey, what standards are we not following? Let’s try to follow those.” We have taken a more proactive approach to that. And instead, we designed the systems and assessments to look at it comparatively. So we say, “Okay, well, you’re doing great in these areas. You’re leading in these areas, but you’re the low performer in these areas, according to your peers.”
That tends to encourage change much more. And so we’ve deployed that across a wide swath of the critical infrastructure sectors. I’m working on…applying it to a lot of public events and venues such as stadiums and arenas as more of them start stepping up and things like that.
On the assessment front, we do a considerable amount of work there. Again, looking at it very heavily from a comparative assessment, and that can be developing the methodology that could be actually going in the field to a power plant and helping them assess their infrastructure for cyber risk.
Our second project group is in the proactive defense research realm, where we look for leaps forward in cybersecurity. And so a few of our successes there have been in the moving target defense front, which is based on the old missile defense technology.
Can you tell us what that’s about?
We move around what’s traditionally attacked, so we’ve developed technologies that’ll run a website in Linux for 30 seconds, and then Windows for 30 seconds, and then different versions of Linux, and continually rotate that around. So it increases both the resilience of the site if it is attacked, as well as the cost of the attacker to try to find exploits across all those different operating systems.
Additionally, we’ve developed something called the Scalable Emulated Cybersecurity Environment (SECuRE) testbed, which is a scalable, emulated cyber range environment. This is a testbed that connects a wide variety of critical infrastructure together so we can build small cyber cities you could say, and then understand the impact of dependencies and interdependencies.
Can you give an example of the interdependencies you’re talking about?
If a power plant goes down upstream, that can cause impacts down the line to water pumping stations or even various cloud provider businesses or companies along those lines. Helping people understand that dependency and interdependency aspect from a critical infrastructure perspective is the goal for SECuRE and the types of work we do within SECuRE.
Then the last project I wanted to highlight is in the workforce development world. I mean, there’s a continual significant gap in cybersecurity, right? Depending on which journals or things like that you look at, somewhere between a million and 3 million job gap within cybersecurity.
Tell us what Argonne is doing to help narrow that gap.
We are doing our best to try to get more people interested and more people in that career field. We run the Department of Energy’s CyberForce Competition, which over 100 universities participated in last year.
That gets students actually coming to protect pieces of critical infrastructure and building innovative solutions around that. We’ve deployed that out across ten of the national labs and had, again, thousands of students participate in that and end up in various careers from a cybersecurity perspective.
While we see that as very valuable in the near term, we also see the need to invest on the flip side of that in the long term in order to get more and more students interested at a younger and younger age. We’re just actually starting some programs now, even in workforce development, at even the K through fifth-grade levels. So kindergartners, first graders, how do we start getting them interested in cyber?
I mean a lot of them are getting the negative aspects of cyber, the slaps on the hand to [not] share your information out there or the whole digital citizenship concept. We’re trying to bring that more positive, that this is a really good career field potentially even at that young age to create that spark of passion, that moment of interest.
Do you think cybersecurity is becoming more of a mainstream concern? Is it something you feel like people are talking about more and more as they maybe experience some of these vulnerabilities themselves?
Yeah, I mean I definitely think cybersecurity has become much more accepted over the past five years or so. I mean you’re very hard pressed now to find somebody that hasn’t been exposed to either a data breach incident from a variety of the big ones out there, or even just a credit card loss. Right? I mean I’m sure everybody has had various credit card information stolen or things like that.
Do you think there is more support or more attention on cybersecurity right now?
I think it’s become much more accepted. It’s become less of that bad guy or that money pit that a lot of organizations look and dread spending money on and has evolved to become that necessary need, like a security guard out front is or something along those lines.
Do you think the public’s perception of people who work in the field has changed?
I would say it’s taken a shift over the last five years to being less nerdy, I guess I would say. It’s less of a career field that is only for very smart people hacking away at computers. There’s a lot of other areas into that, whether it’s the cyber awareness side, whether it’s the workforce development side.
There are a lot of very interesting components that’s making it more of a cool field, not just from the money side of things, but also from the types of work, the types of activities that can be done with that.
I think it’s definitely a growing field and something that continually needs more and more students, and it’s made that shift, I think from being more negative in nature to being more positive in nature. I think that’s going to continue to grow and continue to be a great field for students to continue to invest their time in.
If we were going to crowdsource this cybersecurity reading list or resource list for people, what two or three things would you add to the list that would benefit someone who’s getting started in cybersecurity?
Sure. I guess the most powerful paper that I ever read was actually one of the first papers that actually one of my professors, Dr. Daniels at Iowa State, made me read, “Reflections on Trusting Trust” by Ken Thompson. It’s a paper which dives into [the fact] that you really can never trust anything in cybersecurity, and brings up a lot of the issues that we’re running into right now with some of the supply chain aspects.
And that a lot of our supply chains can’t be trusted because we don’t know where they’re coming from because so many parts are being outsourced, and so many parts are even being created upon creation upon creation. It’s a pretty interesting paper and I go back and read it every so often. It really brings up some pretty interesting points and aspects there, so I definitely recommend that one.
How about book recommendations?
If there was one cyber book you were going to read in order to see if you’re really interested in that field, I would probably recommend The Countdown to Zero Day by Kim Zetter. That is a book that talks a lot about Stuxnet and talks a lot about the whole nation state actor growth from a cybersecurity perspective, which has really caused that sort of explosion. That’s definitely a must needed read.
And then from just a very well written book, I would recommend Andrew Blum’s Tubes: A Journey to the Center of the Internet, which talks about how the internet evolved and even some of the weaknesses and concerns there. I see internet resilience becoming an even more interesting issue as all this telework stuff has taken off and evolved. I see that becoming a growing risk and a growing perspective that a lot more people need to get into.
And then just as a quick fourth, not really cyber focused, but more motivational, The Power of Moments by Chip Heath is a very great book from just a generalized motivational perspective. And I just actually read that this year, but I really wish I would have had that when I first started. There were so many just common sense lessons within that book that I think really can drive your career and your motivation and your passion as you develop your career.
Thank you. That’s a great list. Here’s the last question: for students who are studying cybersecurity, how would you suggest they position themselves as they begin their careers?
I would recommend that students look at the positive and the hope from a cybersecurity perspective. There is a lot of doom and gloom articles out there, and a lot of doom and gloom information, and a lot of people that have thrown up their hands and given up in some ways. I think there’s a lot of technologies out there that we’re on the verge of that create a strong hope for a cybersecurity perspective.
One of those being the quantum communications field. Argonne just actually piloted one of the first quantum communication loops. So we have a 76-mile loop where we are sending qubits of information. I don’t see why quantum communication won’t be the next major form of communication that we adopt that cleans up a bunch of the cyber issues that we’re facing from an integrity perspective and trust perspective.
I would also encourage students to be thinking outside the box and thinking, “How do you apply other fields to cyber?” Even things like bio and how our bodies fight off infections, which is obviously on a lot of people’s minds right now with COVID. If you can take those concepts and apply those in the cyber world to cleaning computers of viruses or mechanisms like that, I think there’s a lot of unexplored areas, which we definitely need people to dive in.
I guess my one big piece of advice, if I was a student, is I would encourage students to get involved in clubs and competitions, whether it’s DOE’s CyberForce competition, CCDC, Iowa State’s Cyber Defense Competition – just get involved in groups, and start building networks of colleagues because I think it’s going to continue to be a team sport, cybersecurity, and we need as many people on our team as we can.