Richard Forno is a senior lecturer in the University of Maryland, Baltimore County (UMBC) Department of Computer Science and Electrical Engineering. He is the UMBC Graduate Cybersecurity Program Director and serves as the Assistant Director of UMBC’s Center for Cybersecurity.
His twenty-year career in operational cybersecurity spans the government, military, and private sector, including helping to build the first formal cybersecurity program for the U.S. House of Representatives, serving as the first Chief Security Officer for Network Solutions (then, the global center of the internet DNS system), consulting to Fortune 500 companies, the government, and military, and co-founding the CyberMaryland conference.
Dr. Forno has a strong interest in the influence of technology on national security, individuals, and global society. His full faculty bio and a more recent Cybersecurity Guide podcast interview are also available.
Here are the key points:
- Entry into cybersecurity: Forno’s interest in cybersecurity emerged from his early fascination with diplomacy and national security. His involvement in the local hacker scene in Washington D.C. and understanding of the importance of protecting information on computers led him to merge his interests in national security and computer security.
- Unique perspective in cybersecurity: Despite having degrees in international relations and foreign policy, Forno’s industry experience in cybersecurity is extensive. He approaches cybersecurity operationally rather than just technically or analytically, bringing a unique perspective to academia.
- Current work and research: Forno collaborates with colleagues on various projects, including artificial intelligence, supply chain cybersecurity, and educating future cyber practitioners and policymakers. He is currently assisting in writing a book on local government cybersecurity, focusing on the increasing cyber threats faced by local governments.
- UMBC center for cybersecurity (UCYBR): Established in 2012, UCYBR serves as a hub for cybersecurity on campus, facilitating education, research, entrepreneurship, and partnerships. It plays a key role in promoting cybersecurity education and research at UMBC.
- Cybersecurity education approach: Forno emphasizes a broader understanding of the world in cybersecurity education. He advocates for learning about business operations, psychology, politics, and how governments interact with industries, believing these areas are crucial for effective cybersecurity practices.
- Future concerns in cybersecurity: Forno expresses concerns about the proliferation of smart devices and their implications for privacy and security. He also highlights the potential adversarial use of artificial intelligence and machine learning in cybersecurity, including the creation of deepfakes.
Cybersecurity Guide
Thank you for speaking with us today. Can you tell us how you first became interested in cybersecurity?
Richard Forno
When I was growing up, I wanted to go into the military, the intelligence community, or the foreign service. I was interested in diplomacy and national security. And when I got to D.C. for the latter part of my undergrad years, I became involved in the local hacker scene, which kind of made sense since I was always good with computers growing up and managed to find ways to break software and push the limits of technology at the time.
At the time, as I was preparing for a presumed career in the intelligence community, I realized that intelligence is nothing more than information. Since information was becoming more and more prevalent on computers, it needed to be protected.
So with my exposure to the hacking world, I realized that there was an opportunity to marry my interest in the national security world with my interest in computer security to help protect those secrets. After all, you can’t just learn one side of the equation, how to be a good defender; you’ve got to know how to break into those systems so you know what to defend against – and how. They are two sides of a coin. And that’s how I got into this field.
Ironically, even though two of my degrees are in international relations and foreign policy, I’ve had a long industry career in operational cybersecurity. I’m a self-taught geek who’s never taken a computer science course in his life and doesn’t hold any industry certifications – or want to.
And at the moment, I work in a research-heavy computer science department. So I’m a bit of a black sheep in some regards, but the reality is I provide a different perspective because I come at cybersecurity from more of an operational approach than exclusively a technical or analytical one. I have some interesting ideas that a traditional computer scientist may not appreciate or have considered. I had twenty years of cybersecurity industry experience before I came into academia. So I definitely have a unique background, but I think one that now is entirely complementary to where I am.
Cybersecurity Guide
What are you currently working on or researching as it relates to cybersecurity?
Richard Forno
As a faculty member, I support my colleagues in their research, whether on artificial intelligence or supply chain cybersecurity or how to educate and train the next generation of policymakers or cyber practitioners. Coming from industry, I bring a unique perspective on many of the issues for which career academics may not have first-hand knowledge. So I’m certainly happy to work with them and share my ideas about their projects.
Right now, I’m helping some UMBC colleagues write a book on local government cybersecurity. They did some research a couple of years ago that included the first nationwide survey of local government cybersecurity preparedness and awareness. It was pretty groundbreaking work and revealing in its findings, so it’s definitely an area that needs greater attention and resourcing. After all, we’re seeing more and more local governments being attacked by cyber adversaries using things like ransomware to paralyze large cities.
My own research thinking and writing at the moment tends to take cybersecurity concepts like confidentiality, integrity, and availability and apply them to the internet and networked society at large. I address questions like where are we going with all of this, and can we be resilient?
What if the cloud-based providers we depend on go down or have hiccups or problems? Can we still function? I also look at what I consider to be a very broad interpretation of information-age conflict in things like surveillance, privacy, technology controls, hacking, cyber warfare, and technology policy – but often, it’s something that can be distilled down into exploring how two sides are in a constant struggle for power and capability. So I try to explore these types of issues and questions. My cybersecurity background informs my research, and my industry experience informs my thinking.
Cybersecurity Guide
Do you have an anticipated publish date for the book you’re working on, and is there a title that someone could watch for?
Richard Forno
If everything goes as planned, it should be out late next year, probably December of 2021. That’s the target. And the current working title is Cybersecurity for Local Governments, but we may change that.
Cybersecurity Guide
Tell us about the University of Maryland, Baltimore County (UMBC) Center for Cybersecurity.
Richard Forno
In 2012, UMBC stood up the UMBC Center for Cybersecurity (UCYBR) as the one-stop-shop for cybersecurity on campus. We bring together elements across our campus community, whether it’s education or research or our business tech incubator BWTECH@UMBC – we have a very strong cybersecurity incubator – to present a unified front to the world. If people want to work with us or partner with us, they can contact UCYBR.
Then we can facilitate the relationship with the appropriate department, faculty members, or companies so that the interested parties can work together and figure out how to collaborate. We have faculty who have cybersecurity labs, teach cybersecurity, and have research groups. At the Center, we know whom to contact if inquiries come in. We also promote talks from these research groups to get more audience participation.
In some ways, it’s very much a virtual center. We don’t have a big room with lots of blinking lights for people to come in and see. But the reality is UCYBR exists as more of a facilitator for inquiries coming into the campus and to promote all the good things in cybersecurity education and research and partnerships that UMBC is doing.
UCYBR was formed partly to help us keep track of what we’re working on across the University and then better message that externally. It is built on four pillars: education, research, entrepreneurship, and partnership.
Education: We’re a diverse and inclusive public university, so we’re delivering innovative and quality undergraduate and graduate education and non-credit training for the workforce.
Research: As a university, we research to answer the bleeding edge questions of cybersecurity across the board, both technical and non-technical.
Entrepreneurship: There are 50-ish companies in our cybersecurity incubator, plus several more in a special incubator program called Cync, which is a unique opportunity that’s sponsored by Northrop Grumman.
Partnerships: We partner with universities and companies both locally and globally to look at and collaborate on cybersecurity questions, whether it’s on curriculum and teaching or research projects.
Cybersecurity Guide
Is there an element of the Center for Cybersecurity that would guide an undergraduate student, or even a graduate student trying to decide where they want to get their cybersecurity education? Can they come there and see what kinds of things are offered?
Richard Forno
While the Center’s site isn’t specifically a recruiting site for students, if they are looking to learn about some of the major projects that UMBC is doing in the cybersecurity space, they will see links to various research projects, research labs, student activities, and scholarship opportunities that could whet their appetite as a place that they might want to come for their cybersecurity education. Of course, there are links to our various graduate and undergraduate cybersecurity education programs on the UCYBR site as well.
Cybersecurity Guide
If you were to build a cybersecurity reading list, what would be your top picks? It could be books, papers, lectures, blogs, any of those kinds of things.
Richard Forno
My recommended reading list probably would have few if any cybersecurity technology books on it. I think we get too bogged down as an industry in focusing on the cybersecurity or technology aspects of our work.
A common question from students applying to my program is, “I’m not a coder. Can I still do cybersecurity?” And I’ve always said, “Look, I don’t have any computer science background but spent an entire industry career in cybersecurity. But I’m well-read, have common sense, and an inquiring mind. And I’m not a coder, either.”
So were I to create a reading list for cybersecurity, I would look for books about how the world works, how businesses operate, good management, psychology, and how the human mind works. How does politics work? How does the government interact with industry and interact with academia?
Books and articles and talks like that, I think, are far more useful than a top 10 list on how to secure systems or how to manage a security organization. If you think about it, books on how to technically secure things and implement effective cybersecurity have been published for decades – and yet our overall cybersecurity posture continues to be plagued by incidents and events arising from a failure to follow fundamental best practices. Why is that? It’s not a technical problem, it’s a human one.
I’m not saying those types of books aren’t necessary. And you definitely need a fundamental understanding of things like networking, operating systems, platform technologies, and so forth. Still, if I was a hiring manager, I would much rather see a well-rounded, interdisciplinary job applicant coming to me, someone who knows more about the world than just cybersecurity and technology.
For example, when I was a chief security officer, I hired a second-semester senior student at a local university. He was pursuing a degree in forest science.
The H.R. people thought I was nuts. Why did I want this student to come to work with my team? Well, the questions he asked me in the interview scared me – in a good way. He knew his stuff. His name was well-known by Linux practitioners. He knew a lot of the same security people I did. He knew how to think like a hacker. He knew how the human mind worked. And that to me was more important than what his degree said. He ended up being a fantastic addition to our team.
So, I would say, yes, read up on cybersecurity and stay abreast of the technology. You have to. But don’t forget the rest of the world, and learn how the world works. Psychology and human factors are essential. Organizational psychology, current events, stay current. Following the world is so important – as is knowing how people, organizations, and society tick.
But if I were to focus on cybersecurity reading, I would say follow people like Bruce Schneier. He makes nuanced and/or complex cybersecurity topics very understandable for the layperson, which is essential. I believe the best books on cybersecurity are written by those who have been there, done that, who have been practitioners, who are current researchers and aren’t just armchair analysts. They’ve defended networks, written policies, invented new security technologies, and gotten the proverbial 3:00 AM phone calls.
Those are the best folks to share operationally informed knowledge about what it takes to secure cyberspace – and even better if they can speak and write in ways that the average person or policymaker really can understand. Not to mention, they’re less likely to spread uninformed or sensational Fear, Uncertainty, and Doubt (FUD), which is something to be avoided at all times!
Cybersecurity Guide
Do you see a disparity between how beginning students envision cybersecurity work and what they will do in the workplace?
Richard Forno
I sometimes have students say, “Look, I’ve got a degree in computer science or cybersecurity, but I’m having a hard time finding a cybersecurity job.” I tell them, “Expand your horizons. Don’t just focus on ‘cybersecurity’ in the job title; look at ‘network administration’ and ‘systems administration’ or ‘compliance’ or ‘risk analysis’.”
All of these jobs likely also include cybersecurity components as a function of the job. So if you take a broader view, you can get in the door as a network administrator. You will be employed and get workforce experience while still doing some cybersecurity work in the course of your duties. Then you can grow and/or specialize further into cybersecurity once you’re inside.
Cybersecurity Guide
So we’ll wrap up with this last question. Dust off your crystal ball and look into the future; what do you see? And this can be cybersecurity-related or just technology-related, but what do you see in five or ten years?
Richard Forno
Sadly, I’m a cybersecurity cynic — I think we’ll see more of the same both technically and policy-wise. I don’t see a sudden ground shift in improved cybersecurity practices suddenly taking effect. That said, one large concern I have, looking forward, is the proliferation of smart devices, especially in our homes.
We rush to embrace all these devices without really thinking through what the consequences might be. What are we giving up in terms of privacy and data? Can we function if those devices go down? And who’s listening to or reading the stuff these devices scoop up that can profile our private or professional lives and sensitive information? How do we address this?
I’m also extremely concerned about the advancements in artificial intelligence and machine learning being used adversarially against cybersecurity by crafting smart network attacks or generating deepfake audio and video items. Again, going back to some of my research interests, bad actors – including political or journalistic entities — could use those types of technologies to warp our sense of reality by crafting alternative audio and video that becomes viral and/or amplified around the world – and believed.
So if you can’t even trust what you’re seeing or hearing, what can you trust and believe? Are you even capable of challenging what you’re seeing? That’s a very frightening – if not dystopian – view of the future that affects society in ways far beyond just cybersecurity, but one I am greatly concerned about at the moment.
Cybersecurity Guide
That’s all I have for you. I sincerely appreciate your time today. It has been a pleasure speaking with you.