Tamara Schwartz is an Assistant Professor of Business Administration and Cybersecurity, a retired Air Force Officer, and an independent consultant. She is a recognized innovator with over 20 years of National Security experience. She received her BS in industrial engineering from Rensselaer Polytechnic Institute, her MS in engineering management from the University of Dayton, and her doctorate of business administration from the Fox School of Business, Temple University. Her research specialty is advanced cyber strategy. Faculty profile
How did you become interested in cybersecurity?
I come from a family of early adopters. I remember my Dad bringing home a Texas Instruments TI-99 home computer, and I was the first person in my sorority to have her own computer instead of going to the computer labs on campus. But there was no such thing as cybersecurity when I entered college. And depending on how you define cyberspace, there wasn’t much of that either.
I really stumbled into my career in cybersecurity. I am a retired Air Force officer, and in 2007 I was stationed at Hanscom Air Force Base in Massachusetts and assigned to the Electronic Systems Center.
When I arrived, I was handed the research and development portfolio for what was called airborne networking. An airborne network is designed to be flown into an austere area with no network coverage and provide connectivity to personnel on the ground.
My job was to determine whether we were investing in the right technologies and begin to make targeted investments. The technical support contractors who worked for me began coming into my office with, I kid you not, 100 slide PowerPoint briefings with pictures of boxes, which represented computers or radios or systems, and lightning bolts, which represented wireless networking technologies.
If it sounds meaningless, you’re right, it did not convey the complexity of the DoD computer infrastructure. Networking is much more complex than those pictures conveyed. The technology that was required to create the “lightning bolts” between the boxes created significant technological challenges.
Several weeks after I arrived, a blast from my past entered the room – a colleague I had known some 10 years earlier. She took one look at the slide-deck on my desk and said, “There’s no such thing as an airborne network. There’s a network, and some of it is airborne, and some of it is in the banks, and some of it is…” She listed out many industries, and this made sense to me. More importantly, she taught me to always go back and answer the “why” questions first. Questions like, why do we even have computers on our desks? What are we trying to achieve, automate a process, support decision making, or just make us more efficient?
Keep in mind that with our military systems, lives are on the line – we’re conducting operations every day. Imagine a Navy SEAL is downrange and needs to reach back for information to take action. In that case, the supporting infrastructure needs to be there for them, and it needs to be designed with their unique needs in mind.
Because of my ability to grasp these complexities and understand these early systems, I was introduced to the senior leaders who were developing what ultimately became the US Cyber Command, and I worked with them to develop a vision of operations in the cyber domain. So it really was just by sheer accident that I wound up specializing in cyberspace and cybersecurity.
Since you have worked as a cybersecurity leader in both the private and public sectors, can you tell us how they differ? Are there cybersecurity strategies that the military executes better than private enterprise does, and vice versa?
The answer depends on which part of the public sector and which part of the private sector you go into. There are players in both sectors who are highly sophisticated, and others who are less so.
For example, if you look at the NSA, no one in the private sector is doing what they do. In the private sector, the finance industry is exceptional in how they handle cybersecurity.
My experience has taught me that the best results come from public/private partnerships where both sectors contribute value to the equation, and that kind of collaboration is what is needed to create the best possible outcomes in cyber.
What are you currently researching or working on?
I created something I call a cyber-based view of the firm. It is a dynamic view designed to capture the complex interactions between people, technology, and data that enable cyberattacks.
Because organizations keep becoming more and more virtual through electronic storefronts, digitization, and the introduction of internet-connected devices, they are expanding access to their operations through cyberspace, and anyone can enter.
We look in the mirror, and we see ourselves as we appear in the physical world. But really, we look like the character Seven of Nine the cyborg from Star Trek. We don’t have a way to see ourselves where it reflects that we have become Seven of Nine. Organizations, businesses, even you and I, have all become Cyborg, but we look in the mirror and see humans.
Why is this an important difference? How is saying that I’m a person who uses computers different from understanding that I have become partly virtual? If I see computers as a tool, I can set them down and be separate, but this is no longer true. There’s a whole version of each of us that is purely digital, and this digital self isn’t just of our own creation, it’s from every database that references us, every google search we create, and the digital dust we leave behind in our daily interactions.
What are your students interested in, or what kinds of cybersecurity projects are they working on?
We have a unique program here at York College of Pennsylvania. My partner, Dr. James Norrie, and I come at cybersecurity from a Fifth Domain perspective. The vast majority of the country’s programs tend to examine cybersecurity as a computer science problem. But cyberthreat has been mischaracterized. At the end of the day, cybersecurity is a competitive advantage problem – a human problem.
It isn’t enough to understand the technology. We teach our students that you have to understand the IT piece, but you must also understand operations because you can’t make informed trade-offs if you don’t understand the link between operations and technology. There is an emerging need in the public and private sectors for practitioners who understand that this is a strategic competitive advantage problem. Part of the solution is technical, but most of it is about human rivalry for competitive advantage.
For example, the hacker community behaves like a community of practice – a community of continuous learners who are constantly sharing and growing their knowledge and by extension their capabilities.
Most organizations today perceive cyberthreat as a technical problem with a technical solution, which is why there is a constant struggle. The only way to combat continuous learning in a rival is to engage in continuous learning yourself. This is why we have designed our program to teach the skills necessary to take on the competition for strategic advantage that occurs within cyberspace.
If you were to build a cybersecurity reading list, what would be your top picks? Additionally, it would be interesting to hear your opinion regarding joining the military to get cybersecurity experience.
There’s value to joining in the military first, and there’s value getting a college degree. Both are a great way to enter the cybersecurity field. The military builds mental and physical agility and provides you with an understanding of operations and the connection with cyber. I have some students who’ve come into my program from the military, and this gives them greater context for what we’re teaching in the class.
But it’s an equally valuable decision to come straight out of high school and go to college if that’s what you want to do. There are plenty of ways to learn. I have a student who got selected for an NSA internship. He has no prior experience, but he is highly sought after.
As far as books I recommend, as I mentioned earlier, I like The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats, by Richard Clarke.
Another book I recommend is the fiction title Daemon, by Daniel Suarez. It seems like a science fiction book, but most of the technology in the story is real and at this point in time, fairly old. It’s about artificial intelligence that gets released on the internet.
Another fiction book, Zero Day, by David Baldacci, is about finding a zero-day exploit and launching an attack.
And last, but certainly not least, my colleague, James Norrie, wrote Cybercon: Protecting Ourselves from Big Tech & Bigger Lies.