Charles Palmer of IBM Research: Integrity, Curiosity Make a Good Cyber Pro

Dr. Charles Palmer, IBM Research

IBM Research’s Chief Technology Officer of Security & Privacy Dr. Charles Palmer has been a self-proclaimed computer geek since high school; however, his transition into security did not happen until years later.

After finishing his doctoral degree, he was continuing his thesis research on genetic algorithms and optimization. One day, he was asked by his boss at IBM Research to consider assembling a team of security professionals who would conduct system penetration testing of customers’ systems at their request. A tough opportunity to pass up, Palmer agreed. He built up a team of ethical hackers and started helping customers around the world improve their security.

Since then, the security department has grown to have dozens of cryptographers, high-assurance systems people, security analytics experts, and secure software development professionals across IBM Research’s worldwide labs “doing some pretty amazing stuff,” as Palmer put it.

Charles Palmer: Since then, my thoughts have turned more toward national security because the more I learn about this stuff the more I realize how much we don’t know and it kind of scares me. If you look at the way the world’s going, we’re putting more and more of our capabilities to run daily life on the Internet: computers, sensors, smart transportation systems and smart grid and all of that. I kind of got the feeling that the folks leading the charge weren’t doing any better a job at security than the IT folks did 30 years ago. And sure enough, it turns out that was correct, because they were having to worry about all of the challenges posed by the physical world at the same time: things like keeping power transmission lines off the ground, dealing with sudden weather changes.

For the last three years or so, I’ve been working with the I3P at Dartmouth College. I’m still with IBM Research, but I’ve been spending time with this consortium of academic institutions, nonprofits and national labs across the nation that’s doing cybersecurity research for the government. Getting more and more into the cybersecurity area, I’m now spending most of my time with the IBM Federal teams helping folks understand what cybersecurity is and not just preaching fear, uncertainty and doubt–anybody can do that–but rather talking about what we really need to be doing. That’s where we are right now. As it turns out my wife, Elaine, is just as much of a geek and just as much of a security person, and she is into very high-assurance systems. It is sort of a family field.

The New New Internet: Are you still teaching?

Charles Palmer: Yes, about a month ago I finished the winter term at Dartmouth. I had 24 victims this year – it was way cool. I had about a dozen grad students and a dozen undergrads. The thing I really enjoy about teaching at Dartmouth is that the students there are extraordinarily bright and it is a challenge to stay ahead of them. It’s really invigorating to go to class and be asked a question you are not even sure you can answer, and then be able to work with the students to figure it out.

TNNI: Have you seen an increase in interest in cybersecurity among your students?

Charles Palmer: Absolutely. For example, other than the absolute entry-level computer science courses, the security course is one of the more popular courses they have. It is not even a part of the core curriculum. I had students who were not majoring in computer science who had taken enough computer science to meet the prerequisites and were signed up for the course even though their plans were to go on to do things in other fields, like economics or public health. All of the students from my classes are very aware that many fields of study are increasingly connected to the world of cybersecurity. I had a chance to meet Sen. Rockefeller yesterday, and was pleased to see he understood my point that cybersecurity research and development protects all of us. It’s not just about geeks, it’s not just about IBM or HP or whomever; it’s about protecting the infrastructure that runs the nation. When the bad guys come, they are not going to attack the military or the government directly. They are going to go after the critical infrastructure, and that’s where we need to spend our resources. That’s what the I3P consortium, my students, or anybody that holds still long enough to listen, that’s what they go away thinking about.

The New New Internet: In your role at IBM, what are some of the greatest challenges you’ve met?

Charles Palmer: The biggest challenge has been getting people to understand two aspects of security; one is that you can never bolt it on at the end of your process. Whether you are talking about securing gates at an airport or highly complicated software or building security into a car–you can’t add it on at the end, it has to be a part of the design. A lot of the security we are living with today is bolted-on after the fact, and we see how well that works on many of our enterprise and home systems. The other challenging aspect is with regards to privacy. I’m on advisory boards for privacy with DHS and spend a fair amount of time there–and it sounds like it is a weird thing for a security guy to do–but the bottom line is security and privacy are not antagonists; they are not enemies or opposite ends of a scale. You don’t balance security with privacy–that’s the wrong metaphor. What I’ve had a hard time getting people to understand, and they are coming around slowly, is that security and privacy are like two voices in a piece of music. They have to be harmonized. They have to be developed together. They cannot be two unrelated things slapped together, because they will likely sound awful. That doesn’t work; one will win or at least dominate the other. No, they have to be developed together in a harmonious manner, so that at least if you are thinking about them both from the beginning, you have a much better chance of having something that has attributes of both when you are done.

The New New Internet: There has been talk about the high demand of cyber professionals. Where do you find top talent?

Charles Palmer: That is the bazillion-dollar question because DHS, NSA, every agency, every corporation is looking for them. Increasingly, schools like Dartmouth, Purdue, Columbia, NYU/Poly, UC Davis, Georgia Tech, Tulsa, and others are producing super people. You can go to MIT and they’ll have good people, but there are a lot more choices than that and the MIT’s can’t meet the demand alone. Let’s take Tulsa for example; I lived in Tulsa in the late ’70’s and the university was known for its fine law school. Now, I’m not sure when or how it happened, but when a colleague of mine got there, he started developing a cybersecurity and forensics program. Now, every person he graduates there has a line of Washington agencies ready to interview them for jobs after graduation. There are people all over pursuing this now. They realize that this subject really matters and they are standing up a lot of good programs. Of course, some of them are going to be better than others, and some have been at it a little longer than others.

But what is reassuring is that at all levels, even at the community-college level, people are talking about cybersecurity. And, it’s not just sort of, ‘oh yeah, you have to have a good password,’ but it’s why that’s true and what else might you do instead. As far as international, that is a little scary because a lot of the international schools have spent more time on this topic than many of our schools have, and many of the students who come here to study leave upon graduation. One of the things I was complaining about yesterday was the fact that so much of our cybersecurity needs in research and development are classified. Maybe they should be, I don’t know. I’m not privy to all of those secrets, but by classifying many aspects of the cybersecurity areas we’re missing the ability to leverage probably a third or more of our really smart men and women in universities who are studying cybersecurity. One of the things we can do to address the brain drain, as well as address the overall lack of cybersecurity folks, is to give them something to do. Let them help if they want to, because if they can’t get the job here, then they will just leave.

The New New Internet: What do you see as the most important traits to have as a cybersecurity expert or anyone working in that field?

Charles Palmer: I guess it goes back to when I was looking for the early cyber warriors or ethical hackers; integrity has got to be first. One of the biggest problems in the industry today is the insider, either someone who accidentally does something that enables a bad situation, someone who is actively trying to make it happen, and everywhere in between. After integrity is curiosity. Someone once told me that some of the best computer programmers are musicians and bridge players. That makes sense to me, because of the patterns and sequences and learning to recognize things, or variations on things, when you see them again. I think those are some very similar skills that we need in computer security. Is there a big math requirement? No, there really isn’t. However, the way that I look at the math requirement is that people have used them as one way to gauge how a person can think–they can see patterns and identify ways to solve a problem. The folks who are used to thinking outside the normal confines of tradition, the free thinkers, are also highly valued in cybersecurity. Take physicists, for example: They are smart in math and all of that other stuff, but they think really well and they’re excellent problem solvers.

A lot of the folks that I hired were physicists, just because they had that ability to look at a problem perhaps in a completely different way and then ask you a question that you never even considered. Curious, creative, good at puzzles or problem solving, organized, integrity–I could be asking for applicants to a law school as well, but those are some of the things that we are looking for. I guess, finally, it is increasingly important that we have good communication skills with, as my sister-in-law puts it, the ‘normals’ (meaning noncomputer security geeks). The geek-to-normal ratio is not going in the right direction, and more and more people around the world are using computers that have never had much experience with them before and they certainly don’t have any clue about security. If we can’t explain it to them, if we can’t build systems that they can use safely because the person building it was actually good at understanding how people think, then these hordes of new users will only add to the worldwide cybersecurity challenge.

We need nontraditional computer security folks as well, because right now security is a pain in the neck – it’s too hard to use, gets in the way, and so on. We’ve got to beat that, because at the end of the day the person using the computer will decide whether or not to do something securely or not. Believe me, getting your job done and keeping the boss happy or getting to go home on time are far stronger motivators than practicing good IT or cybersecurity is at the moment.

TNNI: What is the best career advice you’ve ever gotten?

Palmer: I would give two examples: When I told my parents who are both music majors that I was thinking of majoring in music, my father said, ‘OK, but remember, you’ve gotten used to eating regularly.’ I got some more advice later in high school when we were looking for things to do in the summer, and the counselor said, ‘Keep an open mind and consider this.’ It was a summer camp sponsored by the NSF that said they would teach you things that you’ve probably never heard of. This was in 1973, and topics were computer science and organic chemistry. I said, ‘Well, I’ve always kind of liked chemistry and math, so what the heck?’ The day we got there, they said, ‘This summer will change your life,’ and they were absolutely right! After that summer, I knew I wanted to study computers and how to use them. Another piece of advice that I got was, ‘you can’t eat a title: Go for the work.’ I’m a researcher with IBM. I’m not an IBM executive; I’m a researcher. That’s just fine with me.

TNNI: What is something that most people would be surprised to learn about you?

Palmer: I’m 53, and so is my security-geek wife, and we’ve got 5-year-old twin sons and an 8-year-old son. Most people think they are our grandchildren, so that is certainly one surprising thing. I guess the other thing is that I am an Eagle Scout and a Cub Scout den and pack leader. It’s a blast! The Cub Scout and Boy Scout movement has kind of faded a bit, but the values and the independence that they teach are still invaluable. That’s been a big part of my life and now that I have little guys, I get to do it again.

Having my wife and I in the same field certainly makes for very interesting dinner conversation. We are a very good balance because she’s the ‘prove it correct, down in the silicon, get it right against all comers no matter how technically capable or well financed.’ I understand and appreciate what she does, but I’m more of the ‘what can we do to solve this particular challenge, where will this technology lead, how do we explain it to C-level executives or to the folks on the Hill?’ kind of researcher. I’ve been with IBM Research 26 years now, and taking the incredible technology that the worldwide teams produced and then explaining it to the folks that might use it is a great job. It’s been very rewarding to help people across many industries, public and private sector, experienced and less so, understand what they are up against and what they can do about it.



Written by Admin
