Cybersecurity Prof. Henry Collier on our national readiness, the latest ransomware attacks, and his pitch to potential majors
INTERVIEW BY SEAN MARKEY
NORWICH RECORD | Fall 2021
Henry Collier is curious about human behavior. Particularly the moments when we are the most distracted or harried—the vulnerable times when we are easily duped or likely to make a careless mistake, especially at work. Collier isn’t a psychologist, however. He’s a cybersecurity expert and a 30-year Army Reserve chief warrant officer, who has taught at Norwich since 2014. Today, he leads the undergraduate programs in cybersecurity as well as computer science and information systems and the master’s program in cybersecurity at NU’s online College of Graduate and Continuing Studies.
“One of the problems that we run into in the realm of information security is everybody seems to think there’s going to be a technical solution to this problem,” he says. Collier wrote his recent PhD dissertation on executive functioning and human behaviors related to susceptibility. He points to the well-established fact that human users—not software, not hardware—are by far the easiest component of any computer system for hackers to manipulate, trick, and crack. “Until we embrace the fact that human beings are involved,” Collier says, “…we’re always going to lose.”
You are a professor. What grade would you give the country for our cybersecurity readiness?
That is actually a hard question to answer, and here’s why: There are some organizations that would get an A+. They are doing everything right. Then there are other organizations that aren’t. They’ve just been lucky that they haven’t been hacked. We don’t know which organizations fall into which of those two categories. As an inside person at an organization, you can see if things are being done properly or not. As an external person, you can only see what the organization lets you see. As a country, if I had to pick a grade, I would say maybe in the “B+”-ish range, just given the unknowns. We have a lot of companies that are small mom-and-pops, who just don’t have the financial means to do the A+ job. Then we have big organizations that have the financial means, but all they do is throw money at the problem. They’re not solving anything.
They may have CEOs who understand cyber, but they just shovel money at it. That doesn’t fix anything. It might give their tech people the resources they need to do their job. But if you don’t have the right tech people, or if they’re not truly getting support from senior management, they’re not going to be successful. Cybersecurity should start at the top. Whoever that top executive is, they should be leading the way. They should be the first one to finish their annual training and announce it. “Hey, I did my training everybody. Please get yours done now. Get it done quickly.” Leaders need to see their bottom line not only in terms of profits and earnings. But also framed by the question, how solid of a company are we? If you’re not watching out for the cybersecurity side, you might find yourself in a world of hurt. Cybersecurity incidents, when they occur, almost always come down to making a poor information security decision. We need to figure out how to change that so that people are always thinking about information security. Always.
What does your cybersecurity dream team look like?
I believe in the concept of diversity of mind. To be successful in cybersecurity, you need a team of people that all think differently, in order to see the problem and find solutions, whatever the problem is. If everybody thinks exactly the same way, you will never solve the problem. You will never stop the hacker. Because that’s what they’re doing. They’re all thinking in different ways. They’re approaching their target in as many different ways as they can.
If I got a group of people together on a cybersecurity team, it might be 10 people. They all have different backgrounds, different traits, different belief systems, etc. I think that kind of diversity helps a team come up with unique solutions to problems, and they’re able to solve them quicker. Add to that the resilience factor, and you’ve got a whopper of a team that’s just going to do great.
Let’s talk about some of the ransomware attacks that have been in the news this year. Colonial Pipeline, which pumps gasoline and jet fuel from Houston to the Southeast, was hacked, causing gas shortages for weeks. What’s your take on that incident?
Colonial Pipeline is very concerning for a couple of reasons. Let’s take away what we know already about it, and let’s just hypothesize about the incident. Do we know for absolute certainty that it was a ransomware attack because they wanted to get money?
We know that hackers did it and that Colonial Pipeline paid $4.3 million in Bitcoin. The organization that did that, Dark Side, is out of Russia. So then you have the question, well, were they doing it on behalf of the Russian state organization? Or were they simply doing it for the money? Or were they doing it for both? Were they being condoned by Russia, or were they doing it on their own? We don’t know.
The concerning piece to this is, if indeed it was Russia using Dark Side as a tool, that exposes a weakness in our system. They took out some essential infrastructure, showing that we as an American society are really at threat. If it was simply because of the money—because Dark Side was looking to make millions and Russia actually had nothing to do with it—it’s still concerning. It shows that Colonial Pipeline was vulnerable. Any time our infrastructure is targeted and attacked, that’s a Homeland Security issue. Because in the event that any of them are taken down, we are vulnerable as a nation.
Organizations are always vulnerable. They’re always going to be vulnerable. It’s really making sure that they have the right people in place to do the best job that they can to make sure things are secure. Simple things, like making sure that things are up to date. Almost every single cyber incident can be brought back to the human being and an error that occurred because of the human. Colonial Pipeline is a great example: They were using an outdated version of the VPN. All it would have taken to prevent the attack is for somebody to have upgraded that.
Let’s turn to the SolarWinds ransomware attack, one of the worst cybersecurity breaches in U.S. history. Russian hackers infiltrated the company’s widely used IT networking software, gaining access to thousands of companies and some U.S. federal government agencies, from the Pentagon to the Department of Justice. It seems like we’ve been getting our shins kicked over and over lately. Why?
You’ve got to understand that the systems we deal with are extremely complex. Any time you have an extremely complex system there is always the risk of something not happening the way you think it should, or not operating the way it should. Whether it’s a glitch in the system or whether it’s human error that allows something through. There’s always that possibility. There’s the old saying, “It’s not a matter of if you’re going to get hacked. It’s a matter of when.” And that is so true.
It’s how you react to it when it happens that really says a lot about you as an organization. SolarWinds took total responsibility for it. But at the same time, it still happened. Hackers got into places that they should never have gotten into. What was concerning is, they were there for months before the intrusion was identified. What we don’t know is at what point did SolarWinds figure it out? At what point did any other organization figure it out? And did anyone share that information with the other organizations that should have known? We don’t know that, because one of the things that companies do is they don’t like to talk a whole lot about the fact that they got hacked.
UVM Medical Center is another great example. Last year, they suffered a ransomware attack and were basically shut down for two to three weeks. (In the end, it cost them an estimated $40 to 50 million in lost revenue and other costs.) The CEO would come out and give these little briefings here and there. But the information was very sparse. Yes, it was ransomware. No, it wasn’t ransomware. Yes, it might have been ransomware, but we didn’t have to pay a ransom. That’s very contradictory. Why are you giving us information without confirming what the information is?
I would get it if the CIA got hacked, and they didn’t want to talk about it. Okay. Even the FBI. Okay. But the government in general, I think, could have said what happened, when it happened, why it happened, and when they actually found out about it.
What keeps you up at night?
I have a very vivid imagination. I write short stories and stuff on the side. Having a vivid imagination…is great and wonderful. But sometimes it can get in the way and be really frightening. Because if you can imagine it, somebody else can make it happen. What kind of thing keeps me up at night when it comes to cyber is the fact that we in the realm of cybersecurity are not maybe doing enough to push students and individuals to be more creative about approaching solutions, about approaching problems.
I’ve been teaching this subject for a while, but I’ve been in this industry for a couple of decades. The moment that people stop and become complacent is the moment that we’ve lost. They’re no longer seeing how somebody can get in [to your systems] or somebody can’t get in. If we are not constantly looking ahead and thinking like the bad people, we’re never going to win the battle or the war. We might win little things here and there, but [our foes] are always going to get in.
So we need to really look ahead. We need to be innovative. We need to think. We need to work as a team.
What’s your pitch to potential majors?
Cybersecurity is one of those fields that is constantly changing. If you want to have a job where you’re never bored, one that’s constantly changing, constantly pushing you, constantly forcing you to think around a problem, cybersecurity is the way to go. It really is. Plus, you get to help people and organizations.
Not everybody who wants to come into cybersecurity is going to be successful. You need the right mentality. And by that, I mean you need to be persistent. You can’t quit. You can’t give up when you fail. Because you are going to fail. We fail all the time in our industry. In the world of computer science and cybersecurity, you’re constantly failing. You just need to accept that and move on, understanding that you might not solve the problem the first three times. But you will the fifth … tenth, or even the hundredth time.
Interview condensed and edited for length, clarity, and style.