“Computers make excellent and efficient servants, but I have no wish to serve under them.”
Spock expressed doubts over the M-5 Multitronic system, a revolutionary tactical and control computer on board the Starship Enterprise.
He was right, as the M-5 eventually attacked four sister ships of the Enterprise, and had to be shut down.
That episode of Star Trek aired 51 years ago, but its message around careful considerations on deploying disruptive technologies resonates still.
So much so that Brig Gen (ret) Touhill, appointed by President Obama as the US government’s first chief information and security officer, calls NBC’s cancellation of Star Trek 50 years ago “a terrible tragedy”.
Touhill, now president of Cyxtera Federal Group, says however that the sci-fi series, movies, and subsequent spinoffs, continue to deliver great lessons on cybersecurity for networked enterprises today.
Plus, as he points out at the ISACA Oceania CACS conference in Auckland last week, he has been getting cyber lessons throughout his career “from looking at the box - of television.”
“I take a lot of different TV shows with risk discussions, but I don’t think you will be able to do better than Star Trek.”
Touhill’s career allowed him to have an unmatched view of cybersecurity across government and private sectors.
He joined Cyxtera Technologies after his CISO stint with the Obama administration.
Prior to this, he was a military officer, a diplomat, and also held civilian government roles. These include Deputy Assistant Secretary, Cybersecurity and Communications at the United States Department of Homeland Security; and Director of the National Cybersecurity and Communications Integration Center, where he led national programmes to protect the United States and its critical infrastructure.
He is also a board member of ISACA, an international professional association focused on IT governance.
At the ISACA conference and in an interview with CIO New Zealand, Touhill stresses that his views on ‘cybersecurity lessons from Star Trek’ (the title of his presentation) are his alone.
“I was not consulted or contributed during the creation, production, editing, or advertisement of any of the Star Trek television series or movies...but I wish I had,” he says, smiling.
He further adds: “I do not own a StarFleet uniform or tricorder, but I do have a communicator; my kids gave it to me as a present.”
For Touhill, the cybersecurity lessons from Admiral James T Kirk start with: “You have to learn why things work on a Starship”.
“Often, we lose sight of how things work. We are a plug and play society,” he says on a lesson for corporates.
“Make sure you understand how things work and why. Admiral Kirk knew that and used it to his advantage.”
Touhill has a strong message around complexity. “Complexity is the bane of security,” he contends.
“We make things too complicated for users, while making it easy for the attackers.”
He quotes Captain Montgomery “Scotty” Scott: “The more they overthink the plumbing, the easier it is to stop up the drain.”
The lesson for enterprises is this: “We need to make sure when it comes to security, it should be easy for the user, as well as the operator.
“Because if it is not easy, the users will work around it. At the same time, for the operators in the server room who have to build and configure all of the back office, if it is too complex, things don’t get done.”
“Security should be simple,” he concludes. “I want to make it easier for users, for the operators, but exquisitely difficult for the attacker.”
At the same time, he points out the traditional IT security perimeter is dead.
The Enterprise teams had tricorders and communicators. Like them, he says today’s enterprise teams are constantly outside the traditional security perimeter.
“We need to be changing our mindset on security from the castle moat type of thing and we really need to be changing the conversation on cybersecurity to a risk based conversation,” he says.
“We have to rethink how we do security,” he advises. “It has to be mobile, it has to be agile.”
“You never get risk to zero.”
He adds that, “People who manage risk to zero become paralysed and don't act. And in today’s cyber-enabled world, you need to be informed and making informed risk decisions at the top level.”
Another major lesson from Star Trek is the need to change the default password.
“If you have to have a password, make it sufficiently complex,” he emphasises. “That is a basic in cybersecurity in Star Trek.”
“This is the kind of password that puts the bad guys out,” he says.
The password used has over 50 characters, with three alphabetical characters.
It will take 14 vigintillion years (where one vigintillion is 1 followed by 63 zeros) with today’s processing power to break that code, he says.
This, according to Touhill, is going to be the way with passwords for quantum computing, an area that organisations need to pay attention to.
Quantum computing, he states, “is going to be transformational within our lifetime, not tomorrow, but pretty soon.”
He notes organisations can continue to use biometrics, but warns this has its own risks. “If that data gets compromised, you are not going to get a new retinal pattern or new fingerprint.”
Touhill calls on organisations to enforce “least privilege”, the concept that says users are only going to see information that they are authorised to see.
“All too often, we give too much privilege to people and they see more than they should see.”
“Always protect your industrial control systems, your supervisory control and data control systems and IoT,” he says.
“Your risk exposure is more than your server room and desktops. It is time for us to start thinking like the Star Trek folks and look beyond the horizon.”
Touhill also points out that “every computer can be hacked and every code broken”.
He says it is important the enterprise is as secure as it can be.
Know your software provenance
He further advises: “Know your software provenance, know where your code came from. There may be some hidden Easter eggs in your code, you need to be aware of that.”
In one episode of Star Trek, the crew found Deep Space Nine space station had some codes from the Cardassians ("not the Kardashians", he stresses).
“Do you know where your codes came from? Most folks don’t and they don’t invest in talking to their vendors to find out where their code comes from so they can better evaluate the risks.”
“That is part of your software supply chain, it is part of your overall supply chain.”
He also cautions that not every upgrade goes well.
Touhill asks, “When you do an enterprise upgrade of your software, do you have a backup plan, a failsafe type of plan?”
“A lot of organisations that do upgrades well invest in failover capabilities,” he says.
Organisations also need to securely back up vital data.
“Most folks don't know what their vital data is. When you do back up your vital data, you [should] know where it is and that you are doing it securely.”
Touhill then discusses one of the most talked about topics today - artificial intelligence.
In one episode, a Nomad space probe killed crew members, as it had been programmed to destroy any "biological infestation" that it considered imperfect.
“Be careful with what we do in pursuit of these machines,” he warns. “Artificial intelligence is not always good.”
“We who grew up in the military side of things, carry over to the private sector our scepticism over surrendering human authority to make decisions.”
“This is why we are proponents of augmented intelligence,” he expounds. “We want machines to help us make better decisions but we don't want to surrender decision-making to them.”
“There are some people out there who believe a properly coded and trained computer system particularly with AI algorithms out there, can in fact make discernible decisions faster and better than humans,” he notes.
“That may be so in some regards, but it opens a whole new risk of exposure.”
'Adversaries change, so should you'
Touhill says that as a cybersecurity and military professional, he recognises that adversaries change.
“We can’t be fighting yesterday’s battles the same way because the adversaries will always be changing their tactics,” he points out.
“We need to think like adversaries - hackers, criminal groups, nation state actors - when we are designing systems. We need to understand our information and protect it.”
He veers away from Star Trek analogies and quotes Frederick the Great, Prussia’s king in the 18th century, who said: “He who defends everything defends nothing.”
The lesson for today’s organisations is to “understand your information, your high value assets and start there,” declares Touhill.
“Don't try to implement equally.”
“Even good guys can change,” he states. Thus, he calls for organisations to adopt the ‘zero trust security model’.
“Zero trust is the way to go for all of us, because our enterprise goes beyond our borders.”
According to Touhill, organisations should keep in mind that learning never stops.
“We should all be investing in training all the time, because things change all the time.”
“Invest in your own holograph,” he advises.
“You need continuous professional education, not only for technicians in the server room. It is up to the CIO level.”
“The best CIOs lead up,” he stresses. “They make sure their boards, their fellow C-suite are continuously updated and kept abreast, are technically ready to make decisions.”
A leadership transition plan is critical, he points out.
“We need to make sure we are investing ourselves to grow the next captains in the journey - the next person to take our place.”
“I learned from Star Trek it is not the size of the enterprise that defines success. It is the leaders, the crew, who do.”
“So make the investment, continue your training; your education toward the next generation, have that leadership and succession plan.”
“You may not be at the helm, but you want to make sure you set the stage for the next generation of leaders.”
The next major attack: ‘Data poisoning’
“We have seen denial of service attacks and ransomware,” says Touhill, but he notes that a major cyber concern he sees in the near future is “data poisoning”.
“Instead of a ransomware attack, someone will come to you and say, ‘I have been watching you for a long time. I figured out you do your backups to six cycles. And I have hacked into your system and poisoned your data to all six backups.’”
“I will tell you where I poisoned your data and give you the inoculation so you can restore your data.”
However instead of paying one million bitcoins, the cost to unlock the data will be 100 million bitcoins.
This is a major concern because, “if you don't have trust in the integrity of your data, no matter what business you are in, whether public or private, lack of trust in your data can paralyse the organisation,” says Touhill.
He adds that one way to help promote a safer world is for organisations to behave like a “neighbourhood watch”.
“You make sure you are part of that information sharing and contributing as well as subscribing.”
“This way, you understand best practice,” he states. “You don’t want to make the same mistakes other people make, and if you make mistakes, you need to share that out.”
He says ISACA and other organisations are helping inform the risk management narrative and shape the conversation around it.
“Cyber is not a server room issue, it is a boardroom issue,” he says. “Cybersecurity needs to be at the top of the agenda and not an afterthought.”
He notes the important role of cybersecurity professionals in all this. “We want to make the world a better place.”
Like superheroes? He smiles, and says that in fact, “There are some comic books now that talk about cyber heroes.”
He cites the work, for instance, of Dr Chase Cunningham, co-author with Heather Dahl of the Cynja comic series. The series features 11-year-old Grant Wiley, a computer whiz who is also a cyber ninja or ‘cynja’.
“Don’t rest on your laurels,” he stresses, on another message for technology leaders.
“A lot of folks are still using 1990s-based technology and are failing in the 21st century world.”
“It is time to recapitalise not only the technology, but make sure people and processes are recapitalised and kept current.”
This, he says, is where things like software defined perimeter technologies are proving themselves most worthy.
He concludes: “Doing something different can be good, but you have to make sure you learn from the lessons of the past and have a clear vision of the future.”