We were honored to talk to Richard F. Forno, Ph.D., who has more than 20 years of experience in the cybersecurity field. Dr. Forno helped build the first formal cybersecurity program for the U.S. House of Representatives as the first Chief Security Officer for at Network Solutions (operator of the InterNIC), and is considered one of the early thought leaders on the subject of “information warfare.” Today, he is the Assistant Director of the UMBC Center for Cybersecurity, an honors college in Maryland, as well as the director of its cybersecurity graduate program. Dr. Forno is also a SpiderOak fan.
1. How have you seen cybersecurity evolve since you’ve been in the field, and how would you describe where it is right now?
RF: Cybersecurity these days means much more than just people at computers guarding data and network resources. Yes, that’s where it started off decades ago when it was known as ‘computer security’ and existed as a small function of the IT department and treated as an administrative overhead budget item — but with technology, data, and networking permeating nearly every aspect of society, it’s taken on a much broader meaning and become a critical corporate function. Now, ‘cybersecurity’ can refer to nearly anything related to ensuring the security, availability, integrity, and resilience of the many systems and sources of data that form the foundation of modern existence — from protecting company (or national) secrets to personal health care and financial records, from the systems controlling water and power distribution in our cities to the widgets in our televisions, toasters, and electronic devices they all require some degree of security, assurance, and resilience since our lives and much of society depends on them. That said, I still believe cybersecurity — and by extension, privacy — is a state of mind and very much dependent on the context of any given situation to be effective.
2. Are you seeing more students that care about privacy and cybersecurity, or is it harder to attract people to your program?
RF: The former, absolutely. There remains a sizable global interest in cybersecurity education, from high schools and community colleges all the way through 4-year and postgraduate study. Recurring news reports of data breaches, website defacements, and denial of service attacks certainly help generate interest in the subject both personally and professionally.
That said, given the strong interest in cybersecurity, it’s important to set and manage student (or prospective student) expectations appropriately. Despite glorified portrayals of cybersecurity in the media, one can’t simply “wave a magic wand” and become a “cyber warrior” exclusively by a single college degree or certification exam … it’s a combination of fundamental and applied technical knowledge, social acumen, and the ability to understand the ‘big picture’ while exercising common sense that makes for an effective cybersecurity professional. Cybersecurity in 2013 is far more than just working with the bits and bytes….and by contrast, you can work in some areas of cybersecurity and not necessarily need a deep technical background to be successful or make a difference.
3. Are there any trends in cybersecurity or privacy that you are excited about or think are the future?
RF: I think the ongoing revelations from Edward Snowden are giving people and organisations around the world a useful opportunity to reassess how much they share online and/or what third-party services they use to store information and communicate, which naturally includes both privacy and cybersecurity considerations. That public discussion, in my view, is long overdue — normally folks rush to embrace new technologies first and then figure out if or how they’re dangerous, and usually only after something bad has happened. So in terms of privacy I am quietly optimistic that the pendulum may begin shifting towards people doing ‘less sharing’ – or, perhaps more accurately, leaving ‘less footprints’ around the Internet. At least they might start doing homework and determining what level of exposure (and to whom) they’re willing to live with and under what circumstances.
The last time I saw such heated public discussion about government intrusion into online privacy was back in the 1990s — first when the US government tried (and failed) to criminalise the distribution of PGP encryption software and then when the Communications Assistance for Law Enforcement Act (CALEA) was enacted by Congress to provide US law enforcement wiretapping capabilities on Internet devices — which was a faint foreshadowing of things-to-come under the ‘Patriot’ Act of 2001 and subsequent legislative proposals.
However, I’m encouraged to see security and privacy capabilities being brought to market and/or incorporated into software and devices. To many users, security and privacy technologies are hard to understand and implement — so I am pleased that more user-friendly products and services are making it easier for people to understand and manage their privacy and security exposure if they choose to do so. But by contrast, I worry about our obsession with creating the ‘Internet of Things’ — do we really need to have our home appliances, air conditioners, baby monitors, and automobiles constantly connected to the Internet? While convenient and perhaps fun or useful at times, what risks do they present to our security and privacy?
4. Tell us about how you came to your current role at UMBC, and what this graduate program is about?
RF: At UMBC I wear many hats. My primary role is directing our graduate programs in cybersecurity, which now is entering its third successful year of educating cybersecurity professionals to assume more senior leadership positions in the technology and cybersecurity industry. I’m also the assistant director of our Center for Cybersecurity, which serves as the University’s central coordination and outreach entity on cybersecurity education, research, and related activities to allow us to better interact with our many partners, prospective collaborators, and the public. And, through UMBC, I am co-founder of the annual Maryland Cyber Challenge — our state’s official cyber-competition.
As to how I got here? My cybersecurity career began in the early 1990s before the Dot Com Boom. Over that next 20 years I worked for a variety of government, military, and private organisations and thus not only was an ‘eyewitness to history’ in terms of cybersecurity and the Internet Revolution, but worked for some of the entities that helped shape it. Along the way, I remained interested in Internet policy, cyberculture, and how Internet technology influences modern society — which, obviously includes many cybersecurity and privacy issues.
After a while, my interests turned toward “giving back” to the professional community and sharing my lessons learned with the next generation of cybersecurity practitioners to help them improve the future and perhaps learn from our collective past. And thus I landed at UMBC in 2010 — certainly the right place at the right time to be working on this very timely global topic!
5. How long have you been a SpiderOak user?
RF: I learned about SpiderOak in early 2012 from a fellow academic down in Australia and signed up for the free personal account out of curiosity. Now, with the SpiderOak Hive capability, I expect to increase my account size and replace another popular realtime sync service I’ve used for years with one that places great emphasis on addressing modern privacy concerns for its users in a meaningful way.
We’re grateful to Dr. Forno for sharing his time and expertise with us.