People of ACM - Leigh Metcalf

April 9, 2020

How did you, a theoretical mathematician, end up researching cybersecurity?

I've actually been asked this question often, because my specialization is algebraic topology. That's the field string theorists use, so "practical applications" isn't high on the list. An algebraic topologist is often found in a university math department working on abstract theories, not working in the real world.

I think it boils down to two things. One, I love a challenge, and cybersecurity is a very challenging field. It requires the ability to look sideways at a problem and to be careful with your assumptions. Two, I really hate being bored, and this field is never boring. Frustrating, annoying, confusing, but never boring.

How did your experience working as a systems engineer and architect in industry shape your perspectives about how the cybersecurity field needs to adapt in the coming years?

I've been asked before what I think the biggest threat in cybersecurity is today and my answer hasn't changed. It's the users. Every security event that I had to handle in industry originated from a decision a user made. From "I'm going to click on that link" to "I'm going to ignore that policy," not to mention "I'm going to have that policy removed because it makes me click an extra time." As cybersecurity professionals, we would figure out what caused the problem on the user end, mitigate it, clean up the mess, and move to the next problem.

What this taught me is that security is an unending chess match with an infinite number of pieces. The malicious actor figures out a new attack that we don't have a mitigation for (i.e., puts us in check), we figure out a way to get out of that situation (getting out of check), and the game continues. The gold standard, of course, for each side is to find that mate situation. As a defender, I want to find a solution that prevents the malicious actor from ever affecting my security. As for the attacker, they want a solution that enables them to steal all they can. There isn't a perfect solution for either side, but we must continue the fight. The malicious actor is going to continually refine their approach to achieve their goal, while we, as defenders, must continually refine our mitigation strategies as well as our user education.

The only completely secure computer is one that has been turned off, encased in concrete, and dropped into the Marianas Trench. As that makes it completely unusable, we're going to be playing this unending chess match for a long time. We also need to educate users continuously. Complacency is a real problem, and the fact that this field is an ever-changing one should be reinforced.

In addition to fostering more dialogue and collaborations among researchers and practitioners, what are some of your key goals for the DTRAP journal?

I'd like DTRAP to promote evidence-based research in cybersecurity, by delivering results that have a grounding in science and are repeatable. I've read too many papers that say, "I have a method, this is my data, and here's the results." They skip the very important part of the method that allows them to achieve the results. If the paper says it has a solution to ransomware, then I should be able to read the paper, implement the method, and have a solution. Otherwise, why was the paper published? It just tells me you did something but not how you did it.

There is much discussion on whether security is a science. I think the recent paper "Practicing a Science of Security: A Philosophy of Science Perspective" summarizes the solution nicely. The field is challenging in itself, but we need to approach it in a structured way, with observations and analysis that are documented cleanly and clearly. The experiments done should reflect the real world as accurately as possible, not just laboratory conditions. If the experiment isn't relevant to the real world, then the result isn't applicable. We want applicable solutions presented in DTRAP, not theoretical lab-based results.

Both science and engineering are necessary in this field. We use engineering to create solutions and science to not only evaluate the solutions but evaluate the situation that requires the solution. Sometimes we do skip ahead of evaluation to create a solution—packet firewalls are a good example of that.

Information sharing is also a goal for DTRAP. Cybersecurity requires data in order to analyze events and discuss solutions. However, the data often found on the internet is either out of date or anonymized so much it isn't usable. The goal is to share the data of all the papers; however, due to privacy constraints, that isn't always achievable. The papers in DTRAP should describe data used in such a way that another person can construct their own dataset that is similar to the paper.

The cybersecurity field appears to change so quickly. What advice would you offer a younger colleague just starting out in the field?

When I talk to people about joining the field, I usually deal with a lot of misconceptions. They see movies or TV shows where the defense is done in real time. They think that I'm sitting at a keyboard fencing with the malicious actors and I can manage to keep them out with some magical programming. That tells a good story, but in reality, it isn't what happens.

What most students don't realize is that the field is huge. It's not just the technical side; there's also the social science, the legal, the political, and the business/economics aspects. All of this can come to bear in working in cybersecurity. I know researchers who focus on the human-machine interaction side of digital threats as well as those focusing on the economics. Saying, "I want to do cybersecurity" is a broad statement. No one person is going to cover all the fields that comprise cybersecurity.

My first question to these students is, "What about cybersecurity excites you?" Is it finding malicious actors? Then look at the situation awareness aspect of the field. Is it how the malware worked? Then malware should be your focus. What part of cybersecurity excites your passion? That passion is going to fuel your studies and move you forward in the field. Read news articles, research papers, technical reports, anything you can find. Find that thing that makes you think, "I wonder…" and dive into it.

Second, get involved. There are many open source projects out there; if you look, you can find one that excites you. There's also a huge amount of data available. If your chosen field is vulnerability discovery, you don't need to have a huge background to get started in it. Look for tools, learn what a vulnerability is, and go hunting. There are companies that will pay you if you find vulnerabilities in their products—start looking! Or, if malware excites you, you can find samples online. Start learning how to reverse-engineer using open source projects.

Third, learn a programming language. A scripting language like Python or Perl will help you in the field immensely. You don't have to know one to get started, but it will help you moving forward, letting you collate results, analyze patterns, or adapt tools to your situation. Not everyone who comes to cybersecurity has a technical background, but picking up the language can definitely help you. And don't forget your passion and your willingness to go figure it out.

Leigh Metcalf is a Senior Network Security Research Analyst at the Carnegie Mellon University Software Engineering Institute's cybersecurity (CERT) division. CERT is composed of a diverse group of researchers, software engineers, and security analysts who are developing cutting-edge information and training to improve the practice of cybersecurity. Prior to joining CERT, Metcalf spent more than 10 years in industry working as a systems engineer and architect.

Metcalf has presented research at numerous conferences and is the co-author (with William Casey) of the book Cybersecurity and Applied Mathematics. Metcalf is also the Co-Editor-in-Chief (with Arun Lakhotia) of the new ACM journal Digital Threats: Research and Practice (DTRAP). DTRAP seeks to promote scientific rigor in digital security by bridging the gap between academic research and industry practice.