People of ACM - Josiah Dykstra

February 2, 2021

You have said that, when you were receiving your PhD in 2010, the field had almost no focus on cloud forensics. How is the cybersecurity field doing now in terms of digital forensics for cloud computing?

Cloud forensics has evolved significantly in the past decade since I began my work in that area. Today, there are more cloud-native logging and forensic support capabilities, and commercial tools for investigating cloud incidents. Advances continue and nearly every year there is a new research paper on cloud forensics at the Digital Forensics Research Conference (DFRWS) and other digital forensic research conferences. This is good news, since hackers are going after the cloud more than ever before. In December, for example, NSA released an advisory on detecting abuse of authentication mechanisms, including cloud mechanisms.

As with all technology and cybercrime that continues to evolve, there is always more to be done. Even now, I am working with the Enduring Security Framework, a government/industry partnership on cloud security for 5G.

In December 2020, a massive hack was uncovered that compromised many US federal agencies, as well as private companies. The origin of the hack was traced to malware that was attached to software from SolarWinds, a Texas-based company. What key recommendation(s) would you offer to prevent something like this from happening again?

Cybersecurity is about risk management. There have been some serious and significant incidents that need remediation. Unfortunately, history suggests that there is also a near-100% guarantee of new incidents or data breaches in 2021. As a result, my first recommendation is to understand your risks. Before deciding what or how to protect your assets, one must first understand what’s valuable and needs protection. My second recommendation is to hire some staff with skills in two nontraditional areas: economics and human factors.

The reason we need cybersecurity is because we have human users, human developers, and human adversaries. I regret that I didn’t take any courses in Psychology or Economics during all my Computer Science education. These are essential to the profession and practice of cybersecurity. My third recommendation is to ruthlessly practice basic cyber hygiene starting with keeping systems patched. Patching may not stop a dedicated nation-state attacker, but it raises the cost for all types of malicious cyber actors. I am very thankful for advances in automatic updates that allow systems to stay updated with minimal human effort.

The importance of human factors in cybersecurity has been another focus of your research. Will you briefly discuss a central insight in the presentation “Stress and Hacking: Understanding Cognitive Stress in Tactical Cyber Ops,” that you co-authored with Celeste Paul?

It took me many years in the profession before I recognized the importance of humans in cybersecurity. I spent seven years doing tactical cyber operations like penetration testing. When I transitioned from that work to a role in research, one thing that interested me was studying the human impact of cybersecurity work, including stress and fatigue. With my experience as an operator, I asked Celeste—a colleague and expert in human-centered computing—how we might measure cognitive workload. Together, our research produced some of the first data showing that tactical cyber ops increase fatigue, frustration, and cognitive workload. Because the work is important and failure is not an option, we observed that participants achieved high performance no matter the workload.

We published and released our Cyber Operations Stress Survey to help others evaluate their own workforces. We also recommended that employers review their policies on breaks, scheduling, and operation length. Empowering operators with happy, healthy work environments can help lower stress and fatigue. Importantly, this isn’t about free food, but about the extent to which a person feels that they have control over their lives.

You are also interested in the use of augmented reality for cybersecurity applications. Will you give us a few examples of how augmented reality might be an effective tool in the cybersecurity realm?

I am very interested in opportunities to help the cybersecurity workforce be more effective in their work. That can take many forms, from automation to augmented reality (AR). Several years ago, I began to wonder if AR might offer advantages as an interface for understanding network anomalies. We built a prototype using Microsoft HoloLens and compared it with traditional 2D visualizations. The evaluation showed potential but it was so new that users had difficulty quickly learning it.

AR continues to show promise as the technology matures, and I can foresee uses in training, maintenance (e.g. servers in a datacenter), and planning (e.g. traffic moving around a network). This work intersects with the study of cognitive workload, since the Stress Survey could be used to measure change over time in pilots of technology such as augmented reality.

Josiah Dykstra is a Technical Fellow in the Cybersecurity Collaboration Center at the US National Security Agency (NSA). Prior to his current role, he held a variety of technical and leadership positions at NSA, including as a senior researcher within NSA's Research Directorate studying computer network operations. His research focus areas have included digital forensics, cloud computing, network security, cybersecurity science, and human factors. Among his many publications, Dykstra authored the book Essential Cybersecurity Science.

He has received numerous awards, including the Presidential Early Career Award for Scientists and Engineers (PECASE), a Galileo Award from the Director of National Intelligence, and an NSA Research Team of the Year award. Dykstra is an ACM Distinguished Speaker and was recently named an ACM Distinguished Member.