A Cat and Mouse Game

Host: Deepak Saini, Media Strategist, Science and Technology Directorate, Department of Homeland Security

Guest: Donald Coulter, Senior Cybersecurity Advisor, Science and Technology Directorate, Department of Homeland Security

[00:00:00] Donald Coulter: This is really a cat and mouse game that's going to continue to go back and forth, similar to how we have done over in the cybersecurity domain forever, where adversaries are going to be looking to use AI tools to develop more, attacks, develop quicker and develop more effective attacks, and we are going to be looking at AI to give us a chance to identify attacks more quickly and respond to those more effectively.

[00:00:26] Dave: This is Technologically Speaking, the official podcast for the Department of Homeland Security, Science & Technology Directorate, or S&T, as we call it. Join us as we meet the science and technology experts on the front lines, keeping America safe.

[00:00:40] Deepak: Hi everyone. Welcome to this episode of Technologically Speaking, my guest today is Donald Coulter, who is a Senior Cybersecurity Advisor for the Department of Homeland Security, Science and Technology Directorate. Donald, welcome.

[00:00:54] Donald Coulter: Hi. Thank you for having me. It's great to be here.

[00:00:57] Deepak: Are you a little bit nervous?

[00:00:59] Donald Coulter: Of course, but no, I'm excited to talk about this. I love, cybersecurity and I love the research that we do here, so I'm excited to talk about it.

[00:01:06] Deepak: Well, you're in good hands. All right, so I'm really excited to talk to you. I'm very interested in cybersecurity and it's such a big word and there's so much to get into, but here's where I want to start. What is a cybersecurity advisor, you know, anything with an advisor title always sounds a little bit mysterious, right? Like, are you a sage sitting in the corner who's activated when people need your advisement? Or how does your role work?

[00:01:32] Donald Coulter: Yeah, so that's a great question. The primary responsibility that I have is to one, be on deck as a subject matter expert for the department, especially from our R&D and science and technology mission, to be able to understand and make recommendations about the technical approach that we are taking towards some of our programs from a cybersecurity perspective, as well, and especially, in our cybersecurity, R&D efforts specifically, and making sure that it's based on latest, and greatest advances in the domain and that we're taking into consideration how academia and industry and governments are all pushing the limits and the state of the art, and that we are incorporating that into our research agenda and applying that effectively to the DHS mission.

[00:02:24] Deepak: What led you to becoming a cybersecurity advisor? Is this something you always wanted to do as a kid, or did you have something different in mind then?

[00:02:33] Donald Coulter: Yeah, so I think I've always loved computers, my family got a computer that got internet and we had old, I think Juno service way back in the day. And I had all those AOL CDROMs, so one of my first forays into kind of computer security is probably all those chat rooms and people like hacking in the chat rooms and like booting people out, or like taking over the screens and displays and putting their own content in. So, thinking through how to protect yourself from that, and hackers trying to, whether we were just having fun or actually being truly malicious, just thinking through those things and how can we use our technology securely has always been interesting to me. I have multiple passions. I actually came up in the band program and I actually went to a college on a music scholarship for playing tuba. So, I was always interested in the arts and in the sciences and engineering, but ended up making a switch to Computer Science and, Software Engineering as my passion. I got into cybersecurity more specifically during my time when I worked for the Army as an Army Material Command fellow, and I was working on smartphone, and personal digital assistant programming, so I got an opportunity to, work on and program as an information assurance engineer and learning how do we build in protection and security into our software systems while we were developing the systems?

So that's how I really got into it. And I really opened my eyes up to not only how do you develop software, but how do you develop it securely because by default a lot of our software engineering and computer science discipline programs, from an educational perspective, they don't really talk about security. They don't talk about the risks, that we're putting into our software by default if we're not thinking about how users will misuse and abuse these systems that we're creating. I've just been interested in it ever since.

[00:04:25] Deepak: So, I want to go back to a little bit about your experience with the US Army. What was it like to support the Army Development Command at a time when we were in the throes of wars with Iraq and Afghanistan?

[00:04:37] Donald Coulter: Yeah, it was a really informative time, a really challenging time. Obviously, working for the Department of Defense in the Army, it's similar to how it is here at the Department of Homeland Security. You have a deeper sense of purpose, and you know, what you're building is going to be used by people that have an important mission and are putting themselves in harm's way. So, there's always a deep sense of we are developing software and capabilities that will protect our soldiers and our war fighters and increase the likelihood that they'll be able to come home safely after having done their job well. It was an exciting time, and a time to learn a lot, and grow a lot.I was able to work on crypto systems. I was able to work on mission command systems. I also spent some time as the Deputy CIO and worked on an IT management system. So a lot of different variety and background, and it gave me an opportunity to become the first science and technology advisor for the network cross-functional team, right when the Army was setting up their new four star command, which was called, eventually called, Futures Command.

[00:05:40] Deepak: Looking back on your experience there all these years later, what are you the most proud of during that time?

[00:05:47] Donald Coulter: Yeah, that's a great question. I think I am, overall, I'm probably proudest of the fact that I got to work with so many great people. I got to learn and influence so many systems across the Army.

[00:05:59] Deepak: So, let me lay out some stats, I'm going to go over a few here, according to a study by the University of Maryland there's a cyber-attack every 39 seconds. Last year there were nearly 500 million ransomware attacks detected worldwide. And then government, technology, and retail, and healthcare seem to be some of the most affected industries. When I read this, it makes my head want to combust, how does someone in a role like yours even begin to tackle this? Like where do you even start?

[00:06:30] Donald Coulter: So that's always been an interesting challenge, especially in this domain where you have cyber-attacks and other problems going on on a daily basis that are facing these chief information officers and chief information security officers and IT staff on a daily basis. It's often difficult to convey and communicate how important it is to invest in and conduct research and development activities that will lead to protecting your systems, three years, five years, ten years, in the future. So that's always a challenge. In my role, I have to make sure that I keep cognizant of what's happening on a daily basis, but I'm also stepping back and thinking about what are the underlying challenges or risks that are, or properties of our systems that are putting us at risk for these attacks. And what can we do to fundamentally eliminate or significantly reduce broad classes of attacks?

[00:07:30] Deepak: Do you feel like, do you feel like these threats are like weeds? It's like if you take care of one, then two sprout, if you take care of two, then four sprout, right? It seems like you're always either trying to play catch up or get ahead of the curve, but there's always more around the corner.

[00:07:43] Donald Coulter: They are always around the corner, and I think if I'm taking the weed analogy further, we are not trying to just pull weeds. That is a lot of the job of what our current, system and cyber operators and defenders are doing. They constantly have to respond, whack-a-mole, to each situation. What we're trying to do is put them in a position where they will have to respond to fewer of these things in the future that will make it harder for adversaries to attack our systems and increase the cost of, and effort that it takes, to do that, so that we are defending, fewer, smaller issues that we're taking care of without distracting our people. Because our people, we have some of the brightest and smartest and capable people in the world protecting our networks and we need to make sure that they're concentrating on those challenging problems, and mitigating those as best they can. So if we can equip them with more fundamentally secure technologies by default, that will free them and enable them to concentrate on even harder problems.

[00:08:44] Deepak: Earlier this year S&T released the technology center's research agenda, which basically provides a strategic framework that aligns and focuses our research portfolio, basically communicating priorities over the next three years. How hard was it to down-select the priorities, and is there a focus area you might be particularly passionate about within that agenda?

[00:09:07] Donald Coulter: It was very difficult to down-select, or even identify, the areas that we wanted to focus on. This is a living research agenda that will continue to grow and evolve as our research continues and as we learn more. I would also say that our research agenda is multidisciplinary interdisciplinary. We focus from a cybersecurity and communications resiliency perspective. We wanted to focus on classical things that are always going to be important to us from a data-centric security perspective and a software and hardware assurance and resilience perspective. Because those are always going to be true, right? Cybersecurity is fundamentally about increasing and preserving the confidentiality, integrity and availability of your information, your data, and your systems. And we think about them when we think about the increased proliferation of operational technologies and cyber-physical systems. We have to also expand our focus on things like safety, as well. We're really looking at opportunities not only to think about traditional cybersecurity areas, but to look at that intersection between other areas of research that we have going on, including other advances in computing technology, advances in artificial intelligence and machine learning, advances in quantum information systems, and computing as well as advances in biometrics and identity capabilities. So, there's a lot of intersecting areas and domains, and I think the really interesting thing is that intersection between cybersecurity and these other technical domains, as well as thinking through, “How do humans better participate in these cyber-physical operations that we're doing?”

[00:10:45] Deepak: Let's focus on the intersection of AI and cybersecurity. We hear so much about AI, like so many different federal government agencies and also private sector agencies are either using it or using tools like it, right? It's informing a lot of our programmatic day-to-day ability to save time, be more efficient. But of course, there's obviously a lot of bad actors that use AI as well, to harm a lot of our interests. So how do you define the intersection of AI and cyber security in the world we're in today?

[00:11:19] Donald Coulter: I look at it from a couple of different perspectives. One thing that we have to do, as we realize that there's going to be an ever-increasing expansion of the uses of AI for our missions, which does provide this really enhanced capability, right? We have to secure those systems. And the way that we do that, although the goal is still preserving the availability and integrity of those systems, as well as preserving the confidentiality of the data that's going into these systems, how we train them, and what is inside of these models? We have to preserve that, and that includes preserving the privacy and protecting the privacy of people and or information that's going into these models from a homeland security perspective. So one thing we have to do is really focus on securing these AI systems.

Secondly, we have to focus on, and I'm excited to focus on how we can use AI to help us in our cybersecurity mission, right? So these things are increasing our ability to automate certain processes. They're increasing our ability to take in more information and make, increasingly make, sense of increasingly complex situations and make recommendations about how to address and mitigate risks, which is going to be critical, especially as I talk about the third area that we look at it from, protecting ourselves from adversarial AI based attacks. So this is really a cat and mouse game that's going to continue to go back and forth, similar to how we have done in the cybersecurity domain forever, where adversaries are going to be looking to use AI tools to develop more attacks, develop quicker and develop more effective attacks, and we are going to be looking at AI to give us a chance to identify attacks more quickly and respond to those more effectively. Not only are we going to use it to identify and respond quickly in real time, we're using AI to help us identify where those risks could be and develop and design those out of the system in the first place. To help us develop systems, and software, and capabilities, that are secured by default.

[00:13:24] Deepak: I feel like there's so much misinformation or misunderstanding about AI in general. Are there any common threads or misunderstandings that you would like to point out, and perhaps provide a little bit of clarity on those?

[00:13:38] Donald Coulter: Sure. So one of the areas that people seem to always talk about with AI is that it's magic, and it'll solve all of our problems, or that it's going to take over the world and eventually destroy us all. But actually it's a tool and it's a tool in our toolkit. And even as the technology gets more capable, there will still be risks associated with using it, and that we need to think through how to use it effectively.

One of the things that I'm most concerned about using AI is thinking through how humans will interpret and make judgements and assessments of the recommendations and the actions that it's taking and thinking through what is that situation? Because ultimately we're building AI capabilities, AI-based capabilities, that will make recommendations or take actions that we would never be able to think of, even if we had more time. To look at all the data and digest it. It sees relationships and opportunities that we just fundamentally don't notice over time. So we need to think through how we will deal with that and how will AI and human teams come together to make decisions about how to protect our systems and our networks.

[00:14:47] Deepak: Where do you see this going in like five to 10 years from now?

[00:14:51] Donald Coulter: Yeah, that's an excellent question as well. And trying to predict where technology will be in five to seven or more years is a fool’s errand. But it's the job that I took on, I must be foolish, but I do think…

[00:15:04] Deepak: I like that though.

[00:15:06] Donald Coulter: ...AI will continue, and the technologies will continue to proliferate and be embedded in all the technologies that we have. I suspect that we won't even be thinking too hard specifically about the concept of AI in five to seven years because it'll be so ingrained in all the technologies that we have. We'll probably have it in our glasses and contact lenses, and all types of stuff. I really think it is going to be somewhat kind of pervasive and fading into the background from a general person's perspective, and thinking about it, but it'll still be a part of how we operate and live, if that makes sense.

[00:15:42] Deepak: No, that does, that makes a lot of sense. I feel like technology has advanced so rapidly, so fast. There's no guidebook that tells us how to address this, how to get around it, right? We're having to try to stay on top of it and figure it out as we go. What would you like the common everyday American to know about cybersecurity, about AI, especially things that could either help them, protect them, things to look out for?

[00:16:10] Donald Coulter: Yeah, I think everyone should know that with great opportunity from a technology perspective, there are risks and challenges and you just need to think about. I'm very excited about the technologies and as they grow, I'm always in the room every time we talk about risk management and threat responses, I'm always trying to inject some conversation about the opportunities that these technologies provide us. I just want us to all think through when we're creating these technologies, what can we do to make sure we're designing and developing them securely and that we're giving them to people in a state that is secure, even when we give it to them, secure by default, if you will. If we can do that as a society, and we can start training ourselves to think through how we can use technology to achieve our outcomes, but we can think about, alright, how can we protect ourselves from unintended consequences, and misuses? And that would be great for us.

[00:17:06] Deepak: So like how does your family like figure this out in their head with you?

[00:17:10] Donald Coulter: I don't think they do. My mom still calls me to help her with Word or something. She has like some type of spreadsheet she wants to make and she still like, calls me to fix that. I'm not sure that they fully get it, but I, in the simplest terms, I help make sure that the systems and the technologies that we use, in our Homeland Security missions, are secure and that our adversaries and people that don't want them to operate effectively and don't want us to be able to accomplish our goals, we make it more challenging for them to affect us. And that's such an important mission when you think about everything that we do. When, if I, and sometimes they can glaze over, right? Like, okay, protect all the technology, great, but then how real is that to someone?

Depends on how much they're interested in technology, but when you talk about all the other things we do, when we talk about, alright, we have systems at the border that are helping us track and understand who's coming in and who's going. And we need to make sure that the information is telling our border patrol folks is accurate and it's available online so they can do their job. Like, okay, that makes sense. When we say, “Hey, there's a natural disaster, we’ve got to know where people are, where the issues are. And we’ve got to have ground truth on the information about who needs what resources, when and where. And that's got to be accurate and available to them.” Ah, that makes sense to people. So when I just try to put in into terms that they can really relate to.

And the best thing from a cybersecurity perspective; I don't want people worried about me. If people are calling me or especially because there's an actual specific cyber problem, you don't want that. Like the dream of every like CIO and CISO is that no one ever calls them because everything is just working perfectly.

[00:18:53] Deepak: Yeah. that is definitely the dream, right? That's all we can always really hope for, right? Is just that the work we're doing is impactful. Talk to me a little bit about, I want to get a little bit into the nitty gritty when it comes to going behind the science, behind the development process. When you look at, you know, big data, or systems of systems, what does that mean to you?

[00:19:16] Donald Coulter: These are where emergent properties give us such challenges, right? We're developing these building blocks and we're trying to secure them and make them do what they're supposed to do. But oftentimes it's hard to predict some of those qualities that come once you converge systems together. You have new things talking to each other, and maybe you didn't envision them talking to each other when you first created them. So a lot of research and a lot of think thinking goes into how do we make application programming interfaces, or APIs, secure. Because there's a lot of advances in terms of thinking through how to expose as much functionality from your particular software application as possible when you're developing it. But then once that exposure also gives you exposure to risks, right? How do we protect systems of systems? How do we protect systems that are not owned by the same organization, the same people? How, when we have multiple organizations that are all a part of our critical infrastructure that are not all just government owners and operators, that we have private partners as well, that are part of the system, they have proprietary and sensitive information that they need to protect for their intellectual property and for their operations effectively. And yet we have larger systemic concerns that go across the boundaries of any one individual organization. How do we get those systems to share enough information to advertise and let people know that, hey, I've just seen a new threat, I want everyone to know about that, and get that information out. And then as my systems are become more resilient and we build defenses, either manually or automatically, eventually, like how do you share that information across those boundaries while preserving the confidentiality and privacy of sensitive information?

[00:20:58] Deepak: I do want to go into one more personal thing. I feel like it's fascinating to learn about like how much you love and geek out over cybersecurity, right? You're the cybersecurity advisor at DHS S&T, but then I feel like music and the arts has also been such a big, impactful part of your life. So, I remember, and you'll remember this too, because I feel like we're relatively the same age, but do you remember Drumline with Nick Cannon?

[00:21:28] Donald Coulter: I do. Yeah,

[00:21:29] Deepak: Yeah. So that came out around the same time you were in the marching band when you were getting your bachelor's in computer science at Bethune Cookman

[00:21:37] Donald Coulter: That's true.

[00:21:39] Deepak: So that movie elevated and finally gave band kids a cool factor that was long overdue. So, curious about like, what that experience was like and then do you feel in some sort of way your experience with, you know, jazz bands, marching bands, and music in general, has, does it somehow influence or, kind of shape your cybersecurity role that you do today?

[00:22:02] Donald Coulter: Yeah. I, it absolutely does. And in fact, it's funny you brought that up. I was actually in Drumline, so that was…

[00:22:08] Deepak: That's so cool. You were?

[00:22:11] Donald Coulter: …I was, yeah.

[00:22:12] Deepak: Okay.

[00:22:13] Donald Coulter: And I promise we did not prep that, but I was actually in the movie in the Battle of the bands at the end of the movie. When they had several schools come in, I played for Bethune Cookman College, the best band in the land, and, so I got an opportunity to go on set. I was in Atlanta when we were filmed. We got to record everything. Got to eat and meet Nick Cannon and all the stars in the movie and everything. It was great. Yeah. So that was an awesome experience for sure, and, yeah, but certainly that thinking has always been a part of my life. Being able to think, and train, both from a classical perspective and from a jazz, perspective, and improv perspective, being able to apply that, to think on the fly, and things that, maybe a common misperception of thinking that improv is just like, no rules, and not thinking. It’s quite the opposite.

The best improv, improvisational artists, really, it's, you do know the rules. You know what key you're in, you know where the changes are going to go, and you know what tempo you're at, and you know where the music is going, what the theme is. So, it's using the constraints, the limited constraints you have to make art and make advances in the same thing in the cybersecurity world, right?

You think about cybersecurity and it often seems like there are rules and constraints to bog us down, lock down our machine, so that we can't do anything. But in all actuality, it's really actually a framework that we can use to inspire us to be more effective with the technology and the way that we operate - but do it in a way that is secure.

[00:23:41] Deepak: I love how you're talking about this and you can make that cybersecurity and then also that musical-arts connection. So was one of your first sort of experiences with cybersecurity dealing with the AOL chat rooms and did you ever try to hack into them?

[00:23:58] Donald Coulter: Oh, yeah, we got into mischief, but that ultimately kept us passionate about like, learning what can this do, and so that's - I think a lot of engineers and scientists and technologists ultimately they can look back to like they took something apart and put it back together. And I didn't really do that with hardware things and stuff so much, but software and computers. I'd love to just like, “what can I click on?” “Where can I go,” “What can I type in this thing?” “How can I make this thing act differently than the limits that they try to put around it and see what I can do with it?” So yeah, I remember all the AIM days, the chats and all that stuff.

[00:24:32] Deepak: So, you know, S&T has such a big workforce, so does the entire department, I think sometimes you don't always get a chance to interact with every single person, so if there's anything you would like to share with the workforce just about, like, anything you want them to know about you or the role that you do, or maybe just even the passion you have for your job, or just kind of what really resonates and sits in your heart about S&T, go ahead and share that.

[00:25:00] Donald Coulter: I think what most resonates with me is just the opportunity to work with such a diverse set of people from backgrounds, from perspectives, from science and technology, perspectives as well. And I think that, I'm excited to be in an organization that has that scientific focus, that technology focus, and that really encourages us to work across our boundaries, to break down those silos, and work collectively as a matrix to really deliver innovative capabilities, because I think that's where the most interesting advances are happening in our science domains. It's really at those intersections of multiple disciplines. That's where we're going to make the biggest breakthroughs, and that's where we're going to define the greatest successes.

[00:25:47] Deepak: Can you talk about specifically what S&T is doing in this space and if there's any specific projects you've supported?

[00:25:55] Donald Coulter: So, S&T is doing a lot in the cybersecurity space. One from a tech technology center's perspective, we are actually just embarking on some research that's going to be looking into a couple of areas. One of them is looking to shared intelligent resilience, which the concept really there is about how do we look at our systems that we use from an organizational organism perspective, and how can we increase the herd immunity to attacks by detecting new and novel attacks, and propagating that threat information and that risk information. And then also using artificial intelligence to help us develop mitigations to those attacks and to spread that information back to people again, across, not only system boundaries, but organizational boundaries.

How can we share the right information across these systems to help them automatically detect them and prevent risk to them? Similar to the challenges we face when we see typical viruses out in the wild. Another area that we're very interested in is looking at how to counter adversarial AI - based attacks, especially when we think about that in the context of operational technologies like industrial control systems and SCADA systems.

[00:27:12] Deepak: Definitely takes a lot of team effort on everyone’s part at S&T. You brought up SCADA systems. Can you define that for us common folk?

[00:27:23] Donald Coulter: Yeah, so SCADA systems are, Supervisory Control And Data Acquisition systems. So again, these are just kind of hardware - physical systems that help us understand or control some of these physical systems. That's really the interface and software that we often use to supervise and control a lot of these operational technology systems that we have. So, we're looking at not only how do we look at what are some of the intrinsic vulnerabilities and risks associated with operational technologies as they continue to proliferate and integrate with traditional information technology and communication systems. But how can we address, and prevent, and mitigate the risks from adversarial uses of artificial intelligence in that context. Furthermore, we have large programs that are working more directly with our components as part of our CISA R&D portfolio. Two major ones, or three of the major ones we like to talk about and focus on. One is called CAP-M, which is the CISA Advanced Analytics Platform for Machine Learning. And that one is focused on enabling cyber-analytic activity and automating that and enhancing the cyber defender and network analysis capabilities through cloud capabilities and artificial intelligence.

Another program we have is the Cap C, which looks at malware analysis and supports some of our threat focused reverse engineering capabilities and threat hunt capabilities. So, there's a bunch of different approaches that we're using to really automate and expand our ability to take software and break it apart and understand what's happening and identify where there may be malicious content or capabilities built into that software.

And another major area for us is software assurance. We look across a lot of open-source software is embedded in our critical infrastructures. So we have programs that are looking at how do we identify and secure, how do we identify potentially risky or harmful elements within our open source software? How do we identify where we're relying on various open-source packages, and how do we make sure that we understand the risk that we're accepting by utilizing them? Instead, we have visibility so that if we identify some risk while we're using these systems, we can quickly identify and mitigate that risk.

And so we're doing this not only internally with DHS and with the R&D community, but a lot of these are operated in collaboration with academia and industry. We utilize our Silicon Valley Innovation Partnership office as a key partner in this. And we also use our international cooperation office as a key partner to help us solidify relationships with some of our international partners and identify opportunities to embark on collaborative research there. So we're formulating and utilizing our connections, to increase our capabilities by partnering with other people as well.

[00:30:26] Deepak: Donald Coulter, this has been such a great conversation. I've really enjoyed learning a lot about you as a person and then also just what you do for a living, my fellow colleague at S&T. So, you've been hearing from Donald Coulter, who is a DHS Science and Technology Director and Senior Cybersecurity Advisor. Thank you so much, Donald, for being on. We've really enjoyed talking to you.

[00:30:49] Donald Coulter: All right. Thank you so much for having me.

[00:30:52] Dave: Thank you for listening to Technologically Speaking. To learn more about what you've heard in this episode, check out the show notes on our website, and follow us on Apple and Google Podcasts, and on social media at DHS SciTech. DHS SCI TE CH. Bye!