The Software Engineering Institute, operated by Carnegie Mellon University as a federally funded research and development center, has a new director at its CERT Division. That director, Greg Touhill, a retired Air Force brigadier general and former federal chief information security officer, joined Federal Drive with Tom Temin to discuss his new role.
Tom Temin: Greg, good to have you back.
Greg Touhill: Hey, thanks, Tom. I appreciate being here with you.
Tom Temin: First of all, just remind us what happens at the CERT Division at the SEI, which I think people recognize is one of the premier software engineering loci in the country.
Greg Touhill: Well, Tom, I’d have to say that the Software Engineering Institute isn’t one of the premier software engineering loci, it’s the center of the universe, I think, for software engineering excellence. The Software Engineering Institute has been around since around 1984. And in the aftermath of the Morris worm catastrophe in the late ’80s, the Department of Defense chartered the CERT Division to serve as a focal point for best practices and computer emergency response. And CERT now goes by the trademarked acronym CERT, but originally it was the Computer Emergency Response Team. And now, it’s been a recognized world leader in cybersecurity and one that I’ve worked with throughout my military career, my government career, and my time in industry. So, I’m delighted to join this team as we partner as part of that public-private partnership doing federally funded research and development, working with industry. And ultimately, our mission is to reduce the risks to national security and national prosperity by strengthening the cyber ecosystem. And I’m very honored to work with these world-class big-brain experts in cybersecurity.
Tom Temin: And this whole idea of emergency response or just response, whatever the case might be, seems to be more imperative than ever, given the scope and sophistication of some of the big attacks that have happened literally in the last six months. So is that what the CERT Division is looking at in trying to develop contemporary ways for agencies and organizations to respond?
Greg Touhill: Well, that’s an excellent question. And as we take a look at just the name itself, getting away from the acronym, computer emergency response, I think, was a strategic move several years ago, because we don’t want to necessarily be in a reactionary mode, we want to be lead-turning issues and solving them before they become problems. And as a research organization, we are working with our partners in government, in the military, and in industry to better secure that cyber ecosystem. And at the SEI, the Software Engineering Institute, we have a team that is working to promote secure coding practices, and tighter and better code, that is secured by design. In the CERT Division, we are working with folks who are creating code, we’re analyzing a whole host of different things from malware to vulnerabilities, we identify best practices, we help organizations with risk and resilience, and their business process. And our researchers are actually on the forefront of providing capabilities such as, what we call OCTAVE, an Operationally Critical Threat Assessment and Vulnerability Evaluation, where folks can come in and assess their own risk and resilience by using the frameworks and models that we are developing through our research. And we want to lead-turn the cyber ecosystem and harden it before the bad guys can exploit it. And that’s going to be a constant challenge for us. And now, the supply chain is increasingly at risk. And we’re at the forefront of trying to secure that supply chain.
Tom Temin: Let me ask you this question. What about hackers and that type of penetration testing, as opposed to analysis of code as it’s developed? And it’s true people are analyzing code in more frequent blocks in the DevSecOps type of model. But do you think that external white hat type of penetration testing has a role in all of this?
Greg Touhill: I do. And I think from my time in federal government, as well as industry, I’ve seen a lot of efficacy, working with the researchers and casting the net. The bug bounty program that we put in during my time in .gov service really was paying off extremely well, not only in .gov, but also .mil. And we’ve seen that in the industry as well. So, as we take a look at cybersecurity writ large, it’s all about risk management, and it really is a team sport. And within the CERT, we serve as kind of a center of gravity for information sharing, research, and working across the aisle, as it were, between the industry, within government, within military, and with academia, as we try to help build that cyber ecosystem to be stronger and more resilient.
Tom Temin: We’re speaking with Greg Touhill. He’s the new director of the CERT Division of the Software Engineering Institute at Carnegie Mellon University. And you were a federal chief information security officer, among many other federal roles. Now, there is a new one appointed. There’s a whole new panoply of people. The division of DHS, that you were part of, has been reorganized into CISA. A lot has changed. What do you think this group of leadership, now freshly in place, needs to do next to keep the cybersecurity mission kind of furthering itself?
Greg Touhill: Well, thanks, Tom. I’ve been really delighted with many of these appointments. Chris DeRusha, who’s the new federal chief information security officer, used to work with me at DHS, and was a member of my staff when I was the federal chief information security officer, and Chris knows the .gov space extremely well. And his experience in industry with Ford, as well as the states, serving as chief security officer at Michigan, will serve him well. From a strategy standpoint, I’m really encouraged that in .gov, as well as .mil, the strategy is now pivoting, as I’ve been calling for, towards a zero trust approach as a strategic initiative. And Eric Goldstein, for example, who is now at CISA as the executive assistant director for cybersecurity, he was at DHS with me and used to work on my team when I was there, Eric brings some great experience, not only from his DHS time, but also from industry working with Morgan Stanley. And I see, not only that, but from Chris Inglis as the national cyber director, Anne Neuberger at the National Security Council staff, all the way down. Now we’re seeing a whole lot of alignment that’s going extremely well. And I think we’re going to be making some very strategic inroads, but the big challenge remains execution. And as I left federal service, you may recall, Tom, I said that I thought we had some really great policies. But we didn’t need really more policies, we needed better execution. And I think that’s going to be the biggest challenge for the new team that’s on board now.
Tom Temin: And let’s talk about DoD here for a minute, because they have launched a number of cyber initiatives, I think many of them when you were still there, that have flowered into whole new branches, whole new offices. And DoD has now their supply chain initiative going on in the CMMC, and so forth. What do you expect to see there?
Greg Touhill: Well, there’s a lot to unpack there. But let me just say that when it comes to the cyber maturity model, we want to make sure that all of our suppliers, the defense industrial base, are in fact following best practices in cybersecurity, protecting intellectual property, which results in better national security. So, I’m very encouraged by the movement forward for the CMMC program, and I’m looking forward to seeing that succeed. We want it to be as streamlined as possible, so that it is producing results that are effective, efficient, and secure. And my team at the CERT Division has been part of that construct and continues to remain engaged in that as we move forward. And if you take a look at supply chain risk management, we at the CERT in the Software Engineering Institute have been working with the Department of Defense, which is our prime sponsor, to try to find means of encouraging secure coding standards, to develop better requirements documents, to basically help the Department of Defense, as well as other government agencies, be a better customer, be able to assess risk better, and help us get in there with industry so that we can help industry provide better and more secure products and code.
Tom Temin: So I guess the last question then, if anything is possible now that you’re moving to Pittsburgh, can the Pirates ever regain glory?
Greg Touhill: I’m very encouraged by where I’m seeing the Pirates this early in the season. Last night they won again, and I think that takes them to one game over .500. So, they’re on a roll.
Tom Temin: Greg Touhill is director of the CERT Division at the Software Engineering Institute. Thanks so much for joining me.
Greg Touhill: Thanks Tom. Thanks for having me on.