Folk brings more than 18 years of experience supporting the national and homeland security communities, working in operations, intelligence, infrastructure protection, and cybersecurity programs for the DoD, IC, and DHS.
In this interview he discusses the challenges involved in working with several U.S. government agencies, approaching the insider threat, the resilience of the government cyber ecosystem, future threats, and more.
How has your background prepared you for your current role as Director of the HS SEDI FFRDC National Protection Division? What are the main challenges involved in working in this position?
I have had the privilege of being involved in a wide range of national and homeland security missions over the course of my career. At MITRE, a not-for-profit organization that operates federally funded research and development centers for several U.S. government agencies, I started out supporting the Department of Defense (DoD) on sensitive activities and special programs, then changed to an intelligence focus and, ultimately, to a homeland security focus.
Working across those three missions has provided me with a very strong foundation to address the challenges my team faces today. I’ve also supported the U.S. Navy, the Department of Energy, the FBI, the U.S. Intelligence Community and helped stand up DHS — it’s been very well-rounded and thorough exposure. I understand how these vastly different organizations and their missions intersect; they must work in concert with one another to help bring the right solutions to their individual national defense and security missions.
What's the most underrated digital threat to the critical infrastructure at the moment?
We have been intensely focused on securing the .gov and less so on helping commercial companies understand or appreciate the threat they face. A fundamental change to our cybersecurity game is to alter what we watch and what we share.
For the past 30 years, companies have primarily played a reactive game of “reduce the attack surface.” In other words, we have become obsessed with understanding ourselves and our own networks, our own devices. We have felt that if we can fully understand all of our infrastructure and the associated vulnerabilities, then we can use software products to mitigate threats by blocking malicious sites and patching systems to correct exploitable vulnerabilities. As with most complex problems, this singularly focused approach is not bad, but it is not sufficient.
The issues with this approach are many. Simply “reducing the attack surface” demands too close of a focus on identifying vulnerabilities in our own systems, an approach we have seen fail again and again for more than 30 years. It requires that we look inward and not outward. It assumes, at a time when systems are highly complex and connected to one another in ever changing ways, that it is even possible to understand all potential vulnerabilities. It also tends to focus on discrete incidents. And finally, when we only focus on vulnerabilities, it means that vulnerability information is the most valuable information an organization has to share with the government or other corporations who have joined forces with us in preventing cyber attacks. Many organizations are uncomfortable—and frankly, unwilling—to share information about weaknesses in their own systems.