Mobile

11/8/2017
10:00 AM
100%
0%

Greg Touhill: How an Air Force Lieutenant Became One of Cybersecurity's Top Guns

Security Pro File: After leading cyber efforts in the military, DHS, and the federal government, the former Federal CISO now sets his sights on new security technology.

It was a typical day at McChord Air Force Base in the early 1980s. A box had arrived at the command post. Lieutenant Gregory Touhill, a recent ROTC graduate on his first assignment, opened the box and looked inside. It was a desktop computer – still a new concept in most bases and businesses, not long after IBM introduced the first PC in 1981.

A skeptical colonel peered inside the box. "What the hell's that?" he growled.

"It's a computer, sir," Touhill replied.

"Well, you take it," the colonel said. "You're in charge of it."

More than 30 years later, retired Brigadier General Greg Touhill is still following those orders. In fact, he's taken charge of some of the largest and most complex computer communications and cybersecurity programs in the world. As an Air Force officer, he became one of the service's top communications and logistics leaders, earning three awards of the Legion of Merit and the Bronze Star. As a brigadier general, he was the CIO and Director of Command, Control, Communications, and Cyber Systems at U.S. Transportation Command – a $15.4B enterprise that won the NSA's Rowlett Award for the best cybersecurity program in the US government.

But he didn't stop there. In 2014, after his 30 years in the Air Force were complete, Touhill took his cyber skills to the civilian side of the US government. He was appointed to be the Department of Homeland Security's Deputy Assistant Secretary for the Office of Cybersecurity and Communications. He also served as the Director of the National Cybersecurity and Communications Integration Center (NCCIC).

In 2016, Touhill once again took charge of a major cyber operation, becoming the first Federal CISO ever appointed by the US government. US CIO Tony Scott and then-Cybersecurity Coordinator J. Michael Daniel cited Touhill's "considerable experience in managing a range of complex and diverse technical solutions at scale with his strong knowledge of both civilian and military best practices."

In fact, he was uniquely qualified for the job, having worked with not only with all branches of the service and most federal agencies, but with thousands of private contractors during his career.

Earlier this year, with a new administration coming into office, Touhill stepped down from his post as Federal CISO – a position that remains unfilled – and is now president of Cyxtera Technologies' Cyxtera Federal Group, where he is still leading efforts to break new ground in cybersecurity.

"I feel like my mission hasn't changed across all of these roles," says Touhill, who will be the keynote speaker at Dark Reading's INsecurity Conference later this month at National Harbor. "I've been in different positions, but I'm still protecting data for America. That's still what gets me going every morning."

Source: US Air Force
Source: US Air Force

Having held critical cyber roles in the US military, DHS, and in the federal government, Touhill has more than his share of CISO war stories – and, in his case, many of them are actual war stories. The U.S. Transportation Command had to protect information about the movement of supplies and equipment – key data that might tell the enemy where US troops were going. The organizations and systems he secured at DHS and the federal government were similarly attractive targets, where a bad mistake might cost not only sensitive data, but human life.

"I have seen a lot of things happen, but one positive thing I've learned is that as defenders, we're not as bad as we sometimes think we are," says Touhill, who has an optimistic, open demeanor that suggests more teacher or coach than brigadier general. "As professionals, we tend to focus on where we fail, and that's as it should be. But we also have to remember that the risk level is high, and it's really not so much about protecting everything – it's about managing risk." Touhill laid out his risk management strategy in "Cybersecurity for Executives," a book he published in 2014.

The risk equation is one that is familiar to most military officers -- and perhaps separates military cybersecurity from enterprise cybersecurity, where some CXOs still cling to castle walls and network perimeters. "Frederick the Great said that he who attempts to defend everything defends nothing," Touhill recalls from his Air War College training. "A lot of companies don't know what assets they have, and so they are trying to defend everything. It just doesn’t scale."

At DHS, Touhill had a front-row seat to some of the most serious online threats posed to US interests – both in government and in private industry. He became a driver behind cyber simulations and exercises that help defenders practice for "the very bad day that's going to happen," as he calls it. He helped to build and support federal cyber exercises such as Cyber Storm and GridEx, which allowed federal, critical infrastructure, and defense agencies to perform real tests of their cyber response systems, and identify weak spots that needed work.

"Many companies have trouble with incident response because they fail to practice," Touhill says. "Not only do they not rehearse the process, but they don't know all the participants. And I can tell you, the time to exchange business cards is not in the middle of a crisis. You need to know the people involved and the roles that they are going to play - before the bad day happens."

As the first Federal CISO, Touhill had a chance to begin building coordinated security initiatives across agencies, but he feels much more needs to be done.

"I believe it is critical that the new administration take action to appoint a new CISO to capitalize on our cybersecurity initiatives," Touhill says. "I believe cybersecurity is a non-partisan issue and we can't wait any longer for a Federal CISO. We need a highly qualified technical leader as the Federal CISO as soon as possible, because marking time in today's hotly contested environment is actually falling behind. I am hoping that Congress helps by making it a specified position in the next Federal Information Security Management Act (FISMA) as well."

Touhill's time working with federal agencies also pointed up another key issue he sees in private industry: too much reliance on older technology. "Touhill's Law says one human year equals 25 computer years," he says. "If you want an effective defense, you don’t rely on outdated technology. You don't fly a Wright Flyer against a MIG and expect to win."

That need for advanced, better technology was the primary reason why Touhill chose to take his new position at Cyxtera, an emerging technology vendor that is working on a wide array of next-generation security technologies, ranging from authentication to microsegmentation, deep analytics, and total fraud protection.

"I had a bunch of opportunities when my position as Federal CISO was not renewed, but I left them at the altar when I saw what Cyxtera was doing," he says. "The idea of a zero-trust model that can work anywhere, even in the cloud, is where we need to go. I feel like I'm in the right place for what comes next."

 

 

PERSONALITY BYTES

Things Touhill has carried over from military life: I walk fast. I eat fast. I don't sleep much. I'm up by 0500 and I still work out for an hour every morning before work.

What his co-workers don't know about him: I love Key lime pie. If you want to get me to do something, you can ply me with pie.

Electronic must-haves: A phone loaded with my family photos, music, and the Major League Baseball app.

Favorite hangout: Right next to my wife.

Comfort food: My wife's chicken pot pie. There is nothing better.

In his music playlist right now: I’m reliving my high school years. Queen's "Don't Stop Me Now" is playing; ELO's "Turn to Stone," and Journey's "Don't Stop Believing" were right before it.

Ride: A BMW. My wife has always wanted one. She asked for one when I was a first lieutenant, but I couldn't afford it, so I got her a dog. Twenty-five years later, we got the BMW.

After hours: I love baseball and writing. I have another book in the works.

Favorite team: The team that wears red, white, and blue: the Boston Red Sox.

Signature style: I wear red socks every chance I get.

Actor who would play Touhill in film: That's easy – Tom Hanks. People tell me I look like him.

Next career after security: Commissioner of Major League Baseball.

 

Meet Greg Touhill Nov. 29 at his keynote address for Dark Reading's INsecurity Conference. See the full agenda here.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20168
PUBLISHED: 2018-12-17
Google gVisor before 2018-08-22 reuses a pagetable in a different level with the paging-structure cache intact, which allows attackers to cause a denial of service ("physical address not valid" panic) via a crafted application.
CVE-2018-20167
PUBLISHED: 2018-12-17
Terminology before 1.3.1 allows Remote Code Execution because popmedia is mishandled, as demonstrated by an unsafe "cat README.md" command when \e}pn is used. A popmedia control sequence can allow the malicious execution of executable file formats registered in the X desktop share MIME typ...
CVE-2018-20161
PUBLISHED: 2018-12-15
A design flaw in the BlinkForHome (aka Blink For Home) Sync Module 2.10.4 and earlier allows attackers to disable cameras via Wi-Fi, because incident clips (triggered by the motion sensor) are not saved if the attacker's traffic (such as Dot11Deauth) successfully disconnects the Sync Module from the...
CVE-2018-20159
PUBLISHED: 2018-12-15
i-doit open 1.11.2 allows Remote Code Execution because ZIP archives are mishandled. It has an upload feature that allows an authenticated user with the administrator role to upload arbitrary files to the main website directory. Exploitation involves uploading a ".php" file within a "...
CVE-2018-20157
PUBLISHED: 2018-12-15
The data import functionality in OpenRefine through 3.1 allows an XML External Entity (XXE) attack through a crafted (zip) file, allowing attackers to read arbitrary files.