Greg Touhill: How an Air Force Lieutenant Became One of Cybersecurity's Top Guns

Security Pro File: After leading cyber efforts in the military, DHS, and the federal government, the former Federal CISO now sets his sights on new security technology.

It was a typical day at McChord Air Force Base in the early 1980s. A box had arrived at the command post. Lieutenant Gregory Touhill, a recent ROTC graduate on his first assignment, opened the box and looked inside. It was a desktop computer – still a new concept in most bases and businesses, not long after IBM introduced the first PC in 1981.

A skeptical colonel peered inside the box. "What the hell's that?" he growled.

"It's a computer, sir," Touhill replied.

"Well, you take it," the colonel said. "You're in charge of it."

More than 30 years later, retired Brigadier General Greg Touhill is still following those orders. In fact, he's taken charge of some of the largest and most complex computer communications and cybersecurity programs in the world. As an Air Force officer, he became one of the service's top communications and logistics leaders, earning three awards of the Legion of Merit and the Bronze Star. As a brigadier general, he was the CIO and Director of Command, Control, Communications, and Cyber Systems at U.S. Transportation Command – a $15.4B enterprise that won the NSA's Rowlett Award for the best cybersecurity program in the US government.

But he didn't stop there. In 2014, after his 30 years in the Air Force were complete, Touhill took his cyber skills to the civilian side of the US government. He was appointed to be the Department of Homeland Security's Deputy Assistant Secretary for the Office of Cybersecurity and Communications. He also served as the Director of the National Cybersecurity and Communications Integration Center (NCCIC).

In 2016, Touhill once again took charge of a major cyber operation, becoming the first Federal CISO ever appointed by the US government. US CIO Tony Scott and then-Cybersecurity Coordinator J. Michael Daniel cited Touhill's "considerable experience in managing a range of complex and diverse technical solutions at scale with his strong knowledge of both civilian and military best practices."

In fact, he was uniquely qualified for the job, having worked not only with all branches of the service and most federal agencies, but with thousands of private contractors during his career.

Earlier this year, with a new administration coming into office, Touhill stepped down from his post as Federal CISO – a position that remains unfilled – and is now president of Cyxtera Technologies' Cyxtera Federal Group, where he is still leading efforts to break new ground in cybersecurity.

"I feel like my mission hasn't changed across all of these roles," says Touhill, who will be the keynote speaker at Dark Reading's INsecurity Conference later this month at National Harbor. "I've been in different positions, but I'm still protecting data for America. That's still what gets me going every morning."

Source: US Air Force

Having held critical cyber roles in the US military, DHS, and in the federal government, Touhill has more than his share of CISO war stories – and, in his case, many of them are actual war stories. The U.S. Transportation Command had to protect information about the movement of supplies and equipment – key data that might tell the enemy where US troops were going. The organizations and systems he secured at DHS and the federal government were similarly attractive targets, where a bad mistake might cost not only sensitive data, but human life.

"I have seen a lot of things happen, but one positive thing I've learned is that as defenders, we're not as bad as we sometimes think we are," says Touhill, who has an optimistic, open demeanor that suggests more teacher or coach than brigadier general. "As professionals, we tend to focus on where we fail, and that's as it should be. But we also have to remember that the risk level is high, and it's really not so much about protecting everything – it's about managing risk." Touhill laid out his risk management strategy in "Cybersecurity for Executives," a book he published in 2014.

The risk equation is one that is familiar to most military officers -- and perhaps separates military cybersecurity from enterprise cybersecurity, where some CXOs still cling to castle walls and network perimeters. "Frederick the Great said that he who attempts to defend everything defends nothing," Touhill recalls from his Air War College training. "A lot of companies don't know what assets they have, and so they are trying to defend everything. It just doesn’t scale."

At DHS, Touhill had a front-row seat to some of the most serious online threats posed to US interests – both in government and in private industry. He became a driver behind cyber simulations and exercises that help defenders practice for "the very bad day that's going to happen," as he calls it. He helped to build and support federal cyber exercises such as Cyber Storm and GridEx, which allowed federal, critical infrastructure, and defense agencies to perform real tests of their cyber response systems, and identify weak spots that needed work.

"Many companies have trouble with incident response because they fail to practice," Touhill says. "Not only do they not rehearse the process, but they don't know all the participants. And I can tell you, the time to exchange business cards is not in the middle of a crisis. You need to know the people involved and the roles that they are going to play - before the bad day happens."

As the first Federal CISO, Touhill had a chance to begin building coordinated security initiatives across agencies, but he feels much more needs to be done.

"I believe it is critical that the new administration take action to appoint a new CISO to capitalize on our cybersecurity initiatives," Touhill says. "I believe cybersecurity is a non-partisan issue and we can't wait any longer for a Federal CISO. We need a highly qualified technical leader as the Federal CISO as soon as possible, because marking time in today's hotly contested environment is actually falling behind. I am hoping that Congress helps by making it a specified position in the next Federal Information Security Management Act (FISMA) as well."

Touhill's time working with federal agencies also pointed up another key issue he sees in private industry: too much reliance on older technology. "Touhill's Law says one human year equals 25 computer years," he says. "If you want an effective defense, you don’t rely on outdated technology. You don't fly a Wright Flyer against a MIG and expect to win."

That need for advanced, better technology was the primary reason why Touhill chose to take his new position at Cyxtera, an emerging technology vendor that is working on a wide array of next-generation security technologies, ranging from authentication to microsegmentation, deep analytics, and total fraud protection.

"I had a bunch of opportunities when my position as Federal CISO was not renewed, but I left them at the altar when I saw what Cyxtera was doing," he says. "The idea of a zero-trust model that can work anywhere, even in the cloud, is where we need to go. I feel like I'm in the right place for what comes next."

PERSONALITY BYTES

Things Touhill has carried over from military life: I walk fast. I eat fast. I don't sleep much. I'm up by 0500 and I still work out for an hour every morning before work.

What his co-workers don't know about him: I love Key lime pie. If you want to get me to do something, you can ply me with pie.

Electronic must-haves: A phone loaded with my family photos, music, and the Major League Baseball app.

Favorite hangout: Right next to my wife.

Comfort food: My wife's chicken pot pie. There is nothing better.

In his music playlist right now: I’m reliving my high school years. Queen's "Don't Stop Me Now" is playing; ELO's "Turn to Stone," and Journey's "Don't Stop Believing" were right before it.

Ride: A BMW. My wife has always wanted one. She asked for one when I was a first lieutenant, but I couldn't afford it, so I got her a dog. Twenty-five years later, we got the BMW.

After hours: I love baseball and writing. I have another book in the works.

Favorite team: The team that wears red, white, and blue: the Boston Red Sox.

Signature style: I wear red socks every chance I get.

Actor who would play Touhill in film: That's easy – Tom Hanks. People tell me I look like him.

Next career after security: Commissioner of Major League Baseball.

Meet Greg Touhill Nov. 29 at his keynote address for Dark Reading's INsecurity Conference.

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
