Maria Vello, Executive Advisor, Former CEO of the Cyber Defence Alliance and the NCFTA
Maria always had a focus on security, starting when she worked for a Fortune 500 company managing their Global infrastructure and communications network. Maria Vello’s real career in security/cyber-security began with an atrocity. After September 11, 2001 terrorist attacks in the United States (“9/11”) the start-up company she worked for had to close their doors after losing the support of one of the investment companies. The event also inspired her to change her career direction and she found a new mission – fighting global cyber-crime.
“When 9/11 happened, I can remember being at work in a telecoms start-up in Pennsylvania,” Maria recalls, “and it was absolutely a huge shock but also a wake-up call, our country would never be the same. There were many repercussions, implications to our country’s national security, our safety, resilience as a nation, emotional implications and of course the economic ones. Such as, the one that impacted me and my colleagues, when one of the three investors in our telecoms start-up company pulled out, and we had to close our doors.”
But the world-changing terrorist attack also set Maria thinking. What she realised was that “the future of warfare was not going to be just about physical attacks, especially with the evolution of the internet and global interconnectivity. It was absolutely going to evolve rapidly and move into cyberspace.”
Maria went the same way, moving into cyberspace. Two decades on she has travelled far, to the role of CEO at the Cyber Defence Alliance in London prior to being the CEO and President of the National Cyber-Forensics and Training Alliance (NCFTA) in Pittsburgh, Pennsylvania.
Her journey began with profound studies. She went to the Carnegie Mellon University, Software Engineering Institute, where she studied the Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) methodology – a means of streamlining and optimising the process of assessing security risks.
Carnegie Mellon’s name and the Octave methodology “opened doors for Maria.” The first doors to open were at the waterworks, since the US Government foresaw the need to protect critical infrastructures and the water supply could be one of the many parts of the critical infrastructure that could be targeted for attacks.
The U.S. government was providing grants to secure water supply against terrorism and Joe Hohman, the manager of a number of water companies, shared Maria’s view that the risk was not just of acts of physical sabotage but also cyber-attacks that would sow chaos. He too was an early adopter and worried about not only physical but cyber-attacks.
And so just six months after her studies at Carnegie Mellon, Maria’s business fighting cyber-crime was up and running. She began advising water companies on how they could develop their defences and enhance their security posture against hacking by terrorists. Word of mouth became her best marketing. “It just evolved,” she says, “and turned into getting contracts with some bigger companies,” almost always in critical infrastructure that terrorists might want to destroy or disrupt.
She was driven by her patriotism, strong motivation and belief, a realisation that “security/cyber-security and the need for it was here to stay.” Pandoras box had been opened. Maria saw “how imperative it was for people to actually pay much more and greater attention to detail around security. No one ever imagined that the internet was going to be used for these things (both good and bad) like it is used today. A dear and brilliant friend, Paul Vixie, who was a key figure in the design of the internet will tell you, he would have designed/done things differently had he known.”
In a sector that was new and evolving rapidly, the learning process, too, was just beginning. Maria found she learnt from “some of the gentlemen who worked with me. The people that really were a whole lot smarter than I was and certainly a whole lot more technical but very patient and very willing to teach me and improve my knowledge and understanding.”
She sees cyber as a field ripe for this kind of learning. “You just pick things up along the way,” she says. “Security is one of those fields where you can absolutely do that, although many people are a bit afraid of not having the technical knowledge from the go. But honestly, I think in this day and age there isn't anything that you can't find either on a YouTube video or in a book.” Working with like-minded people willing to share and collaborate, along with taking courses in security, are invaluable in shaping and moulding your career in security and/or cyber-security.
The years of experience she has accumulated mean Maria knows the workings of cyber-criminals very well, and she paints a frightening picture of them.
For 20 years, Maria and her peers have been warning businesses and the public to use strong passwords, to not click on links, and not give away their credentials. But the “tradecraft” of the cyber-criminals is extremely good. They are “organised crime groups with an enterprise network and companies and they are very clever. It’s a business, they have coding departments, sales, tech support, a development department, etc. And they do their homework and create some very sophisticated attacks, but also use some well-known less sophisticated methods and count on people making basic mistakes.”
Cyber criminals may seek to “get into your system undetected, stay there for periods of time to unearth significant information, compromise your systems and steal your intellectual property.”
The threats therefore now come from “any place in the world literally. There are no borders. It’s seamless, systemic, and global. In numerous cases these threat actors/criminals operate with impunity.”
And the criminals use “everything they’ve found and reuse it as much as possible. They find a number of different clever ways to monetising and re-monetising the intelligence, credentials, intellectual property, etc.”
Maria and her colleagues in the cyber-crime fight come from industry, academia, law enforcement, research, and all walks of life. By sharing information and turning it into intelligence and working together collectively, the team is able to close the gap on cybercrime and by working with law enforcement, get to attribution. It’s a team of cyber sleuths and investigators, researchers, detectives, people with a common vision and goal putting the puzzle together. “You do your forensics, you share different pieces of information across the teams,” she says, “and you basically find the whole trail of breadcrumbs and the last pieces to finish the puzzle and attribute. Our ultimate goal is to identify the threats, methods, means, tactics of the criminals and give an early warning to companies and innocent people. After the fact is too late, the damage is done... if we can prevent it from happening and be prepared prior, stop it, and make it a non-event – that is where we need to be. But somehow, we're never able to prevent all the attacks but we’ve had numerous success stories where we have been able to prevent companies and networks from being compromised. We need to do more!“
The enjoyment and reward of the job, however, Maria finds, comes from waging a shared battle, supported by a community of like-minded people in different fields with a shared vision and goal that does not worry about who gets the credit.
“I'm interacting with law enforcement,” she says, “with government agencies, researchers, academia, intelligence analysts and companies. With people that are 100 times smarter and brighter than I am and people that have been in the security business far longer than me with more experience and knowledge. There is a global community right there, where people work together for the greater good and leave their egos at the door. They don’t care who gets the credit, they just want to right the wrongs and bring the threat actors to justice.” We have to work with law enforcement - we might have the best information/intelligence, but they can add to it and they’re the only ones with the authority to arrest.
And it is idealistic.
“There are patriots, global security and cyber-security/crime warriors.” The passion is “contagious,” and the successes are not individual but “shared.”
To have a career in cyber-intelligence Maria sees “a very curious intellectual problem-solving mind” as essential. “You have to be curious, willing to pay attention to detail. Find a clue and develop it. Show the tenacity to just keep going. Know when you are going down a rat hole and know how find the associations and correlations to put the pieces all together.”
In network operations quite different and more technical skills are required. “You need to understand networking, understand how IP addressing works, understand what you're looking for. Find a signal in the noise as you look through some of the threats, identify vulnerabilities, know your critical assets, network infrastructure, understand people, enhance your security posture and stay diligent and vigilant.”
People can be trained, Maria says, in these skills – in the use, for example, of open-source tools.
Maria sees women playing a bigger role. “Some of the smartest people I've met in this field have been women,” she says. And she finds many women are extremely interested in moving into tackling cyber-crime. We need, she says, to show women that “it’s an awesome career with so many different areas that you can explore. You’re wanted, needed, you have and can offer tremendous value to the field, you will never be bored and there is a vast and very rewarding career path ahead in cyber-security – most importantly woman have what it takes and there are tons of areas to explore – if you have the heart and desire to learn, then CAN do anything!” A career in cyber-security requires that heart and desire, along with a curious, intellectual mind, attention to detail, and good problem-solving skills.
The cyber-criminals are numerous, inventive, clever, powerful, and destructive. The fight against them must be waged equally inventively, collaboratively, collectively, and powerfully - we need more women and men in the battles to win the war.
“We need to put a significant dent in cyber-crime to close the gap, protect innocent victims and make a difference in the world” Maria concludes. “There’s so much to do and there is more than enough crime and glory to go around. We all play a role in creating a safer cyber future. We need everybody we can get.”