1
FIREFIGHTERS
Some are born geeks. The only question is whether they’ll end up in cybersecurity or doing some other aspect of computer work. Craig Williams, for instance, was in kindergarten and playing on an old Apple computer when he discovered that by clicking on the control panel icon, he could change the display colors on a screen, thereby messing with teachers who had no clue what had happened. “I’ve known exactly what I wanted to do pretty much for my entire life,” said Williams. Today, Williams is thirty-eight years old and handsomely paid as a manager for an elite security team inside Cisco. By comparison, Allison Wong was a late bloomer: not until she was around eight did she first touch one of the machines that would change her life.
Angela Gunn, by contrast, didn’t discover info-sec as a career until she was on the wrong side of forty. Gunn, who had grown up in a small town in Nebraska, had studied philosophy at Occidental College, a small liberal arts college in Los Angeles. She thought she might want to write about architecture until learning, she said, “there’s very little money in that.” She figured she had scored big when she secured an interview with a new literary magazine called Wigwag that had been started by a group of exiles from The New Yorker, “but it closed before I even got to New York.” She would become a de facto tech journalist, not from any deep affinity for computers but “because that’s where the jobs were in the early 1990s.” She took a job at PC Magazine, where she quickly moved up the ladder from researcher to reporter to editor. That was in 1995, at the dawn of the internet and a perfect moment to be working as a tech journalist. She was just twenty-six when she was hired as the editor in chief of a new publication called WebWeek. Five months later, she let herself be wooed away by another startup magazine called Yahoo! Internet Life. Over the next few years, Gunn wrote for a number of well-regarded trade publications—columns for IEEE Internet Computing and Computer Shopper, product reviews for PC Magazine—before moving to Seattle, in 1999, for a job as tech editor at the city’s big alternative weekly, the Seattle Weekly. That was at the peak of Microsoft’s industry might and a couple of years after a relatively modest-sized online books-and-CD retailer named Amazon had gone public. At the Weekly, Gunn wrote a column she called Kiss My ASCII (ASCII—pronounced “ass-C” or “ass-key,” depending on whom you ask—is a computer standard for text dating back to the 1960s) and also contributed to its film and music sections.
Gunn never seemed to stay in one place long. Two years after moving to Seattle she was back in New York to rejoin the staff of Yahoo! Internet Life, which went out of business a year later. There was a brief stint as tech editor of TimeOut New York before Gunn moved to the Washington, D.C. area to take over as tech editor of USA Today, a national newspaper with a circulation in the millions. That proved a great job but also a burnout position and one that allowed her little time for her own writing. She stepped down as tech editor but continued writing for the paper and its website. She also moved back to Seattle, where she cohosted a short-lived revival of PC World’s Digital Duo, a PBS tech show focused on new products. At its peak, it ran on 184 public television stations around the country. “There’s always part of me that craves the new thing,” Gunn said.
Digital Duo was canceled at the end of 2005. Gunn thought about moving back to New York but she landed a gig with Computerworld, which wanted her to stay on the West Coast. Her interests were growing geekier, as were the outlets interested in publishing her work. Her change in focus meant a return to the more esoteric publications where she launched her journalism career. “As a journalist, I was looking into privacy,” Gunn said. “That led to security issues, and I was off to the races.”
The job at Microsoft was a happy accident. “I wasn’t looking for them and they weren’t looking for me specifically, either,” she said. A friend—someone who had written for her at Computerworld—had met with someone at Microsoft to talk about a new position working with some of its security people. The friend said he didn’t think he was right for the job but recommended Gunn. “Microsoft reached out to me to gauge my interest and I figured what the hell.” She knew Microsoft well from two decades of reporting and they knew her work. “They told me they felt I’d been pretty evenhanded in my coverage over the years,” she said, but they also couldn’t refrain from quoting a couple of sharp things she had written. In 2010, twenty years after she had taken her first job in journalism, Gunn showed up on Microsoft’s campus to work as a senior response communications manager within the company’s Trustworthy Computing program, which Bill Gates himself had announced, in the early 2000s, once the company belatedly decided to get serious about security. Gunn was now working incident response for the world’s largest software maker, a very fat target for people with bad intentions.
• • •
“WE’RE SOMEWHERE BETWEEN A firefighter and dental hygienist,” Gunn said of those who work incident response. The firefighter part of the job means rushing in when clients fear the worst about their computer systems—a member of the “cyber special forces,” as Gunn’s latest company, the London-based BAE Systems, describes the four thousand people working for them across the globe to “defend against cyber-attacks, fraud, and financial crime.” It’s that part of the job that prompts Gunn and others to make comparisons to paramedics, ER doctors, and other first responders. The dental hygienist part of the job is the preventative work Gunn does. She’s responsible for a small constellation of clients. Are they making security a priority and investing the resources and time needed to reinforce and test their defenses (and thereby reduce the likelihood that she’ll need to play heroine because its defenses have been compromised)? “It’s a strange balance,” she notes. “The IR [incident response] work is pure firefighting. But the ‘readiness’ part of the job”—how incident response people spend much of their time—“is really about the importance of flossing and periodic checkup appointments,” she said. This time between incidents is a time for healing. “We call that polish-the-firetruck time,” Gunn said.
Most people spend only a few years, if that, in incident response. Just as emergency rooms are common entry points for recent medical school grads doing the internship or residency they must endure to become a doctor, so is incident response a standard route for people getting into info-sec. “When people ask me, ‘How do I get into this field?’ I tell them, ‘Go get an on-call gig,’ ” said Cisco’s Craig Williams. “Not at a help desk but something where you’re working on these breaking security issues.” For people at Cisco or Microsoft or Google, that means responding to news of a vulnerability in one of their products. A software team will work on a fix but meanwhile a quick patch must be applied, a makeshift intrusion prevention system deployed, and an autopsy performed to figure out what happened. At a firm like Gunn’s, it’s her and her team responding to an “incident,” which is what people in the industry tend to call it when a client phones to report a problem. The hours can be brutal but the pay excellent, even for those with little or no experience in info-sec. The average pay for an entry-level “incident analyst/responder” in 2018, according to CyberSeek’s Cybersecurity Career Pathway, was $99,000 a year, and yet there are thousands of openings in the field. Entry-level forensic work—what the survey describes as a “cybercrime analyst/investigator”—was paying $85,000 a year. Salaries are bound to be inflated for those fortunate enough, financially at least, to work in a big city for a huge corporation or a big international consulting firm.
“Frankly, it’s a job a lot of people burn out on,” said Cisco’s Williams. “But it’s one of those positions where you learn a ton. If you’re just getting into the field, it’s a great way to get up to speed.” Williams knew it wasn’t the right life for him early in his career at Cisco, when he and his wife were relatively new to Austin and out at a place called Trudy’s, known for selling margaritas so oversized that they cut you off at two. “I make it my personal challenge to finish two every time,” Williams told me. He had already polished off his second margarita when his cell phone went off. It was his boss. “He’s like, ‘There’s a worm in Thailand; we need you to come in and write an update,’ ” Williams said. He explained that he was in no condition to drive, let alone write a patch, but his boss wasn’t accepting his no. “So my wife drives me to the office and I write the update as she sits there looking at me like, ‘You have the weirdest job.’ ” Williams is still with Cisco as a company “director,” where he plays more of an ambassador role and not what anyone would describe as an on-call job. “That was my life when I first joined the company,” he said. “But as you can imagine, that’s not a super-sustainable model.”
Yet there are also people like Gunn, for whom incident response, if not the perfect job, seems as good as it gets in a world where you have to devote fifty or sixty or more hours every week to pay the bills and keep the lights on. “It’s a work style that feels comfortable to me,” Gunn said, adding, “I’d rather be summoned on a call at four in the morning a few times a year than sit there in a nine-to-five job being bored.” She had worked as a deadline journalist and agreed with me when I offered that her job now seems not unlike all those years she was working for websites in the business of breaking news. When I asked her if she’s happy doing what she’s doing, she laughed. “Have you ever known a truly happy journalist, ER worker, or first responder?” she countered. I conceded the point but then Gunn gave a direct answer to my question: “It’s a lot of crazy hours. Sometimes I’m surviving on caffeine. But I do like it. I’m enjoying it.”
Gunn had always been a talented journalist. So it was no surprise that she had the right instincts about security back when she was still writing about tech: she was writing increasingly about security in the second half of the 2000s, just as the computing world was moving in that direction. Security—along with privacy issues—was becoming more central to computing and becoming a greater priority inside the industry. News outlets started employing reporters who focused exclusively on security. Venture capitalists funded more security startups while more traditional corporate security companies that had always focused on physical security beefed up their cyber practice. So, too, did big-name accountant firms and other consultancies. And Microsoft was hardly alone. Every big name in computing, from Apple to Google to Facebook, has suffered embarrassing data breaches.
Microsoft was eight years into its transformation from security laggard to industry leader when Gunn joined the company. Gates had implemented Microsoft’s Trustworthy Computing program in 2002, and twelve months later, the “Slammer” worm hit one of Microsoft’s core products, SQL Server, the database software that helps run business around the world—“the storage backend,” as a former Microsoft engineer described it for me. Slammer infected roughly seventy-five thousand servers in ten minutes and caused problems across the globe, including flight delays and clogged ATM networks. “That caused Bill G [Bill Gates] to declare a major reset,” the engineer said. “The whole company stopped working on features, at least for a bit, and focused on security.” The job Gunn had been recruited to fill was created both to improve communications about security issues with the company’s developer community and also those who were using Microsoft products.
Gunn was on the job six weeks when the world learned about Stuxnet, one of the more insidious worms to ever infect computers connected to the internet. Inspectors for the International Atomic Energy Agency found that centrifuges at an Iranian uranium enrichment plant were failing at alarming rates yet couldn’t figure out why. Several months later, computers around the world were spontaneously crashing and rebooting. That was Stuxnet, which took advantage of multiple security holes in Windows and other software. The brilliance of Stuxnet was twofold. First, it covered its tracks. It hid the malicious files it added to a computer and took extra steps to cloak any processes it was initiating. Second, Stuxnet weaponized a computer: it didn’t steal information or wipe out a hard drive but instead hid out and did physical destruction to the Iranian nuclear facility—the world’s first digital weapon, reportedly created by Israel and the United States to disrupt Iran’s nuclear efforts.
“Stuxnet was my first big case,” Gunn said. “That was brutal.” The fact that she was so new to the field only added to the “weirdness,” she said. “My poor boss. We weren’t close but he says to me, ‘You do this, you’re not going to be a journalist anymore.’ This is a month or two into Stuxnet. He asks me, ‘You sure you want to do this? Because if you want to go back, we can pretend this never happened.’ Basically, he was asking me, ‘Are you in or are you out?’ ”
Gunn wasn’t going anywhere. There was something intoxicating about being on the inside after all those years as a journalist on the outside. She had found out about Stuxnet before most of the rest of the world when she was summoned to what she called the “ssirp room.” (A shortened version of what at Microsoft they call the Software Security Incident Response Process, or SSIRP.) Weeks passed before they pieced together what had happened. “We’re talking meetings that lasted for hours with people you’re scared to make eye contact with because they’re screaming,” she said. “But you start to figure out what’s going. What’s on fire and needs immediate attention and what can wait until tomorrow.” There were showers downstairs for those days when there was no time to make it home. “All of us had a locker for a change of clothes. There were nap rooms. A towel service. Food. It wasn’t uncommon to spend three days on-site.”
Gunn coordinated communication for the company’s incident response group. Much of the job boiled down to managing how Microsoft spoke to the wider world about Stuxnet or some other piece of malware introduced through a security flaw in a company product. Often that plan centered on a speech delivered in a large ballroom at one of the big industry conferences: Black Hat, Hack in the Box, RSA. Gunn fielded press calls on security-related topics, and handled communications from contractors, consultants, third-party software makers, and others outside the company. She provided answers when she could and, when she couldn’t, routed the query to the right person. Gunn delivered regular security bulletins—one or two in a quiet month, a dozen or more in a busier one, and, when necessary, published a special advisory. She blogged about security issues on the Microsoft website and served as a writing coach and editor for members of her group who wanted to write about whatever small disaster hit Windows or another Microsoft product.
Yet the part of the job Gunn loved—the part she spoke of with passion years later—were the hours spent in the ssirp room after they had learned of a new security breach. “There’s this excitement,” she said. “You’re constantly on the phone, figuring out what’s happening, getting your guys together, getting control of this thing.” She was fascinated by the glimpses it gave into the people she worked with: those who rose to the occasion and those who couldn’t handle the pressure. “A lot of incident response training comes from watching people who are really good at it do it,” she said. A small incident might mean only a few days in the room but the drama stretched out for weeks when it was a massive problem like Stuxnet. “You worked on an issue you were assigned to until it was time to stand down,” Gunn said. Some chafed at that kind of pressure but Gunn seemed to thrive on it. “When I shifted to another position inside Microsoft, I missed it,” she said. Sitting across from me at Bedlam Coffee, she mimed out the feeling she had once she had shifted to that new job at Microsoft. She stared longingly at a make-believe door now off-limits and then said in falsetto, as if a child, “You mean I can’t go into the ssirp room anymore?”
Gunn’s first job in info-sec ended when, a little over two and a half years after she had started at Microsoft, in the fall of 2012 she received a promotion from senior response communications manager to senior security strategist. Her job now was to help Microsoft figure out how it should talk to the larger world about vulnerabilities in its software. She represented the company at conferences, promoted interesting research being conducted at Microsoft, and helped introduce “bug bounty” programs to college campuses. This last initiative proved a radical shift for any software maker. Rather than fight the impulse of hackers to find holes in a product, Microsoft would pay a reward to any who reported a vulnerability in its software.
Yet the commute from her home in Seattle across Lake Washington to Redmond, where Microsoft is headquartered, was taking a toll, as was workplace drama inside the company’s security unit. Fifteen months after her promotion, Gunn left Microsoft for Hewlett-Packard, where her friend Dave Weinstein, whom she had met while both were working security at Microsoft, had landed a year earlier. HP had taken custody of the Zero Day Initiative, an effort by white-hat hackers to create a kind of clearinghouse of software flaws that lead to cyberattacks and security breaches. There, Weinstein was among those analyzing the bugs that researchers sent to Zero Day in the hopes of being paid a bounty for finding a security flaw. “We told you how much we were willing to pay for the bug and the researcher said yes or no,” Weinstein said. “If they said yes, that meant they sold us the intellectual property in the bug, and then we would study it and use it” to better combat malware. The attraction for Gunn was a chance to work “threat intelligence” and, not incidentally, take a break from the intensity of IR work inside a place like Microsoft. She didn’t go to HP thinking she was done with IR but she was happy for the time away. “People cycle in and out all the time,” Gunn said. Once again, she was working as a writer and editor. She oversaw the white papers, blog posts, public speeches, and tweets produced by Zero Day engineers while also publishing her own original research.
Gunn enjoyed working at HP. The hours were good, her colleagues congenial, the work interesting. There were also holidays with family. “Most people in IR can’t remember a December holiday that went without a hitch,” she said. “There are always calls on Christmas and Thanksgiving, even when I was covering this stuff as a journalist.” Yet she also missed being in the room and the camaraderie that came with doing battle against a formidable new bug. There were also the good feelings that came with a job that let Gunn compare herself to the gunslinger in an old-time western who saves the town from t...