George Silowash didn't arrive at Norwich University from a military background, as many of his colleagues and students did. But Silowash, who started work last week as the chief information security officer at Vermont's only military college, has a unique connection to Vermont and the armed forces. His father, a recently retired physicist, designed the nuclear reactor currently being installed on the U.S. Navy's newest submarine, which will hit the water in 2019. It's called the USS Vermont. Says Silowash, "I considered that a good sign."
Though he's a civilian, Silowash has been fighting America's adversaries nonviolently for years. As an information security expert who specializes in digital forensics and investigations, he has protected federal agencies, universities and the private sector against countless cyber attacks launched by hostile nations, crime syndicates and lone hackers. His past employers include Carnegie Mellon University's Software Engineering Institute and the U.S. Department of Justice's National Drug Intelligence Center, the latter of which investigates drug trafficking and international drug cartels.
The 38-year-old native of Greensburg, Pa., is now charged with managing risk, understanding digital vulnerabilities and protecting sensitive data at one of the country's preeminent cyber-security programs. He'll teach at Norwich next fall, too. Recently, Silowash sat down with Seven Days to discuss emerging cyber threats and what keeps him up at night.
SEVEN DAYS: Is Norwich University a bigger target for cyber attacks than other organizations?
GEORGE SILOWASH: That's an interesting question. Our adversaries may see us as a military school and think we have close ties with the [U.S.] Department of Defense. But in general, the attacks aren't necessarily that targeted. The criminals out there seem to be looking to gain whatever foothold they can and then try to access whatever information they can. But I don't know if they target us specifically.
SD: In your world, who are our adversaries?
GS: I'd say our adversaries are probably foreign nation-states that are after research materials. They want to know what we know so they can advance their own programs.
SD: So, most cyber attacks you're seeing are government sponsored?
GS: It's hard to say which hackers may be funded by a nation-state. Some of the more sophisticated attacks that are drawn out over years tend to be very well funded, and they tend to be a nation-state-sponsored attack. But nowadays, it's so easy for anyone with a malicious intent to carry out an attack. They have tool sets out there that are freely available online to download for anybody to use. It takes a little bit of skill for those to work and actually exploit data. But there have been large data breaches in the last year that have compromised data not only from the federal government but the private sector. Actually, I was a victim.
SD: Really? When?
GS: Due to the [U.S. Office of Personnel Management] data breach [in June 2015, which compromised the personal records of 21.5 million federal employees and contractors], my information was used to open a credit card account. Fortunately, I detected it before my credit monitoring service did. So, yes, I was a victim myself. I'm not proud to say that, but data breaches are so common that anybody can be a victim nowadays. It's really hard not to be.
SD: How common are cyber attacks on Norwich?
GS: I couldn't say specifically. I know that we're always seeing some type of malicious traffic. What I can say, personally from my own experience [and] based on my own home network, I'm constantly being hit. Right now we're seeing a lot of malicious emails with virus attachments that are being spewed out to everybody. We're also seeing a lot of ransomware attacks, where people are tricked into visiting a website or sent a malicious attachment that then encrypts their hard drive, and they can't get access to it unless they pay money to get it back.
SD: You know more than most people how to protect your digital identity and yet became a victim yourself. What can average Vermonters do to protect themselves online?
GS: One of the biggest and simplest things to do is maintain your software updates and patch your system. Whenever Microsoft says you have software updates available, don't delay. Just download and install them. Keep your antivirus [program] up to date. Protect yourself when you're using social media. Don't post about everything you do.
SD: What do you recommend for the average computer user with no background in cybersecurity?
GS: When you're connected to an open wireless network, you should use a VPN, or virtual private network, that allows you to encrypt your traffic between you and the internet. It reduces the likelihood of sensitive data being available on a wireless network. Also, be mindful of who's watching your screen in public places. On my laptop, I have a privacy shield, so if you're looking at it from the sides, it looks blank.
SD: What about smartphones?
GS: I think people just need to be mindful of what their devices are doing, what applications they install and what permissions they allow. For example, I downloaded a flashlight application that said, "Flashlight application wants access to your location, your contacts and your storage." Why? You're just turning a light on. Uninstall! But the problem is, most end users don't understand that and just say, "Yeah, OK." Now, their flashlight app is spying on them and siphoning off data. Why does a flashlight need your GPS data to work? It doesn't.
SD: You're assuming the job of Norwich's chief information security officer at a critical moment in history. This is the first time that cyber warfare may have played a role in the outcome of a U.S. presidential election.
GS: I can't speak specifically to that because I don't know who the malicious actors were, and I don't think we [as a country] actually know yet. But you're right, we're starting to use technology more and more, especially in elections. We have the electronic voting machines now that are definitely susceptible to cyber attack. I don't think there's a solution to that right now. And it's going to continue to be a problem simply because, for the manufacturers of these devices, their audience is so small. It's local and state governments, and there's no real incentive for them to build security into them. I'm not picking on any one of them. It's just the way it is.
SD: What are the new frontiers in cybersecurity?
GS: One of the things that concerns me the most is the internet of things, or IOT for short. Light bulbs can now connect to the internet. Some of these devices may be $10 or $20. Well, how much security is built into those devices? Recently, a certain type of light bulb was used for a DDoS, or distributed denial-of-service attack, against large internet providers. Also, webcams were used because their software had a vulnerability and was used to target some big companies. Most people aren't really concerned about the security of their webcams. It's an inexpensive attack, and the code to do these things is freely available online. The attackers made it available to anyone who wanted to download it.
SD: Specifically, what concerns you about the internet of things?
GS: We're plugging more and more things into the internet that, personally, I don't see a need to be connected. Why should my toaster be plugged into the network? I couldn't care less what it's doing right now. It's fine right now sitting on the counter at home. Why do my light bulbs need to be connected? It might be a nice, convenient feature to turn my lights on and off remotely, but I've been getting by with regular light switches for a long time now.
SD: Anything else?
GS: We're starting to see vulnerabilities in automotive systems. Some cars are now connected to the internet. People can get into some cars' infotainment systems and take over the car, whether it be through some wireless connectivity or the car's cellular capabilities. We like all the new bells and whistles and convenience features, but sometimes they come with a big security trade-off.
SD: What keeps you awake at night as a cybersecurity expert?
GS: There's a lot that keeps me awake at night! One of my personal concerns is the security of our nation's power grid. There are way too many things that are dependent upon the power grid, and if we lose electricity, we lose everything. We have power companies that just connect things to the internet for convenience without having adequate security. There are ways to protect those systems, but whether or not they're doing it in the most secure fashion remains to be seen.
The original print version of this article was headlined "Digital Defender"
Ken Picard has been a Seven Days staff writer since 2002. He has won numerous awards for his work, including the Vermont Press Association's 2005 Mavis Doyle award, a general excellence prize for reporters.