Teachers, Trainers, and Educators

January 27, 2020 • Monica Todros

Our guest this week is Jeremy Blackthorne, president of the Boston Cybernetics Institute. They provide a variety of cybersecurity services, and our conversation focuses on their unique approach to training, specifically for members of the U.S. military.

Jeremy served in the U.S. Marine Corps, and we explore the advantages that provides when approaching both training and operational security issues. We’ll get his take on threat intelligence, as well.

This podcast was produced in partnership with the CyberWire.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone and welcome to episode 143 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.

Our guest this week is Jeremy Blackthorne, president of the Boston Cybernetics Institute. They provide a variety of cybersecurity services, and our conversation focuses on their unique approach to training, specifically for members of the U.S. military.

Jeremy served in the U.S. Marine Corps, and we explore the advantages that provides when approaching both training and operational security issues. We’ll get his take on threat intelligence, as well. Stay with us.

Jeremy Blackthorne:

I guess I would start, one of my most defining parts of my career was when I joined the Marine Corps. So I served in the Marine Corps 2002 to 2006 and then afterwards, undergrad, graduate school, and then doing research for MIT Lincoln Laboratory. After Lincoln Laboratory, a small group of us left and we started a company called the Boston Cybernetics Institute.

Dave Bittner:

So what sorts of things do you do there?

Jeremy Blackthorne:

We started BCI to be a training company specifically to support national defense. So our mission statement is to promote and provide education and training in support of national defense. We started this company because of what we saw at MIT.

We did research in support of defense, so we worked with a lot of military and intelligence sponsors and very talented people at Lincoln Laboratory and our job was specifically to assess the security of these government systems. So we were tasked with finding the weaknesses, exploiting them, and then recommending how we could best fix them.

But one of the things that we noticed was in many systems we could get to, for every one system that we could assess and help out, there was a hundred systems we never could and we noticed that if we really wanted to support national defense and to really make a difference, make a big impact, we had to be a force multiplier, to borrow a term from the military. We had to make more people like us so that the U.S. could have the amount of expertise that we think it needs. So that just, it felt like an obligation for us. It was our duty to leave Lincoln Laboratory and try to do something about the problem that we saw.

Dave Bittner:

So how do you go about doing that?

Jeremy Blackthorne:

Well, just put simply, we teach. We’re teachers, we’re trainers, we’re educators, we’re mentors, we’re coaches.

We have a classroom located next to Harvard University in Harvard Square and it can hold up to 50 students and so many military and government sponsors will fly to us and we will do training here and we’ll do training in topics in cybersecurity.

Our specialty is assessing the security of embedded systems, or … You might think of the Internet of Things as how we know it in the commercial sector. So we teach them how to analyze and take apart these systems or the jargon term for that would be reverse engineering.

So you start with a final product and then you take it all the way back to its original design and in doing that, you develop intimate knowledge of how the system works and sometimes how it’s not supposed to work. By training the military to understand their own systems in great detail, they can find the vulnerabilities in those systems and then try to address those.

So that’s what we do. We do research, we innovate here, we try to always push ourselves and then we try to quickly pass that on to the government to try to empower them to be self sufficient. We don’t really want to be a bottleneck or like a sole provider of this expertise, but rather empower the government to be self sufficient and we try to do that one student at a time.

Dave Bittner:

What is it about the military in particular, where is it from a cultural point of view or from a practical point of view, that they find themselves needing the types of services that you provide?

Jeremy Blackthorne:

Well, the military has a long history in our country but they do not have a long history in cybersecurity or cyberspace. The U.S. military was definitely part of creating the internet with the ARPANET, but as of recently, I would say that the commercial sector has taken off and now the military is catching up with the expertise in the commercial sector and there are a lot of solutions, a lot of companies in the commercial sector where they’re selling products or they’re selling commercial training. But a lot of it is cost prohibitive to scale to the national scale and so what we try to do is, we try to be the solution that does not exist, that we did not see existing while we are at MIT. That cost effective, efficient, elite tier of cybersecurity, cyberwarfare training.

So that’s what we provide to the military and so far they think we’re doing a good enough job. They’re keeping us around. We’re now entering our third year of training for them and we expect to keep going and keep growing.

Dave Bittner:

Yeah, it seems to me like you have, with your experience, you have the ability to crossover between knowing how things work in the military with your experience in the Marine Corps. So, being able to speak that language, knowing the local lingo if you will, but also having been on the outside to serve as sort of a translation layer for the folks who are still in the service.

Jeremy Blackthorne:

Yeah. That is a huge advantage that we have and I’m not the only veteran that works at our company, we try to tap into that veteran knowledge, that cultural awareness, to best train the military and I think that’s a big distinguishing factor that we see from other commercial training providers.

So a lot of the commercial training solutions are born of an IT enterprise background where they’re trying to certify networks and be compliant and the military, it does have those requirements but also needs to push to be better. So the military is very much about committing violence through cyberspace and these are the same types of life and death decisions that the military has to make in the physical space, the air, land, and sea, and now they’re being tasked to do it in cyberspace.

So having a background from the military where we were trained in that same mentality to always push ourselves, the discipline, the teamwork, the leadership. So those are all themes, constant themes of our training. We’re not just technical trainers, but we have to train people and your team, and what happens if this person’s no longer available? It’s not about job security. It’s about, like, if this person isn’t available, you have to be, you have to have redundancy in your team because in military situations people can go down or be no longer available. So we always try to tap into the cultural awareness, the severity of the decision-making and try to train all the technical topics.

Dave Bittner:

Can you give me some insights in, what are the spectrum of, levels of expertise of the people who come to you and how do you calibrate your training to meet them where they live?

Jeremy Blackthorne:

That’s a great question. So as teachers, we are always aware that we’re teaching to a variance of backgrounds. So in our classroom, we’ll always walk before we run and that makes sure that we capture the entire student body. But then we always have exercises that will quickly ramp up to the deepest expertise possible. So putting it shortly in our classroom, we say no one will ever be bored in our classroom. If you come in here an expert, we have challenges that … We have weeks of material prepared for a one day class because if that person does come in and they’re ready and they’ve seen it before, I’ll walk around the room and I’ll say, “How’s exercise number three?” And they’re like, “I’m on 19.” I was like, “Okay, well let me know when you’re on 20 and let’s keep it going.” I cannot, their time is so valuable, I can’t afford to waste it.

So we always make sure that a range of exercises are immediately available, so if somebody does finish an exercise, they immediately go to the next one. They don’t wait on us because we are, like I said before, we are as much coaches as we are teachers. So we will not be a bottleneck to their talent and their drive. We will always be empowering them to push themselves further.

Dave Bittner:

What sort of feedback do you get when the classes are over and it’s time to send these folks back to their military missions, what sort of feedback are they sharing with you?

Jeremy Blackthorne:

Well, I am proud to say that our feedback is overwhelmingly positive and that’s just because before we were good teachers, we were bad teachers and we learned in the classroom and we’ve been teaching for several years now, starting in college and now moving to the private space of the military. But some of the feedback they have is we need to get our whole unit in here or can you come deliver a more advanced training? What’s your availability? They do latch onto the teaching techniques that we use and that’s because as we’re going we’re teaching.

Sometimes I’ll pull back the curtain and be like, this is why I introduced it this way. Or this is, you know, I don’t know if you noticed this, but I actually dimmed the lights when you’re training and what I want you to break, I raise the lights as sort of a nonverbal communication to calibrate your mindset to where I need it and that shows up sometimes in our teaching reviews, which is just a good feeling for us that they’re responding well to the teaching techniques, to the training techniques. Usually they’re just grateful and they want to learn more.

But I guess if you want a more unbiased answer we’d have to point you to the military units instead of taking our word for it.

Dave Bittner:

Sure. Fair enough. Fair enough. I do want to talk some about threat intelligence, which is our focus here and I wanted to get your insights on where you think threat intelligence fits in to the folks who are out there defending us in the cyber realm.

Jeremy Blackthorne:

So I think about threat intelligence in terms of a spectrum of changing information. So starting at the bottom where the information changes the least, you have the fundamentals of computing and you have the limitations and you have what is a computer program and these are the fundamentals. These things haven’t changed in tens of years or even going back to like the 40s and 50s when computer science was first coming about.

So that’s on one end of the spectrum and you need to know those things and you also need to know like moving up the spectrum as the information changes faster, you have things like operating systems. So like you learn the latest Windows. Now in five years, that information won’t be as relevant, but you still need to know that information and there’s a quick turnover.

Then I think of intelligence, and then I think that’s the information that helps make decisions that’s turning over the fastest. An attacker uses a technique today and that technique gets burned and distributed and then tomorrow they’re using a different one. So it requires a much quicker turnaround cycle in terms of managing that knowledge.

So that’s another military phrase I guess is probably used in a lot of places but knowledge management. I think of, in terms of threat intelligence, you have to have a well-lubricated, efficient knowledge management mechanism. You need to be bringing in the information, distributing it to the decision makers who can then review it, make decisions back on it and then feed it back into the system.

So it’s just one continuing spectrum of knowledge that people are trying to use to their advantage to make decisions in cyberspace.

Dave Bittner:

A phrase that we use a lot here, it comes up over and over again is actionable intelligence, that transforming information from just information to intelligence. I would imagine that plays a big part in the work that you do there as well.

Jeremy Blackthorne:

Oh yeah, absolutely. So, I mean, we can teach the fundamentals all day, but if there’s too much of a gap between what the student learns in the classroom and then what they have to apply when they’re on mission or are at their job, then we’re setting up an undue burden on them.

So when we think about intelligence, the latest tactics that are happening, we have to bridge that gap for them. So when we teach an exercise and we talk about the fundamentals, we say this is how this fundamental is manifesting itself in the last six months. Let’s look at how this country is attacking this country and let’s understand it through the lens of the fundamentals, but then also understand, look at the latest style and nuances of how it’s being applied.

So we put a big emphasis on trying to stay up to date and staying relevant and closing that gap between the unchanging tactics in cyberspace and then the latest style, the latest trend that’s out there.

Dave Bittner:

What sort of insights can you share with us in terms of the experience coming up through the military itself and I’m thinking about those folks out there who might be considering a career in cybersecurity and a path through the military might be one of the options for them. Do you have any insights to share from that perspective?

Jeremy Blackthorne:

I guess I would have a few insights. So I would start off by just saying that I was not in cybersecurity while I was in the military. I was actually a rifleman and scout sniper in the Marine Corps. So the specific domain expertise has not helped inform me in my current duties but rather more of the mindset, teamwork, leadership, discipline, all those relevant things. So that’s what I try to bring into the classroom and how we train units now.

But for people who are considering joining the military to do cybersecurity, I would say that it is a great place to do cybersecurity. The number one thing I would say is purpose. You’re defending our country, you’re defending our way of life and anybody who watches the news knows that our way of life is not guaranteed. It requires a sustainable investment by citizens.

So I would say if you’re looking for a purpose and you don’t want to be just securing an infrastructure to put out a product by the holiday time, or you don’t want to sell ads, then you know the military, there’s no shortage of purpose there.

I would also say a big draw for joining the military for people who want to learn things in cybersecurity is the ability to master your craft. So we talk to the military units a lot and they’re pushing for things far beyond compliance. They don’t need to be, they don’t have to reach a minimum threshold of competency. They have to be the best in the world at what they do. Or sometimes what I jokingly say, you have to be willing to dominate. You have to be competitive because there’s people out there that they’re training when you’re sleeping. There are teams set up that live and breathe to tear down what you built and so if you want to master your craft, then the military is making the investments in their personnel to be able to master their craft.

So those are two big draws for me and that’s what I would communicate to anybody who’s considering joining the military for cybersecurity.

Dave Bittner:

You know, it’s really interesting the insights that you share. I mean I hear many times from folks I talk to who have military experience, that one of the things that sets them apart is the amount of resources that they are willing and able to expend on training, on getting people up to speed from the most basic fundamental levels up through and including expertise and a lot of organizations in the private sector are either unwilling or unable to do that.

Jeremy Blackthorne:

Yeah, I’ve definitely heard both sides. I’ve heard too, the private sector, you look at like the top five banks. They’re investing a lot. I look at other commercial entities and their security is just a function of how much are they willing to lose this year based on breaches? There’s no ideals involved, it’s just a profit loss trade-off.

Then I look at the military and I’ve heard both on that side. I’ve heard some units they’re screaming for more training. They want to be better and the military is, they’re moving as fast as possible but they’re a big machine. So some units are still going through growing pains and there’s other units that are leading the way and they’re getting as much training as is needed.

When I think about the military and just training in general, they are a training organization. They take millions of people and they turn them into proficient experts in their individual domains, whether it be with a rifle or with a computer.

So as far as large scale training, the military is the best, or one of the best, and they’ve been doing it for hundreds of years. Whether it’s how to eat, sleep, walk, march, shoot a gun. Or it’s going to be, how to think about ones and zeros and how to use those ones and zeros to your advantage.

Dave Bittner:

Our thanks to Jeremy Blackthorne from the Boston Cybernetics Institute for joining us.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes Coordinating Producer Monica Todros, Executive Producer Greg Barrette. The show is produced by the CyberWire, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.

New call-to-action

Related Posts

Defending MacOS Against Sophisticated Attacks

Defending MacOS Against Sophisticated Attacks

August 10, 2020 • Caitlin Mattingly

Our guest today is Phil Stokes He’s a security researcher at SentinelOne, where he specializes in...

Making Security Real in the Context of Business

Making Security Real in the Context of Business

August 3, 2020 • Caitlin Mattingly

Our guest today is Shamla Naidoo, a managing partner at IBM Security With a career spanning over...

Ransomware Negotiations and Original Hacker Culture

Ransomware Negotiations and Original Hacker Culture

July 27, 2020 • Caitlin Mattingly

Our guest today is Sherri Davidoff She’s the founder and CEO of LMG Security, a cybersecurity and...