Protecting Missiles From Malware

Posted: 6th August 2018
By: AMANDA MCKEON

Raytheon is one of the largest defense contractors in the world, with over 60 thousand employees and annual revenues near $25 billion. They’ve been in business for nearly a hundred years, with humble beginnings in vacuum tube manufacturing, RADAR systems and microwaves during World War II, and post-war expansions into everything from missiles and aircraft to refrigeration and robotics.

Our guest today is Michael Daly, chief technology officer for cybersecurity at Raytheon. He shares his experiences spinning up a cybersecurity team at Raytheon, the challenges of doing so within such a large organization, and the importance of a strong corporate culture to ensure safety and security.

This podcast was produced in partnership with the CyberWire.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and thanks for joining us for episode 68 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.

Raytheon is one of the largest defense contractors in the world, with over 60 thousand employees and annual revenues near $25 billion. They’ve been in business for nearly a hundred years, with humble beginnings in vacuum tube manufacturing, RADAR systems and microwaves during World War II, and post-war expansions into everything from missiles and aircraft to refrigeration and robotics.

Our guest today is Michael Daly, chief technology officer for cybersecurity at Raytheon. He shares his experiences spinning up a cybersecurity team at Raytheon, the challenges of doing so within such a large organization, and the importance of a strong corporate culture to ensure safety and security. Stay with us.

Michael Daly:

I started in the business in the mid-’80s, working for a private security company that did electronic security surveillance and monitoring, and they did the whole guns, guards, and dogs piece as well. I eventually took over the monitoring center for that operation and got into doing software and other kinds of security work that you now call cyber. After that, I went to work for the federal government in the FDIC. That was during the banking crisis of the … I guess it was the late ’90s, mid-to-late ’90s, when we had the Resolution Trust Corporation spinning out and coming back with the savings and loan crisis.

So, I did that for a number of years, and then I came to Raytheon in 1996. Around 1998, I had an opportunity to start up the first IT security practice at Raytheon as we were merging together Hughes, Texas Instruments, E-Systems, and AlliedSignal, and then, of course, classic Raytheon that I belonged to. I set up a security practice for that merger of companies. Then, in 2011, I came to the intelligence business unit to help put together our externally facing cyber business, which we call Cybersecurity and Special Missions.

Dave Bittner:

Back when you were spinning up that first organization within Raytheon to handle cyber, what was the situation then? What was the environment that you found yourself in?

Michael Daly:

Yeah, it was not a sophisticated landscape at the time. Security, at that time, meant things like antivirus. The task, at that time, was to start standing up an array of services to provide them as, essentially, a shared service across the company, and then establish the policies that all of the different parts of this new Raytheon would follow. That included acceptable use policies, what is encryption, what is authentication, what’s required and not required, and you know, that kind of thing. It evolved over time to include insider threat monitoring and standing up a 7-by-24 monitoring center and Active Directory, and LDAP, and all of that other good stuff, and consolidated internet services for the company on a global scale.

Dave Bittner:

Yeah. I guess one of the things about Raytheon, certainly, is the scale of the company. I mean, you have this longtime legacy on the defense side making missiles and things like that. I mean, how did that legacy within those organizations inform what you were doing on the cyber side?

Michael Daly:

Yeah, we had very smart engineers all across the company who had done what we now call cybersecurity, IT security, information assurance. There were a lot of different names moving around at the time, but they’re very smart engineers who had done that in different pockets, either for top-secret enclaves or for collaboration environments in which, maybe, satellite data is streamed down and distributed to multiple parties. We actually picked up the BBN group out of Cambridge who actually invented the first IP router. They put the “@” sign in email. They’ve done other things. We had quite an array of very, very smart people to help us think it through. So yeah, we had good resources, but what we didn’t have as a company was a unified practice and policy at the enterprise level, which was really required, in my view, to get the company working together and ensure that we really did have coverage because not every place within Raytheon understood IT security. We were basically an arm for sharing knowledge across the enterprise.

Dave Bittner:

What was the process there? I mean, I can imagine — again, with the scale of the company, the size of Raytheon — you’re going to have a lot of people who did things the way that they’ve always done it, and with your task of establishing standards within a company of that size, I imagine that was no small task.

Michael Daly:

No, that was very contentious at times. The way we accomplished it was by standing up committees and councils, you know, councils above committees, and making sure that all of the stakeholders were engaged. We did it by actually establishing services rather than trying to just push policy. I think a lot of folks will do it the other way around, but by doing it as a service offering where you can do it better, faster, and cheaper than it could be done in the business, you get that additional business lift, and so leadership gets behind it and says, “Well, why am I going to pay for my own smaller internet circuit that costs me much more and is less secure, when I can just subscribe to the enterprise one and pay a lot less and get better service?” We were driven to always be better, faster, and cheaper in order to drive adoption.

Dave Bittner:

Yeah, that’s a really interesting insight. So, you had support from above. Then, was it a matter of going around and making your case with organizations around the world that, “Hey, we’re offering these services for you and here’s why you should join us”?

Michael Daly:

Yeah, that’s exactly right. I had some groups that were eager to jump onboard. They saw that vision. Then, there were other groups that resisted and needed to be convinced. So, metrics became important. Showing that, well, the patching level of the rest of the company looks like this. The patching level in your organization looks like that. The speed of the internet for each individual user in the rest of the company is so many bits per second, and your people are only getting this much, and so on. Number of infections and all kinds of other metrics, and that helped drive adoption because it became harder for the leaders of those organizations to get behind them, being a one-off standing on their own.

Dave Bittner:

In terms of where we stand today when it comes to the air, space, and defense industries, what is the view that you have? Specific to those industries, what’s your description of how things stand when it comes to cybersecurity?

Michael Daly:

The large organizations, the primes … We’ve all been working together really well since around the 2004 timeframe when China had stepped up its attacks and become much more covert. We saw that happening and decided we needed to collaborate to combat this more advanced threat. The big primes, I think, are doing well and have helped establish standards and guidelines for the industry. The small and medium enterprises that are in the defense sector are coming along, and I think are being helped by the recent changes in the DFARS. I think they’re being helped by other efforts that … For instance, we stood up an organization some years ago, actually around 2002, called Exostar, which was a business-to-business exchange. I mean, it is. It still exists. Within Exostar, we actually set up some cybersecurity checklists and so on so that the small and medium enterprises can actually do a self-attestation as to how they’re performing, and then they can be directed to go and get professional help if they think they’re falling down in certain areas. By and large, the defense industry is doing well, but it’s still very highly targeted, more so at the small and mediums than at the primes.

Dave Bittner:

When you say targeted, what exactly do you mean?

Michael Daly:

Targeted by nation-state adversaries. Targeted by … I’ll say, disgruntled organizations around the world that are upset at defense companies. They want to cause harm or steal information, or otherwise disrupt that supply chain to the U.S. military or others, or our allies and friends around the world, because all of these businesses are global enterprises. So, they’re targeted not just in the United States, but also where we do business around the world.

Dave Bittner:

Now, is there a difference … When you compare the types of things you do versus, say, the private sector, what are some of the differences there? Is there a difference in velocity or are you able to get things done more or less quickly? How does it compare?

Michael Daly:

Most people think of the defense sector as not being nimble.

Dave Bittner:

Right.

Michael Daly:

That’s because we’re large and we have more requirements laid on us — not just in procurement — which is a thing. There are requirements for us to make sure that we partner more broadly than a private sector that can partner with whoever they want. We have to bring in small and disadvantaged organizations. We might have to bring in a company that is working in one part of the company versus another, so we have those obligations. We also have security obligations that are above and beyond what most other businesses have to comply with, although health has HIPAA. The financial sector has Gramm–Leach–Bliley, and so on.

Everyone has their rules, but the defense sectors are very rigid because we’ve been attacked so regularly for the last … Nearly 20 years. To that end, yeah, it’s harder for us to be as nimble as an organization that can just do anything that it wants. With that said, we have been working very hard to establish common infrastructure in our businesses, and we have, within our company, a group called Global Business Services — GBS — that helps provide that infrastructure to our entire company and to make it easy for the employees to just do the right thing, get their job done, and meet all those requirements. To that end, I really don’t feel like we are a lagging industry, but more a leading industry in being responsive.

Dave Bittner:

Yeah, I mean, that’s an interesting insight. I think one of the things that it kind of brings up is this notion of your responsibility, of removing the friction that folks just have work to do every day, and if you get in the way of them doing that work, that’s where they start to come up with workarounds that might make everyone less safe.

Michael Daly:

Yeah, and that’s dead-on right. In fact, that’s part of our mantra of, “Make it easy for the users to do the right thing.” When I said earlier, about instead of trying to just push down standards and practices and all that, and then punish people for doing the wrong thing, we were tasked with establishing services that simply do it the right way and do it better, faster, and cheaper. So, that’s been part of our DNA, if you will, in the Raytheon IT security function, from its founding.

Dave Bittner:

Now, how do you break down the tasks that you need to do? With a company as large as Raytheon, you have tens of thousands of employees worldwide, billions of dollars in revenue. When you come into your office in the morning and have to prioritize the things that you’re working on, where do you begin with something of that scale?

Michael Daly:

My role now, as a chief technology officer, is to help shape our customers, help find solutions for them, and make sure that when that procurement they’re going to issue two years down the road, when that comes forward, that there are solutions in the industry to meet those needs. So, my priorities flow from, first and foremost, trying to connect with customers to understand their needs, to help them understand where technology is going, and the art of the possible. So, that’s always my first priority, and then you mentioned this whole idea of the process and how defense companies have a lot of checkboxes to hit, so that’s a second priority that I have to follow. We have a lot of what we call “gate reviews.” Those things get fixed on the calendar. Usually, it’s certain times of the day, regularly, and we have to go through those gates to make sure that the programs we’re moving out follow those rules.

Dave Bittner:

Now, I want to touch on threat intelligence, which is a topic that we discuss here regularly. What is your take on that? What part does threat intelligence play in the work that you do and the services you provide for your customers?

Michael Daly:

Internally to Raytheon, threat intelligence is critical because we are targeted, but the threats are changing on a regular basis. You can’t put infinite resources at this problem, so you have to know where to invest, and that’s what threat intelligence helps us do. It tells us that threat adversaries are using these new techniques, that they are going after specific lines of business, that they have collection requirements, that they may have gone after peer organizations, whether it’s part of our supply chain, or maybe our legal community. They often target legal organizations and so on, so that helps on the internal part of Raytheon. For our customers, Raytheon is a provider of managed security services and other types of engineering services. So again, we use threat intelligence there to support our customers that are subscribers of our managed security service. We even use it in our engineering so that we can stay ahead of the threats and understand what types of services to build, what types of products to build to help meet those challenges.

Dave Bittner:

For those of us who are on the outside — you know, the civilians, more on the civilian side of things — from the point of view of a major defense contractor like Raytheon, what are some of the things you wish we all knew about cybersecurity, about the work that you’re doing? Are there any common misperceptions when it comes to companies like yours?

Michael Daly:

Yeah, I think that the bigger misconception is that cyber really just affects PCs and phones. Cyber is broader than that, and that’s why people changed the term from IT security to other things. Cyber is about all of the electronic devices that are floating around in our homes, of course, but also in our critical infrastructure, so that’s water, and power, and other environments like that. It’s medical care. Then, when that comes to things like your defense and intelligence organizations for your nation, well, those organizations have all of those types of components themselves. They have military devices that have all of those types of electronics embedded in them, and they’re dependent on a supply chain that has all of those types of electronics. Cyber is a much broader landscape than, I think, the average person gets exposed to, and it’s hard to comprehend, even for professionals, all of the interconnections between those which are threat factors.

Dave Bittner:

Yeah. I find the whole thing fascinating. When you think about the product development cycle on some of these things, something like a Tomahawk missile or something like that, the things that you all manufacture and are responsible for from the planning, to the design, to the funding, to putting it out in the field, and then how many years that device will be in active use, that is a long timeline when it comes to the electronics within it, the brains within it. That’s something that you all have to have a handle on.

Michael Daly:

Right, and even from before it was manufactured, in a sense, because of the components that we’re going to buy, whether they’re integrated circuits, or cabling, or other things that go into it. Right? We have to understand the provenance of those and make sure that they are properly secured. Then those get integrated, but there are manufacturing machines that are part of that chain, and those we need to make sure are secured, and hardened, and not going to go out of tolerance because somebody wanted them to go out of tolerance, and so on. And then, when it gets fielded, there’s a wide range of support services that need to be provided, and those can become threat factors. If you need to update a system with new software, you know the classic case of that USB stick being inserted into a management port. We have to make sure that that management port is screening out unintended effects.

Dave Bittner:

Yeah, it’s an interesting thing to think about. I mean, obviously, we talk about IoT things — the internet of things — but you all have been in the business of making and deploying things around the world for decades. But the things that you have perhaps have different consequences than me with my security camera keeping an eye on my backyard.

Michael Daly:

Yeah, yeah. We worry about air traffic management, nuclear safety, kinetic weapons, and so on. So, yeah, the bar is pretty high for us, and we take it extremely seriously. It’s a part of the everyday of a Raytheon employee. You can’t walk down the hall without walking past many different posters. You can’t walk into the cafeteria without a brown bag lunch going on that talks about mission assurance and doing the right thing.

Everyone goes through hours and hours of training every year online, in classrooms, beating that into everybody to make sure our culture is unified, especially as we rotate new employees in who maybe worked in a different type of environment. Maybe they were used to using different kinds of collaboration tools with external parties, so they’re like, “Oh, well, I can go get the answer from over there.” Well, before you go and talk to somebody on the outside about this, we don’t want to start passing information inappropriately, so we have to educate everybody that maybe their style of business has to change a little when they come to our company.

Dave Bittner:

Our thanks to Michael Daly from Raytheon for joining us.

If you enjoyed this podcast, we hope you’ll take the time to rate it and leave a review on iTunes. It really does help people find the show.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner. Thanks for listening.
