ACDS's Jim Morgan Interviews Forge Institute CEO, Lee Watson
LEE WATSON’S LINKED-IN page lists his occupation as “serial entrepreneur/innovator,” and indeed he has tended to be wherever the action is, be it as CEO of his own software company, Founding Champion of Startup Arkansas, co-founder, director, and former head of the Venture Center, or as a member of Governor Hutchinson’s State Computer Science and Cybersecurity Task Force. With cybersecurity such a hot topic—and cybersecurity expertise such an in-demand skill—it’s no surprise that Watson’s Forge Institute is partnering with ACDS to conduct cybersecurity apprenticeship programs in both Little Rock and Northwest Arkansas. We asked Watson to tell us about the apprenticeship classes, starting with cybersecurity in general.
How did you become so interested in cybersecurity?
I kind of backed into it, in a way. In college, at UCA, I studied business and marketing, and when I graduated, I started a software development company. Later, when I was running the Venture Center, we hosted a cybersecurity innovation event—a hackathon—once a year. And we were getting a lot of participation from the local hacker community, and also from the business community. And having a software development background, I have a bit of experience in that. So as we were looking into cyber more, we were seeing trends about how the significant threats are getting worse. More internet-of-things or IoT devices are coming online, making cybersecurity more hairy and more complicated. And it just felt like there was an opportunity to build some capability in Arkansas to meet this challenge head on. So we started Forge Institute in 2018. And now we're building a public/private partnership to address what we call the more serious threats in cybersecurity.
A few years before Hurricane Katrina, former FEMA Director James Lee Witt was asked to name his worst disaster fear. "Category 5 hurricane hits New Orleans," he said. So what’s your greatest cybersecurity fear?
Cybersecurity has evolved into information warfare. We’ve all read about election interference, and if you go look at social media, you can see some interesting examples of what our adversaries are trying to do to us. There are governments out there that have lots of people and lots of resources training all the time about how to muck around with our stuff. And we don't have a lot of people or an endless amount of money training all the time to combat that.
You mean Forge Institute, or do you mean—
The U.S., I mean the U.S.—federal government, state governments, and industry. If the adversary is training all the time to mess with us, we better be training all the time to defend against that.
There are so many different possible careers in IT—is there a certain kind of person who gravitates toward cybersecurity?
Cybersecurity touches so many different things that there are opportunities for lots of different people to be involved in different aspects of cyber. Generally, though, people who have an inquisitive mind and are self-learners perform better because they're more interested in digging into a computer or a system and looking for where those vulnerabilities might be, what the adversaries might be up to.
And by “adversary,” I mean even an insider threat. Somebody who works for the organization—and even without malicious intent—can, through their own behavior or lack of knowledge, contribute to a cybersecurity problem. Take thumb drives, for example. Thumb drives are very convenient, but usually convenience opens up more opportunities for risk. Just taking a thumb drive and going to your printer or your scanner and then going back to the computer creates an opportunity for stuff to go wrong.
From an overall adversary perspective, it's nation states, organized crime groups, the one-off hacker trying to prove something or see what they can do. And besides the insider threat of the person who’s just making a mistake, you’ve also got the manufacturers of software, computers, and components—the supply chain risk. When you have folks building microchips or producing operating systems of software, if they're not fully assessing the gaps, the vulnerabilities, or the risks of the systems they're building, then they’re just creating more opportunities for somebody to take advantage.
Are you a cybersecurity expert yourself?
Absolutely not. And I don't think very many people are, because cyber is such a complex integrated system of systems you really need to bring people together with expertise in different areas. It takes a team.
How do you keep up? How do you or those team members you bring in stay on top of a field that is constantly changing?
So again, there are a lot of different pieces of cybersecurity, and where Forge Institute is focused is on combatting more advanced or serious risks or threats. The U.S. cyber community predicts a deficit of skilled cybersecurity professionals by 2021 of 3.5 million folks. And that's next year. That's the gap, and that gap is going to increase as we talk about 5G, internet-of-things, artificial intelligence, information warfare—all of these fun, interesting advances in technology.
This seems like a good spot to ask about Governor Hutchinson’s new Cybersecurity Education Task Force, of which you’re a member. What’s the goal of the Task Force, and how’s it going?
Members of the task force—which is composed of leaders in education, industry, and government—will be assessing the state’s computer science and cybersecurity education programs and will make recommendations for continuing and enhancing the progress we’ve made in computer science education over the past five years.
Arkansas is in a unique position because Governor Hutchinson serves as the co-chair for cybersecurity for the National Governors Association. He's also co-chair of the Counsel of Governors, which advises the president and the national security community on national security issues as they affect the states. Because of the governor's leadership in these areas, Arkansas is really poised to learn from other states and what they're doing in cyber, but also maybe take a step or two forward.
I think an example of taking a step forward is the governor’s and the administration's commitment to coding, the first coding initiative, and now the second one—expanding the coding initiative in K through 12 beyond computer science and into data science and cybersecurity. I’ve been in meetings with people from other governors' offices, and they're intrigued as to what Arkansas is doing. And some of them seemed to feel a little challenged, and I think that's okay.
Okay, tell me about your cybersecurity apprenticeship program, which is going on now in both Little Rock and Northwest Arkansas.
For all the reasons I’ve mentioned, we've got to get more people into the cybersecurity profession. The apprenticeship program and the training that goes along with it is a perfect onramp for somebody with some amount of IT background to get in and learn the full plethora of what cybersecurity is, so that training is really an inch deep and a mile wide. And then from that, they can see where they want to specialize and go get additional, deeper training.
There's been a lot of interest, especially because of the support that ACDS provided—more than 200 people applied for the cybersecurity bootcamp program, and that was significantly from Arkansas, but also from coast to coast. The folks that are taking our training program are already employed by Arkansas employers, and the companies range from managed service providers that are assisting doctor's offices and clinics and law firms, all the way up to Fortune 500 companies within the state.
So there’s significant demand both on the employer side and the apprentice side. There are roughly 1,400 open cybersecurity positions in the state of Arkansas, and that's just the ones we can count. Then you have all these people who saw that ACDS job posting and said, "Hey, I want to do that." What's interesting is that these are folks who graduated with a computer science degree. They may have worked for 12, 15, or even 20 years in industry and now they want to move into cyber. Many of them come from the military or have data science backgrounds, and they want to apply that skillset to cyber. So it’s a very, very interesting applicant pool.
How many apprentices do you have?
We limited this bootcamp to 10, which is probably good since this is the first one and we’re learning how to put all the pieces together. We have nine instructors, which is great because the curriculum is broken into 12 modules, so the instructors are subject-matter experts in the modules that they're teaching. It starts with learning about operating systems and networking. Then it moves into more advanced things, like firewall settings, network management, encryption, and the ever-popular red-teaming and blue-teaming and purple-teaming.
What does that mean?
A red team would do penetration testing—that’s where they try to get into systems in order to see what doors are left open that should be closed. It’s not hacking, but assessing risk. Blue teams build defensive capabilities and purple teams engage back and forth to develop greater resiliency of the computers, networks, and systems they manage.
In addition to the instructors and the classroom aspect, we've built an incredible cloud-based simulated training environment. Using our cloud platform, students are able to get on keyboard in a simulated computer or network environment to learn red and blue team TTPs (Tools, Techniques, and Procedures). It's an incredible way to gain experience and it’s scalable—we can support hundreds of thousands of simultaneous students training.
Where do you find your experts?
Arkansas has a pretty strong cyber community. If you look at the professionals that work in regulated industries, like the electric grid sector, the banking sector, or just the large enterprises including the telco sector, they've got some good expertise. Arkansas is also blessed with some pretty interesting military missions. They bring in some really smart people from around the country and they train constantly.
You mean like the Little Rock Air Force Base in Jacksonville?
Yeah, and there are some other bases in the state too. And they bring in some smart people to do interesting things.
This is beginning to sound like one of those interviews in which you can’t really tell me anything.
Let’s just say that if you look at critical infrastructure, at threats to banking or the electrical sector, it's all similar, and everybody needs better, constant training. And besides the straight cybersecurity education, cyber professionals need to have an operational mindset, so that they know how to react in a situation. They might not have all the answers, but they know where to find the answers. You can't prepare for every situation, so you have to have that mindset: "All right, I don't know exactly what to do, but who do I need to call?"
Sometimes it's that simple. And that’s a good point because it draws the distinction between what's information technology and what's cybersecurity. And it correlates back to the notion of needing to be trained because the adversaries are training to mess with us. And so cyber, real cyber, is a mindset of what are the things you need to do to defend your system against people who are trying to leverage everything in their toolbelt to get into that system.
Are they mostly looking for information?
Nation states, organized crime, and other bad actors are constantly looking at ways to take advantage of vulnerabilities, steal information, or potentially cause harm.
Sounds to me like your apprentices are older than the normal ACDS apprentices.
You know, we have a really good bell curve. We’ve got some people who are fresh out of school, all the way to some folks who’re closer to retirement, but they want to get into cyber and do that for a little while. We have some former government operators, people from pharmaceutical backgrounds, retail experience, healthcare.
There's an electronics technician who used to be in the military. There are database administrators who have been doing database administration for 20 years. So it's a really good mix of different ages, experiences, backgrounds, industry. And they all come with really great perspectives to share with the rest of the cohort.
Another good thing is that a lot of this kind of work is getting outsourced these days, so the companies involved in this apprenticeship program are forward thinking: Let's retrain some of the people that are already onboard and see where their strengths may be around cybersecurity. And that's great for the employer because these people already fit into the company culture. They're already a part of the team. So I applaud the private sector leadership in the state, the people who run these companies, for seeing the value in their employees, and for giving them the time and paying the expense of putting them through this training. I’d also thank Mr. Cody Waits, Director of the Office of Skills Development in the Arkansas Department of Commerce, for making some partial tuition reimbursement funds available to eligible Arkansas employers to help retain and grow these cyber (high paying knowledge) jobs in the state.
One final question: What's the hardest thing to teach?
Curiosity. You can teach the technical skills all day long, but if someone isn't a self-learner, if they don't have a curiosity to go dig into something deeper, you can't wave your hand and provide that. If somebody comes in with those characteristics, then they do exceptionally well in the training.