Marcus Fowler is Director of Strategic Threat at Darktrace. Before joining Darktrace in 2019, he spent 15 years at the Central Intelligence Agency (CIA) developing global cyber operations and technical strategies. He has led cyber efforts with various U.S. Intelligence Community elements and global partners and has extensive experience advising senior leaders on cyber efforts.
Fowler was a Department Chief and Executive Leader for one of the CIA’s largest departments, where he led hundreds of officers. He served as the subject matter expert and senior representative to national security data and cyber policy and strategy discussions. He also led a significant multi-million-dollar budget focused on combining innovative data exploitation techniques and also drove the development of complex engineering solutions, specialized tool development, new data science applications, and private sector and foreign partner outreach. He is recognized as a leader in developing and deploying innovative cyber solutions.
Prior to serving at the CIA, Fowler was an officer in the United States Marine Corps. He has an engineering degree from the United States Naval Academy and a Masters’ Degree in International Security Studies from The Fletcher School. He also completed Harvard Business School’s Executive Education Advanced Management Program.
In an exclusive interview with Augustin Kurian from CISO MAG, Fowler talks in detail about his journey, his time with the CIA, the evolution of cyberattacks, and a bit about the cybersecurity of elections.
Edited excerpts of the interview follow:
You started your career with the United States Marine Corps, and you were the Company Executive Officer. Following which you had a brief stint in Celixir. You then served the CIA for nearly 15 years before joining Darktrace. Tell us more about your journey.
Security has always been present in my professional interests and career. While attending the U.S. Naval Academy, I was drawn to the Marine Corps and the force protection and security missions it conducted. As a Marine, I had the opportunity to serve as the Executive Officer of a Security Forces Company responsible for the physical security of sensitive sites. I was also stationed overseas in Italy when the USS Cole terrorist attack in Yemen occurred. I was quickly assigned to assist in standing up Port Vulnerability Assessment Teams designed to forward deploy ahead of ships coming to port and work with the local Embassy and police forces to evaluate the overall port security.
This experience led me to get a Master’s degree focusing on international security studies and finally to the Central Intelligence Agency. It was during the early days at the Agency that I started to gravitate towards mission areas that allowed me to run teams focused on developing and deploying emerging technologies to maximize mission impact, specifically around cyber and big data.
I wouldn’t trade a minute of my Agency time for anything — the men and women that serve there are incredible and dedicated Americans. However, I had reached a point in my career where I felt the need to explore the private sector and see if there was a company or role that resonated equally with me. In the end, I was drawn to Darktrace’s trailblazing innovation, applying artificial intelligence and machine learning to the critical area of cybersecurity, as well as to the opportunity to work closely with an amazing group of subject matter experts, including mathematicians, machine learning experts, white hat hackers, CISOs, industry analysts, and ex-intelligence members.
How do you differentiate between older and newer cyberthreats?
Given we are seeing old cyber threats get recycled or re-engineered it is difficult to differentiate between old and new.
It is almost easier to differentiate between the different tiers of attackers. There’s the lower level or “Bottom Feeders” taking advantage of unpatched networks or devices, poor password management, and targets conducting poor cyber hygiene. This is compared to the “Apex Predators,” which these days include not only nation-states but most likely some cybercriminals as well. It is this second group that is conducting slow and low attacks targeting sensitive data, going after third parties to hit many targets at once, and creating zero-day tools.
Two recent trends that I’m increasingly concerned about — and which we’re seeing from both tiers of cyber-actors — are the increases in speed and scale of cyberthreats.
Has critical infrastructure always been the epicenter of cyberattacks?
Most offensive cyber-efforts have historically been more about stealing sensitive data, from classified military secrets to financial data to PII. With the rise of ransomware attacks, the destruction or encryption of critical data and, by extension, the disruption of critical IT-driven processes, is currently the greatest concern for many companies today. However, if we think about nation-states and their aims then critical infrastructure is a natural center of gravity and offers the greatest opportunity for disruption and asymmetric strategic advantage. If we think about smaller, less-militarily capable countries and their ability – or really inability – to project power against a stronger, more forward-deployed adversary, cyber can be the perfect equalizer.
Tell us about the types of highly sophisticated attacks you see attempted against government organizations on a regular basis. These can be during your tenure with the CIA as well as during the times Darktrace took up government projects and security.
For reasons you and your audience no doubt understand, I’m not able to discuss anything I saw during my time at the agency. That said, I can certainly say that Darktrace is seeing, and thankfully detecting and stopping, a consistent stream of sophisticated and novel attacks.
One that immediately comes to mind is an incredibly slow and sophisticated attack against a large U.S. city where Darktrace detected an attacker attempting to exfiltrate sensitive data. It would have been very difficult for a human to see what was happening and it was our AI that was able to build the full story of the intrusion and alert the security team.
We have also seen IoT devices, specifically security cameras deploying facial recognition software, begin beaconing out to a foreign country. The list goes on and on, from targeted spear-phishing enabled by complex social engineering to advanced insider threat leveraging Raspberry Pis.
DISA had recently fallen victim to a cyberattack. The attack on the critical agency which oversees military communications, including calls for POTUS, had many experts wondering, what this means for the national security of the country — especially in the lead up to the election. What does the attack mean for national security and election security?
This is incredibly troubling and certainly should increase concerns around election security and even the U.S. census, which launches online this week, and is expecting to see most respondents leverage the online platform to respond.
When a breach does occur, I get frustrated when I see public or private organizations try and assuage fears by saying not to worry because no “sensitive” data was stolen. As a former intelligence officer, I can tell you firsthand that every bit of personally identifiable information can be used for social engineering attacks to target either individuals or institutions, especially if this data can be correlated against other stolen big data sets.
It is critical that as more and more important government and democratic processes move online and leverage the scale and accessibility that new technology affords, security — not convenience and access — be the top priority.
What types of cyberattacks can mar elections? What are the best practices that need to be established?
The goal of cyberattacks targeting the election will be greater than marring just the election but rather aimed at undermining the credibility of our democratic institutions and processes. There is a focus on the voting infrastructure and votes, but a large-scale series of ransomware attacks could have the same impact by causing public service and potentially, transportation disruption. Especially if these attacks were aimed at swing states this could certainly fuel conspiracy theories and allow portions of the population to call the election into question. Cyberattacks could also serve as an outstanding complement to large-scale disinformation efforts as well.
Beyond targeting the credibility of the election, cybercriminals will most likely attempt to take advantage of the general chaos and increased cyber activity around the election to conduct large-scale spear-phishing campaigns.
As for best practices, the most immediate step that needs to be taken is that state and federal agencies and municipalities need to review their processes and communication plans around a ransomware event, especially one conducted around the election that could have an impact on voting. I think State, Local, and Federal agencies need to be more strategic – resourcing their cybersecurity teams more efficiently and more in line with the current threats and leveraging technology that will help buy back time for their security teams through autonomous response and investigation.
From an individual standpoint, stay vigilant, question what you read, validate the information with multiple sources, don’t click on links in emails, verify the sender, and go straight to the official website to get the contact details.
Several private entities are also working with the government and the election commission. Do you think there is a need for a public-private partnership toward securing election infrastructure?
Public-private partnership is key. There needs to be a high level of transparency and intel-sharing. Organizations need to be sharing what is or isn’t working – the technologies that are providing them with visibility, that are stopping attacks, the threats that are slipping through – all these details are key.
The need for private-public partnership also extends beyond election security, with critical infrastructure being one great example. Private companies own and operate some critical infrastructure in the U.S. – the same critical infrastructure that we’ve seen nation-states attempt to target. The government needs to be working closely with these private corporations to ensure they are prepared for advanced, nation-state attacks that might target critical infrastructure in the upcoming future.
Which of the following poses a bigger threat to the upcoming U.S. elections: Accessing a campaign strategy that would deliver a competitive advantage to the adversary; Opportunistically digging for information that could be reputationally damaging to prominent individuals, or Disrupting the organization to slow productivity?
When we think about threats to the upcoming elections, I would break them up into two groups.
For undermining the election, disinformation operations supported by cyber operations pose the greatest threat.
Adversaries looking to hack a campaign to get the upper hand will likely be going after the information that could reputationally damage a candidate. This is less about broad disruption or undermining trust, and more about swaying individual voters and out-maneuvering a campaign. One would hope that we don’t see this type of targeting between campaigns, as we have enough to worry about from foreign actors.
Do you think artificial intelligence and machine learning will be useful in protecting election infrastructure as these can not only detect these attacks early but also stop them before confidence and data integrity are seriously undermined?
In the face of advanced threats, artificial intelligence and machine learning have become crucial in protecting IT infrastructure at large, including the election. Given the current speed of attacks and the cybersecurity skills shortage, we can no longer expect human teams to be able to identify and stop threats before they can do damage without support from technology.
AI is supercharging every stage of cyber defense: visibility, using AI to understand a digital environments’ unique sense of self, investigation, augmenting the human team to supercharge threat triage and prioritization, and response, autonomously responding to disrupt a threat within seconds while maintaining business operations.
I do want to be clear about the specific types of AI that are able to respond to attacks. Some AI applications, often those that rely on supervised machine learning, attempt to predict the threat actor or attack by analyzing historical attacks. It’s nearly impossible to accurately predict what attackers might launch or target next, even with AI. However, with unsupervised machine learning, AI can understand and enforce what is normal for a company or government by learning the digital “pattern of life.” This approach can stop ransomware, novel threats, or insider threat in seconds, buying back valuable time for security teams.
With AI, we are finally seeing the advantage shift from the attacker back to the defender.
This interview first appeared in the May 2020 issue of CISO MAG. Subscribe to CISO MAG
About the Author
Augustin Kurian the Assistant Editor of CISO MAG. He writes interviews and features.