This post is based on an interview with Mike Tanji. It is part of our series of interviews of OODA Network members. Our objective with these interviews is to provide actionable information of interest to the community, including insights that can help with your own career progression. We also really like highlighting some of the great people that make our continued research and reporting possible. For the full series see: OODA Expert Network Bio Series.

Career Progression: A native of Hawaii, Mike joined the Army to work in the Signals and Intelligence Field (SIGINT).  One of his first assignments was at the Kunia Regional SIGINT Operations Center in the middle of Oahu.  This highly classified underground facility (aka: Kunia Tunnel) was home to the most advanced computers known to the Military – mostly mainframes.  After he learned how to use these massive computing machines to do his job (analyze signals), he was curious to discover what ELSE they could do.  He was given some flexibility to explore mainframe capabilities, and a career was born.  He spent the next twenty years evolving the field of Threat Intelligence for the government: in the Army and at the Defense Intelligence Agency.

While at DIA, he spent some time in the DOCEX (DIA Document Exploration unit).  Box after box of documents were sent back from Iraq and Afghanistan.  After the initial triage was conducted by the analysts, these boxes just sat in storage, collecting dust. Mike was sure there were nuggets of intel still to be extracted. He had been studying Computer Forensics at George Washington University and was full of new ideas to fix old problems.  He pulled together a bunch of computer experts and was successful in finding significant intelligence information from the masses of papers.  He learned that other government agencies were doing the same thing, and he spearheaded a new working group, called the National Media Exploitation Center, with members from DIA, CIA, FBI and NSA.

In 2005, he decided it was time to take a break from the grueling pace demanded by the Federal Government.   He followed a buddy over to Wells Fargo, where he built and led a team that provided threat intelligence to support both the security and operations units of banking. While he enjoyed the new challenge, he missed working for the Government.  There is no mission more compelling than arming our Military with the right threat intelligence.  He soon found himself back in the middle of the action, working for several innovative companies, helping with the growth and formation of cyber security, and co-founding Kyrus Tech – a successful endeavor that has led to several successful spin-offs (including Carbon Black and Red Canary).

Surprises:  Mike is astonished by the abundance of “willful ignorance” he sees every day.  At this point, he thinks everyone should already understand how critical cybersecurity it.  Yet people tend to fall for the same tricks… over and over.  “No one is in the Security business.” Mike says.  “It’s all about making a successful, profitmaking business that sells something.  Every time a company gets compromised, the media rakes them over the coals.  But every company is in the business of making money. Good intentions are plentiful at the start, but functionality often wins out over security.”  One example is the field of implanted medical devices.  The convenience factor (Bluetooth, for example) is often treated as more important than security.   Mike foresees terrible consequences that could endanger human lives if these devices aren’t made more secure.

Advice for Decision Makers:  Mike recommends that Commercial Leaders take a hard look at how they are managing their business and then ask themselves this critical question: “What would the impact of a cyber intrusion be on their business and on their market share?  How can they better prepare for this?”  Depending on the type of business, security may or may not be a big discriminator.  But every company should think about it and do some basic threat modeling and impact assessments.

Mike wants our Government leaders to help find a middle-path for dealing with security issues that are related to reliability.  American companies tend to be very entrepreneurial. The start-up culture in the U.S. is to grow fast – break things – and see what survives.  But there should be better accountability when sloppy (non-secure) code causes damage.  Companies need to think about their liability and responsibility if their code does harm It will probably take more Government regulation to make that happen.

One area he is particularly interested in is the U.S. Copyright Office. Copyright is traditionally a tool that helps compensate a developer for something they have created.  It protects the inventor and helps grow the capability.  Mike has been looking at ways to protect the investment but also enable sharing and collaboration.

Security Improvements:  Mike credits multifactor authentication for taking a “whole class of security problems off that table” in the past few years.  Humans are lazy; they reuse passwords or create mnemonic password methods to manage their log-ons.  All it takes is the breach of one password and the rest is easy to figure out.  Multifactor authentication fixes most of these problems.

Risks in The Near Future:  The thing that keeps Mike awake at night is worrying about the impact of the Internet of Things on network security.  “We computerize dumb things and connect them to the internet all the time.  And we expect it to go smoothly, because it worked so well the first time around. People love the convenience.  We MUST take security seriously when we connect these things.” Mike says.

He is a big believer in doing better to educate the user – especially our children.  “We tell our kids they can’t talk to strangers, they shouldn’t drink soda, etc. but we don’t spend NEARLY enough time and energy telling them how to use their devices safely.  We need to educate our children on how to stay connected but also how to stay in a SAFE environment.”

Technology of Interest: Mike is trying to find ways to recruit better cyber talent into the Armed Forces.  Each branch of the service has a program to recruit cyber talent through direct commissioning programs.  But the success rate is abysmal!  Currently the track record has been hovering around 2%!  The Military has to be able to access cyber talent more effectively.

Views on Thought Leaders: Mike is a fan of Jason Healey at Columbia University (so are we, by the way) for his insights into cybersecurity.   https://www.linkedin.com/in/jasonhealey/   He also follows Kelly Shortridge for her ability to connect different issues together and make then relevant to the issues we are facing today.   https://twitter.com/swagitda_

Quick Hits:

• Book Recommendations: The Idealist by Justin Peters – an excellent overview of the history of the Internet Free Culture movement and its impacts on our society.
• Favorite piece of content on OODAloop: Mike singled out Matt Devost’s recent articles based on his operational experience.
• Best way to connect: [email protected]