"The only way to prevent a cyber attack is to be totally off the grid. Like a place in the U.P. with no electricity or water,” said David O’Connor ’96 BS, cyber security expert at Ford Motor Company. “But you still need fuel for your car, and food. So really, there is no such thing as 100% secure.”
“We are so interconnected now,” O’Connor said. “An entire electrical grid can be shut down. All of the preparations can be right, but it can still happen.”
Business continuity is what keeps him up at night. “What if something happened to our food? Or our food supply chain? Look what happened during the toilet paper shortage!”
Incidents in which cybercriminals attempt, and succeed, in disrupting basic functions of life—whether it be a bank hack where you can’t access your account or they’ve accessed your money; malware that locks your computer until you pay a bitcoin ransom (known as ransomware); or joyriders who access your vehicle’s operating system via your phone and set your cruise control at 80 in a 25 mph zone—O’Connor warned that “the threats and effects are on the scale of a hurricane or tornado. There’s no hiding, but you can manage the risk and prepare by creating a continuity and disaster recovery plan.”
However, as an in-vehicle cloud security engineer, cybersecurity strategist and incident response analyst and newly anointed information technology risk management analyst, O’Connor said “it feels really good to know that you’re trying to protect everyone as best as you can. You’re the do-gooder in a world where sponsored nation states and black hat hackers want to hurt you.”
All companies are being attacked, whether or not they know it or admit it. And it’s not sufficient to have security components at just one level of a business, but to have them at each branch of a supply or support chain. Take for instance what happened this May with Colonial Oil, where the Russian-based hacking group Darkside shut down one of America’s major pipelines, leading to a shortage of gas and oil in 15 states from Texas to the Northeast. They infected the company’s billing system, so it had no way to track fuel distribution and bill customers. The hackers demanded a $5 million ransom, making company leaders choose between making a deal with criminals to get business back to normal, or lose millions in sales and continue dealing with the effects of the hack. They paid the ransom. In April, Apple was openly held for ransom when a hacker gang stole proprietary technical files from a company in Taiwan that makes their computers. The facets of such hacks are many; O’Connor published an article on supply chain and social media network risk management in the international EDP Audit, Control and Security Journal.
“You have to identify and find where the impacts are coming from and plug the holes,” explained O’Connor. “On the downside, though, you’re playing Whack a Mole. The landscape is always changing. The threat actors are very smart and use technology against you. Some do it for money. Some do it just to brag on the dark web. Some do it for political reasons. They laugh about it and think it’s funny. They exchange ideas in how to do things. They could even be your own employees.
“People have been lying, cheating and stealing since the beginning of time. This is just a different vector.”
Because these cybercriminals are often from countries that will not extradite to the U.S., little can be done to arrest them and stem the tidal wave of their future misdeeds.
“If you had asked me 10 years ago, I wouldn’t have guessed what cars would be like today. Ten years out is mind blowing, especially with technology changing so rapidly. Whatever people can think of is what’s really exciting.”
Still, there’s the thrill of the modern-day cops-and-robbers chase. “Incident response and threat hunting is cool and fun because it is a game of IT chess between the hacker and the responder,” O’Connor laughed. Hackers may attempt to shut down assembly lines, disrupt integral third-party suppliers, access intellectual property or mess around with people’s personal vehicles.
As a cyber expert in the automotive industry, what does he envision cars are going to be like 10 or 20 years from now?
“If you had asked me 10 years ago, I wouldn’t have guessed what cars would be like today. Ten years out is mind blowing, especially with technology changing so rapidly. Whatever people can think of is what’s really exciting.”
“Twenty years ago, I would have thought our competitors were GM, Chrysler and Japanese companies. Where did Tesla come from? When you have competition that’s so technologically sophisticated, it’s exhilarating. Companies like Google are also impacting the car industry. I would not have thought that when I was driving my green Buick Century at NMU.”
The future of cars is 100% electric autonomous vehicles that are interconnected through the infotainment systems using the internet of things (IoT) and artificial intelligence and powered through computer systems.”
“The Jetsons were pretty predictive. There’s some part of me that wants to be like the Flintstones, but I’d be out of a job!”
O’Connor definitely would not have predicted his own place in the world during orientation in old Jamrich Hall, where he was advised that for his generation, getting a liberal arts degree was key, as it would allow you to change in the future as things inevitably change. “That really struck me,” he said. “I was thinking I would be like my grandpa who worked at Ford his whole life. But I had no idea what I wanted to do.”
He embraced the liberal studies mantra. He took Intro to Psych with Steve Anderson Platt and discovered his love for how the mind works; covered sports and provided technical support for The North Wind with Doc Waite, who taught him to write in a practical manner; took statistics with Sheila Burns, who helped him truly understand numbers and statistics and communicate their meaning; and found a mentor in John Renfrew, with whom he did studies on Prozac with rats, shared authorship on a published paper in Aggressive Behavior titled “Preliminary Analysis of the Effect of Fluoxetine on Shock Elicited Fighting in Rats,” and had their research presented in France. He ended up with a degree in psychology/biology focusing on neuroscience with a psychopharmacology concentration. “At the time,” he said, “I hadn’t realized what all of these things were leading to.”
So far, it has turned out to be a career in personal innovation and reinvention, drawing on all aspects of his NMU adventure. O’Connor found success fighting diseases as a pharmaceutical salesperson, driven by doctors’ reports telling him how the drug products he represented saved and improved patients’ lives. He decided to pursue an MBA and went into banking and financial advising to help people lead better financial lives. Taking another turn, he dove into cyber, earning a second master’s degree, in computer and information systems security/information assurance, despite not knowing anything about computers or how they work.
“Cyber seemed like a hot profession,” he said. His cyber professor at University of Detroit Mercy, renowned cyber author Dr. Dan Shoemaker, accepted him into the program despite his lack of knowledge, because “he said I had all the components to be good in this business. My writing skills, my objective questioning, my reasoning… it all came from Northern.” O’Connor went on to cyber consulting, securing DTE Energy and then to Ford. He also serves on NMU’s Cyber Security Industry Advisory Board.
“When I went to NMU, cybersecurity didn’t exist. For me, I’ve had a unique journey. I’m hoping whoever is reading this may not be in this space, but is interested, and will consider being a career changer, earning a master’s degree from NMU in computer science, a certificate from the U.P. Cybersecurity Institute, or tell their friends about the great undergrad degrees in cyber tied with business, which is genius. It’s not just zeros and ones. It’s project management. It’s analytical thinking. It’s part of everything.
“You can be one of the good guys.”
Personal Cyber Security Tips from Dave
- When you get a notice to update your security settings, do it right away.
- Don’t click on phishing texts. It will likely download malware on your phone and also to your computer. It’s all a con job.
- Use strong passwords over 15 characters because it takes longer for the password cracker to get your password; shorter is easier for them. I personally like to use a statement that is easy to remember: MarquetteisbeautifulandIlovebeer1996!
- Use 2 factor or Multi-Factor Authentication as an extra layer of security.
- Backup your data regularly – I personally don’t recommend using USB sticks because they are easy to lose and steal; there are plenty of cloud options such as Dropbox.
- Don’t use the same password for more than one site. Use a password manager to manage your passwords.
- Get yourself a good fishing pole in case your local food supply system gets hacked.
(Comments and opinions are Dave’s and not Ford Motor Company’s)