Faculty Profile: Shaun Hutton

There is no such thing as an unsinkable ship, a lesson learned the hard way more than once. There is also no such thing as an unhackable computer network, a lesson that we’re still learning. It is also the lesson that computer science clinical associate professor Shaun Hutton, B.S. ’05, intends to impart to Baylor students.

Hutton joined Baylor after a 13-year stint at the Johns Hopkins University Applied Physics Laboratory (JHU/APL), the nation’s largest University Affiliated Research Center (UARC). He earned a master’s degree in computer science from the University of Virginia in 2007.

In this Q&A, Hutton provides some insight into his career and what he thinks will be most important to the future generation of thinkers and leaders in the cybersecurity industry.

Q: Can you talk a little about yourself, your hobbies, and your cybersecurity background?

I’m not originally from Texas, and I didn’t really have any connections to Texas when I was choosing a college to attend, but I wanted to go to a Christian school while also not sacrificing academics. My faith is very important to me, as is being a part of a faithful community, which is a large part of why I came to Baylor out of high school and one of the reasons I returned here to be a professor. As for hobbies, I love following sports; so, naturally one of my favorite hobbies is following Baylor sports. Another hobby I have is reading and studying theology and history. In fact, I even got a seminary degree because I love — and believe in the importance of — the local church and wanted to be better equipped to serve. Before returning to Baylor, my career spanned the field of cybersecurity, including cyber resilience, cyber risk analysis, network situational awareness, network architectures, end-to-end systems engineering, cyber incident response and penetration testing. So, hacking, but in an ethical way, of course. My background and training are in a holistic approach to cybersecurity — not just defense but working to study both sides of the problem.

Q: Can you define cybersecurity as an umbrella term, and what does that term mean to you?

I think a better umbrella term would be cyber resilience. Cyber resilience deals with the ability to anticipate, withstand, recover from and adapt to adverse conditions — whether those are attacks, compromises, et cetera — of things that use or are enabled by cyber resources. While cybersecurity does include elements of responding and recovering, most often practitioners in the field are focused on keeping the adversary out of their network or system. Cyber resilience is more focused on the notion that keeping all the bad guys out forever is an impossibility. While we want to include protections to limit the adversary, we need to be able to withstand and endure an attack and then have response capabilities to recover from it quickly. There are overlaps between the two complementary disciplines of cybersecurity and cyber resilience, but the reality is that cybersecurity is often focused on trying to keep people out. Unfortunately, the problem is that the adversary is going to learn what we do and what tactics we use. We need to be able to adapt dynamically to the adversary and be able to withstand and recover in changing hostile conditions created by the adversary. As an industry, we build solutions that are too brittle and too broken, but we don’t fully know how they are broken. They’re so complex we don’t even know where all their weaknesses are when we deploy them. Additionally, there’s no “physics” for cyber. An engineer can build a bridge and can study the strength of the components and the forces that weigh on it and measure its tolerance. Currently, we can’t as effectively measure the strength of the tools we use to build computer systems, which makes cybersecurity jobs even more challenging.

Q: What key factors brought you back to Baylor?

There are a number of factors that made Baylor attractive, but I'll summarize it in three words: family, challenge and passion. Starting with family, my sister works in the computer science department already, which gives me the opportunity to be closer to her, my brother-in-law and my nephews. Plus, Baylor is its own kind of family atmosphere. Second, I wanted to be part of something that’s exciting and challenging, and helping build a cybersecurity program from the ground up with people like Dr. Jeff Donahoo is exactly that. I knew it would be hard work, and it is, but it is exciting to be part of the creation of something like this. It was important to me that it wasn’t just something that our department thought would be a good idea but that it was supported at the university level. When I interviewed, I met with the vice provost of research and heard his vision, and that got me even more excited about it. Being as excited as I am about this opportunity was important, too. That’s the passion part. I’m passionate about Baylor. I’m passionate about trying to build ethical future leaders in my industry and doing it in a caring Christian community. When I was preparing to move to Waco, as I was going through things in my house, I came across an old application for a scholarship when I was a student. It essentially asked, “What do you want to be when you grow up?” What I essentially wrote and had since forgotten was, “I want to graduate from Baylor. I want to go to grad school. I want to work in industry doing impactful things for our nation, and I want to come back and teach at a Christian school like Baylor.” That’s what my goal was. I’d forgotten the story I wanted to write, but God hadn’t.

Q: What are the most important things your students should learn before finishing one of your courses?

I want to differentiate between skills and knowledge here. In the skills area, I want them to develop what I call the security mindset. They need to be suspicious and challenge assumptions, which is terrible for personal relationships but good for cybersecurity. President (Ronald) Reagan famously said to “trust but verify,” but in security, we need to modify that. We need to verify first and then maybe trust. I want them to have that mindset because security compromises are about abusing trust relationships. As professionals, they’ll need to be able to evaluate the assumptions that are implicit and explicit in computer systems. Students need to understand what the impacts are, what would motivate an attacker, and things like that. They then need to develop a healthy curiosity. Industries are rapidly changing all the time, computer science changes a lot, and cybersecurity changes even faster. In order to succeed in the industry, they need to be curious. As a professor, I’m going to highlight some things, but I need them to also investigate on their own because what they learn today will, in part, be obsolete by tomorrow, which is why I care more about the mindset than purely a set of facts. Facts are important to get started, but the field of cybersecurity 10 years ago is very different than what it is today, and it will likely be very different 10 years from now. Another thing crucial from a skills perspective is being thorough. All it takes is one mistake, and you can have serious consequences. It doesn’t matter if someone does 99 out of 100 things great; 99 might be a great grade in the classroom, but in cybersecurity, that one thing could lead to really terrible consequences. Lastly, they need to be able to communicate their ideas effectively. They may have the best idea in the world, but if they can’t communicate it effectively, no one will know how great their idea is. 
I incorporate written and oral presentations into the curriculum to ensure they can communicate complex technical ideas to potentially non-technical audiences.

From a knowledge perspective, I want them to understand common vulnerabilities and how they’re introduced to systems. I bring in current events and use them to draw out themes that we’re learning in class. I want students to learn common weaknesses that are introduced in software — the common things that people mess up even today. I’m trying to give them experiential opportunities instead of purely academic theoretical knowledge. They need theoretical knowledge to underpin it, but I also want them to understand how it all plays out in reality. We have labs and projects where they have to apply the theoretical knowledge. I also want them to understand the legalities and the ethics of what they’re learning. I’m going to teach both offensive and defensive tactics. It’s important to understand adversarial tactics in order to have a good defense; you have to study the playbook of the offense. However, now you have a responsibility to act in an ethical and legal manner. I want them to understand how to be ethical. I want them to be good stewards of the knowledge that they have to make the world a safer place.

Q: Can you share any of your current research?

We’re working on a few different things, and I’m in the process of helping write some research proposals. There are discussions within the University of creating a Baylor cyber range. It’s not a done deal; it may not happen. But people in the University are evaluating creating a cyber range that would enable research, education and training, where we can bring in industry professionals and train them on a variety of topics. We can also then work toward becoming a trusted analysis center — a place where a company or organization can come if they’re building a product and need an independent assessor to evaluate its cyber resilience or cybersecurity posture. If it comes to fruition, we’ll have a learning environment where you can educate and train operators via various attack scenarios on what to do when a cyber event happens. It could also become an environment to test out cyber defenses while they are being developed. Ideally, it will be a place where you can either bring your physical solution, or we can virtualize it in order to assess the solution. The vision is that it would be an innovation incubator that also helps teach and train current and future cybersecurity professionals. These kinds of facilities can become magnets for innovation because they bring in various stakeholders to collectively identify important problems and develop impactful solutions.

Also, while not research oriented, we are in the process of trying to roll out a new cybersecurity concentration for computer science majors in the computer science department so that students can focus their computer science studies in this exciting field of cybersecurity.