Lockheed’s Teresa Merklin: There’s no such thing as a quick fix

Teresa Merklin specializes in cyber risk assessment and engineering for cyber resiliency.

As a fellow at Lockheed Martin attached to its Aeronautics Cyber Range and someone with 30 years’ experience in software engineering and cybersecurity engineering, Merklin has seen security practitioners and others seek out a quick solution, the so-called silver bullet. And she still frequently hears security products and technologies hyped as such.

But she’s here to confirm: There’s no such thing as a quick fix for the complex problems plaguing the country’s security posture.

It may seem obvious, yet it hasn’t quite sunk in, Merklin says. “Everybody is looking for a quick fix. We want to believe our problems are easily solvable.”

Merklin is trying to turn around that thinking. She has delved into that mindset as well as the continuing challenges that make securing systems so hard, and she’s promoting an approach that centers on secure systems engineering with cyber resiliency at its core.

“For cybersecurity the answer is to focus on fundamentals and to consider resiliency objectives as systems are designed and architected,” she says. “That includes understanding what’s most valuable for adversaries to exploit, building in mechanisms that work against those threats, and architecting systems in such a way that they’re adaptable as threats evolve. That’s not a quick fix. It’s not one product. It’s developing a firm foundation for systems and making sure they’re maintained over time.”

Merklin’s work has given her the opportunity to practice such principles.

Protect and defend

Merklin joined Lockheed Martin in 2002 as a principal cyber systems security engineer, after having worked for 12 years in engineering at Motorola.

She became a fellow at Lockheed Martin in January 2021, stepping into a position that has a three-year term (with the potential for renewal) and has her engaged in planning, mentoring and internal consulting.

Meanwhile, her attachment to the company’s Aeronautics Cyber Range has Merklin considering how to protect and defend the computer systems that power U.S. military aircraft.

Lockheed Martin

“The days of these being strictly mechanical systems are over. Almost everything happening on an aircraft is computerized; it’s all computer-driven. It’s a rich and complex processing environment and highly specialized,” she explains. “So when I came to Lockheed Martin from a commercial IT environment, the thing that I came to quickly learn is it’s a giant networked computer system. The fact that it flies is interesting, but from a computer cybersecurity standpoint, it’s not that much different than enterprise IT systems.”

And like enterprise IT systems, those aircraft are under attack and they must be able to withstand those assaults.

“Our aircraft are basically cyber-enabled systems that provide a tactical advantage in the battle space, but they’re also an attack surface for the adversary,” Merklin explains. “So my post is making sure they’re as secure and cyber resilient as they can be.”

That, too, is now a legal requirement. The National Defense Authorization Act of 2016 requires the Department of Defense to have complete evaluations of the cyber vulnerabilities of each of its major weapon systems.

Building security in

Merklin notes that some of the elements that go into protecting and defending U.S. military aircraft vary from those that go into securing an enterprise IT environment. Yet her work in the former space has informed her ideas on the latter. In both cases, she says, security and resiliency need to be built into the design.

That still isn’t happening often enough in enterprise security, she says.

Many security teams don’t have the executive support to create better defenses, because those executives don’t understand the threats coming at them nor the required urgency to address them.

“It’s something we’ve find hard to communicate outside of cyber risk, which makes it difficult for those making business and investment decisions to decide on how to invest to mitigate risks,” Merklin says.

Many security teams also struggle to evolve their defenses as quickly as threats evolve.

“Cybersecurity is just an extremely dynamic environment. So a system that was secure one day is possibly wide open the next because of a new vulnerability,” she says. “You have cyber defenders who are fighting an asymmetrical battle. You might have a handful of people defending the system, but the adversarial activity in the rest of the world is pointed against them.”

As a result, she says, “You need defenders to be really good all the time and sometimes just lucky.”

Towards cyber resiliency

Meanwhile, some organizations are still waiting for that silver bullet that isn’t going to come, Merklin adds.

All of which is why Merklin believes security must move from its traditionally defensive positioning to being proactive, and to move away from focusing on only security to targeting the broader concept of resiliency.

“To me, cybersecurity is the domain we’re operating in. Cyber resiliency is an objective within that domain,” she explains.

Merklin, in conjunction with Women in CyberSecurity (WiCyS), presented her perspectives in a fall 2021 webinar, No Silver Bullet – Essence and Accident in Cyber Resiliency Engineering. She says she borrowed the title, and the concept, from a similarly named 1986 paper on software engineering, No Silver Bullet – Essence and Accident in Software Engineering by Fred Brooks. (That paper in part said there was no one solution for the challenges within software engineering: “Not only are there no silver bullets now in view, the very nature of software makes it unlikely that there will be any,” it stated.)

Merklin similarly talks about the need for fundamentals, incremental improvements, and practices that embed security considerations into the software designs.

“We have engineering practices that really describe how to develop and deploy our systems to meet that objective of cyber resiliency,” she says.

She uses the definition of cyber resiliency listed by the National Institute of Standards and Technology (NIST): “Cyber resiliency is the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.”

Merklin summarizes: “It’s to preserve mission-critical functions.”

She shares an analogy she uses to describe what she means: She compares an organization to a traffic cone with a basketball balanced on top; the mission is to keep that ball balanced on top, even as adversaries try to knock it off. Cyber resiliency is about designing and caring for a cone that can keep that ball on top even if the cone itself gets dinged.

Merklin acknowledges that such an objective is much more complicated when talking IT instead of traffic cones. Some of the designs and controls that are put around systems could make other controls weaker or superfluous; it could slow the systems down.

“So you have to understand what the mission critical functions are, and know that cyber resiliency isn’t 100% preventing attacks,” she says, “but it’s continuing the mission even when successful attacks happen.”