


by aaron_turner

Mike Assante’s lasting impact on critical infrastructure security (and me)

Jun 18, 2019 | 7 mins
Critical Infrastructure, Security

Thanks to Mike Assante, critical infrastructure stakeholders have a better understanding of and ability to respond to cybersecurity risks.

In August of 2003, I was on a team at Microsoft responding to a cyberattack that infected over 2 billion computers worldwide. Known as the Blaster worm, it had impacts that most technologists had never even considered. The public telephone system in the U.S. Pacific Northwest went haywire due to support calls made by millions of Microsoft Windows customers with infected systems.

Within hours of the Blaster worm going viral, the U.S. Northeast suffered a massive power outage. In the following days, U.S. government officials and some private sector business leaders began to tie the power outage to the Blaster event.

Over a hundred people died due to that blackout. Those of us on Microsoft’s global security team felt we needed to do anything we could to figure out what dependencies that failed electric grid had on Microsoft software.

The Fall of 2003 was one of my most difficult professional experiences, but I am grateful for it because it set me on a path to work with one of my favorite people in the cybersecurity world, Mike Assante. While I was battling the global impacts of Blaster, Mike was dealing with the actual Northeast power outage as CISO for American Electric Power, a utility at the epicenter of the blackout.

I met Mike in 2005 while doing cybersecurity community work on a steering committee coordinated through CSO Magazine. I recognized his passion for doing real research to actually improve the situation that we both had seen first-hand from our different vantage points: the absolutely horrible state of how technologies that were never designed to serve as integral parts of critical infrastructure had been built into utilities and other systems that provide basic services to modern civilization.

Then, Mike was leading the charge to form a unique research team at the Idaho National Laboratory (INL). His vision for cross-discipline collaboration, taking computer hacking geeks and mixing them with power engineers, grid operators, infrastructure designers, international law enforcement, US military special forces officers and other world-class experts, was one of the most important cybersecurity projects in our lifetimes.

The year 2005 was one of personal challenges for me. My career at Microsoft was giving me unique opportunities that few others in the world would have, but in May I was diagnosed with melanoma and given a 50-50 shot at making it to the end of 2005. This made me re-evaluate everything. I had a wife and three daughters under the age of eight. What would happen to them if I didn’t make it to the end of 2005? I had to do some life planning, and quickly.

In early 2006, I had exceeded the doctor’s original expectations, but nothing was certain when it came to my health as I was still dealing with the impact of my skin cancer diagnosis. I was planning on visiting my parents in Idaho that summer and reached out to Mike to do a face-to-face meeting. Over a lunch, Mike and I immediately hit it off, having very similar goals around improving the technology industry to help support critical infrastructure operators while educating policy-makers on how to make real progress in reducing the cybersecurity risks in critical infrastructure. Mike went out of his way to create a position for me at INL.

Mike’s willingness to offer me a once-in-a-lifetime opportunity was a double blessing. It helped me expand my knowledge of the cybersecurity domain in ways I never could have if I had stayed at Microsoft. It also allowed me to move my family to Idaho Falls to be near my parents. This was a risk management move in the event that I lost my battle with melanoma.

Working with Mike gave me a great example of how he fought through his first battle with lymphoma, and working with him on a daily basis gave me hope to win that battle, which I did!

While INL gave Mike and me opportunities to further the cybersecurity research that we wanted to do, it was also a highly charged political environment. We were often frustrated with the friction that existed among INL management, DOE bureaucrats, congressional staffs and elected officials, industry regulators, military officers, private infrastructure executives and other stakeholders in our research.

I’ll never forget one meeting in which we presented some of the initial findings to a group of infrastructure regulators who actually shouted us out of the room, accusing us of being fear-mongering psychopaths who were suffering from technology-induced delusions. That and other bad experiences while working together at INL made us great friends, sort of like soldiers on a digital battlefield who suffered through the madness together.

I managed to last two years with Mike at INL before I left the politics and the friction, heading back to the private sector to pursue my entrepreneurial passion for creating new security technologies. Mike managed to stay in the eye of that infrastructure protection hurricane for over a decade after I left INL, with his efforts leading to groundbreaking policy improvements, regulatory guidance, infrastructure improvement plans and numerous other projects to push things forward in the critical infrastructure protection space. Most importantly, Mike convinced the SANS organization to invest significant resources in a long-term education and awareness program that has trained thousands to improve the world’s critical infrastructure.

Watching Mike fight the good fight with the recurrence of his illness has torn at my heart in ways that I’ve never suffered through before. He and I both won victories against great odds when it came to our health in the mid-2000s. There may have been some shadows of thoughts about a recurrence of our cancers, but I never really wanted to think about what would happen if one of us suffered through another brush with terminal disease.

Of anyone in the cybersecurity community, I ask myself why it had to be Mike who had to suffer the way he has. The opportunity cost of his battle over the last year is tremendous when it is measured by how much more good he could have done in that time without the health challenges. As he is now coming to the end of his fight for life, we can be grateful for all the good he has done for the entire cybersecurity ecosystem.

I’ve had the opportunity to interact with tens of thousands of cybersecurity experts in over 70 countries around the world, and there is no one like Mike Assante. He has received much greater accolades than I can give from industry publications, policy makers and others. I’m so grateful that I could work side-by-side with Mike as long as I did. The gratitude is double for being able to call him a friend for over a decade.

The highest compliment I can pay Mike is that he was tireless in his dedication to working on a complex problem, never taking credit for other people’s work. He acted with integrity at all times, motivating everyone around him to perform to their best potential and being an excellent industry leader. Most importantly, he did all this while being a great husband and father.

The world needs more like Mike Assante, and I hope the programs and initiatives that he has started will help create many more people like him. I know that he will inspire me for the rest of my life.


Aaron Turner is a multi-decade veteran of the cybersecurity community. This year he was recognized by SC Magazine as one of the most influential cybersecurity leaders of the last 30 years. Beginning in the 1990s as a young member of Microsoft’s security teams and later working for US government and private sector organizations, he has first-hand experience in dealing with the global scale of cyber security problems. For the last 15 years, he has been an IANS Faculty member, and a leader in cellular network and mobile device security research. Aaron is currently the CEO and founder of Hotshot, a high-integrity messaging and identity management platform. He has recently moved to Luxembourg in the EU to drive a new wave of data protection technologies designed to give individuals better control over their digital identities and data.