Chris Doman is something of a prodigy in the world of cyber security — so it's a good thing that he's one of the good guys when it comes to hacking.
In 2012, the Cambridge graduate aced the Pentagon’s “Digital Forensics Challenge,” a contest that involves investigating and solving breaches in cyber defenses. Doman was so adept it took an entire team from Northrop Grumman, the huge American defense contractor, to beat him to first place.
His skill comes from years of practice. As a youngster, Doman was your typical computer geek, taking apart machines and putting them together like the stereotypical tech whiz kid. He would build fake computer networks at home and then hack into them, just to figure out how to do it.
Now, at 28, he works for PricewaterhouseCoopers, a consulting firm. His job is to track hackers who try to break into multinational companies, and he admits he can spend way too much time bent over a keyboard.
But when he can, he likes to head to the mountains. He’s climbed the Himalayas in Nepal, but he’s just as happy on the peaks of Scotland. “Even on a horrible day in Scotland, when you can’t see much, you feel like you’re in a totally other world,” Doman says. Which is why I invited him to go for a hike in a forest outside London, to get away from the hum and whir of hard drives and computer screens.
The climb is actually an easy walk up a hill to an Iron Age fort called Loughton Camp that dates back 2500 years. Remnants of big, earthen defenses can still be seen on the hilltop.
So if this is what security looked like thousands of years ago, what does it look like in today’s world of computer malware and cyber hackers?
“I suppose now the defenders no longer have the advantage,” Doman says. In the Iron Age, attackers had to run uphill. The guards at the top could see what was coming and try to fend off their adversaries.
“Now, it’s the opposite,” he said. “You can lob something over, get inside fairly easily, and for a long time at least, I think the offense is going to have the advantage.”
In other words, it’s no longer just a matter of building a wall to keep people out. “That’s been proven to fail so many times now,” Doman says. “People will find a way through it. I suppose the equivalent here would be you wouldn’t just have the sentries walking around the outside. You’d have them all looking inside as well just continuously seeing who’s got through.”
That’s where Doman comes in: He’s one of those sentries who just assumes someone has slipped past the barricades. His job is to help companies protect against cyber attack, whether it’s someone stealing customer data at a large retailer or the designs for a wind turbine at a green energy company.
When an attack happens, he and his colleagues make a plan to lock the attacker out of the system — but they have to be sneaky themselves.
“As soon as you tip them off, they’ll start spreading quicker,” Doman says. “They will also steal information as quickly as possible once they know that you’re on to them. So it is very adversarial when it’s that kind of attack you’re dealing with where there’s actually someone on the other end of a keyboard.”
He and his team also determine what was stolen and, more importantly, how they can prevent it from happening again. The problem is only getting worse. “In terms of the number of attacks, they’re increasing,” Doman says. “They’re definitely increasing.”
Doman believes the cyber security industry needs to get better at sharing information about the types of attacks that are out there. Right now, he says, a hacker can write a malicious piece of software and use it repeatedly. It’s like picking the same lock over and over again.
On average, it takes a year before a company even knows it’s been hacked. And Doman says cyber attacks need to be caught a lot earlier.
“In the best case scenario, you can pick them up when they’re researching you, when you know they’re going to be attacking you, because they’ll be setting up fake websites that look a lot like yours,” Doman says. “If you can pick that up before that happens, that’s the ideal world.”
Cyber attacks can be conducted by almost anyone — state-sponsored organizations in China or Russia, criminal gangs or even just an individual, all alone in his bedroom, who’s in it for money, a desire to wreak havoc or just for fun.
Of course, Doman was once a kid tearing through networks just for the fun of it. So what kept him from going over to the dark side?
“There are lots of people in this industry who have more interesting stories about how they did do things they probably shouldn’t have when they were younger,” Doman says. “And I suppose, for one thing, I was always scared to get in that much trouble. But that wider question about how that some people go down that route? I mean I’m hoping that more and more people will choose to go into the defensive side. You can actually really stop bad things happening. There’s a lot more fun there.”
Doman seems to love his job. He likes outsmarting bad guys — and it's way better than what he was doing after he graduated college.
“You know, I got a good degree from Cambridge,” he says. “I was a big computer science geek. It’s the kind of thing I loved. I just went for a couple of interviews. Didn’t get them, and then I got a job at a temping agency. And then I was just doing data entry for minimum wage. And that definitely sticks with you.”
Doman later started his own business, a website that compared hotel prices. But then he entered the US Department of Defense’s cyber security contest, scored high and suddenly had a job in cyber defense.
On the way down the trail, I ask Doman about the Edward Snowden revelations. After all, my hiking companion is an expert in cyber security.
“Actually this is the kind of thing that is quite hard to talk about,” he says. “I do remember sitting back and wondering if I was going to do something how I would do it. And then a couple of things that came out, like, ‘Oh, okay that is a sensible technical implementation.’”
What kind of things? Does he mean being able to observe activity online?
“That kind of thing,” he says — but he’s not at liberty to explain further. “I’m not going to go into that. I can definitely see why some people are concerned. But there isn’t that much I can say about it.”
As a bit of advice, Doman recommends keeping things like your operating system, web browsers and anti-virus software up to date. It may not keep out the National Security Agency, but it may at least keep your credit card safe.