How CSC’s Bill Tafoya Applies Creative Thinking to IT Security

Throughout a successful career with the FBI, Bill Tafoya championed maverick thinking in law enforcement and attacked bureaucratic impediments to creativity. Now at CSC, he is applying this thinking to information security and computer forensics.

If Tafoya’s name rings a bell, it’s probably connected with the Unabomber. Tafoya was the FBI Special Agent who developed the 1993 profile of the Unabomber that proved to be an uncanny match for Ted Kaczynski. The profile was not greeted with universal enthusiasm.

Tafoya recalls, “My profile was controversial because it was so different from those that had gone before and more detailed with regard to his academic background.”

Despite much rhetoric extolling “thinking outside the box,” ideas that run counter to conventional wisdom are often unwelcome in practice, especially in bureaucracies. Today, as we struggle to prepare for threats we may never have imagined, Tafoya finds the stifling of creative thinking in organizations particularly unfortunate, possibly even dangerous.

Analysis with a dab of creativity

How does this connect with information security? “Most information security work is reactive,” says Tafoya. “You search for vulnerabilities, repair the holes and, with firewalls, protect against attacks and monitor for future vulnerabilities. But that’s only looking in the rear-view mirror. Using that approach, we had no way to protect against the September 11 attacks. You need creative thinkers to brainstorm about possible threats, probable vulnerabilities and preferable solutions. For crimes such as terrorist threats, you need to bring in behaviorists.”

Tafoya’s own professional credentials are in criminology. In hindsight, it seems almost inevitable that he would become a criminal profiler, combining keen interest in criminal behavior with a penchant for connecting dots in unconventional ways. His process in developing the Unabomber profile, he says, “integrated extensive analysis with a dab of creativity and imagination.”

“Kaczynski was in four databases the FBI searched,” Tafoya recalls, “but the search criteria were set to find a blue collar worker, not an academic. In preparation to interview the living victims, when I looked back at the evidence, I decided to throw out that assumption. The bombs were increasingly sophisticated and included elements you don’t find on the Web or in the Anarchists Cookbook [a 60s underground bomb-making publication]. He clearly had access to materials and knowledge of a scientific nature, not readily available. But he wasn’t trained by the military or a government agency because he didn’t seem to understand conventional bombmaking. I thought the probability was high that he was an academic.”

Lessons learned from Futurists

The marriage of analysis and imagination is characteristic of another field in which Tafoya is well known: Futures Research. The discipline grew out of DoD efforts in the 60s to devise better ways of projecting costs and timetables for large weapons programs (most famously, the Polaris submarine missile system). When the resulting processes were combined with creative, imaginative thinking about trends in an array of human activities, the discipline of Futures Research was born. Today, Futures Research has shifted toward the social sciences and draws participants from many walks of life, but the imaginings of Futures Researchers, however farfetched, are usually grounded in research and scientific method.

Criminal profiling shares its basic process with Futures Research: Use what you know as a basis for imaginative speculation about what you don’t know. The process is evident as Tafoya talks about one of his goals at CSC — to profile computer hackers and cyberterrorists.

Cyberterrorists likely to be sophisticated

He starts with the September 11 highjackers. “These men did their homework,” he observes. “They took flying lessons. They communicated via e-mail at public kiosks, cyber cafes and even public libraries. They went to airports to find weaknesses in security systems, and so forth. They did sophisticated planning and researched vulnerabilities. There’s no reason to assume a cyberterrorist wouldn’t do the same thing. In fact, there is a high probability that cyberterrorists would be even more sophisticated in developing a strategic plan for ‘the next time.’”

To counter such threats, Tafoya insists, “Creativity is the crucial element. When the problem isn’t like anything we’ve seen before, we need our imaginations.” In organizations, “We have to do our best to encourage maverick thinking and not to let conventional corporate culture get in the way.”

He recommends the think tank model as the best starting point. What’s essential is to create conditions that encourage people to be creative and think outlandish thoughts. Tafoya reminds us that the September 11 scenario was not completely unanticipated. A group of futurists developed scenarios for the Pentagon about possible terrorist tactics. One suggested that someone might intentionally fly a plane into national monuments. The idea was dismissed as too outrageous.

Related Information:

Contact Us and Let Our Experience Help You Produce Results.

Learn more about CSC’s government solutions.

Read more about CSC’s information security solutions.

Read about how CSC employs a team of ethical hackers to test the vulnerabilities of computer networks.