Securing Systems and Chasing Bad Guys
Years ago, when Sarah Brown envisioned all the things she might do with a master’s degree in mathematics from the University of Maryland, chasing bad guys was definitely not one of them.
“I don’t think I knew exactly what I was going to do,” she explained. “I knew there would be job opportunities. I could aim to be a teacher, perhaps a university professor.”
Instead, Brown’s career path has taken her to the rapidly changing world of cybersecurity. For over 15 years, Brown (M.A. ’03, mathematics) has been on the front lines of the global fight against cyber threats. Now based in Delft, Netherlands, she currently works as a senior scientist with the NATO Communications and Information Agency (NCI Agency), ensuring that NATO’s essential communications systems are protected and resilient to compromise.
“NATO is an alliance of 30 countries from Europe and North America who consult and cooperate in the area of defense and security, as well as conduct multinational crisis-management operations together,” Brown explained. “It’s essential that NATO’s systems can fully support these activities, including from a cybersecurity perspective.”
It all started with math
As an only child who grew up in Columbia, Maryland, Brown discovered a love of mathematics early on.
“I thought math was exciting from an early age, and this definitely came from my parents,” Brown explained. “My dad was a mathematician, and my mom was a manager in a very heavily mathematical research group supporting the government in Ft. Meade, Maryland. A lot of my parents’ colleagues were mathematicians and I would meet them at different functions.”
From problem-solving to the challenges of algebra, topology and complex analysis, Brown particularly loved the field of pure mathematics.
“I liked my math classes in school, I enjoyed logical thinking and doing fun little puzzles, I enjoyed the other nerds that were on the math team with me,” Brown explained. “It made sense to me and I thought it was a lot of fun.”
At Oberlin College, Brown majored in mathematics and, at the encouragement of her dad, computer science, too. She studied for six months in the Budapest Semesters in Mathematics program for U.S. undergraduates and interned during the summers at the National Security Agency. After getting her undergraduate degree, Brown began her Ph.D. in mathematics at the University of Washington.
“The first year of graduate school was tough and I started to think about getting through it with a little more support,” Brown recalled. “Fortunately, I had also been accepted into the mathematics graduate program at the University of Maryland, and after a year in Seattle, it was like coming home.”
During graduate school, Brown worked at Sandia National Laboratories for two summers, where she did research on a type of optimization problem that could be solved using complex simulations called asynchronous parallel pattern search. She also spent a fellowship semester with the National Academy of Sciences, which introduced her to how scientific research and mathematics are used to inform and shape public policy, and she quickly realized that was exactly what she wanted to do.
“I wanted to do a little bit of technical scientific work, but I also want to see the big picture and understand from a business perspective what the priorities in an organization should be and what kinds of mathematical problems or research should be pursued,” Brown said.
After receiving her master’s degree, Brown joined the National Academy of Sciences full time before finding her next career move.
“At some point I came across The MITRE Corporation, and I learned about Federally Funded Research and Development Centers—FFRDCs—which is the model under which MITRE operates,” Brown said. “FFRDCs function as nonprofit, technical experts for the government, with work that involves plenty of technical challenges as well as public policy and strategy.”
MITRE hired Brown in 2004.
“I applied several times to different departments and was ultimately contacted by their information assurance department,” she recalled. “They said, ‘Your math and computer science background is a really good fit, we could definitely use someone like you.’”
Brown had never pictured herself working in this field, but the more she learned about it, the more interested she became.
“I knew about cryptography and the encryption of data from my mathematics studies at Maryland, and computer programming and operating systems, but I didn’t understand the complexities of system security and cyberthreats until I joined MITRE,” Brown explained. “In my work there, we focused on identity and access management, evaluating product security and how to ensure data confidentiality during communications between systems.”
A big move
While Brown was working at MITRE’s D.C.-area headquarters, her fiancé was offered an opportunity to do research in Amsterdam. Moving to the Netherlands sounded like a great adventure, so Brown started doing some digging.
“I found out MITRE had a scientist working as a liaison to NATO sitting in The Hague,” Brown explained. “I asked my management more about this role and partnership with NATO, and it turned out there was a great opportunity to serve in a similar position.”
The rest, as they say, is history.
“It was very serendipitous,” she said. “MITRE sent me over for what was supposed to be two years. We got married, packed three suitcases, came overseas and started taking Dutch lessons. We just got up and went.”
That was 2008. By 2013, Brown’s husband had finished his postdoc and settled into a job with a Dutch company, and Brown had gained a great deal of experience in system security from the NATO perspective, with an appreciation for technical collaboration between the U.S. and NATO and the importance of interoperability and coordination between systems and technical teams. Now she was ready for a change, and she found an exciting opportunity with Fox-IT, a well-known Dutch cybersecurity startup.
As principal cybersecurity expert for Fox-IT, Brown supported the threat intelligence team, tracking the changing landscape of cybercrime around the world—and threats to banking institutions in particular—providing guidance to help keep customers’ systems safe.
“It was a fascinating experience,” Brown said. “We were doing technical work, collaborating on a daily basis with the banks and trying to understand the latest cybercrime methods, how these complicated attacks were being carried out and what could be done about them.”
Over the next three years, her work involved collaborating with other cybersecurity experts around the world to unravel and disrupt complex cybercriminal schemes that were stealing millions.
“Many high-profile groups, like GameOver/P2P Zeus, SpyEye and Dridex, were coming up with new and never-seen-before attack techniques that were very effective,” Brown explained. “It takes a big team effort to understand the full picture of what’s going on. We were involved at Fox-IT, but so were a lot of different companies and countries—and in some cases, law enforcement took action. I enjoyed the collaboration in this work, and it was rewarding to be able to make a difference and to be a part of that.”
“Working for the good guys”
In 2016, Brown returned to NATO, accepting a role as a senior scientist at NCI, the Communications and Information Agency in the NATO Cyber Security Centre. There, she found a welcome change of perspective from her previous work tracking cybercriminals.
“It’s definitely a lot of fun to be kind of a cyber detective, but after some time focused on criminal activities, at NATO it felt like, ‘I’m working for the good guys now, focusing on security systems and taking a break from chasing bad guys,’” she said.
Five years later, Brown is a senior scientist with the Communications and Information Agency, which procures, deploys and defends systems for NATO nations and commands, specifically communications, information and cyber systems, intelligence systems and systems.
“Robust and resilient communications are at the center of our work,” Brown explained. “Security is all about confidentiality, integrity and availability. You want things that need to stay confidential to stay confidential, things that are put into the system should maintain their integrity, they’re not going to get tampered with, and the system’s available and the data is available when you need it.”
This year, Brown focused on updating the agency’s cybersecurity strategy.
“Our NCI Agency cybersecurity promotes a perspective of resilience,” she said. “That is, we ensure that the work we do is driven, monitored and reported on from a cyber resilience perspective. It’s essential to create a balance between prevention, protection, defense and recovery in a way that manages risks, because realistically, 100% security is not an achievable goal.”
Though Brown never imagined a career in cybersecurity years ago, she loves her work and the mathematics that’s very much a part of it.
“I don’t have any integrals to solve, which would be nice,” she said, “but in cybersecurity it’s about problem-solving and breaking down complicated problems into logical pieces in the right order. And I think it’s those skills that I still use now more than anything.”
And, after 14 years, the Netherlands feels like home.
“We arrived with three suitcases, but we now have two girls, ages 10 and 11, and we live in a beautiful little town where we can bike and walk everywhere,” Brown said. “I really enjoy Europe’s healthy work-life balance. People work from 9 to 5 and they’re very focused in those hours, and then at five o’clock they switch the computer off.”
Brown’s work-life balance allows her to spend more quality time with her family, which she hopes will include a lot more math in the future.
“I love the time I have with my girls. As the girls go through school, I look forward to learning with them and encouraging them the way my parents encouraged me,” she said.
Written by Leslie Miller