UPDATED 15:34 EST / JULY 02 2021

Neurodivergence is a gift for the password king of IBM’s X-Force cybersecurity team

As an elementary school student in the Canadian city of Calgary in Alberta, Dustin Heywood could barely grip a pencil. His handwriting was so bad that it often took hours to write a single page. Yet he was able to solve math and computer science problems far beyond his grade level.

His condition confounded school officials. Relatively little was known about autism at the time. When Heywood was diagnosed as a teenager with a high-functioning form of what was then called Asperger’s syndrome, he finally understood the challenges he faced and also the potential of some of his extraordinary capabilities. In cybersecurity, he has since found a community of people who, like him, thrive because of their ability to see the world differently.

“I always looked at the rules and found ways around them,” Heywood said in an interview with SiliconANGLE. “I learned how to violate the spirit without violating the letter. But I never used my skills for something other than good.”

Different perspectives are an asset in a field where the best prevention is to think like your adversary. “You need to find people who are 100% ethical but can think like a criminal,” he said. As an ethical hacker, Heywood specializes in finding patterns that humans and even computers would overlook. And as a member of IBM Corp.’s X-Force Red, an elite team that organizations hire to break into their computers and identify critical vulnerabilities, he has found a place to thrive.

A gift for spotting patterns

Heywood got hooked on password cracking early in his cybersecurity studies. “My ability to see patterns in data just clicked,” he said. For example, he can recognize keyboard patterns such as “zaq12ws” that users think are hard to guess but that are easy marks for cybercriminals who know what to look for. He also has an uncanny ability to identify the song and quote references that frequently turn up. “Humans can’t create a password to save their lives,” he said.

As the go-to person on passwords within X-Force Red, Heywood specializes in working with clients to audit authentication credentials used by system administrators and other critical information technology staff to identify the most vulnerable targets.

Heywood didn’t start out looking for a career in cybersecurity. Hoping to build his social skills, he found early work as a telemarketer, followed by a series of manual labor jobs. While working in a potato chip factory in his mid-20s, he suffered a dislocated shoulder that forced him out of his job and into a retraining program that happened to include cybersecurity. “I did the first year in six months, knocked that out of the park and started doing low-level IT things,” he said.

An early job at an IT contractor sent him on back-to-back trips to Afghanistan to set up TV entertainment and videoconferencing systems in remote regions. “I actually had to rely on a lot of hackerlike skills to make things do what they were never intended to do,” he told the Toronto Globe and Mail. “No one ever intended to have TV streamed over satellite, over an IP network and into a remote base in Afghanistan.”

On the road

There followed several years at a large financial services firm where the work was interesting but kept under tight wraps. IBM offered him not only the opportunity to immerse himself in a field he loved but also to discuss his work freely at conferences and events. He became a frequent speaker at the now-defunct DerbyCon security conference, where he was better known by his online handle, EvilMog. His hacker team, The Church of Wifi, has won the Hacker Jeopardy! competition at the DefCon conference for the past two years.

Despite being in the spotlight, Heywood admits that he continues to wrestle with some aspects of his autism. “I have a lot of masking tendencies,” he said. “I take a lot of things literally and jokes can fly over my head. I can’t read nonverbal communication.”

Like many neurodiverse people, he said, “I’m terrible with things I don’t have an interest in, but I collect hobbies like being a glider pilot, scuba diver and pyrotechnics. I can tell you things about those hobbies you’ve never heard of.”

He’s proud of a technique he recently developed that standardizes the distribution and management of encryption keys for the Secure Shell Protocol while also hardening security.

But his passion for password cracking has forever labeled him as the “password person” inside X-Force Red. He accepts the distinction with humility. “I initially didn’t think I had a gift for it, but people keep commenting on it,” he said. “If they tell you you’re a horse, I guess you’re a horse.”

And he expects that his skills will be in demand for many more years. As he wrote on the IBM-sponsored Security Intelligence site two years ago, even such alternatives as multifactor authentication and biometric security have their weaknesses. “The guidance of creating secure passwords has worked for the last 20 years and I think will work for the next 15,” he said, adding with a grin, “by which time I’ll be retired.”
