From Quantum Computing To Securing The Upcoming Election, with Steve Grobman, Chief Technology Officer At McAfee - Ep. 83
Quantum computing, Grobman's curve, the upcoming election, and how to prepare for the cyber pandemic are all part of this fascinating episode with Steve Grobman, Chief Technology Officer at McAfee.
Episode Table of Contents
- [01:11] A Self Proclaimed Cybersecurity Pragmatist
- [06:31] The Need to Move Faster in Securing the Upcoming Election
- [12:05] How Artificial Intelligence Makes the Adversary More Lethal
- [19:54] Securing the Upcoming Election by Making the Citizens Trust the Election Process
- [25:40] Turning Your Home Infrastructure Into an Organizational Infrastructure
- About Our Guest
A Self Proclaimed Cybersecurity Pragmatist
Arika: And this week we have Steve Grobman, who is the Chief Technology Officer for McAfee. Hi, Steve. How you doing?
Steve: Hey, Arika. I'm great. It's great to be on it. And Eric, great to chat with you again.
Eric: Great to chat with you, Steve. Steve also is a 20 plus year Intel veteran, Intel Fellow. I'll read the line from his latest book, I believe, on about the author, "A self-proclaimed cybersecurity pragmatist." That is an apt description, mostly.
Steve: Well, thank you. It's great to be here.
Eric: I need your help once again. I know we're not working together, but I was on a radio show, the John Gilroy Show on Federal News Network a few months ago. I was asked a question about quantum computing and security. It was an unexpected question.
Eric: My response was something to the effect of, "We've got a lot of problems to deal with and quantum is going to be a problem. But I think we've got to deal with things like patching and cloud security and training and user awareness and other things first." I think you'd like to set me straight on that one, as you've done many times in the past.
Steve: There are a few things. First off, one of the challenges in cybersecurity is you can't just stack rank the issues and only deal with the ones at the top.
Monumental Moments in Life
Steve: It's a little bit like saying what are the most important parts of the airplane? Like the wings and the engine both have to stay on and work or bad things happen. And it's exactly the same in cybersecurity.
Steve: The issue with quantum computing is that when quantum computing becomes practical, it will be able to decrypt and break RSA and other public-key algorithms that secure all of the communications that we've been using for the past decade.
Steve: And the challenge with that is, if you're an adversary, if you're a nation-state, if you're a cybercriminal, you can steal encrypted data today and then wait until this becomes practical in the future and decrypt the data then. It's a problem now, it's not a problem at some future point in time.
Eric: Sometimes you have these monumental moments in life. I remember exactly where I was, I remember the time of day, I remember what I was doing when I heard, "Steal today, decrypt tomorrow," and my mind just opened up. Thank you, once again. I mean, it blew me away, Steve.
Steve: Well, it really reinforces the point that we need to think about our data fundamentally differently. We've always thought about how sensitive data is. But what quantum brings to the table is we now need to think about how long does data need to be kept secret for?
Steve: And there's a wide variation. If you think about things like public earnings or earnings announcement for a public company, it's very sensitive data.
Nation-State Secrets to Secure the Upcoming Election
Steve: But it's a very short amount of time because the time between quarter-end close and public release of the data is just a few weeks. Even though that data is very sensitive, it's not required to be kept secret for very long.
Steve: Contrast that with national secrets. There's information, and I talked about this a little bit in my RSA keynote. There's information related to the Kennedy assassination over 60 years ago that still retains redactions for national security secrets.
Steve: Nation-state secrets have a very long shelf life of how long we need to keep that data secret for. That's why when we think about data, it's really along those two vectors. How sensitive the data is, but also how long does it need to be kept secret for.
Eric: Arika, how did I miss that? I mean, it's so simple, and it's elegance, but I totally missed that.
Arika: Yes, I was going to say, conceptually, that just makes a lot of sense. But that's not how data really, how we look at it right now. It's just that it's a secret, is a secret, is a secret. It has to stay in that sensitive bucket, but you're right.
Eric: Steve, I think you're saying is, anything that we encrypt today, which is the majority of material and compute these days is potentially breakable in the future.
Steve: And it gets worse in that a lot of us are now moving our capabilities to the cloud, which is the best place to do things. But if you think about how do we access the cloud, we access the cloud on a public network. It's called the internet.
The Need to Move Faster in Securing the Upcoming Election
Steve: Given that this data is flowing through an untrusted network, our most sensitive data is now sitting out there using encryption algorithms that can be siphoned off today. As long as you're an adversary that has patience, that can be decrypted tomorrow. The one thing we know about nation-states, they have patience.
Eric: Do we sleep better, Arika? Do we sleep better tonight knowing everything is open?
Arika: I guess that's my question. You're saying we know that they do have patience. So how do we then still stay in front of the adversary if we know that they're in it for the long haul?
Steve: What we really need to do is move faster. Right now, NIST is in the process of selecting the next generation of public-key algorithms to replace things like RSA and elliptic curve. These algorithms need to be resistant against quantum attacks, but also resistant against traditional attacks. So, it's really important that we get the selection of those algorithms correct.
Steve: The challenge is, it's moving really slowly. It's going to take years for the selection of those algorithms to be finished. Once that's done, it's going to take another few years to get worked into standards. And then worked into products that are deployed within environments.
Steve: The call to action here as an industry is, number one, we have to move faster. We have to support groups like NIST to enable them to move more rapidly in things like algorithm selection, algorithm validation. But then we, as an industry, need to start working in parallel to look at how will TLS work in a post-quantum world?
Breaking Encryption Using Quantum
Steve: How will things like code signing or identity work in a post-quantum world? And then start to build the standards now so that we can move much faster. One of the things that's interesting about breaking encryption using quantum is adversarial nations aren't necessarily going to announce when they've been successful. A great example of that is look to our own history.
Steve: When the Allies cracked the Enigma in World War II, it was literally decades before they made it public that the Enigma was broken. That gave the intelligence communities the ability to continue to tap into encrypted information that other nations believed was still secure.
Eric: It's crazy. So, Steve, you talk about having to get the standards done faster. At the same time, we're going to have to productize quickly. I know you're the inventor of Grobman's curve, does that still apply in this world?
Steve: It does, because the way to think about it is adversaries are going to focus on things that are easiest and providing the highest return on investment for their attack. Right now, going after data that's been encrypted using traditional means is where the adversaries are going to be focused.
Steve: The organizations that can move most quickly to post-quantum data protection algorithms will, at first, not generate enough volume for the adversaries to go after them. And will have an inherent advantage of being able to protect their most critical data.
Eric: Just for our listeners, if you aren't familiar with Grobman's curve, that's efficacy over time, correct?
Steve: A simple way to think about it is, whenever a new defensive technology is built in the security industry, it has an advantage that it's solving a known problem.
Securing the Upcoming Election Using a New Defense Technology
Steve: In the early days, the new defense technology works very well because not only is it focused on a known problem, but also, there's not enough volume of that new defense capability to make it worth the adversary's while to try to build countermeasures to work around it.
Steve: But then, as it gains steam, it essentially creates incentives for the adversary to figure out how do they work around the new defense capabilities. It's just something to always keep in mind that cybersecurity is very different from other information technologies in that moving fast is very important. There's not necessarily this notion of being a late adopter as providing the advantage as it does in other places.
Eric: Does that make sense, Arika?
Arika: It does. And my question back to you is, obviously, we're not moving fast enough. Can we ever move fast enough? Can we ever get in front of the adversary? And then, as we see new technologies and other innovations being brought to market, how do we make sure that we align those with the security threats that they can bring? I think things like AI can bring many new innovative technologies. But I imagine that it makes the threat footprint much larger, as well.
Steve: That's right. So much of our business is about triaging. Where we're making sure that we're able to provide the best possible defense on the things that matter the most. But we have to recognize that the adversary is constantly changing the tools that are in their toolbox to have more lethal attacks. A lot of times people talk about AI being a great technology from the cyber defender perspective.
How Artificial Intelligence Makes the Adversary More Lethal
Steve: I think a lot about how artificial intelligence is going to make the adversary more lethal. If you think about some of the things that AI is very good at, it's good at classification problems, so for example, doing victim selection. Why attempt to attack all of the vulnerable computers in an organization when an adversary can use AI to find the ones that have the highest probability of being vulnerable?
Steve: Or if you think about some of the benefits that AI brings around automation, we think about AI for automation from a defender's perspective, such as how do we orchestrate our defenses? But an adversary can take AI to automate things like spear phishing. Now you have a victim conversion rate with roughly the same rate that you did when you did individually researched spear phishes.
Steve: But you can now execute at a much higher volume more analogous to traditional phishing. So, really, create new levels of efficiency for the attacker. And we're just really getting our head around what this means from how do we up our defenses to defend against this?
Eric: And Steve, like most technological advances over history, AI can be used for good or for bad, just like nuclear power, just like airpower, just like gunpowder. Really, there are things that can be used for good and for bad. It's how do we get ahead of the bad? Or how do we control the bad maybe?
Steve: It's exactly right.
The Adversary’s Inherent Advantage
Steve: One of the things that makes it especially difficult is unlike dual-use technologies in our physical world where we can place regulations on the precursors, if you take nuclear as a good example. Clearly controlling nuclear materials so they can be used safely in civilian nuclear power use cases, as well as for authorized military uses, is something that we put a lot of work into.
Steve: In cyber, it's a lot harder because the underlying technologies are created out of thin air. It's digital, it's math, it's code. It's things that you can download TensorFlow if you're an adversary and build a machine learning model to find the weakest victims, to automate your spear phishing, to make your underlying attacks both more lethal, but also work to evade some of the new technologies that we're using in the cyber defense space in order to detect new attacks.
Arika: Well, I was going to ask you, but based upon this, is that what keeps you up at night, Steve?
Steve: It does keep me up at night partially because the adversary has such an inherent advantage. I think of all of us that are in the cyber defense technology industry, and if you think about when we have an innovative idea, we come up with an idea, it takes some amount of time to get it onto a roadmap, to get it developed by engineering, to get it into product, to go through a procurement cycle, and then to get it deployed in customer environments.
Steve: Contrast that with what an adversary does. An adversary comes up with a new concept for an attack, and the next day it's coded and it's executed.
Combining Non-Deterministic Solutions Essential in Securing the Upcoming Election
Steve: They get to use their victims as their laboratory to make the lethality and the effectiveness more effective. There's an inherent asymmetry between what the attacker and what the defender has at their disposal.
Eric: And they can try as much as they want. They only have to get it right once to get in the door. It's constant iteration, and it's very, very low cost.
Steve: It's low cost, and they don't have all the barriers that we have in the product space. They don't have to go through regulatory. They don't have to go through certifications and have everything signed off that adds a lot of time. Their ability to have a more rapid innovation cycle plays very much to their benefit.
Arika: So, Steve, what do we do or how do we change that? We don't have the ability, to your point to innovate as fast because of some of the red tape. The regulations and just the approvals and all of the things that have to be done. So, how do we go faster but under these circumstances?
Steve: So, for one, we need to look at technologies that are platforms that we can retool the various detection or defense technologies at a more rapid pace than deploying new products. For example, platforms that can take new models. That can take new threat intelligence.
Steve: That can combine non-deterministic solutions with things that we know and understand, like threat intelligence. Putting all of those together doesn't necessarily get us ahead of the adversary, but it does get us a lot closer to the timeline that they're operating on.
Short-Circuiting the Acquisition Process
Eric: Steve, doesn't that speak to scale in cybersecurity though? I mean, right now we've got 4,000, 5,000, whatever it is, vendors out there with their products. And I know you, I have spoken a little bit about this in the past, just scale though. The ability to bring on new capabilities or features rapidly while avoiding in some cases or short-circuiting, shortcutting the acquisition process in some of the other components?
Steve: It absolutely does. If you think about the impact of operational complexity, operational complexity creates overhead, which is then cost that could be put into better defense. I think of it as an opportunity cost. Whenever you have operational complexity, you have your operators dealing with how do they manage that complexity which could otherwise be spent on defending their organization.
Steve: So consolidation, and whether that means various companies start to consolidate through M&A, or whether we move to more open and integrated solutions where different vendors can interact and interoperate more effectively. Those will simplify the ability for cyber defenders to use technology to defend their world.
Arika: I'd like to pivot for just a second, before we end, and ask you a question about what's going on right now with COVID and just what we're projecting may be a very different election process? I know you've recently written about the fact that paper might still be the safest way, the safest type of technology. Talk to us a little bit about that.
Arika: We're still on day-to-day in terms of what the future will look like, but what are your thoughts as far as how we should approach a digital election process?
Securing the Upcoming Election by Making the Citizens Trust the Election Process
Steve: One of the things that's critical in an election is for both the election to be secure but also to have all of the citizens trust the election process. That means that the underlying technology used to conduct the election is something that every voter must understand and trust.
Steve: Part of the challenge that we have in using a digital set of technologies to conduct an election is it's only people like us that understand some of the details on what would make that either secure or not secure. Also, part of the challenge is that if you look at how an election is conducted, the only thing that a voter sees is the aggregated result.
Steve: At the end of the day, the number of votes for the winner and the loser. They don't actually have a way to track their individual vote. So, if you use a digital election process, when a voter casts a vote, let's say on their PC, the vote that was actually recorded on the back end might be quite different.
Steve: That sets us up for significant interference by foreign actors, really from anywhere in the world. Using well-proven techniques that we've seen in cybercrime and other cyber attacks. Where you're able to present one thing to the person sitting in front of a computer, but actually do something very different on the back end.
Steve: The difference here is, if you change a transaction for a bank account, at some point in time, you're going to see that, and you're going to say, "Hey, I didn't make this transaction." In an election, you'll have no way of knowing that your vote was tampered with.
A Paper-Based Election at Scale
Steve: The other thing that's unique about paper is, given the nature of the US mail system, it's just inherently difficult to tamper with a paper-based election at scale. In order to manipulate an election, an adversary needs to do things at scale. And the scale part of it is really important to focus on.
Steve: While it's true they could steal a few paper ballots here and there. We saw the North Carolina ninth district congressional race have a fraud related to mail-in ballots. But to do something at scale, especially from remotely, such as another country, would be incredibly difficult with a paper election.
Eric: Where we watch like Facebook and we see nation-states impacting belief systems and creating protests and rallies. Because they can do it at scale from afar, very low cost and easy.
Steve: It's also a question of, practically, could we train the general public and local election officials to have the cyber skills required to conduct an election safely and securely? If you think about the ability to even secure the basic elements of our election process, such as getting information about where, when, and how to vote, we see challenges there.
Steve: We did a study recently where we found over half the domains were neither using encryption. They weren't using HTTPS, and weren't using top-level government domains. The sites voters were going to find out where to vote, had things like .com, .us, and .net. I actually stumbled on this myself.
Steve: I recently moved to Texas, and when I went to vote in the last election cycle and looked up my website for my local election bureau, it was votedenton.com.
What Needs to Be Changed When It Comes to Securing the Upcoming Election
Steve: That's the type of thing that we need to change first before we even consider moving to a more broad digital election process.
Eric: I think from absentee ballots, we do have the mail process down pretty effectively. We just need to scale it out.
Steve: It's been proven that some states have every single voter vote by mail. It's not a partisan area. You have states like Utah and states like Washington and Oregon both using 100% vote by mail. There are currently five states that are completely vote by mail. So, we've proven that it does work, there's not significant voter fraud. It's inherently difficult to manipulate at scale.
Steve: In a year where we don't really know what the world's going to look like from a public health perspective in November. Providing options for every American to exercise their right to vote is incredibly important.
Arika: Well, that's news to me. I did not realize that. That's a good fun fact for trivia. Thanks, Steve. That there are states that have 100% vote by mail.
Eric: Steve, with COVID-19, I want to pivot a little bit here, we've seen a lot more work from home. What do you worry about? What are the things that we really need to think about as a global world? As an economy, the economies around the globe? What do you worry about the most?
Steve: One of the things that we see as we've now moved a large portion of our workforce to working from home is, we've seen a lot of workers become an extension of their IT and security departments.
Turning Your Home Infrastructure Into an Organizational Infrastructure
Steve: Your home infrastructure is now part of your corporate or your organizational infrastructure. You need to make sure that everything in your house that's part of that infrastructure is up to date.
Steve: We've seen vulnerabilities in consumer routers, that they can be taken over from the internet. They need to make sure that you're up to date on firmware. Some companies and some organizations were using desktops in the office. They've relied on users using their home machines.
Steve: Meaning that now those home machines need to be secured from various types of cyberattacks. We've even seen issues with people now sharing their company or organization laptop with other members of their family.
Eric: With their kids.
Steve: Yes, like their kids. You've got your kid who's taking classes from home. And they need to perform some task and your work computer is the best machine. You probably don't want to hand your work laptop to your 14-year-old kid and have them go off in the room to do their assignment. Then when they're taking a break, they're surfing the internet to all sorts of places that teenagers do.
Eric: Arika, your refrigerator was watching you. Now, it's watching your whole company.
Arika: Exactly. It's definitely interesting. I personally have become my family IT help desk.
Eric: Did you teach the Nigerian prince?
Arika: Yes. I phoned my grandmother, "Just say no to all of those emails." But it is true. I do think our home networks are now the critical networks, so it's a good point.
The Foundational Book for Cybersecurity
Eric: Steve, your latest book The Second Economy, which I think is the foundational book for cybersecurity, like a fundamental understanding of the industry. I have yet to find a better read. It's definitely a detailed read, but they're great examples. I love it. What did you get wrong? What do you wish you would have put in there?
Steve: The one thing that I think would be a great addition is something that's going on right now. The structure of the book is written where we look at how the physical and digital world are similar and different. In the physical world, we have ransom, in the digital world, we have ransomware, and clearly, there are differences.
Steve: If you look at our latest global health issue as being a global pandemic, one of the things that strikes me is the human inability to accurately assess risk. If you think about how likely a global health pandemic is in any given decade or over any 20-year period, it's actually not that unlikely an event. But yet we seem to be very ill-prepared for it from a global perspective.
Steve: I think the cyber equivalent is very similar. Are we really prepared for a cyber pandemic? And are we thinking about the things that would set us up for a cyber pandemic? And how does that mirror some of the things in the physical world? I think a lot about this current global health crisis is really the combination of a transmissible disease that is both highly transmissible and highly lethal.
Highly Transmissible Cyber Events
Steve: We've clearly seen examples of very transmissible or very lethal in the past. But it's combining these two together, which has made COVID-19 such a strong, impactful disease that's impacting the entire world. I think in cybersecurity, it's exactly the same thing.
Steve: Whereas, we've seen highly transmissible sorts of cyber events. Whether it's WannaCry from a few years ago. We've seen highly lethal activities like the Sony Pictures or OPM breach. Those were very high impact, but they're also very small in scale.
Steve: It's really understanding what needs to happen for things to align that you end up with something that has tremendous scale or transmissibility. But also a very high level of lethality. That's the equation that I worry about that we really need to give some more thought, to defend against the cyber pandemic.
Eric: That's the next book.
Steve: Cyber Pandemic: Start Preparing Now.
About Our Guest
Steve Grobman is Senior Vice President and Chief Technology Officer at McAfee. In this role, he sets the technical strategy and direction to create technologies that protect smart, connected computing devices and infrastructure worldwide.
Grobman leads McAfee’s development of next-generation cyber-defense and data science technologies, threat and vulnerability research, and internal CISO and IT organizations. Prior to joining McAfee, he dedicated more than two decades to senior technical leadership positions related to cybersecurity at Intel Corporation where he was an Intel Fellow.
He has written numerous technical papers and books and holds 27 US patents. He earned his bachelor’s degree in computer science from North Carolina State University.