Podcast #181 Hackable

TRANSCRIPT

TRANSCRIPT

Ken: Good day, and welcome to episode 181 of our Momenta Digital Thread podcast series. Today, I'm pleased to host Ted Harrington, author of the number one bestseller, "Hackable: How to Do Application Security Right." Ted is the Executive Partner at Independent Security Evaluators or ISC, the company of ethical hackers famous for hacking cars, medical devices, and password managers. He's helped hundreds of companies such as Google, Amazon, Microsoft, and Netflix fix tens of thousands of security vulnerabilities. Ted has been featured in more than 100 media outlets, including The Wall Street Journal, Financial Times, and Forbes. His team founded and organized IoT Village, an event whose hacking contest has produced three DEF CON black badges. Ted, welcome to our Digital Thread podcast today.

[00:01:31]

Ted: Thanks so much for having me. I'm excited to be here.

[00:01:33]

Ken: Excited to have you. I know we've interacted a lot over the distant past. And in the interim, you wrote a great book. It sounds like you guys have continued to do lots of great things. And I must say, given everything going on in Ukraine right now with Russia, all the cybersecurity issues around it. This is a very timely topic, so I'm happy you took the time to do that today. I'd always like to start with one's digital thread. In other words, the one or more thematic threads that define their digital industry journey. What would you consider to be your digital thread, Ted?

[00:02:08]

Ted: There are a few ways you might answer that. But if I look at the common thread throughout my life, it's this drive to get better every day. And I don't even think that was something I necessarily recognized about myself until maybe a few years ago, looking back at my decisions. And that might be an odd answer to a question like, "What's your digital thread?" and I'm like, get better. But the reason I state that is that I think that that is the defining trait of what the cybersecurity profession is about. Everyone who excels in security- now, of course, there are people who don't excel, who maybe don't adhere to this mindset. Still, I respect and admire 100% of the people I know across our field; all have that growth mindset. And that's what security is about. People often think about security as can you get to a state where something is un-hackable. You can't, and that's why I titled my book what I did, because I'm like, "Man, people keep thinking this idea that something can be un-hackable. What's the opposite of that?" And so that's how I arrived at the title. But if the goal is not necessarily that you're going to ever be without security vulnerabilities, what is the goal? Well, the goal is you must be better today than you were yesterday. And you better be better tomorrow than you are today. When I look at all the steps along my career path that got me to be in the position to lead this group of ethical hackers and be at the forefront of security research and driving a lot of innovation that's happening that we're fortunate to be part of, it's all because of that mindset to try to get better every day.

[00:03:43]

Ken: Security in general, cybersecurity, specifically, I think many would consider being a defensive activity in the very nature of hacking, ethical- white hat, etc., implies a certain amount of proactivity. You could say offensive in that regard. And so, I think it's interesting to see that drive to get better together because you guys are very proactive in the way you approach cybersecurity overall. I may know why. While researching this, I saw some early entrepreneurial activity and political activism in your biography. I thought that was interesting because I see that aspect of you doing that. Then I see the move into cybersecurity. Is there a connection there, and how did this ultimately lead you to cybersecurity?

[00:04:31]

Ted: Yeah, that was a long time ago. I was very heavily involved with a political action committee trying to advocate for pro-business-type issues in Southern California. I would not consider myself all that politically active anymore. I think I learned from that experience that- wow, this is a nightmare- this stuff. But I guess if I was- I haven't been asked this question before, so I'm thinking about it right now. But if I was going to draw parallels between that many years and that was probably- I was doing that, like 15, or maybe 20 years ago to today, I think that one of the commonalities is that both are difficult. They require you to mobilize a community; you need to have a mission that you can evangelize around and rally that community to support that mission. And you ultimately need to persevere. And all those attributes are found in security too. So even though political activism was not something that was a forever passion for me, learning how to pursue those ideals has been repeatable, and I've carried through even today.

[00:05:39]

Ken: And so, you were right, it was 20 years ago. You co-founded ISC in 2012. The firm, of course, is dedicated to securing high-value assets for global enterprises and performing groundbreaking security research. What is ISC's origin story?

[00:05:54]

Ted: Our origin story. It's funny. In 2012, what I did with my business partner, Steve, was rebooted a company that he had started several years prior. It's funny that we think about the company right now as ISC 2.0. We're a ten-year-old startup wearing a 17-year-old company's clothing. The origin story goes back to when my business partner Steve and his co-founders started the company in the first place as they were responding to this claim, which was rampant at the time. Around 2005, there was a claim that a system was used in automobiles. It's an anti-theft mechanism. It prevents someone from starting the car without the authentic key. And the system was putting this in air quotes right now, "un-hackable." It couldn't be broken; no one could defeat it. The problem is when you say that some hacker-minded computer scientist will gladly say, "Challenge accepted." And so that was what they wanted to look at, they wanted to see- well, if everyone thinks this thing can't be defeated, can it? Let's look at it. This car auto theft is a significant issue. I forget what the stats were at the time, but it was talking about hundreds of millions of dollars in loss is that auto theft represents across the industry. It matters to that sector. And so, ultimately, what they wound up doing was it took a few weeks to reverse engineer the cryptographic algorithm. It took him a few weeks to build this weaponized software radio and then took a few weeks to get it working. But the outcome was that they could use this weaponized software radio to start a car without the authentic key, which the system was designed to prevent. And a cool detail in that story- as Steve will tell it is before publishing the research, they decided, "Well, companies might be interested in this, so let's just form a company and see what happens." Sure enough, as soon as it hit the news, and that was a big story all over the planet, companies came calling. They said, "Hey, you guys understand how hackers think, operate, and brake systems. I've got this system. Can you tell me how it would get broken, and I'll pay you for it". And today, almost 20 years later, that is still the business model where companies come to us to help them find and fix the security vulnerabilities in the systems they're building.

[00:08:23]

Ken: I like that ISC 2.0. Beyond simply doing hacking on automobiles, you guys also, in that time, have done the iPhone, Android OS, medical devices, IoT devices, password managers, and even cryptocurrency wallets. If you had to take that whole time and summarize it into your observations of white hat hacking during that into three key lessons, what would those be?

[00:08:50]

Ted: Well, the first lesson is that security vulnerabilities exist. And what I mean to say by that is that this is not theory. This is not a bunch of paranoid computer nerds in a corner being like, "You might get hacked." This exists; the research proves that security vulnerabilities exist. So that's key lesson number one. Lesson number two is that attackers exploit them. Again, this is one of these things that you see in many boardrooms. People are like, "Well, show me the risks. Give me the number, forecast, the impact, blah, blah, blah." They're trying to think about this theoretical, conceptual thing as if someone would hack a company. But no, the research path shows that number one, vulnerabilities exist. Number two, attackers exploit them. Number three, the lesson that I think comes out of all of this is that when working in partnership, security researchers, ethical hackers, and people from our corner of the world truly can help drive security advancements for companies we're building things. And it's a beautiful relationship. Because if someone's building something, that's their mission. Their mission is they see a problem, and they want to solve that problem, and they're going to solve that problem with technology. Well, they're not necessarily every waking moment of every day thinking about how to break that technology. So that's why you bring in this sort of outside expertise. It's like why companies bring in outside counsel, outside consultants, marketing, etc. You bring in these outside experts who focus on a certain area, have that expertise, and can drive your mission forward so you can focus on your core business. When I look at the many years of security research, it's those three things. Number one, security vulnerabilities exist. Number two, attackers exploit them. And number three, when there's a partnership with ethical hackers, you can drive meaningful security improvements.

[00:10:45]

Ken: Let's hit that point three you mentioned earlier, this idea of community and vision back to your political activism. I know you guys have done a lot of leadership work on IoT Village. It's an event whose hacking contest, as we said, produced three DEF CON black badges. Tell us a bit about this cybersecurity ecosystem. What inspired you to create it?

[00:11:09]

Ted: Yes. IoT Village is- I sometimes call it a traveling circus. That maybe makes it sound goofier than it is; it's a serious thing. But what it is, is we go to different security conferences, invite, or select people who apply to speak, who are doing cool research or whatever. Not all conferences are we having speakers, but in many of them, there's a speaker element. We have a variety of contests like a 'capture the flag style contest where we set up a system of vulnerable devices, and people get certain points if they can attack them or whatever. We have sponsors who sometimes bring their products so that people can poke at them; one year, we had GE- their medical device division and their appliance division also, which are two completely different companies. They brought devices and scooters to the event. I forget what the manufacturer was, who brought an ATM.

All these people brought these things, and people could now go hack on them. And that, of course, enhances the skills of the researchers who are doing that. But it's also a benefit to sponsors like, "Wow, I just got all this essentially free research." And then it's a good look for them to be collaborating with the research community. And community is an incredibly important word, not just IoT Village. To ISC, our culture, like in our mission statement, community is one of the very few words in that statement. We're building a community. I think community is important because even back in caveman days when we were in tribes, nomadic, moving from place to place, survival depended on the people around us before the invention of agriculture. Many aspects of how humans interact with each other come from that sort of tribal instinct that is still ingrained in us many hundreds of thousands of years later. And I think cybersecurity has those same requirements or principles where community matters because you can't secure a company as a person. You can't secure an industry as a person; you can't foster innovation in a brand-new technology category. As you mentioned, cryptocurrency 20 years ago, that idea didn't exist. Or at least in its current format, the idea of a blockchain didn't exist. And by having a community, you now take all these different skills that people have, you're able to combine them, you're able to transfer knowledge from one person to another, and it's the proverbial rising tide that lifts all boats. And that's why community matters. When we think about IoT Village, or our company community is important because we're all in this together. It's a requirement that we all must make each other better. And when we do those things, that's how we'll succeed. But if we do not do those things, we have no chance of winning.

[00:13:54]

Ken: A big portion of the community you mentioned a moment ago is this idea of a rising tide and thought leadership. And you've personally played a leading component by publishing your best-selling book, "Hackable: How to Do Application Security Right." What was the core thesis of the book?

[00:14:11]

Ted: Well, I wrote this book because I saw a couple of things happening. The first thing that I noticed was, as we discussed here, that I'm in this position to lead this group of ethical hackers, so we work with companies all the time. And I found myself having the same conversations repeatedly with our customers, prospective customers, and people out in the industry and the community. And I started thinking about that. I realized that the problems that everybody has when it comes to securing their software systems all fall into pretty much ten categories. Now, not everyone refers to them as those, they might not all use the same words, but the concepts- there's like kind of 10 different concepts. And I thought that was interesting once I noticed it. I'm having the same ten conversations; I thought that was interesting. And then I started thinking about, well, how do you solve have for those ten problems. And that was the moment, the lightning strike. That was like- you must write this book. You are now required to; it is no longer- this would be interesting. It is a mission; you must do this. Because I realized that the conventional solutions, the way most people talk about solving those problems everybody has, were wrong.

Now think about that. Here you have a person, company, organization, whatever. They identify some opportunity in the marketplace, they see a problem they can solve, and the way they want to solve it is they want to solve it with technology. They set out to build a system that will solve this problem; it will change the world. They recognize that security matters and realize they have some problems in achieving a secure system, so they try to solve their problems. And the answers that get how to solve those problems are wrong. That's bonkers. I found that to be completely unacceptable. And I mean, that day, pretty much I outlined the book. That is the purpose of the book, it's written for your chief technology officers or anyone responsible for the security of a system, but security might not even be their whole job. It's also written so that security professionals can understand this aspect of the business. Maybe they're in a different security area and don't understand application security. And then, it's also written so that developers who are building these systems can understand the principles. And the outcome that I hope that people get out of this for those audiences is that they will first understand the problems, understand the correct way to solve those problems, and then have actionable advice about how to solve them.

[00:16:38]

Ken: The way I think about it is solution patterns. Suppose you think of- usually IT architecture. They'll define certain patterned cases and say, here are some best practices towards achieving that. I think beyond that, what you've done is you've looked at this thing, systemically, i.e., this isn't just software, isn't just hardware, isn't just the communications, it's the full stack, the periphery of any of which could form a least common denominator attack. And so, taking a systems approach to this, looking for those least common denominators, is certainly a critical way to approach that. It's an interesting time. I mentioned right up front- of course, I'm here in Europe, and Russia has an unprovoked invasion of Ukraine. And concurrently, the whole cybersecurity attacks that they've perpetrated on Western nations have been unprecedented, affecting the lives of millions of people. What do you think these brutal attacks have taught us relative to critical infrastructure cybersecurity?

[00:17:37]

Ted: Yeah, there's a funny as well, maybe not funny. But there's a saying in the security community, "Never waste a crisis." And I do not mean to make light of a very, very serious situation in Europe. My point was that you're asking this question is itself the silver lining of this situation. You see it the same whenever there is a major hack- that major hack that Sony went through, the major Target breach. All these big issues make people start to think about security differently. And so, while it is, of course, just robust tragedy that's going to echo through probably generations, to be honest, that we're having this conversation, I think, is a good thing. And the reason that I'm pointing all that out is that the security implications, the cybersecurity implications of nation-states attacking each other and attacking critical infrastructure, that issue has been present for decades. But now that we're talking about it, that is what matters. Not that it didn't matter before, but the point is that this issue existed before. We're now finally talking about these things. People are starting to register the average person's awareness that this might be a problem that we have to invest in.

You even look at some things recently in the United States, the Colonial Pipeline issue. That gas was unavailable on the east coast of the United States for I forget how long. I'm going say, like, a couple of days or something, that critical infrastructure was made unavailable due to a cyber-attack. And I believe it was Obama and maybe in his first term, who officially declared cyber as a theater of war. Theatres of war, sea, air, land, and space are now one, and cyber has officially been declared one, and I agree with that. Because if you think about just strategy- I'm not a general, I don't know anything about how to launch a war. But if I was going to say, could I do something that would make critical services unavailable, like first responders, even missile defense systems, whatever. Delivery of power, delivery of water- if I can make those unavailable while also deploying a physical, traditional sea, air, or land-based attack, I would want to do that. If I'm engaged in a war, we're seeing these things happening- nations are constantly attacking each other already. And then when a moment of actual war happens, now we're seeing these things you don't see. You don't see a cyber-attack happening; you hear about it in the background. And then, when a war happens, now it's thrust to the forefront. This is a real problem for all nations worldwide, and the United States included- all nations in Europe. And it's something that every nation will have to contend with.

[00:20:30]

Ken: I like your thought about the theater of war. And one might argue that if you look at Vietnam, it was described as the first war televised by mass media. Of course, CNN got its start doing the same for Desert Storm, arguably. And this war seems to be where that cyber security element might be one of the strongest theaters. Think about the social media campaign that Ukraine has run quite successfully. Think about the cyber attacking of Russian data sources, primarily personnel records for all the soldiers being deployed and spies and things like that. It's interesting that so much of this has manifested itself on the cyber side. Of course, there's a whole set of attacks on OT infrastructure. And by OT, operational technology. The infrastructure is running the energy grids, manufacturing, transportation to war. What changes have you seen in demand for your services relative to what we consider OT systems and use cases?

[00:21:36]

Ted: We focus primarily on the commercial sector, so we haven't been working with- I mean, we do have clients in the government. But we haven't directly been working on things like the power grid. We've done some research in that area, but one of the fascinating things is that people sometimes ask us, like, what are your areas of expertise? We have all the core areas of expertise that you want an ethical hacking company to have but what's fascinating is where the demand is. We can't even reinstall the door; it keeps getting kicked down so hard. It is for application security. People who are building apps, which software runs the world and every function of every business across the planet, are either already moving to use apps to run that part of the business or are on the way to doing that. And so that has been fascinating. People might look at the distribution of our work and say, "Oh, it looks like you don't do as much network security," for example, as application security. And we're like, we can. We have all the people. It's just that the demand for application security is so high. And there are so few organizations that have that specialty. And so, I wouldn't say that necessarily is being driven because of nation-states attacking each other. But I think that is being driven by the economics and business benefits that come because of the value optimization or whatever corporate jargon you want to throw around that software can deliver to businesses and governments.

[00:23:15]

Ken: As investors, we always like to look at interesting trends in the space. We've invested in zero-trust security with a company called Xage in the Bay Area. We've had quite a few companies that have rolled across our radar as of late talking about quantum encryption techniques. What key technologies and trends are you watching relative to the future of cybersecurity?

[00:23:37]

Ted: The big one that I think everyone is talking about- if I were an investor, I'd be thinking about it too, but with a big asterisk to it is things like artificial intelligence and machine learning. Everybody wants these things to solve most of today's security problems. How do you deliver a good service? And people think, "Oh, well. The machines will do it for us." And unfortunately, I don't think that will happen anytime soon. Maybe not even in our lifetime, when artificial intelligence will be able to deliver security as well as a human can do it. And that's crazy when you think about it because we're like, "Well, humans are dumb, and computers are smart. Let's build a computer to do a thing." But I just don't see that. But that is an area that I see many people are interested in. So even if it's not- one day, we're going to get to a point where artificial intelligence replaces the need for humans to secure systems.

There is all subproblem to a subproblem to a subproblem that machine learning and artificial intelligence can help and get smarter at. Wherever there are things that may take a lot of manual effort to do, and we can automate those types of things, that's where a lot of winning is happening for sure. Security is such an awesome space, but the one place that- I just talked about a lot of people talking about machine learning and artificial intelligence, but where I see the most exciting part of all of security is in third party risk management. And that sounds so unsexy just saying that term. I get it. People are like, what? What are you talking about? But what it is-

[00:25:11]

Ken: An insurance company?

[00:25:14]

Ted: It's like, "Well, Ted, way to put me to sleep." No, but it's potentially the most important problem across security, the most underserved, and the most misunderstood. But what third party risk management is, also called vendor risk management- is the idea that every company, every government, every academic institution, and every nonprofit must work with third parties. They subscribe to or license applications. They hire outside contractors, consultants, service providers, whatever. Across the board, they're hiring people or companies or software products to help them. And those people, those companies whose products are not in-house, how do you secure all that? How do you know that when you're entrusting this third party with access to what's most valuable to you, how do you know they're doing it right?

I mentioned Target earlier. That Target breach was like 2013, I think. And that was a third party that was compromised, and because that was where the breach started- it was a supplier that helps with the HVAC in stores, that supplier was compromised, and then with that privileged position, the attackers were able to expand the attack, ultimately get to the payment systems and steal a whole bunch of credit cards. And that's a great example of where it almost- this does not mean to diminish any other part of security. Still, it's almost like if you don't solve that problem, everything else you're doing doesn't matter. That problem is critically important, but it's so hard to solve because it exists outside the walls of any given company. We're so passionate about this problem that we built a software product that helps manage that process itself. Because what happens is a lot of companies do the security assessments either themselves or work with someone else. They make their vendors fill out questionnaires and all this stuff. And how do you manage all that? And a lot of companies, they just- emails and spreadsheets. Their vendors email them their reports; they store them locally, maybe on a cloud service. And then, they have a spreadsheet that describes the status of a given vendor. And we're like, no, there's got to be a better way to do this. And we're not the only people who have identified this as a critical area in security. But that's the area that I'm super excited about.

[00:27:23]

Ken: It's the very nature though of partnerships. You can describe the target HVAC one as a good example. But those are very formal, if you will, one company engaging with another and doing some level of integration given the post-COVID working environment, gig economies, fractional remote workers, etc. In some sense, that plays in small part, but collectively as large of risk as well. You're working with a BYOD or 'bring your own device' scenario with a small one and two-person companies trying to engage them collectively to be part of your company's value proposition. It sounds like your software is well-timed for the big end for the small cases in that regard.

[00:28:06]

Ted: Yeah, right. The way you just described it; I agree. That exact dynamic that you just described is essentially how movies are made. Many people don't know this; many people think- pick your movie studio, you go on to a studio lot. Everyone who's there, from the person operating the camera to the person who puts in the CGI flames, all work for that studio- that's not how it works. The way movies are made is that almost everybody doesn't work for the studio. You've got all these specialists. And then you've got these sort of interesting power dynamics where you've got- if a particular director, imagine someone like Steven Spielberg. If Steven Spielberg wants something, it's happening. He's like, I want to use this person because this person makes the best crash sounds, and I need his crash sounds for my film. That person is just one person. Or, in some cases, two or three. And security is not what they're thinking about. And here's the studio who is making this- maybe they're investing $250 million and making the next blockbuster. Somewhere along that chain is a single individual who does not work for the studio which has access to that digital file. And most of the money that's made in a movie, it's like two-thirds of it or something, is made in the first three weeks of theatrical release. They want to make sure it doesn't get stolen before it hits theatrical release. The movie business has been focused on this third-party security problem for a long time, and it is a massive issue. I'm only describing the movie business because it's illustrative, but this same problem exists across industries.

[00:29:41]

Ken: Yeah, anywhere you've digitized your IP. That's a great case study in movies, especially because many working arrangements are often thought of as bringing together a whole set of creative elements and then disbanding for the next project or company. And I think we'll see more of that with- again, post-COVID working patterns. Ted, in closing, where do you find your inspiration?

[00:30:08]

Ted: Well, I like that question. It sounds trite to say it, but it's the truth. I'm so inspired by the people that I get to lead. They're so incredibly intelligent. When I think about it- you asked about the earlier days of my career when I did this volunteer thing or political activism. At that time in my life, I remember vividly going from the academic experience of being in college. And I was fortunate that where I went to college, I was in awe of the intelligence of the people around me. And I found that such an inspiring place to be. Being surrounded by other smart people is invigorating to me. It challenges me positively, not in a competitive way but a- "Hey, these people are all smart. I got to make sure that I'm bringing it too." And then I remember graduating, going out into the "real world," and realizing like, man. The density of intelligent people isn't the same as in an academic institution. It's just different. Many more people are just fine; they're just coasting in their lives. I remember being disappointed by that. And then fast forward a few years. When I met Steve, my business partner, and ultimately, we decided to do this ISC 2.0 business, and suddenly, I found myself again in that intellectual environment. And I'm just in awe of the things that the people in our organization, the way they see the world and-, and it's broader than just our company. Overall, I think the security community is filled with smart, passionate people who make me think differently and challenge me to be better. I think that's incredibly inspiring when you can see people who are motivated and passionate about the field that they're doing, not just because they're trying to earn a paycheck- I mean, of course, everyone is trying to earn a living- but because it matters, and they can use this profound intelligence they have to solve these problems that impact people all over the planet. How can I not be inspired by that every day? It's a blessing that that's how I get to live my life every day.

[00:32:07]

Ken: Well, passion is attracted to passion, so I'd say that you're doing your part to attract it and lead it simultaneously. Ted, thank you for sharing this time and these great insights with us today.

[00:32:18]

Ted: Thanks for having me. I appreciate it.

[00:32:20]

Ken: Absolutely. This has been Ted Harrington, author of the Number 1 bestseller, "Hackable: How to Do Application Security Right" and Executive Partner at Independent Security Evaluators. Thank you for listening, and please join us next week for the next episode of our Digital Thread podcast series. Thank you and have a great day. You've been listening to the Momenta Digital Thread podcast series. We hope you've enjoyed the discussion. And as always, we welcome your comments and suggestions. Please check our website at momenta.one for archived versions of podcasts, as well as resources to help with your digital industry journey. Thank you for listening.

[The End]