Podcast
- 25 Aug 2020
- Managing the Future of Work
Cybersecurity for the post-Covid new normal of work
Joe Fuller: Cybersecurity is something we all know is important, but few of us understand it. Prior to the Covid-19 pandemic, enterprises were relying on more distributed networks, more distributed data—more vulnerable to hackers, criminals, and state actors. The pandemic has merely accelerated trends that were already apparent in the market. The widespread move to distributed work due to Covid has raised the stakes on cybersecurity. Now that businesses and government agencies are beginning to reopen, new threats may emerge. And there are concerns about electoral security. Irrespective, the future of work will be affected by the robustness of cybersecurity.
Welcome to the Managing the Future of Work podcast from Harvard Business School. I’m your host, Harvard Business School professor and visiting fellow at the American Enterprise Institute, Joe Fuller. Cybersecurity expert, Bill Conner, joins me today. A tech industry veteran, Bill is CEO of Dell spinoff, SonicWall. He’s a recognized expert in cybersecurity, with extensive experience supporting the US government, international agencies, and corporations for developing and implementing cybersecurity strategy. Bill’s here today to talk to us about the evolution of cybersecurity, its impact on the future of work, the evolution of demand for skills in cybersecurity, and how Covid will lead to new risks emerging—and perhaps even new safeguards being implemented. Well, Bill, welcome to the Managing the Future of Work podcast.
Conner: Thank you, Joe. It's great to be here.
Fuller: Bill, you've got a long experience in cybersecurity, extended networks. Could you tell us a little bit about your background and also about SonicWall, your current company?
Conner: I have spent a lot of time in telecom, in digital systems, put in the first digital radios, fiber optics in the country, and used a lot of the new encryption technology and compression technology. And, with one of the world's largest three-letter telcos here still, and one of the largest suppliers of equipment to them. As I got into digital, though, I realized, as we went more and more digital, it was all going to now come to security. And so, I carved a company out from one of the providers, a company called Entrust, and I was CEO of that for a while. And, what Entrust did, it was all about encryption and identity, national identity, passport identities, and digital certificates and encryption that would encrypt your personal information, your biometrics, and then make it interoperate around the world or with the high integrity that you expect from a government. And after I did that, I got exposed to digital communication and in encryption with phones and apps, you could make it so no one can penetrate it. Out of that, and that's where I actually met SonicWall, was when I was at that encryption company and we were both in a private equity company called Thoma Bravo. It got sold to Dell Technologies. It went its way. I sold Entrust to another company, and then I got the opportunity to come back with SonicWall. SonicWall had been all about network security, and is now all about cyber security in that. And, four years ago, as they carved SonicWall out of Dell Technologies, I was fortunate enough to come back with the team and be the CEO.
Fuller: Well, it sounds like you've really followed the entire trail of the digitalization of networks, all the way through to this—now most interesting in some ways—the most scary part of the implications of those implementations, which is cybersecurity.
Conner: Yeah, I think cybersecurity, for me, is always going to be around, it's the new norm. Having seen this evolution of digital, and now you look at what's happening in the world, where everything is in your home, you've got internet of things and everything in your home and in your business. Everything is digital. All your transactions are more digital. And there's just a tremendous resource gap in terms of people that know it. And there's a tremendous resource gap in capital and expense to keep up against these never-ending, increasing, almost alarming threat rates coming from everybody from state actors to terrorists, to just money-stealing thieves.
Fuller: Bill, cybersecurity, for the layman, is a term that's only really come to the fore in the last few years. Could you talk a little bit about the evolution of cybersecurity as a discipline? What have been the consistent themes in cybersecurity and what are the things that have emerged most recently?
Conner: Yeah. If you look at it, clearly, network security was kind of the first piece in terms of government networks, enterprise networks, meaning the digital transmissions and how you sent files and folders and emails back and forth. Web was not as prevalent at the beginning, in terms of it. It was kind of later in the evolution of security as it moved from physical security to more web security that you started to get into the new generation of cybersecurity that was then around, “how can I steal the web information or your communication and information in a web transaction, be it your financial account or your retail account, when you were doing transactions?” Now, with the post-Covid environment where everyone works remote and mobile, it's obviously a whole new world in terms of how you can attack homes, how you can attack businesses, and how you can attack governments.
Fuller: So obviously companies are thrown into the deep end in terms of remote operations, dispersed workforce—even at the senior-most levels, C-suites right down to customer reps. That's been a big stress test on the internet, on private men networks, corporate networks. A lot of the attention has been on bandwidth and the robustness of applications like Zoom and Microsoft Teams. What have you seen as the key learnings from this massive implementation of remote work? What has it revealed about where we have to go in terms of cyber security in the future?
Conner: Yeah, I think everybody post-Covid—SonicWall included—it was a tsunami that hit us. Everybody had been doing more remote as we traveled more and our workers worked from home more. I'm reminded of one of our Big Four accounting firms that's one of our clients. They travel all the time to their clients’ locations all the time. Maybe 400,000 employees, and they might plan for half of those at any one time to be remote. When I talked to him in March, it was, "Bill, I've got to turn up a hundred percent of 400,000 people in days," and that's what we had to do. It's no longer about just getting access to the corporate network and applications. It's about getting that access globally for all your employees, but also making it secure. I think that's what's changing right now is, people are having to rearchitect their business. Therefore, they're having to rearchitect their networks. We're less data centers and more cloud, right? Less legacy application and more cloud applications like Slack and Dropbox, and Office 365. Now you've got to make those accesses and identities absolutely solid because you are remote, you are mobile and you're therefore less secure because you're at home.
Fuller: Bill, one of the things we've seen in the past and various at elements of work is that when companies particularly have confronted a crisis, for example, the need to cut staff and reconfigure work during the Great Recession, they took some steps that were temporary. But they had a lot of learnings from that that became part of their core practice, that they just adopted as standard ongoing operating procedure. Do you see any changes like that emerging from what companies are learning, in terms of security, as a function of Covid?
Conner: Yeah. I think if you go back, I think, just look at the big things that have happened, right? Post-9/11, we all learned about backup. We learned a little bit about remote working, but we also started to really lean in on cybersecurity and not just the physical attacks on businesses, but the intellectual property attack by country states. The financial attacks by other countries states—be it Russia, Iran, or North Korea. I think what we're going to learn out of Covid is now it's not just the enterprise structure, buildings castles if you will, that you've got to protect. Those end points are now your users, your employees, your CEO, your CFO, your researchers. Now we're learning how we're going to have to bring that protection to the home and when you're in that home, all kinds of other things, or IoT [internet of things], that can be brought into that corporate network. When you're out in that home you are much more vulnerable as an individual and as a company because you don't have all those protections. I think we're starting to learn that, certainly in different verticals and government departments. This is a very different deal now because you see the targeting out of this event being very focused on healthcare. You can see, you can hack for research now in terms of the Covid virus, either to try for the good or the bad part of that. So I think we're going to learn that this new business norm in the cyber business gap is really going to force people to rethink their posture, and not just taking the best of a product, but how do you secure your total business, remote and all?
Fuller: So does that require re-examining work processes? I mean, obviously, there's been a long history of trying to get users to be more compliant with security policies, everything from the dreaded one, two, three, four, five, six, seven, eight, nine passwords to using passwords on all sites or being vulnerable to phishing attacks and things like that. When you think about changing the whole enterprise, what do you have in mind?
Conner: Well, I think you're going to reengineer. I mean, you're going to absolutely make all your applications second-factor authentication. A lot of companies have done that, but now that you're forced out, you could, leave some of your legacy ones only when you're on prem[ises], right? You can't do that anymore. People are going to rethink data centers in terms of how do they balance cloud versus their own physical data center. They're rethinking cloud apps, versus legacy apps—Office 365 and Slack and Drop and all these other applications that are so useful when you're remote as a service, as opposed to having to get back to your corporate network like you used to. They're going to have to rethink, you have your firewalls in your business, we'll do, "Is the individual of the nature that you need a firewall there?" The new layer of security for this new business norm is in a home. You're going to have to have secure mobile access. You're going to have to have something on your laptop or desktop. We call it endpoint technology. You're going to have to have cloud application security turned on. You're going to have to make that tradeoff, in terms of visibility, because you've got to make it seamless across all of those threat vectors so your managers and your administrators can work remotely and push that to you as opposed to having to touch your laptop, desktop, or your equipment. That's the changes that are really starting to magnify in real time. I think one of the problems with cloud apps is people aren't sure who's responsible for the security and privacy. If you look at it as a user or as a corporate user, you think that that's taken care of in the cloud offering in the service, and if you look at the fine print, unfortunately, that's your responsibility. So it really is in this gray zone as we go through these new applications of how do you secure your corporate assets, from your user to those public clouds? 
And that's why we've come up with something called cloud application security to do that. So if you look post-Covid now, we've always had a lack of security or cyber security skills, right? There's—depending on which report or which school you hear it from—millions of shortages in terms of people that are skilled in cyber security protection. Clearly don't have a problem on the offensive side. There's lots of those, but we kind of call it the cybersecurity business gap. And by that, I mean, there's not enough people. And if you look at the amount of things you have to secure from your laptop, all the IoT devices, and now you think that was one thing in a business, but think of now all the homes and people in homes. You look at all the things that you got to do once you're in a home now; all the gaming console, all the listening devices. So, you've got someone working from home, you brought all that into your corporate network by extension. So there's a different level of thought process now about no longer can you afford just to take the best of technology or best of breed. You need to take something that has more portfolio that cuts across all the different cyber security attack vectors like email, WiFi, your building your home, your laptop, your desktop, your cloud application. So it's a different way of rethinking cybersecurity protection in this new world.
Fuller: So Bill, companies are beginning now to scale back up beginning to, if not get to a new normal, then start thinking through how to reintroduce work, how to bring people back in a more traditional work configurations. Is that going to open any particular problems up, or should that be a reasonably smooth ride?
Conner: Well, I think he got a couple of different dimensions to that, Joe, the way I think about it. One there's a new dimension of you can't bring everybody, or certainly at least at SonicWall, our bigger locations were bringing it back in four steps. So, kind of 25 percent at a time and, giving it a couple of weeks so if there's any physical issues, you don't populate it across the entire group. So, you'll need to think through, and we're thinking through, who needs to be back when and first. But the other side of that coin is everyone's not going to come back. We kind of see three pods of people: people that are going to stay at home and, want to be there and will come in maybe 10 percent of the time, to the other end of that spectrum, which is I'll spend 90 percent of the time in the office and 10 percent somewhere else. And then that middle group that's nomadic, that travels a lot—in the office some, works from home, and is on the road, the road warriors, if you will. So I think as the IS, IT managers and business managers plan for the reopening, they plan for the health part of that and the physical part of that. But now they've got to plan for the workflow and business and security to happen in all three of those settings seamlessly.
Fuller: One of the developments that we're anticipating becoming a major part of life, as we start returning the normal economic activity, is contact tracing. And we've talked to a number of the people involved in thinking through how to set up those systems and support them. When you think about contact tracing, does it raise any particular concerns for you as a student of cybersecurity and the protection of people's privacy over the years?
Conner: Yeah, it really does, to be honest with you, Joe. One of the companies I was at, Silent Circle, we did kind of end-to-end encrypted communications. We had our own Blackphone—it was an Android-based system. And what people don't realize on applications is, you're either going to the Apple store to get it, or the Google Play Store to get it, right? Now, both of those companies try to vet those apps, but I just remind everybody when they started that. Remember flashlight apps? People didn't know where they were getting them from. I worry that those apps are not all going to get vetted by either of those two companies. Maybe Apple, more than Google, just with their process, but people are going to load those in. And once you turn that on, you're putting your location information out, you're putting your personal information out. What people don't know—and we did a lot of research on this at Silent Circle—is those apps, once you're in there, people don't read the fine print, and a lot of times you can't even see it. We showed countlessly, especially on Android, how you can turn on the camera, how you can turn on the mic, how you can take the contacts. So those are the kind of things that if we're not careful, the average people that are looking for a contact tracing app won't know what that app is truly doing in terms of that. Put in the wrong hands, and your phone by your bed or in your office, you could have a problem, in terms of it. The other issue on contact tracing is geographic-centered. Right? If you're in certain countries, you don't have an option. They are going to track you; you don't have a choice. Our country, UK, different situation. Now, if the government's doing it for health, with that, that's great. You're still going to have to opt into that, or they're going to override it in some cases, but as you look at that, just remember privacy equals security times policy.
And so in these applications, even though they're handing kind of encrypted tickets on your information, it might be good for health of your tracking of who you've been around and where you've been, but in a different court of law, if you're getting a divorce, if someone's looking to harm you physically, those things can be used in a very different way. And I think it's really important for transparency around that. And as we learned with personally identifiable information, just because you have it on and you track it, doesn't mean where it's stored is going to be safe.
Fuller: Bill, not to pry into any client-confidential material, but have there been any significant incursions that you're aware of, of governments being compromised or companies getting in trouble during the Covid episode?
Conner: Well, I certainly can't divulge sensitive information, but I think there's enough public, in terms of seeing hospitals that are getting hit with ransomware. Because with ransomware, clearly, they want money and there's a time bomb to that. And, certainly with hospitals being overrun in their emergency rooms and intensive care, that's a great opportunity. You've seen several of those reported around the world in terms of it. I think it's also fair to say, while not as reported, research institutions, either on the government side or an agency side, as well as in universities and businesses that are doing research around Covid, are seeing an influx of threats, between phishing and intellectual property hunting, to try to understand and get that research and information of these things, not just by country states, but others that could be well-meaning or not so well-meaning in those attempts. One of the other things I worry about post-Covid-19 is, if you looked in the history of ransomware over the last five years, as the US and other countries put more sanctions around North Korea, Iran, and others, what went up? Cyber attempts. They went for more and more ransomware. They went after cities and governments and large enterprises and medium enterprises because they needed more money. Well, in this shutdown of economic reality, I believe you're going to see, progressively, the need for financial assets, be it Russia, Iran, North Korea, even China, that become more important. It won't just be about intellectual property or disruption. They're going to need financial gain. And, now that you have things like Bitcoin and other digital currencies out there that help kind of launder or get that money exchanged. I think in the future, you'll see much more focus on that at an individual level. So, if you're a high-net-worth individual, you need to think about that.
And, if you're a business, you need to think about that, because increasingly, you're at home and you pose an easier target in this environment.
Fuller: Bill, when we think about applications like contact tracing, and when you've got customers and their suppliers, and even further upstream suppliers, all working on the same transaction with different levels of physical distribution of their workforce, different protocols, maybe located in different countries that have different levels of public health restrictions in place—what are we going to have to do to ensure sufficient coordination there, so that everyone isn't vulnerable to the slowest boat in the convoy, as we say—the leakiest part of the pipe?
Conner: Well, I think we really have to go back to public-private partnership, Joe. I've long been an advocate, and have spent a lot of personal time on the Hill trying to bridge departments and agencies with their private side counterparts. Think of DOE [the US Department of Energy] right? DOE spends a lot of time with their labs, with universities, with private enterprise working on regulation, “How do you optimize processes,” and that piece. Increasingly, we're going to need to think about the cyber part of that supply chain and that public-private partnership, same with Health and Human Services and CDC [Centers for Disease Control] with hospitals and doctors. No longer can these ecosystems think of just, "I've got to solve the virus and get the vaccines and those pieces out." We've got to think of the other side of this in this new norm, where everyone's remote, and how the supply chain is fundamentally changed in terms of where people work from, and the security associated with that and the risk of that.
Fuller: Are there any jurisdictions or, particularly, countries that you think are further along and closer to getting this right than perhaps the United States is?
Conner: Yeah, I think the U.S. has come a very long way in public-private partnership. I can tell you the day after 9/11, when Bush spoke at night on the joint session, I briefed both sessions jointly on cybersecurity. I was the first co-chair of the public-private partnership for DHS [the US Department of Homeland Security], between the government and the departments. A lot has been done on this. But the problem is, the speed of what we're doing right has not kept up with the speed of the adversary we're fighting. A good example is—in the UK, they created something called NCSC [the National Cyber Security Centre]. It's a national center that actually is charged with bringing the intel and security knowledge of UK government to the private side, and the private side has a way to bring it back. And, I've worked with them for many years. So, really, I think some countries are getting better at it. We've gotten better, but again, a lot more is done, and I think Covid has changed the nature of why that's important now, in terms of how people are working, and all industries aren't equal. But, the adversaries are now looking very differently. You can get hit with a lot of people with IoT. It's not a rifle anymore, it is a shotgun.
Fuller: IoT being Internet of Things. Bill, there's a longer-term question that certainly transcends the Covid pandemic, but one reads that with advances in quantum computing, eventually, that there'll be enough computing power to overcome the type of polynomial encryptions we've relied on to protect networks for a long time. It seems like we're going to hit a whole new level of anxiety about security before we even get ourselves straightened out about the current generation of technology.
Conner: There's something today called side-channel, and all malware goes to your chip to process and exploit your system. There's been about 10-plus research papers that have shown on Intel chips, how you can go in and literally, if I have that capability, because I'm at a chip level, I'm behind and it doesn't matter what kind of encryption, I can steal your information. I think as you look forward, it's not just the quantum piece, I think we've got more legs on that, but it's this next generation of capability that attacks the infrastructure and the chip structure that can really cause a problem.
Fuller: One gets a sense—and not to get too high level abstraction—that we're, in some ways, in this whole domain of system security, data security, we're arcing toward a return to the mutually assured destruction standoff of the depths of the Cold War, as applied to nuclear weapons, that if all encryption can be circumvented, and therefore, leading governments all have the capacity to do incredible violence to the societies of countries they fear or distrust, that they'll have to hold back, because of the response. And, am I making this too melodramatic?
Conner: We're absolutely in an arms race in the cyber world. And it's country state, and others in that, both for the good and for the bad. And, what you've got to think about is, for us, it's an asymmetric war. We are an open society, that's why public-private is so important here. And, we can't have the government holding all the cards and you have to ask to get the right card, because it's too important. Our defense is going to take most, because most of our critical infrastructure is in private hands.
Fuller: Bill, here at the Managing the Future of Work Project, one of the things that we're most interested in is a skills base, how that's demands of companies and big institutions are changing, the ability of the education system and the training infrastructure to keep up. When you think about cyber, where do we stand in terms of skills that are in our capacity to create people with the type of skills and insights to meet the needs that are emerging?
Conner: At SonicWall we call it a cybersecurity business gap. And what I mean by the business gap, is if you look now, especially in this new business norm, we're all remote and working, working from home, look at all the internet of things in your house and in the business. The points of exposure for business network are escalating—almost asymptotically—certainly exponentially. Your resources required to protect that need to kind of follow that same high growth rate, right? And so does your capital or your expense, in a traditional model. The reality is though, we don't have enough people. I mean, depending on your report, it's anywhere from three- to 10 million people short in the workplace with cyber security skills. No company has enough capital or expense to do everything they need to do to lock down digitally and protect themselves on defense using traditional models. So we really think you've got to rethink the model because you can't have the people, the budgets, capital or expense to do that. So instead of doing... you got to look at where the attacks are coming from—from WiFi, from your end point, from your cloud applications—from different threat vectors that are coming into you, email, et cetera, PDFs. We're really seeing a need now for our holistic solution around it, where you can work remotely, you can have zero touch deployment, you can administer across those pieces with one management capability, one resource to go do that. So that's part of what we've been re-engineering over the last four years at SonicWall. And you can see now, you will never be able to keep up against the bad actors in the threat vectors if you try to just take the best of breed up every single point of that, because you're going to have a hard time with resources, capital, expense, and people to keep up with that model.
Fuller: How do you view the whole question of cyber security for elections, whether it's traditional electoral systems or some of the new systems that people are trying to deploy to make counting faster and the process less manpower-intensive?
Conner: In any system, identity is first and foremost and non-repudiation of that identity, meaning it is who it is and one vote, one person, and that person's alive and qualified in whatever your regulations are for voting—whether it's physical, whether it's mail-in, or whether it's digital. That doesn't matter, that's the first level, regardless. That starts to open up, in mail and things, how are you going to vet that, right? In digital, you got to make sure the credentialing system, before you do the electronic vote, is right. I have a lot less fear of the digital at the national level. Those systems, we vetted them in my previous company, there's a whole task force still looking at that with the cyber threats and how they've evolved. But the digital identity of that, the digital signage, meaning that you've made your things, you digitally sign that. And what signing is, is think of it as a non-repudiation, no one can change one of those marks without it being noticed. That's what digital signatures do. And now it then becomes the transmission of that and making sure if someone did it, it's transferred and accounted for in terms of that, and those systems are connected. So that's kind of network security and digital signature technology that does that, similar to what happens in global passports now around the world. So that is pretty comfortable in terms of the security and the protections around that. You just got to have to watch the bad actors that may not send them or may try to alter those boxes in some way. And there's a lot of focus on those to make sure they're not tampered with, either in content or in volume around that. And then in the final ultimate outcome is the posting of it. 
So I feel fairly strong at the national level that if you got the right piece on the identity getting in, the fundamental security and technology under it is ruggedized enough that that should not be an issue in the US, unlike what's happening in the states and certain parties here in the US.
Fuller: Well Bill, I'm not sure early in your career, when you started making decisions about how to spend your life, you could have possibly anticipated the kind of wild ride you would have experienced, but thanks so much for sharing all your experience and your insight into cybersecurity and everything that the digitalization of processes is going to mean to us now in the post-Covid world.
Conner: Joe, it's a pleasure, it's really fun to have this discussion. Hopefully it's useful for your followers.
Fuller: Well, I know it will be, and we're very appreciative of your time. Thanks for joining us on the Managing the Future of Work podcast at Harvard Business School.
Fuller: We hope you enjoy the Managing the Future of Work podcast. If you haven’t already, please subscribe and rate the show wherever you listen to podcasts. You can find out more about our project on the future of work at our website hbs.edu/managing-the-future-of-work/. While you’re there, sign up for our newsletter.