As vice-president and chief technology officer, Bret Hartman is responsible for defining the corporate security technology strategy for Cisco, whose machines form the backbone of the Internet. Mr. Hartman who began his career as a U.S. Air Force officer assigned to the U.S. National Security Agency (NSA) said in an interview that organisations need to keep upgrading their cybersecurity because attackers would always figure it out to break-in. Edited excerpts:
What are the bets you are making at Cisco and how is India supporting them?
My focus is all around...what’s the future of security? What’s the nature of the attacks? The shifts of things like digitisation and cloud and its impact on security? My job is to try to figure out, what Cisco should do about it. I and my team are sort of the advanced group. We do all the things that hopefully in a few years will become important. Not every bet that we make does become important.
From the standpoint of India, actually, a part of my team is here... Some of the things that we do is a lot of advanced development work. We’ll do the proof of concepts and prototypes [and] will think about new technologies and try to understand are they going to work... That team is part of the bigger engineering team here in Bengaluru. You know, in the big Cisco organisation here, we have about 1,000 security engineers… In fact, some of the work by my group does is secret...A lot of it is focused around the cloud... analytics and machine learning. Another area is around the Internet of Things. So whether that’s in manufacturing, connected vehicles, medical devices, or critical infrastructure, like electric utilities...where there’s a lot of concern about the cyber attack.
With AI technology becoming ubiquitous, how do you perceive the cyberwarfare scenario in the next six years?
For the last 40 years, I’ve worked in cybersecurity from the very early days and military and intelligence communities, and now in the commercial world, and it’s always an “arms race, and always will be.” What that means from a defender standpoint is, you can never stand still. You always have to assume that whatever technology you’re using, it’s going to be less effective over time, because attackers will figure it out.
And so you have to keep to the next thing. Specifically in the area of machine learning, and analytics, it is increasingly really necessary...because it’s the only way to do with the scale of the amount of data that we see. Humans cannot do it. The problems that we face in machine learning is when you have lots of data and analytics, you may not always be right. You may set up a false alarm that you think there’s an attack but there really isn’t one, when you let AI look at the data. The problem in the security space is that those false alarms can make a system completely unusable. If you cry wolf enough times, people will stop using the system. It turns out in cybersecurity, even if you’re very good and may have 1% or 2% false alarm rate, that’s still too high because there’s so much data. So you have to be very accurate.. technology can be used defensively or offensively…[as] an attack weapon. And so certainly the expanse of the use of artificial intelligence and machine learning on the attack-side is also an issue because that allows the attackers to scale as well.
Facebook’s security breach has exposed the accounts of millions of users. Are such breaches the tip of the iceberg and what needs to be done to prevent them?
I can’t comment on the specifics of Facebook. But in general...first of all, privacy and the requirements on user privacy are critical. A lot of the issues [and] these attacks are about stealing private data. And as we think about privacy, often we think about stealing it directly from users and their laptops or their mobile devices.
But the risks we see in many different attacks are on the servers, that’s where the crown jewels are, that’s where all the data is stolen. And so, the vast majority of issues around privacy are really how do you protect those data centres with all that valuable data? Now for organisations, this is the challenge, ‘hard to be perfect.’
And organisations have lots of really strong technology that they use there. But it’s back to that arms race. It’s [about] how do you keep up and have a strong set of solutions there. Some of the things that we do specifically at Cisco to help there...is maintaining things like ‘segmentation.’ Rather than have one huge network where you [can] get access to everything, you segment it and make it difficult for an attacker to jump from one part of the organisation to another. The trend around breaches and cyberthreats [is that it] just grows year after year. There’s no end in sight...We all have mobile devices, use the cloud and the bigger and the more connected the world is, the easier it is for attackers to find problems. One of the bigger challenges is there’s a huge shortage [of cybersecurity experts], whether that’s here in India or elsewhere. So, the ways to help improve on that skill shortage, I think is really the starting point.
How do you view Aadhaar, the world's largest biometric database, evolving as well as the data leak reports?
I’ve heard about the potential risk there, but I really can’t comment on it. I certainly know it’s an amazing initiative. As far as I know, it’s by far the largest cybersecurity initiative in the world. It’s incredible in terms of the scale.
In general, for any of those systems...when you have such an enormous system, there are always risks of exposure. It’s hard to get it perfect. In general, the way systems are built these days [is that] there are two halves of any good security implementation. One half is preventive controls, it’s classically called ‘defense in depth.’ We put lots of security in place to make it very difficult for the attacker to make it in.
That’s never enough. No matter how many barriers you put up, because of that ‘arms race’ somebody may finally make it in. So, the second half of security that’s very important today is threat-based security, being aware of the threats [and able to] see if somebody made it in and stop them. A lot of the focus at Cisco is to do both.
What are your plans to acquire or partner with start-ups in India?
That's a big part of my job as CTO... And it’s actually part of the reason why I'm here… is to establish more relationships with startups in India. I think there's massive potential for a lot of growth around security innovation in India. I would completely expect an explosion there. All the right conditions are present. The digitisation [and the] engineering expertise that's in India around cybersecurity, I will bet you that over the next several years, we’re going to see so many additional Indian cybersecurity companies. Another country I spent a lot of time in is Israel... a natural innovation centre around cybersecurity, I think India will surpass that easily...I want to see if there are ways [so] that we do strategic investments in companies, partner [with them...and] make an acquisition.