The Digital Big Bang: A Podcast with Phil Quade

On this edition of the Early Adopter Research (EAR) Podcast, EAR’s Dan Woods spoke with Fortinet CISO Phil Quade about his new book, The Digital Big Bang: The Hard Stuff, the Soft Stuff and the Future of Cybersecurity. The Digital Big Bang puts forth a big history-style explanation of cybersecurity, a narrative similar to that of Guns, Germs, and Steel or Sapiens, two popular big history books. In the book, Quade proposes a framework for creating a truly scientific approach to cybersecurity. Quade’s ambition is to find a way to systematically address many of the problems that have arisen because cybersecurity was not properly incorporated into the design of the internet.

EAR’s Dan Woods is a technology analyst and founder of earlyadopter.com, a research publication that focuses on high-value use cases and how to create multi-product platforms to implement them. The Early Adopter team played the role of editor for Quade’s book, which came out in preview at Fortinet’s Accelerate conference in April 2019 and will be published by John Wiley in August.

Their conversation covered:

* 1:45 – The idea behind the digital big bang
* 6:00 – The need for cultural focus in cybersecurity
* 11:45 – The best ways to build on your fundamental strategies for cybersecurity

Listen to the podcast or read an edited version of the conversation below:

Woods: The book is entitled The Digital Big Bang because you’re trying to draw an analogy between the physical Big Bang of physics and chemistry and the digital Big Bang. And you identify speed and connectivity as the central elements of that Big Bang. What do you mean by digital Big Bang and why are speed and connectivity the central elements?

Quade: Back 14 billion years ago, of course, the cosmic or physical Big Bang that you alluded to created some fundamental forces like time, gravity, and matter. And it wasn’t until about 300-500 years ago that we started becoming masters of our physical environment by recognizing those fundamental elements of the cosmic Big Bang and ultimately discovering or inventing the sciences of chemistry and physics and biology. And once we started using rigor in science to attempt to explain and master our world, we really excelled as a species and now we’re driving cars and we’re flying in airplanes and beyond. And so my thought is that 50 years ago, we experienced an analogous Big Bang. This time it was an explosion of data. And at the time, the “inventors” of the internet were trying to solve two major problems. One, how can we connect more people or things in ways that we never connected before and, two, how can we do so at speeds we never imagined before. So the fundamental elements of the digital Big Bang are speed and connectivity. So my thought, writing the book and collecting my colleagues’ thoughts on this book, would be to make the point that if we’re doing cybersecurity, we acknowledge the fundamental elements of the digital Big Bang: speed and connectivity. And number two, let’s repeat the lessons learned in the physical Big Bang and treat this problem set like a science where we use the right attention to detail and the right formulas, so that we don’t have to rediscover solutions over and over again.

Woods: What’s so interesting about your analogy is that the idea is that the Big Bang happened in a physical sense and the universe as a result and it’s played by the same rules, as far as we know, from the beginning until now. But we can change the rules that are happening in the world of cybersecurity and the world of networking. You explain that there are elementary shortfalls. These are things that were problems because they were not designed into the original requirements of the internet. Then there were created fundamental strategies to address those. And then there were created advanced strategies to address those. But all of this takes place in the context of these higher ordered dimensions which are persistent problems that are going to happen because it’s a human construct, no matter what. What are the elementary shortfalls and what happened to create them?

Quade: The analogy works well with the physical Big Bang, where there were some things that were ultimately created by that explosion and subsequently inside the nuclear centers of stars. But that created the rocks and the water and the things that exist, physical things that are just the things that we can’t change in our physical universe. But in developing as a culture, we also developed cultural values that became the glue logic among people and enable us to better govern ourselves and govern ourselves in large numbers. So we had some things that were given to us and then we had some things that we invented, and by becoming the master of those things, we’ve managed to do fairly well as a species. As you alluded to, in the digital Big Bang, we also have some things that are tangible: cables that move bits and computers and routers and things like that. But we don’t quite have the culture that needs to exist to complement those physical things in cyberspace with the behaviors and norms that all people can believe in, and when combined with the physical things, can make it a safe and effective way to do business or governance or conduct our personal lives. So the subtitle of the book, in fact, is quite telling. There’s the hard stuff and then there’s the soft stuff and the soft stuff are the cultural norms and the behaviors that we need to solve and oftentimes it’s the soft stuff that is the hard stuff.

Woods: It’s convenient for us to imagine that these elementary shortfalls could have been addressed by the original designers of the internet. But you know, they did what they did because they had a certain problem to solve and then they solved it. But you identify that these elementary shortfalls of authentication, patching and training, if we somehow had those solved at the beginning, we wouldn’t have many of the cybersecurity problems we have today.

Quade: I do believe that we wouldn’t be sitting here today and there wouldn’t be the cybersecurity business to the degree there is today if we had solved the authentication problem right at the beginning of the internet. But we didn’t, and so we’re still compensating for that. We’re compensating for lack of good training, lack of good patching and lack of authentication. And we still need to fix those things, not give up on them, but in the meantime, we’re using some of the fundamental strategies that you alluded to earlier and those in large part were invented to attempt to compensate for those fundamental shortfalls.

Woods: One of the observations of the book is that the original principles of the internet, the idea of creating network connections that are speedy and creating connections at scale, if you introduce cybersecurity solutions that violate those principles, you are also going to have a lot of problems.

Quade: It’s just like if you don’t pay attention to the laws of physics when attempting to launch a rocket or move it to the right spot, you’re doomed to fail, right? You can’t fool or ignore Mother Nature in the physical world. The same thing is true in cyberspace. If cyberspace were invented, and I think we agree, around the objectives of speed and connectivity, why in the world would you create the cybersecurity strategy or solution that’s not also optimized around the elements of the space in which you’re operating, speed and connectivity?

Woods: Your book isn’t a diatribe against cybersecurity. Section three is about the fundamental strategies that have worked to really help us introduce much more effective cybersecurity. You point to cryptography, access control and segmentation as three fundamental strategies that when they have been applied properly, have really created a reasonably good step forward in cybersecurity.

Quade: They’ve served us very well. Cryptography is one of the few silver bullets that exist in cybersecurity. If you pick the right algorithms with the right key sizes and implement them correctly, it’s completely unbreakable by all the computers on earth for as many years as you want to go at it. The second one I’d like to mention, highlight in these fundamental strategies is segmentation. I think segmentation is indeed the most important cybersecurity strategy of our age. Now, segmentation allows you to minimize the number of breaches and the size of any potential breach if you are breached. It also accelerates your ability to recover from one by allowing you to reconstitute one step at a time.

Woods: What’s interesting about the book is that you set up each one of these sections with an explanation of the issue, but then you have contributors providing chapters on specific topics underneath each of these sections. And that provides a real-world perspective from somebody who is actually fighting the battle. It’s a thought-provoking book and it actually is prescriptive in many ways in giving you good ideas about what to do.

Quade: That’s the hope, that it has a theme that’s accessible to many, that hopefully makes some intuitive arguments, but then it taps a lot of thought leaders in the community and it attempts to get their advice on what they would do about it to prepare the right sort of cybersecurity strategy for today that will take us into the future. I’m very grateful for the contributing authors.

Woods: After the elemental strategies, you then define a set of three advanced strategies, visibility, inspection, and failure recovery. Why did you call these advanced strategies?

Quade: It’s almost like Maslow’s Self-Actualization Theory, that you can’t aspire to achieve the top of the pyramid, you can’t aspire to achieving these high-level strategies and the higher-order strategies unless you have some of the more fundamental strategies in place. But I just didn’t want people to think that you could do the fundamental strategies and stop there because there are some important things you need to do to take on the more advanced threats, the advanced persistent threat, for example. That includes making sure you’re inspecting your content to look for evidence of a covert command and control or look for evidence of an insider that’s stealing your IP. Some of these advanced strategies are things that you do indeed need to build on your more fundamental ones. Visibility is another example, and resiliency, the ability to quickly recover when you are breached.

Woods: The last section is about higher order dimensions and how it doesn’t matter how good we get at cybersecurity, we are still going to have to deal with these challenges because they are embedded in the world of cybersecurity. Why do you think these are the persistent problems we’ll always be struggling with?

Quade: Too often, cybersecurity, and even cyberspace people in general, are dominated by computer scientists, engineers, and mathematicians and they tend to gravitate towards technical solutions. But the solutions involve a human element. You can’t solve everything with technology. You have to have people buy into the solutions. They need to have confidence that their privacy is going to be protected. They need to feel good about the work they’re doing so that it’s not so complex that it overwhelms them and forces them into errors. We really need to accommodate the human frailties and the human needs into our strategies and implementations, otherwise we’ll have completely failed.

Woods: Then the last part of the book was written by Michael Xie and Ken Xie, the CTO and CEO of Fortinet, respectively. They talk about why cybersecurity needs AI and the future of cybersecurity and those are really interesting chapters as well.