Connecting Cybersecurity: A Podcast with Brian Talbert of Alaska Airlines

In this edition of the Early Adopter Research (EAR) podcast, EAR’s Dan Woods spoke about connectivity and the IoT with Brian Talbert, the head of networking and connectivity for Alaska Airlines. Talbert is one of more than 30 contributors to a new book from Fortinet’s CISO, Phil Quade, called The Digital Big Bang: The Hard Stuff, the Soft Stuff, and the Future of Cybersecurity. The Digital Big Bang proposes a framework for creating a scientific approach to cybersecurity. Quade’s ambition is to find a way to systematically address many of the problems that have arisen because cybersecurity was not properly incorporated into the design of the internet.

* 1:40 – The connectivity demands of the IoT are unimaginable
* 3:45 – Why this is different than past challenges
* 7:00 – Using AI to keep up with new threats

Listen to or read an edited version of the conversation below:

Woods: In your contribution to the book, you described the connectivity needed by the coming wave of IoT as unimaginable. And what is the math that blows your mind about this?

Talbert: I think proportionately, when we think about IoT, the numbers of devices that are connecting to the network are unlike anything that we’ve seen previously. It’s also somewhat unpredictable. So the math isn’t always exact with regard to the needs of our internal customers. In a traditional network, you’ve got numbers of people who sit in cubicles and you can do some math to determine how many people are going to connect and how many switch ports you need. With IoT, all of that suddenly changes. You’ve got other modes of connectivity, be it wired or wireless, and you also have devices that aren’t anticipated, such as lightbulbs, security cameras, and all of these other things that the business wants to connect to the internet.

It’s just essentially an environment you’re not really in control of?

It is absolutely an environment that we are not in control of.

You said in your contribution that today we have 8.4 billion devices with a projection of 20.4 billion devices by next year. And how is that showing up for you in your landscape at Alaska Airlines?

I think that very broadly speaking, there’s an expectation for all things to be connected to the network. That also translates into this really vast landscape of potential vectors for attack. We saw a couple of years ago, one of the largest attacks the internet has ever seen through Mirai, and that was orchestrated by controlling IoT types of devices, predominantly security cameras, lightbulbs, the two that I mentioned earlier. And so in Alaska Airlines, we’ve got to be able to get in front of that, we’ve got to understand what our end users want to put on the network. We’ve got to be able to detect it. Visibility is paramount. We’ve got to be able to see what the network sees at all times, in all places.

Now, we’ve been told to be afraid of these big changes before. I mean, I’m sure you recall the move to IPv6 and how a lot of people were nervous about that. But that happened and we were able to deal with it. Why is this an intense challenge that we need to really plan for?

I think it is an intense challenge. We should be fearful, but I want to also embrace IoT. And the point there is that these are things that are enabling the business and so there are lots of examples that aren’t necessarily as mundane as a lightbulb that can change color but other items, security cameras for sure, but also the ability to detect a presence of a customer in an airport lounge, for example, the way we do that on IoT devices that connect to the network. So we’ve got to be able to enable the business, for sure. Now, why we should be concerned is that the creators of these devices fundamentally did not begin as traditional IT security-minded companies so they’re not necessarily thinking through all of the possible vulnerabilities that a device may have before bringing it on to the network.

You say that most of the people who are creating IoT systems are experts in whatever their domain is, but they are not experts in cybersecurity and often they don’t give adequate attention to making sure their devices either have or can participate in cybersecurity realms. Now, on the other hand, at Alaska you’ve talked about how you use everything you can, especially innovations of all types including IoT to enhance the customer experience. It seems like what you’re arguing is that you have to accept this risk. 

I think that acknowledging and accepting the risk is where you begin to protect against the risk, right? These things have to go hand in hand. If you don’t appreciate the potential danger, you’re not going to put in the appropriate protection mechanisms. So appreciating the potential danger allows us to enable things such as Fortinet products like FortiNAC in order to control access to the network so we’ve got that extreme level of visibility, so that we can begin reducing the amount of risk.

You’ve mentioned visibility quite a bit. Is there any hope of us getting a real visibility that’s meaningful on that new digital attack surface?

I think there is, but, again, we have to rethink how we traditionally approach the problem. So one of the outcomes of increased visibility is a much larger dataset that has to be parsed, and the traditional mechanisms that we might use in a SOC, for example, don’t necessarily scale to the volumes of traffic that are generated through this increased level of visibility. So things like AI become ever more important. We’ve got to come up with new mechanisms, new ways to be able to identify threat vectors very rapidly. We can’t rely upon humans noticing it.

One way we’re going to keep up with this is AI. Are there any other checklist items that you would offer to people who are going to do what you do, and that is say yes to this because they want to keep supporting innovation in the business?

To go back to Phil Quade’s book and the notion of the scientific approach to these problems, it’s that thoughtful methodology, thinking critically about the problems that are in front of us and putting in place a methodology that allows us to assess the potential risks, what are those vulnerabilities and put into place all sorts of plans, whether they be people-based or AI-based or process-based, in order to address those emerging threats.

You mentioned that innovating the customer experience using technology, including the IoT, was deeply engrained in the DNA of Alaska Airlines. Could you give me an example of how technology has enabled you to innovate with that user experience?

There are lots of things that we do to innovate and improve the passenger experience. That includes being the very first airline to put kiosks into the airport. Well, we’re now leading the edge in taking them away. We want to transform the customer experience, the traditional experience where you walk up to a gate and you’re confronted by a podium with a customer service agent on the other side of the podium, putting a barrier between you and the customer. We want to remove that. We wanted the experience to be more enabled, to have direct interaction between the agent and a guest. And some of the things that we do in order to achieve that is 100 percent mobile deployment. Every single one of our frontline employees is equipped with mobile technology. We continue to expand upon that. When you arrive at the airport, we want to be able to accept your bags without any human interaction. We want to be able to automatically tag those bags and track them from the point that you dropped them off all the way to the point of delivery, and we’re going to do that through a highly connected environment. And so we look to that transformation of the passenger experience as the key to our future success.