McAfee CTO On Election Hacking, Cryptojacking, Quantum Security

Xconomy Boston — 

Election hacking. Information warfare. Adversarial artificial intelligence. All worrisome topics racing through Steve Grobman’s head these days. But the McAfee chief technology officer seems surprisingly upbeat about the prospects of meeting these cybersecurity challenges—or at least putting up a good fight.

I met Grobman at a coffee shop in downtown Boston last week. He was visiting from Texas to give a talk at the AI World Conference and Expo. Grobman previously spent more than two decades at Intel in California, where he held key cybersecurity positions, including his current role as McAfee's technology chief, which he took on while McAfee was still part of Intel. (Intel acquired McAfee in 2010 for $7.7 billion, then spun the company out last year in a $4.2 billion deal that reportedly gave investment firm TPG 51 percent ownership and Intel a 49 percent stake.)

Grobman is CTO of one of the world’s oldest and largest standalone cybersecurity companies, so I was curious to pick his brain about the latest developments in the industry—and where things might be headed in 2019. Here are the highlights of our conversation:

Xconomy: What are the most pressing cyber threats right now?

Steve Grobman: One of the things we’ve seen over the last few years is cybercrime has become a market-driven criminal enterprise. Cybercriminals will go to cybercrime capabilities that maximize their return on investment.

We saw a few years ago a big shift from data theft and selling stolen data on black markets to ransomware. Ransomware was a very attractive crime because cybercriminals could get paid directly by victims. They didn’t have to worry about the value of the data they stole going away. The problem they had with stealing a credit card number is if the card got canceled, you can’t monetize.

That has started to matriculate from just consumer and individual ransomware to now impacting larger organizations. We saw things shift into targeting soft targets. Like the beginning of last year, we started to see hospitals and police stations and … universities hit by ransomware. Now, we’re starting to see any organization that has something that could be held hostage potentially be a target for ransomware.

The biggest change, as cryptocurrency has become higher value, is a shift to cryptojacking. When cryptocurrency prices shot up, breaching a compute environment and then using it to illicitly mine cryptocurrency was very attractive, and in many cases cybercriminals could get higher revenues from that activity than holding infrastructure hostage for ransomware.

Now that we see crypto prices starting to decline, it would be reasonable to see some of that shifting back to other criminal endeavors.

The important thing for people to understand is cybercrime is just like any other market-driven enterprise, where you will have cybercriminals going through any portion of an inefficient market.

We’ve even seen some innovations in the cybercriminal enterprises, such as affiliate programs. The same types of innovation you see in legitimate businesses are happening in criminal enterprises. There are criminal organizations that set up all the technology and infrastructure, but instead of focusing on executing a ransomware campaign, they’ll make that available to others that want to get into the business. They’ll do things like revenue sharing. It’ll be built into the technology.

If a cybercriminal doesn’t have the ability to build the capabilities themselves, they can go to the underground market and join an affiliate program. They get access to technology, but they’ll be responsible for sending out phishing e-mails and getting victims to fall for the attack. We see more of these nontraditional endeavors.

X: Heading into the recent midterm elections, there were renewed fears that hackers might try to interfere with the process in some way, and reports this week that political groups were again hacked. What’s McAfee’s assessment of how things played out?

SG: There are reports out that there was continued use of information warfare during the election cycle.

A lot of the election infrastructure at the county and state level is lacking even the most basic cyber hygiene controls and is really a disaster waiting to happen. It’s unclear that there was actually mass exploitation [during the midterms]. We haven’t seen reports of that. But what’s concerning is all of the vulnerabilities are essentially there, and nothing would prevent even an unsophisticated actor from tampering with the 2020 election cycle. One of the things we’re advocating strongly is take 2019 and use 2019 to get a lot of that infrastructure in much better control for 2020.

One of the things that is concerning is there are certain information systems that local election boards [run] that are publicly facing—things like the election websites that provide sample ballots, information on where to vote. Part of the problem is everybody does things a little differently. What we’ve found is two major issues that were glaring. One is over 70 percent [of local election websites] don’t use dot-gov top-level domain names. The way this actually came to my attention is I stumbled onto it. I recently moved to Texas, and I needed to find out where do I vote. The website is votedenton.com. [For Denton County.—Eds.] It occurred to me, “Wow. Dot-com, really?”

There’s really no governance that says you need to use a dot-gov [URL] extension. There’s really nothing preventing [a malicious actor] from going to GoDaddy and [purchasing] vote-denton.com. [Notice the hyphen, making it subtly different from the official local election site.—Eds.] Would a normal person be able to know which one of those sites is legitimate? You can’t.

Part of what we’re advocating strongly is we want to get to a point where all local election boards and counties are using dot-gov to make it much easier to give guidance to the general public where we can say, “Only trust a site if it’s dot-gov.” But for now, we can’t even do that.

The other major finding that was shocking was greater than 75 percent of the sites we looked at didn’t enforce SSL. [SSL, now TLS, is the standard protocol that encrypts and authenticates Web traffic; a site that enforces it serves its pages only over https:// and redirects plain http:// requests.—Eds.] Think about every e-commerce site you go to—any site doing anything of some reasonable level of importance is using SSL. What could be more important than protecting information about where you go to vote? Ensuring information you download about [elections] is accurate? That your information is not being intercepted and stolen?

With the talent shortage we have in cybersecurity, these local agencies are struggling to hire people that have the skills to do even the most basic tasks to secure these environments.

The part that’s more inference than having direct evidence is, if the public-facing systems these [local governments] are supporting lack basic security controls, it would be a reasonable assumption that … voter registration databases and systems that tally up and report votes—it would be difficult to comprehend why they would do a much better job [securing] those systems [than] they would be with the other systems.

The other thing is I was listening to the news today. It sounds like the [National Republican Congressional Committee] had some sort of breach. I think one of the most important things that we make progress on is a commitment from both politicians and also the core media to not treat leaked data from a breach as fact until it can be independently validated.

One of the challenges is when a data breach does occur, an adversary can use legitimate data that’s stolen in order to increase the confidence in fabricated data. They might release some data that can be validated, but then intertwine fabricated information. … That’s probably one of the most effective forms of information warfare.
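The two checks Grobman describes for local election sites (is the site on a .gov domain, and is it served over HTTPS) plus the vote-denton.com lookalike problem can be scripted against an inventory of county sites. The following is an added example written for this page, not McAfee's survey code; votedenton.com is the one real name the interview mentions, and every other domain, the "landing" URLs and the OBSERVED list are constructed stand-ins for what a registrar, passive-DNS or certificate-transparency feed would supply.

```python
"""Offline audit of a (constructed) inventory of local election-information sites.

For each county the audit reports whether the official hostname is on the .gov
top-level domain, whether the recorded landing URL is plain http://, and which
observed domains are separator/TLD variants of the official name (the
vote-denton.com vs votedenton.com problem from the interview).
"""
import re
from urllib.parse import urlparse

# Constructed inventory. "official" is the name the county publishes; "landing"
# is the URL a citizen actually ends up on after following the published link.
INVENTORY = [
    {"county": "Denton", "official": "votedenton.com",
     "landing": "http://votedenton.com/where-to-vote"},
    {"county": "Example", "official": "vote.examplecounty.gov",
     "landing": "https://vote.examplecounty.gov/"},
    {"county": "Sample", "official": "samplevotes.org",
     "landing": "http://samplevotes.org/ballot"},
]

# Constructed list of registered domains seen in the wild (e.g. from passive
# DNS or certificate-transparency logs); hypothetical except votedenton.com.
OBSERVED = [
    "vote-denton.com", "votedenton.net", "vote.examplecounty.gov",
    "samplevotes.org", "votedenton.com",
]


def is_dot_gov(host):
    """True only when the registrable name sits directly under .gov."""
    return host.lower().rsplit(".", 1)[-1] == "gov"


def normalize(host):
    """Drop the TLD and every separator so that 'vote-denton.com',
    'votedenton.net' and 'votedenton.com' all map to 'votedenton'."""
    labels = host.lower().split(".")
    base = ".".join(labels[:-1])
    return re.sub(r"[-_.]", "", base)


def lookalikes(official, observed):
    """Observed domains that collapse to the same key as the official name
    but are not the official name itself."""
    key = normalize(official)
    return sorted(h for h in observed
                  if h.lower() != official.lower() and normalize(h) == key)


def audit(inventory, observed):
    findings = []
    for rec in inventory:
        host = rec["official"]
        findings.append({
            "county": rec["county"],
            "host": host,
            "not_dot_gov": not is_dot_gov(host),
            "plain_http": urlparse(rec["landing"]).scheme != "https",
            "lookalikes": lookalikes(host, observed),
        })
    return findings


def summary(findings):
    """Percentages in the form the interview quotes ('over 70 percent')."""
    n = len(findings)
    return {
        "pct_not_dot_gov": round(100 * sum(f["not_dot_gov"] for f in findings) / n),
        "pct_plain_http": round(100 * sum(f["plain_http"] for f in findings) / n),
    }


if __name__ == "__main__":
    results = audit(INVENTORY, OBSERVED)
    for f in results:
        print(f)
    print(summary(results))
```

The lookalike check deliberately ignores the TLD, because the interview's point is that nothing stops a second party from registering the hyphenated or .net variant; in a real audit the OBSERVED list would come from a registrar or certificate-transparency query rather than a literal.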

X: What emerging security technologies is McAfee focused on these days?

SG: The entire cybersecurity industry is much more aggressively taking advantage of machine learning and artificial intelligence. McAfee has very aggressively been increasing our investment in that space. We’re playing the long game, in that we’re preparing for adversaries to focus on evading or trying to manipulate the technology.

For example, there’s an entire technical field, largely in academia, called adversarial machine learning. What is the technology behind fooling artificial intelligence or machine learning? What we’ve found is in cybersecurity, a lot of the underlying technology is incredibly fragile.

We’ve done a lot of research into understanding what techniques could an adversary use in order to evade [an A.I.-based detection system], or what we call poisoning a training set.

We’ve even looked at this outside the field of cybersecurity. My team did a demonstration where we trained a machine learning algorithm to recognize street signs, the same type of thing you would expect to see in autonomous driving. We applied adversarial algorithms: what is the minimum we need to change the street sign in order to essentially have the algorithm think it’s something completely different? We found putting a piece of tape at exactly the right part of a stop sign could make the algorithm think it’s no longer a stop sign, it’s a 55 miles per hour sign. So, really understanding the potential weaknesses in some of these algorithms is incredibly important if we’re going to depend on them for critical safety and security measures.
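The "minimum change that makes the algorithm think it is something completely different" question has a closed-form answer for any linear model, and it shows why detectors built on many individually weak signals are fragile. The block below is an added example, not McAfee's stop-sign research: it trains logistic regression on constructed 100-dimensional inputs whose two classes differ by only ±0.15 per feature under unit-variance noise (a stand-in for pixels), then computes the smallest L2 perturbation that crosses the decision boundary. Every feature moves by far less than one noise standard deviation, yet the label flips. All data, seeds and dimensions are assumptions of the example.

```python
"""Minimal-perturbation evasion of a linear classifier (added example)."""
import math
import random

DIM = 100       # number of features (assumption; think "pixels")
SHIFT = 0.15    # per-feature class separation, well below the noise std of 1.0
SEED = 7


def make_data(n_per_class=200, seed=SEED):
    """Constructed data: class 0 centred at -SHIFT, class 1 at +SHIFT, N(0,1) noise."""
    rng = random.Random(seed)
    data = []
    for label in (0, 1):
        sign = -1.0 if label == 0 else 1.0
        for _ in range(n_per_class):
            data.append(([sign * SHIFT + rng.gauss(0.0, 1.0) for _ in range(DIM)], label))
    return data


def dot(a, b):
    return sum(p * q for p, q in zip(a, b))


def sigmoid(z):
    # numerically stable in both tails
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    ez = math.exp(z)
    return ez / (1.0 + ez)


def train_logreg(data, epochs=100, lr=0.5):
    """Full-batch gradient descent on the logistic loss; returns (w, b)."""
    w = [0.0] * DIM
    b = 0.0
    n = len(data)
    for _ in range(epochs):
        gw = [0.0] * DIM
        gb = 0.0
        for x, y in data:
            err = sigmoid(dot(w, x) + b) - y
            for i in range(DIM):
                gw[i] += err * x[i]
            gb += err
        w = [wi - lr * gi / n for wi, gi in zip(w, gw)]
        b -= lr * gb / n
    return w, b


def decision(w, b, x):
    return dot(w, x) + b


def predict(w, b, x):
    return 1 if decision(w, b, x) > 0 else 0


def centroid(data, label):
    pts = [x for x, y in data if y == label]
    return [sum(col) / len(pts) for col in zip(*pts)]


def minimal_evasion(w, b, x, margin=1e-3):
    """Smallest L2 change that puts x just past the hyperplane w.x + b = 0.

    The nearest point on the other side lies along w itself, so
    delta = ((-sign(f)*margin) - f) / ||w||^2 * w, where f = w.x + b.
    """
    f = decision(w, b, x)
    target = -math.copysign(margin, f)
    scale = (target - f) / dot(w, w)
    delta = [scale * wi for wi in w]
    return [xi + di for xi, di in zip(x, delta)], delta


def evasion_report(seed=SEED):
    """Train, attack the class-0 centroid, and report how small the change was."""
    data = make_data(seed=seed)
    w, b = train_logreg(data)
    x = centroid(data, 0)
    x_adv, delta = minimal_evasion(w, b, x)
    return {
        "clean_label": predict(w, b, x),
        "adv_label": predict(w, b, x_adv),
        "l2": math.sqrt(dot(delta, delta)),          # total change
        "linf": max(abs(d) for d in delta),           # largest per-feature change
    }


if __name__ == "__main__":
    print(evasion_report())
```

The per-feature change reported as "linf" is the analogue of the strip of tape: individually negligible against the noise every feature already carries, but aligned with the model's weight vector so the contributions add up across all 100 features. Non-linear detectors do not have this exact closed form, but gradient-based attacks approximate the same step, which is why Grobman's team frames evaluation around the minimum perturbation rather than around accuracy on clean data.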

X: How much are you looking into quantum computing technologies?

SG: The biggest risk to organizations is that the encryption algorithms the entire world currently uses to protect data will potentially be compromised within the next number of years—it’s unclear if it’ll be five, 10, 15 years.

The issue isn’t when quantum computing becomes practical. The issue is [real] today. The reason is, if I’m an adversary and there’s data I want of yours, even if it’s encrypted, I can grab the encrypted data and put it on the shelf. Whenever I get quantum computing working such that it’s practical, I can then take that data off the shelf, [decode it with quantum technology], and have access to it.

A lot of what McAfee is doing now is we’re being supportive of the organizations driving the first phase of quantum computing, but also pushing to go much faster and not operate so linearly. … What I’m advocating is the industry starts thinking now about what we need to do to retool the [existing] protocols and standards.