Sam Curry: The 2020 Crystal Ball

Sam Curry is Cybereason's Chief Security Officer and an award-winning cyber security visionary. Sam & Ran discuss Sam's upcoming webinar, in which he will present his insights into what 2020 will bring for the security industry: the rise of 5G cellular networks, The US Presidential Elections, the 2020 Tokyo Olympics and more.
See here for more details about the webinar and registration form:
https://www.cybereason.com/2020-predictions-webinar-maliciouslife

Hosted By

Ran Levi

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, he created the popular Israeli podcast, Making History, with over 14 million downloads as of Oct. 2019.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Special Guest

Sam Curry

CSO, CYBEREASON

Sam Curry is CSO at Cybereason. He is a security visionary and thought leader and has been interviewed by hundreds of journalists, has published broadly and has talked in media on security trends, threats and the impact of "cyber" on us all. He recently won an award as a 30-year visionary from SC Magazine and is a Visiting Fellow at the National Security Institute. Previously, Sam was CTO & CISO for Arbor Networks (Danaher and NetScout) and was CSO & SVP R&D at Microstrategy in addition to senior, executive security roles at McAfee and CA. He spent 7 years at RSA (the Security Division of EMC, where he was a distinguished engineer and Fellow nominee) as CSO, Chief Technologist and SVP of Product. Sam also has 24 patents in security from his time as a security architect, has been a leader in two successful startups and is a board member of the Cybersecurity Coalition, of SSH Communications and of Sequitur Labs (in the IoT security space) in addition to a number of advisorships across the security spectrum.

Episode Transcript:

Transcription edited by @hakinadey

[Ran] Hi and welcome to Malicious Life, we’ve got a special segment for you this week, a little peek into the future.
With us for this segment is Sam Curry, and if the name Sam Curry rings a bell for you, that’s because Sam is a frequent guest on our show. But the reason Sam will be joining us today is that in addition to his day-to-day duties as chief security officer at Cybereason, he also takes the time to try and peek into the future and decipher the trends and technologies that will impact cyber security in the near future. For this work, Sam recently won an award as a 30-year visionary from SC Magazine.
So Sam, welcome to Malicious Life once again.

[Sam] Thanks for having me, Ran, it’s good to be here.

[Ran] Great to talk to you again, and we’ll start by saying that the pace of our talk today is a live webinar that you’re going to host next Tuesday, December 17th, under the title The 2020 Crystal Ball. So we’ll give you more details a bit later for those of the listeners who wish to join that webinar.
But before we do, Sam, who’s the intended audience for these security predictions? Is it the engineers, the executives, the sales engineers, all of the above?

[Sam] That’s a great question, because I think the secret answer is me, I’m the audience. When I write these, I have in mind somebody who is a little bit of an analyst, a little bit of a CISO, but really anybody, anybody could benefit from it. I’ve been in the security industry, as I guess SC Magazine said, for 30 years nearly. And every year there’s predictions, and every year everyone comes out with reports and pounds the podium. And let’s be honest here, in our industry, we have an adaptive opponent.
So if by some chance these gurus on the mountain get it right, and predict things correctly, then it’s really hard to make the actions you should take as a response something that can be used, because the bad guys will adapt. If everybody followed your advice, you would in fact be wrong, because the bad guys would do something else.

[Ran] They’re listening as well.

[Sam] Exactly, they’re listening in. And if a significant number of practitioners suddenly say, hey, Sam, great advice, and do it, then the bad guys will be like, well, that’s a dumb thing to do, I’ll do something else. And so the advice that’s given has to be something that is actionable, and will lead to a material difference regardless of that second order chaos feedback loop.
And on top of that, nobody’s ever held accountable for the predictions that they’ve made previously. It’s sort of like back in the days with the Almanac, the Bickerstaff folks, and Ben Franklin: it doesn’t matter if you predict something in the future, because nobody will, after the event, come back and check if you were right. You just become known as a person who sees the future. And so crystal ball for me was just a way of having a little joke about that.
I do try to make it practical, and in fact, break it down into what the bad guys are doing, and what is foreseeable in their evolutions that you should prepare for, what the industry is doing, and then hopefully a piece on what we should be doing anyway as an industry. And hopefully that helps everybody understand security a bit, but in particular I’m writing for the me out there, either the younger me who is an analyst or the older me who’s a CSO.

[Ran] And I hear the special emphasis on actionable predictions. Is that right?

[Sam] Yeah. I mean, in the end, nobody is just looking for science fiction, or for, no matter how visceral or entertaining, is looking for the fear, uncertainty, and doubt. What we want is to say, that’s useful to me. And the real reason it’s interesting isn’t because New Year’s is coming and the number changes in the year. It’s because there’s annual budgets that are synced with the calendar year, and as people do their preparations, now’s the time to start saying, think about these things as you go into next year.
In fact, I did it at the beginning of December this year, even to try to get ahead of that cycle a little bit. Budgets are being finalized now in most companies for those synced with the calendar year, which is still the majority. And now’s the time to get in front of them and say, think about these things next year.

[Ran] Great. So we’ve got the schedule for 2020 coming up.
So what are the major events scheduled for 2020 that you feel will have a significant impact on the cyber security battlefield?

[Sam] Sure. And actually, your use of the word battlefield is spot on. I think cyber is both a battlefield in its own right, and it is a domain that affects all the other battlefields. And so what Clausewitz called it, called war, extension of politics by other means.
Unfortunately, when you go to war and you have a skirmish somewhere, or you shoot an archduke somewhere, there are terrible repercussions. Cyber is a better toolkit for the extension of politics by other means. And so really, what matters isn’t the seasonality.
Obviously, there’s the things we expect, like when the retail season peaks. But what matters is the geopolitical events and who might use them either directly for political aims and geopolitical aims, or as a cover. And so the three biggies are the Tokyo 2020 Olympics, I don’t think can be ignored. And every year, I think the cyber dimension around the Olympics, every time, I should say, every four years, or every two years for summer and winter, that is going to climb.

[Ran] Especially, I think, once that we’ve heard actually yesterday that Russia is going to be expelled from the games due to…

[Sam] Right. And everything should go smoothly from that point on, right?
I think whoever is looking at the Olympics and might be disgruntled, like Russia not participating, there’s probably a whole other Olympic competition going to happen and somebody’s going to go for gold and cyber, whether it’s official or unofficial, it probably is unofficial. But the other two big events are, of course, Brexit, which has massive implications for a large number of Western economies, and for Great Britain itself.
And finally, of course, the US presidential election, we’ve seen elections tampering and not just critical infrastructure, where a lot of the attention is, but also the misinformation and disinformation game. Those are huge next year, and I can’t see Russia sitting back among many other nations and saying, hey, I’m fine with not being in the Olympics, and sure, I’m not going to meddle in the US politics, and that Brexit thing, that’s not a big deal. But keep in mind, people will also try to pose as Russia, and that’s just the first most obvious layer. These are, I think, the big things.
Now, more could happen during the year, but we should keep an eye to the geopolitical scene and to the economic scene if there’s a macroeconomic turn down. We should be looking to that to say, when should I expect the cyber meteorological report to turn ugly?

[Ran] I think that only these three events that we mentioned, the presidential elections, Brexit, and the Tokyo Olympics, will probably give us more than a few future malicious life episodes, to say the least.

[Sam] I think so. I think there’s plenty of food for journalism, really.
I do hope that mainstream media, actually, I do hope that they realize the cyber dimension soon enough. I don’t think they’re thinking in those terms.
They’re gearing up and bringing the vans to the events and getting the satellite uplinks, and they’re forgetting, oh, that is a tenuous threat if the cyber dimension eats up.

[Ran] Yeah. Let’s choose one of the predictions that you’ll be talking about in the upcoming webinar and sink our teeth in it and dive deeper into it. Choose one.

[Sam] Yeah. A tough one to do. There’s so many to choose from.
I think perhaps one of the most topical ones in the mainstream will be 5G. The 5G rollout, by the way, it’s just waiting to escalate.

[Ran] We’re talking about the cellular network’s 5G new standard for communications, the ultrafast standard.

[Sam] Ultrafast? Hugely so. Massive increase in bandwidth, more computing near the edge, but most 5G cells are smaller than 4G, requiring more density.
They also, because the compute is actually closer to the device, the actual 5G device, you’re going to find a lot of physical hacking of those. We saw this in Hong Kong, for instance, where devices were being physically hacked and cracked open and accessed during the riots and during the …

[Ran] We’re talking, Sam, about the actual devices in the user’s hands or cell towers?

[Sam] The cell towers that are now becoming, they will be more common and physical access will expose an awful lot. But having said that, many of the 4G devices can be upgraded to 5G. 70% of those are from Huawei. A lot of the security, a lot has been baked in, so the telcos have started thinking, what do I put in there?
However, a lot of the new attack surface is becoming less predictable in the 5G world and is unknown. We’ve even seen some countries like Switzerland delay or slow down their 5G rollout, pending understanding what some of the security issues are. On the one hand, we’ve got this huge hype coming out of the telecommunications industry saying 5G, 5G, 5G, to the point where even people are using the word at home. And we see the hype like doing haptic feedback surgery enabled by the fact that 5G is ubiquitous.
On the other hand, we have the potential for even massive, due to bandwidth, localized DDoS attacks and physical access to devices and eavesdropping and big security concerns in general. It won’t be a fast rollout. The fact that many 5G cells are smaller than their 4G counterparts, even on upgraded equipment, means that there’s going to have to be a lot of new hardware that’s rolled out.
It will come in cities first, and those cities, ironically, could wind up exposing a lot more privacy and security issues going forward. And so what I’m trying to do with the 5G discussion, and we’ll discuss it more on the webinar, is dive into what are some of the implications and how should people be thinking about what they do for it, how do they accommodate it, what does it do to their trust models, that sort of thing.

[Ran] But aren’t the telecommunications manufacturers, the equipment manufacturers, already battle-hardened and they are probably aware of the cybersecurity threats that they will be facing?

[Sam] I would like to believe so, but in security, we trust but verify. Until I actually see these vendors coming out and saying, here’s the new threat model, here’s where the new vulnerabilities exist, here’s what we’ve done to accommodate those ahead of time, here’s where we’ve tested them, then I still think it’s a rush to get things to market.
Having spoken with a few, my confidence is not there that we really understand the implications of these rollouts on a wide scale. It will still happen, just as technology always rolls out. One of the things to really watch in 2020 is as these things start to gain significance. If you’re a CISO or an analyst out there, do keep in mind that this could have a massive impact based on where your users are on what it does to your security.

[Ran] Very interesting. One of the very interesting characteristics of the 5G technology, the new standard, is the very low latency of communications and there’s lots of talk that this lower latency will enable many more interesting implementations and applications of that technology, such as, for example, better autonomous vehicles, because communications will be faster with the base stations, so maybe we have also not, let’s say, the classic DDoS of interrupting the flow of communication, reducing or halting the communications and making the latency too high for the correct implementation in the application.
That’s interesting.

[Sam] The availability impact, confidentiality, integrity and availability, they’re all important. The example I just gave was this notion of surgery. The haptic feedback is the tactile feedback that a surgeon would have from doing the surgery themselves so that somebody remote could have a scalpel and as they go to cut in a 3D visualization, on the far end, a robot makes the same motion. If the robot achieves resistance, the haptic feedback to the surgeon also provides resistance. That is entirely dependent on tiny, tiny latency. You can’t have a lag measured in greater than 100 milliseconds for that. The human mind perceives about 150 millisecond latency and so it’s got to be better than that in order for it to have the same tactile experience with the surgeon and then hopefully the same results.
Now, if you get latency introduced from DDoS in that world, that’s devastating when doing very fine surgery. In the case of the automotive industry though, I think we need massive redundancy. We need to be able to say, if 5G went away, could the car still drive? I think they’re thinking along those lines, especially with short-range communications protocols. In other words, you have to be able to survive an earthquake and power going out and cells being sabotaged, all of that and the cars can’t all be colliding with one another.
There’s an awful lot to this and I think the biggest thing with 5G is it itself is an issue but we have to think about what it does in a world where more OT and IoT devices come out. The fact that they don’t necessarily have the right hardware roots of trust or trust models inherent to them, it hasn’t been built in, so you’ll have a bunch of devices coming out which are weak from a security perspective, connecting over a network which has new potential to exploits and vulnerabilities. In this, you want to overlay your own personal security, either as an individual or a company.
It just requires some thinking and I think I chose that one because I can predict, sure, the bad guys will do more fileless malware next year or fill in the blank. I want to get away from that.
If I predict it and people follow advice or if they start thinking about it, then it would somehow become less valid as a body of work and I think all of us in 2020 should be paying close attention to 5G and especially how it combines with some other trends around cloud and edge computing and IoT as well.

[Ran] Very interesting, I mean only 5G by itself is almost a kind of a new battlefield for cyber security, to continue the analogy that we started with.
Sam Curry, thank you very much for joining me today. I hope you and your audience will have a very interesting and productive webinar next week.

[Sam] Looking forward to it. Thanks again, Ran.

[Ran] Thanks again.
The webinar itself will take place on Tuesday, December 17th, 1 p.m. Eastern Time and 6 p.m. Greenwich Mean Time. You can register. Registration is already open at malicious.life/predictions.
I will say again malicious.life/predictions, and thank you again Sam, and I hope you the listeners have a great week ahead of you and we’ll meet again next week for another episode of Malicious Life.