CyberBites Edition Podcasts
Long View Vision of Cybersecurity with Vishal Salvi
Vishal Salvi, SVP, CISO and Head of the Cybersecurity Practice at Infosys, discusses the future of cybersecurity. The discussion covers a recent breach of SolarWinds, the history of cybersecurity, and the evolution of the CISO role over the years.
Hosted by Yulia De Bari, Cybersecurity Lead and Podcast Producer for the Infosys Knowledge Institute.
“When the internet was born, nobody really worried about the security of the internet. That's how it was designed. And only when we started seeing the flaws being exploited did we start thinking about what we need to do. The foundational message for us in our role here at Infosys is the message of secure by design. So whenever you're designing or building new solutions, think about security.”
- Vishal Salvi
Yulia and Vishal talk about the breach of SolarWinds.
Yulia talks about the era of experiments and first computer viruses.
Yulia talks about the Morris worm.
Yulia and Vishal talk about the 1994 CitiCorp hack and the world’s first CISO.
Vishal talks about the role of the CISO in the 1990s and 2000s.
Yulia talks about cybersecurity in the early 2000s and the internet era.
Yulia and Vishal talk about state-sponsored attacks and the role of geopolitical tensions in cybersecurity.
Yulia talks about cybersecurity in 2010 and the era of expansion.
Vishal talks about recent trends in cybersecurity.
Vishal talks about the 2020s and how cybersecurity is now on the board agenda.
Vishal talks about the role of the CISO today.
Vishal gives his view on the future of cybersecurity.
Yulia De Bari: Welcome to the Knowledge Institute podcast, CyberBites Edition. In today's podcast, we are talking about where we are on the cybersecurity curve. We are covering the history of cyber threats, the evolution of CISO’s role over the years, and giving you our long view vision of cybersecurity. I'm Yulia De Bari, cybersecurity lead and podcast producer for the Infosys Knowledge Institute. Today, I'm here with Vishal Salvi. Vishal is senior vice president, chief information security officer, and head of the cybersecurity practice at Infosys. In December 2020 a major IT firm was hacked. The breach of SolarWinds went undetected for months and could have exposed data in the highest reaches of government, including the US military and the White House. It is a reminder that even those at the very top of the cybersecurity industry can be compromised.
Vishal Salvi: It's ironic that one of the topmost cybersecurity consulting firms was impacted and had to actually disclose a very large cybersecurity breach. The first thing that the hackers did was that they identified vulnerabilities in the SolarWinds' cybersecurity architecture or controls. And they exploited that vulnerability to get into their systems. Once they were there in their systems, they could get access to their CI/CD pipeline, which was developing the core for their software. And once they got into that, they could go and compile a malcode or a backdoor into their software, which was called Orion. And it became an update. So it got compiled, the code was compiled with the malcode installed by the hacker onto the Orion software as an update, without any errors. After that, it was around 33,000 customers that they had for SolarWinds Orion. 18,000 customers downloaded that update, which installed that backdoor successfully onto those 18,000 organizations or 18,000 instances.
Vishal Salvi: Clearly, if SolarWinds had a good cybersecurity posture, then they could have prevented this. Because for somebody to go and compromise your CI/CD pipeline and get a malcode compiled into your official release version of your software, is an extremely rare event. You will have to bypass and understand everything about your compilation for that to happen. In my mind, that is the root cause of this problem.
Vishal Salvi: And I think this lesson is a very important lesson for every software development organization, or every software product development organization, that integrity of your code has to be 100%. And I anticipate that there will be a lot more standards, which will come to ensure that we get more assurance on the integrity of your code in the future. Especially if we start seeing more of such attacks coming in the future, then that regime is going to be a very important aspect.
Yulia De Bari: This recent attack was very sophisticated. To develop the best practices for fighting frequent and sophisticated cyber attacks, companies need to leverage cutting-edge technology and be ahead of the curve. In this episode, we will try to understand where we are on the curve.
Yulia De Bari: It all started as an innocent experiment. The 1970s marked the beginning of the era of experiments. That's when Bob Thomas created Creeper, one of the first successful self-replicating programs that could spread itself over the network, moving from one computer to another.
Yulia De Bari: The program did no harm but displayed a message on the screen saying, "I'm the Creeper. Catch me if you can." To catch the creeper, Ray Tomlinson developed Reaper, a program designed to catch the virus. Reaper was the first step towards creating an antivirus program. But the first true antivirus programs were developed 20 years later.
Vishal Salvi: And as we know, in every aspect of our social or professional life, there are always adversaries or people who want to break the norms and societal rules for their own benefit with nefarious activities.
Yulia De Bari: The era of experiments ended with the Morris worm in 1988. The program was created with no malicious intent, but it got out of control and caused serious economic damage. Also, the worm did not delete or damage files. It made computers so slow, they were basically unusable.
Yulia De Bari: The incident showed how vulnerable computers were and forced software vendors to take flaws in their products seriously. The Morris worm not only exposed computers’ vulnerabilities, but it also inspired criminal minds. In 1989, the era of innocence came to an end. Over the next 10 years, the foundation of cyber criminality was laid down. Criminals realized that breaching computer systems could be profitable.
Vishal Salvi: That has been the evolution of cybersecurity. And so, we started seeing malcode being written, without much of an adversarial motivation. But then, over a period of time, we started seeing easier methods by which one could write a virus or malware, and then extract and start having financial transactions or unauthorized transactions.
Yulia De Bari: In 1994, Vladimir Levin tricked the Citicorp system and transferred $10 million to accounts located in different countries. Eventually, Levin was caught and the bank recovered all the money. So what? What did it lead to?
Yulia De Bari: By the mid-90s, businesses recognized a need to create specialized cybersecurity offices and CitiCorp Bank created a new C-level position, known as a chief information security officer. And just like that, Steve Katz became the world's first CISO. After the CitiCorp hack, security became more than a technology issue. It was a business risk. But was the CISO role the same as today?
Vishal Salvi: And perhaps he was the first CISO that we know of, but my sense is that the role came into prominence only in the early 2000s. Until then, it may not have been called a CISO, but it was still a responsibility to manage the information security risk for the organization.
Vishal Salvi: So back in 1990, this was not a well-defined role at all. And I almost got into cybersecurity by accident and not by design. And that is the case with most of my colleagues during that time. So initially, it was a part of the IT operations. It was called IT security. And then I think the role has evolved. It started transforming into a management and leadership role in the 2000s.
Yulia De Bari: By 2000, the internet had spread massively throughout the world. Hackers started to target servers and public websites. They quickly learned how to exploit internet vulnerabilities and do more damage. Attackers could infect PCs, steal information, send spam, create phishing pages and direct an entire network of computers to launch DDoS attacks.
Yulia De Bari: During the internet era, the number of known computer worms circulating around the internet has spread exponentially. By the mid-2000s, there were more than a million. Frequent attacks made companies reconsider their security priorities and recognize cyber attacks as a major corporate issue.
Yulia De Bari: In 2004, the global cybersecurity market was worth $3.5 billion. In the mid-2000s, cyber threats became political as governments realized that digital attacks can be used for spying purposes and cause physical disruption. Cyber criminals started to target states, cities, and critical infrastructure.
Yulia De Bari: This impacted national security and cost businesses millions of dollars. During this era, the first state-sponsored cyber gangs were formed. It also became evident that any country with a sufficiently well-developed network infrastructure is vulnerable to cyber threats. But why should businesses care about all these geopolitical tensions?
Vishal Salvi: There is the issue of collateral damage because there are many fish in the pond. When you put out bait, you don't know which fish is going to catch the bait. So whenever you put malware or a threat on the internet, although it may be intended for a particular set of organizations or targets. Given the nature of how technology and digital are, the moment you come in contact with a threat, you are likely to get impacted because you have the same vulnerabilities that others have.
Vishal Salvi: So, I think if you look at the modus operandi of the state-sponsored advanced persistent threat, we all know that they would prefer to be in the stealth mode. The SolarWinds attack is also, the intention was never disruption, or ransom, or any financial gains. It was all about collecting data and you could collect data from any potential asset of interest.
Vishal Salvi: So you will spread your net across various organizations. And invariably in today's connected digital world, there is interdependency between different countries. There are trades, money markets, capital markets, everything is linked and hyper-connected. Something happening in one continent or one country impacts the rest of the world.
Vishal Salvi: So, therefore, what happens is that when you start propagating these threats and malware, even if it is not intended for you and you become a victim, you will always have some information that will be of strategic interest for an adversarial country. Whether you are collecting data from defense organizations, or collecting data from government organizations, or collecting data from national critical assets. So, therefore, you need to worry about it because it's real.
Yulia De Bari: So, during this period, organizations became more risk-oriented. CISOs adopted a risk-based approach. They had to assess the big picture risks and report to the C-Suite. 2010 marked the era of expansion, also known as the era of major breaches. Attacks got more expensive and could damage physical infrastructure.
Yulia De Bari: A cyber attack could affect a company's reputation, result in an outflow of clients, and even bankruptcy. During this era, hackers frequently launched their attacks, compromised smart devices, and used aggressive social engineering tactics. They also interfered with presidential elections and altered the public's opinion by spreading false news.
Yulia De Bari: In 2011, the value of the global cybersecurity market was $64 billion. It grew 100% by the end of the era. In 2019, the global cybersecurity market's estimated worth was $156.45 billion. This era saw the introduction of new tech, such as the Internet of Things, migration to the cloud, and social media becoming widely used. This led to the creation of new privacy and data regulation laws, like GDPR and CCPA.
Vishal Salvi: The interesting aspect of cybersecurity has been that it has been a gradual change. In a certain way, it has been a cat and mouse game. There has been a massive adoption of digital. Especially if you look at the last two, three years, when we're talking about cloud, we talk about the dispersion of data. We talk about the inversion of the data centers into the cloud and endpoints.
Vishal Salvi: There are multiple trends in terms of adoption of open source, adoption of containers, DevSecOps, multiple things happening at the same time in the technology world. The foundational message for us in our role here at Infosys is the message of secure by design. So whenever you're designing or building new solutions, think about security.
Vishal Salvi: When the internet was born, nobody really worried about the security of the internet. That's how it was designed. And only when we started seeing the flaws being exploited did we start thinking about what we need to do. When we now look at the 2020s, a lot of boards are taking a direct interest in governing the way cybersecurity is going to get managed within an organization.
Yulia De Bari: New technology and new regulations added another function to the role of a CISO. They not only had to assess strategic security concerns and unknown risks but also know how privacy regulations affected their organizations, where the data was stored, and how it was secured. In 2020, we entered the mainstream era where cybersecurity has become top of mind. Cybersecurity now is on the board agenda.
Vishal Salvi: The way the role has changed is that it is a role that is accountable to provide assurance to the board. But also, the board itself has started playing an important role in governing and ensuring that there is a proper strategic intent that an organization has in terms of driving the issue of managing the cybersecurity risk for a given organization. 50% of the boards are directly taking responsibility for cybersecurity. And I think that percentage is going to grow rapidly and it's going to become 100% in the next year to 18 months.
Vishal Salvi: So, as a result of that, CISOs would be expected to elevate their narrative. And should be in a position to engage at the various leadership levels and various board levels. And should be able to give that assurance by fundamentally also making sure that assurance is on the sound foundation of a very robust cybersecurity program. So in a nutshell, you need to have a very sound leader who is delivering on the goals. And then, is also able to communicate that effectively with the board.
Yulia De Bari: CISOs play a crucial role in organizations. Since the mid-90s, their role has evolved from mainly being IT security administration, to a multifold complex C-level position. They have a multifunction where they need to understand cutting-edge technology, regulations, and privacy laws, assess risks, and have board conversations.
Yulia De Bari: Today's cybersecurity solutions focus their defenses on workplace transformation, cloud adoption, digital transformations, and borderless architecture. According to Infosys Knowledge Institute's recent TechCompass report, digital technologies, like 5G, software-defined networking, artificial intelligence, machine learning, blockchain, big data, and open source are also rising.
Yulia De Bari: The global cybersecurity market is rapidly growing and it is projected to reach $326.4 billion by 2027 according to Grand View Research. So, what can we learn from history? Will we face more cyber attacks? And what is the future of cybersecurity?
Vishal Salvi: If I could just put a crystal ball and gaze in terms of what can we expect in the future, it has to be looked at from the context of where we are. And we know, for example, the internet as we know it, will continue to exist because I don't see there is an alternative.
Vishal Salvi: In fact, if you see, the internet has become more robust, more stable, and more reliable than even your corporate connectivity models. That is the reason why we are able to effectively communicate and be hyper-productive in the times when most of the people are working from home.
Vishal Salvi: So, with the resilience of the internet, the adoption of digital, and the fact that we have always seen a high frequency of attacks happening every year on year, it is fair to expect that this problem is only going to grow and become more and more mainstream as we go into the future. And so, the world of cybersecurity and professionals will continue to exist for at least two to three decades, as we have seen in the last four decades.
Vishal Salvi: But at the same time, the situation as it is right now, it's a problem and it needs to be managed. So, it's very difficult to say whether the number of breaches can come down or we can have this problem completely under control because there are a lot of things that have to happen for that to be in place.
Vishal Salvi: So if you want to really solve this problem, one is we need to fundamentally resolve the way in which we are able to connect. This means right now, there is a big air gap between a human and a computer. And that air gap is a big problem. Attribution is very difficult and so on and so forth. So that's number one.
Vishal Salvi: Number two is we need to ensure that we are able to apprehend and attribute these attacks to the individuals. At this stage, it is very difficult to do attribution and it is very difficult to apprehend people. And that is because it is very difficult to have international cooperation. It is very difficult to trace individuals. And even if we trace the individual, we have local country laws, international laws, and it does not allow you to do that.
Vishal Salvi: And the big challenge is that there is a race for cyberwar. It is very easy to orchestrate espionage and do your spy games using cyber as compared to traditional warfare, which is expensive and has physical and border constraints. So this race needs to stop and we need to start putting some controls and balances.
Vishal Salvi: Now, all these three things are extremely difficult things to achieve in the short-term. But hypothetically, if these three issues, and there are many more than these three prominent issues that come to my mind, are tackled, then there is a hope to reduce the number of attacks in the future.
Yulia De Bari: So, the future of cybersecurity depends on the choices made by companies, governments, and law enforcement agencies. With better cooperation and secure design of the solutions and software codes, we can secure our future from more sophisticated attacks.
Yulia De Bari: You have been listening to the CyberBites Edition of the Knowledge Institute podcast. You can find details on our show notes and transcripts at infosys.com/iki in our podcast section. We hope this discussion will help you make the right decisions to secure your future.
Yulia De Bari: If you are interested to learn more about the different cybersecurity eras, read our new article called Long View Vision. Don't forget to hit the subscribe button and give us a rating and review. Until next time, keep learning and keep sharing.
About Vishal Salvi
Vishal Salvi is Senior Vice President, Chief Information Security Officer and Head of the Cybersecurity Practice at Infosys. He is responsible for the overall information and cyber security strategy and its implementation across Infosys Group. He is additionally responsible for the Cyber Security Business Delivery, driving security strategy, delivery, business and operations enabling enterprises security and improving their overall posture.
Vishal has over 25 years of industry experience in Cybersecurity and Information Technology across different industries. Prior to joining Infosys, he held various leadership roles in Cybersecurity and Information Technology at PwC (Partner Cyber – 2 years), HDFC Bank (SVP & CISO – 8 years), Standard Chartered Bank (SVP & Head Cyber Ops – 11 years), Global Trust Bank (IT Ops), Development Credit Bank (IT Ops) and Crompton Greaves (IT Sales).
- Connect with Vishal Salvi: LinkedIn
Selected links from the episode
- Infosys CyberSecurity
- First computer virus
- CitiCorp hack & world’s first CISO
- Cybersecurity market size