greater than 75 percent of the sites we looked at didn’t enforce SSL. [SSL is a standard Web security protocol.—Eds.] Think about every e-commerce site you go to—any site doing anything of some reasonable level of importance is using SSL. What could be more important than protecting information about where you go to vote? Ensuring information you download about [elections] is accurate? That your information is not being intercepted and stolen?
With the talent shortage we have in cybersecurity, these local agencies are struggling to hire people that have the skills to do even the most basic tasks to secure these environments.
The part that’s more inference than having direct evidence is, if the public-facing systems these [local governments] are supporting lack basic security controls, it would be a reasonable assumption that … voter registration databases and systems that tally up and report votes—it would be difficult to comprehend why they would do a much better job [securing] those systems [than] they would be with the other systems.
The other thing is I was listening to the news today. It sounds like the [National Republican Congressional Committee] had some sort of breach. I think one of the most important things that we make progress on is a commitment from both politicians and also the core media to not treat leaked data from a breach as fact until it can be independently validated.
One of the challenges is when a data breach does occur, an adversary can use legitimate data that’s stolen in order to increase the confidence in fabricated data. They might release some data that can be validated, but then intertwine fabricated information. … That’s probably one of the most effective forms of information warfare.
X: What emerging security technologies is McAfee focused on these days?
SG: The entire cybersecurity industry is much more aggressively taking advantage of machine learning and artificial intelligence. McAfee has very aggressively been increasing our investment in that space. We’re playing the long game, in that we’re preparing for adversaries to focus on evading or trying to manipulate the technology.
For example, there’s an entire technical field, largely in academia, called adversarial machine learning. What is the technology behind fooling artificial intelligence or machine learning? What we’ve found is in cybersecurity, a lot of the underlying technology is incredibly fragile.
We’ve done a lot of research into understanding what techniques could an adversary use in order to evade [an A.I.-based detection system], or what we call poisoning a training set.
We’ve even looked at this outside the field of cybersecurity. My team did a demonstration where we trained a machine learning algorithm to recognize street signs, the same type of thing you would expect to see in autonomous driving. We applied adversarial algorithms: what is the minimum we need to change the street sign in order to essentially have the algorithm think it’s something completely different? We found putting a piece of tape at exactly the right part of a stop sign could make the algorithm think it’s no longer a stop sign, it’s a 55 miles per hour sign. So, really understanding the potential weaknesses in some of these algorithms is incredibly important if we’re going to depend on them for critical safety and security measures.
X: How much are you looking into quantum computing technologies?
SG: The biggest risk to organizations is that the encryption algorithms the entire world currently uses to protect data will potentially be compromised within the next number of years—it’s unclear if it’ll be five, 10, 15 years.
The issue isn’t when quantum computing becomes practical. The issue is [real] today. The reason is, if I’m an adversary and there’s data I want of yours, even if it’s encrypted, I can grab the encrypted data and put it on the shelf. Whenever I get quantum computing working such that it’s practical, I can then take that data off the shelf, [decode it with quantum technology], and have access to it.
A lot of what McAfee is doing now is we’re being supportive of the organizations driving the first phase of quantum computing, but also pushing to go much faster and not operate so linearly. … What I’m advocating is the industry starts thinking now about what we need to do to retool the [existing] protocols and standards.