Andy Ulrich, Head of Security for the Americas at Ericsson, described how IT has evolved into biology and what that means for security.
Ulrich kicked off his keynote presentation at the 2017 Chief Information Security Officer Leadership Forum held in Dallas on September 26 by asking the audience, “Where are you? Even if we don’t know where we are, our devices do,” he pointed out. “It wasn’t always like that. Figuring out where we are and how to get to where we want to go was a problem that people had to figure out centuries ago. The seafaring people were the first to do it. Latitude is relatively easy to figure out, but longitude is hard, because the earth rotates. It wasn’t until the 1700s that we had accurate navigation. Before it was possible to determine longitude, ships sailed due north or due south to the latitude they wanted and then sailed east or west,” he explained.
“What’s changed over the history of navigation?” Ulrich asked. He mentioned a few key things:
• “The required skill has dropped to practically zero. All you need is your GPS device or your phone.”
• “Accuracy has gone through the roof. Regarding GPS, we’re now down to a probability area that’s smaller than the vessel you’re on.”
• “The tools have gotten much more complex—satellites, rockets, ground control, etc.—but this complexity is abstracted away from us, so we don’t need to do any of the work.”
Ulrich asked, “So, why am I talking to IT people about this? Our computers and processors have become almost inconceivably complex, and, if we zoom out and look at the infrastructure, it’s done the same thing. We’re stuck with a lot of old things we don’t fully understand. We don’t start over, because it’s too expensive, so we add on to what we have. And, we have to provide security for all this stuff that we don’t fully understand.”
“We tend to think of computers and IT as deterministic. Deterministic systems are systems that, with a given set of inputs, will always produce the same output. Are they really deterministic?” he asked. “Maybe, but there are so many variables now that to create the same thing twice is nearly impossible. For all practical purposes, what we’re operating with looks like biology, not technology. It’s that complex. There’s so much unpredictability. It’s like an organism. If we unplug this one box that we don’t think we’re using anymore, we don’t know what will happen. This is a problem. In a lot of ways, what we’ve built is more complex than biological life. It’s not documented well, it’s not predictable, and yours is unique. Whatever you have, it’s the only one like it,” he observed.
“We do what are essentially health diagnostics on our systems. We do as much testing as we can, but, like our own health screening, not every problem shows up. It’s also expensive, invasive, and disruptive to do this. We essentially do clinical trials using a test environment, which is often not like the real thing. People not in IT don’t understand this complexity. Also, we in IT treat this like a machine, like we know what we’re doing, but I’m not sure that’s right. Doing so brings its own risks,” he stated.
Here are the takeaways Ulrich offered as things IT, as a community, could do:
• “We have to get used to talking to the board and executive community about ‘unknowables.’ We've been painting the picture that we know what we’re doing, and we don’t.”
• “Getting to this point [of talking about unknowables] is evolutionary. We can’t just do this tomorrow, and we have to do it together.”
• “We need to change the expectations. We need to understand our infrastructure as if it were a 70-year-old person who’s led kind of a rough life. But the good news is, we’ve got the whole team managing this patient’s health.”
• “Be suspicious of the claims of anyone trying to sell you a tool. Your infrastructure is unique, so general claims about a tool may not work for you. Always expect it to be harder than you're told it will be.”
In summary, Ulrich stated, “I think we need to change our thinking. I don’t know how to get there, but I want to start the conversation.”
ABOUT ANDY ULRICH:
As a young child, Andy Ulrich discovered and was delighted by the fact that, by simply pushing buttons on a telephone keypad, he could nearly instantly cause a random person half a world away to stand up and walk to their telephone. (His parents were not amused.) Thus began a lifelong interest in telecommunications and IT. His nearly 30 years of experience includes a career in the US Army, culminating in a role as the operations chief of NATO’s information security organization, and his most recent previous job as the CISO for MoneyGram. He currently heads the security program for Ericsson in the Americas from Plano, TX.