Asia's Source for Enterprise Network Knowledge

Saturday, March 23rd, 2019

Security

'There is no greater currency than trust'

There is no greater currency than trust’

To reap the benefits of a connected society, people must be able to trust the connected devices they are using, and how their personal or business data is being shared, used and monetised, according to the chief technology officer of BlackBerry.

“In today’s hyper-connected world, there is no greater currency than trust,” said Charles Eagan, CTO of BlackBerry, in an email interview with Networks Asia. “It has never been more important for individuals to trust the devices they use and how they share information. And even more importantly, it has never been more critical for people to be able to trust the organisations responsible for holding and using their personal data.”

Eagan went on to explain that trust is built on two things in our ‘Internet of Things’ world – security and privacy. “To truly achieve this for governments, organisations and individuals, cooperation between industry leaders is critical. This doesn’t mean just talking to each other and sharing solutions – it is about taking action.”

In the interview with Networks Asia, Eagan also talked about the impact of Internet of Things endpoint on security infrastructure and how companies should be securing them. He also discussed concerns regarding artificial intelligence and machine learning.

The following is an excerpt of the interview:

We've always spoken about security cooperation between businesses, vendors and governments. What is still lacking?

BlackBerry’s CEO John Chen recently published an article called: “The Simple Solution to the Technology Trust Crisis” which discusses the economic, social and ethical, responsibility of technology leaders to build security and privacy into their products by design.

He says, ‘The ask is not a tall one’.  First, build products that have security ingrained in each layer of the product and commit to no backdoors. Second, respect that an individual’s personal data is theirs and do not profit from the data or use it without their consent, which must be transparently obtained. 

He also says, ‘The answer is a simple one’. We must own our individual data and be given the transparent choice to monetize or otherwise leverage it. The problem only becomes complex when organizations put profits before ethics.

We have come a long way as an industry – recognizing and mitigating new threats, investing in developing new skills and taking active measures at deploying security solutions.   However, ‘cybersecurity’ is often thought of as an ‘IT’ responsibility – when it should be approached from all parts of an organisation, at every layer, from the admin staff and suppliers and contractors used, the machines that are connected… right up to the board or head of state who is ultimately responsible. 

Individually, consumers also have a responsibility to take an active role in our own digital security and data privacy.  That being said, industry and government need to provide better education for consumers.

At BlackBerry, we have always worked with governments, enterprises and individuals to address risks and threats to data.  As our world continues to reap the benefits of connectivity, we want to see governments put effective IoT security regulation in place.  For example, BlackBerry wants to work with policymakers to ensure things such as sensible passwords, labeling requirements, privacy protections, and appropriate disclosure are part of the equation, not just software updates.

The problems are not impossible and can be solved. But we need to come together on common ground and have the resolve, both collectively and personally, to drive for and demand what is in our best interests.

Why is it always easier for the bad guys to talk and cooperate compared to the supposed good guys?

I don’t think it is that black and white – or indeed, grey.

In industry speak, a black hat hacker is one with malicious intent.  White hat hackers are however employed to use their skills to help companies to identify vulnerabilities and weaknesses in systems.  We employ our own team of white hat hackers here at BlackBerry to test our own systems – as well as provide that service for our customers.

Then there are those who are somewhere in the middle – intentionally testing systems for vulnerabilities without permission, then expecting a fee in return for the disclosure. 

Like in the cyber-world, people in the physical world are also motivated (and communicate) in different ways.   And criminal behaviour is mitigated by laws, fines, punishments and rehabilitation. 

Online, there is no question that cyber-criminals are motivated to make money through malicious intent, uninhibited by regulations and laws.  It is often described as a borderless crime – with those ‘bad guys’ targeting global audiences with no scruples.  Ransomware attacks are especially hurting vulnerable small businesses and healthcare organisations (health data is now 10 x more valuable than your credit card).

Whatever ‘side’ one is on, there is no question that there is significant opportunity in cybersecurity – but it’s a risk and reward game. Once again, to get ahead of this, the onus is on the industry and government to really band together, break down silos, share information, collaborate and take action to help develop a global framework that identifies and prosecutes criminals in a way that increases the risk – and acts as a deterrent. 

Right now, criminals consider it to be less ‘risky’ in the cyber world.  Significant and very public action will only serve to increase that risk, impede those motivations and hopefully deter future crimes.

As we go increasingly digital, isn't it even more important that there be some level of cooperation or coordination to keep data safe? 

In 2018 there was a tiring pattern of an ever-increasing number of security breaches with larger and more significant consequences. While the media, policymakers, and electronics industry started talking about the security risks that come with a hyperconnected world, there was no real discussion on how we solve this growing problem and who bears the responsibility.

It’s time to say, ‘enough is enough’ and realize that the only true answer to solving the security problem we face every day is a three-way partnership between government, industry, and consumers. Each must recognize that they have a role in addressing the security and privacy issues we deal with every day.

At BlackBerry, we work with all 7 of the G7 governments and 16 of the G20 governments. We believe in the collaboration of the private and public sector at the highest levels of classification to help keep data safe – but as an industry, we can always do more.  Data integrity, business continuity and risk management are high on the agenda for many of our customers in 2019.

As an example, BlackBerry protects millions of people in thousands of organizations worldwide with its crisis communications technology (BlackBerry AtHoc), including the US Department of Defense and US Airforce, universities, manufacturing, maritime and many other areas.

When a cyberattack happens, we usually think of the digital impact: incident occurs, data is lost, breach is detected, recovery begins. The reality is, just like physical threats, large-scale cyberattacks are also impacting human lives. One example would be how the Wannacry ransomware led to UK hospitals having to reschedule urgent operations for patients.

A breach that compromises data also impacts any system that uses that data. This is changing how any organization with a duty of care is planning for risk in an increasingly complex world.

Alongside strategies to train staff and put cybersecurity software in place, we see a lot of opportunity for the government and private sector to enable more coordinated, effective and cost-friendly critical communication networks. The end goal is this – to ensure that organizations are more crisis-ready and cyber-resilient, regardless of the threat.

Another good example is BlackBerry’s SHIELD Advisor program, which aims to help partners better manage risks and improve the security of IoT devices in the workplace. With the SHIELD Advisor accreditation, Solution Providers can access BlackBerry’s mobile security framework and comprehensive IT risk assessment tools to help customers manage their endpoints, guard against threats, and most importantly, make better security decisions.

With the rise of IoT, endpoints, analysis and communication are another facet of security we need to worry about. Are we securing them the right way?

According to Gartner in its most recent Internet of Things Backbone Survey: security was cited as the top barrier to IoT success (35%), with privacy concerns (25%), and potential risks and liabilities (25%) also in the top five.

Going back to my earlier point about TRUST – to reap the benefits of our connected society, people must be able to trust the connected devices they are using, and how their personal or business data is being shared, used and monetised. 

According to a new survey commissioned by BlackBerry, approximately 80% of consumers in the U.S., U.K. and Canada do not trust their current Internet-connected devices to secure their data and privacy. Additionally, when asked about future purchases, respondents said they were more likely to choose a product or do business with a company that had a strong reputation for data security and privacy. And many expressed willingness to pay up to 20% more for security.

IoT device manufacturers often have to be convinced that consumers and companies will care enough about security to pay attention to what is needed and make the investment. This holds true for highly-regulated industries such as healthcare, which tends to be more vulnerable to attacks and breaches.

Ultimately, the industry needs to realize that security is not an added cost but a valuable differentiator that will not only give them what they want but also protect their company’s brand and reputation, which is undoubtedly much more expensive.

At BlackBerry, we believe that security should be deeply embedded, at every layer – in the hardware, software, apps and we work hard to secure entire ecosystems not just certain areas.

So, we are answering the needs of consumers and the industry, recently announcing BlackBerry Secure Feature Packs which gives IoT device manufacturers our trusted software and proven framework to securely build smart products – from health trackers to Alexa-enabled speakers – without having to develop the technology and deep cybersecurity expertise internally. In fact, we demonstrated at CES in January how AI-powered digital voice assistants such as IBM’s Watson and Google Assistant, can be deployed safely and securely within connected cars.

This is not a new approach.  We have taken what we used to do to make the world’s most secure handsets – to now secure all connected things.

Now, with our cities getting ‘smarter’ – the safety of people and data in our connected world is at a critical stage. ‘Smart Cities’ are using technologies and connected data sensors to enhance infrastructure and city operations – ultimately, to enhance the way we live and work.  However, to be truly ‘Smart’ – cities must be safe and secure.

This is why BlackBerry also now offers a new Security Credential Management System (SCMS) service, giving private and public sectors around the world the ability to accelerate the development of Smart Cities and Intelligent Transportation Systems.

This is just scratching the surface – but to be successful, technology, standards and regulations, alongside responsible human behaviour – must all work hand in hand.  

Is the data generated being dealt with correctly as we plan for ML and AI? How much of AI can we look forward to, or are we looking merely at augmented learning or deep insights?

From AI and Machine Learning (ML to drones, our customers are embracing all kinds of new innovations and the benefits that will drive for their businesses.  With regards to AI, there is a lot to look forward to in 2019.

Both AI and ML require access to large sets of data to help tune the software to function most effectively.  This collection and use of data has already raised concerns among consumers and businesses – and this will only increase.  At BlackBerry we have never monetized our customer’s data and believe it is very important for companies to be upfront and transparent when it comes to how data they collect is used.  Customers must be in control of “their” information, regardless of where it resides.

At BlackBerry, we are investing in AI to not only help our customers to stop attacks and breaches, but to anticipate and prevent them. Soon, we will close the acquisition of Cylance, an artificial intelligence and cybersecurity leader which will widen our capabilities in end-point management, security and threat detection and prevention.

Cylance’s technology uses artificial intelligence, algorithmic science, and machine learning to proactively detect and prevent threats to the devices it manages. The software resides on the end-point and operates when the device is online as well as offline. Moreover, it is relatively light, requiring a minimal amount of memory and power to function, potentially making it useful for both regular computers as well as small connected devices.

We look forward to sharing more about this when the acquisition closes. 

How is BlackBerry’s move away from your traditional base going? how will the recent acquisition fit into your plans and what can customers expect from you? but you're not the only vendor providing such solutions, I mean look at Samsung and Good Technologies, so how are you working to stand out?

As a company that has transformed through significant disruption, BlackBerry is not just moving with the changes, but is several steps ahead.

BlackBerry hasn’t moved away from our enterprise customer base, we have just changed the way we serve our customers.  No longer a hardware company, we have taken nearly 35 years of experience in secure communications and 80+ security certifications and applying that to help governments and private enterprise to fully embrace digital transformation.

In finance, healthcare, automotive, manufacturing, legal, insurance, oil and gas – all critical infrastructure that powers Smart Cities – our technology secures information at every layer (network, software, device) to allow millions of connected end-points to truly trust one another, communicate securely and maintain privacy. 

In September 2018, we announced BlackBerry Spark is coming in 2019, a next-generation platform that will allow enterprises to leverage AI and manage smart ‘things’ regardless of operating system.  It will also allow people to use and trust any hyperconnected end-point by making military-grade security easy and intuitive to use.

BlackBerry Spark customers will be able to create entirely new user experiences that take advantage of hyperconnectivity. For example, in a hospital, a patient’s slowing heartbeat can trigger an alert to the right medical team and simultaneously prepare the patient’s room for emergency care. This includes automatically raising the bed to the right level, starting up a ventilator or pump to deliver prescribed treatments, and bringing elevators to the floors where key personnel are located.

I’ve mentioned Cylance, our largest acquisition to date, which is yet to close. Cylance’s leadership in artificial intelligence and cybersecurity will immediately complement our entire portfolio, BlackBerry UEM and QNX in particular. As an integrated solution, it will mean BlackBerry will be first to offer an intelligent solution for protecting and managing fixed and mobile endpoints.

In terms of what we can share at this point in time, John Chen recently said: “BlackBerry has always been a mobile-first company, and yes, we do protection on mobile devices but we don’t do it as much on so-called fixed assets — the laptop and the PC and the network gear and all of that — and Cylance focuses on all of that, so the combination is synergistic from that perspective.”.

“We’ve got about 120 million users of our car software, and a big part of future business relies on the safety and security of cars, especially when cars drive themselves. They need to achieve a certain standard. I think that what Cylance does, using AI methodology to detect and analyze if there is a threat, then isolate it and fix it. I think that’s a really useful technology for us to inject into the automobile and the autonomous platform, and not only the car but the plane and the train.”

We believe adding Cylance’s capabilities to our trusted advantages in privacy, secure mobility, and embedded systems will make BlackBerry Spark indispensable to realizing the Enterprise of Things.

Can you provide some customer success stories that have come as a result of the latest Enterprise of Things (EoT) security solutions?

As a leading enterprise software and services company that secures and manages all end-points, BlackBerry is helping customers across the region to defend against cyber-security threats, mitigate risks and protect information, infrastructure (things), and people.

The Asia Pacific region is an important growth engine for BlackBerry’s global cybersecurity and software business.  In a region as diverse as APAC, every nation is at a different stage of digital transformation, but all have the same challenge – protecting data, enabling productivity and advancing innovation.

In South East Asia, which has such vast array of sectors at different phases of the mobility lifecycle, we are working with a diverse mix of customers – from the largest banks in Singapore and Indonesia, to fast-growing start-ups in the Philippines that require scalable solutions for large Android fleets.

Three success stories in this region that I’d like to call out would be Sarment, a luxury lifestyle service head-quartered in Singapore, Bank BRI, one of the largest banks in Indonesia and ride-hailing start-up MiCab in the Philippines.

Firstly, Sarment announced in November 2018 that it is partnering with BlackBerry to co-develop KEYYES CHAT, a highly-encrypted messaging application to provide identity and overall data security management for Sarment's rapidly growing ultra-high, and high-net worth user base.  The KEYYES CHAT application was developed with the BlackBerry Spark Communications Services SDK, which provides end-to-end encrypted chat, voice, video and data transfer functionality. It includes FIPS-validated, app-level, AES 256-bit encryption to ensure data is always protected on a device, across the mobile network and into the enterprise infrastructure.

KEYYES delivers a useful service for high-net worth individuals, whose data may be of value to those with malicious intent and being able to trust in the integrity of the chat system will be a primary decision-making factor for them in considering the service. With the BlackBerry Spark Communications SDK, KEYYES CHAT allows seamless communication between members, partners and employees while protecting the privacy and security of its users.

Over to Indonesia, where Bank BRI serves approximately 30 million retail clients through more than 4000 branches.  It was imperative that the financial data of these customers was protected whilst enabling employees to effectively collaborate. BRI turned to BlackBerry and deployed the BlackBerry ® Unified Endpoint Management solution.

Part of the BlackBerry Enterprise Mobility Suite, UEM provides a single view of all devices, apps, and content connected to BRI’s network, with both integrated security and connectivity. With UEM, BRI now has a complete endpoint management and policy control solution for its diverse, fast-growing fleet of devices and apps. More importantly, it ensures BRI is well-positioned to comply with any new privacy and security regulations.

Lastly, in the Philippines there is MiCab.  The company needed solution that would be able to support their compliance and mobile working requirements, without compromising on security. The company rolled out roughly 12,000 seven-inch Android tablets to its fleet of drivers secured by BlackBerry UEM (growing soon to 15,000), supported by local carrier Smart, which were fully integrated with Android Enterprise.

The solution combines the ease-of-management and gold-standard security of BlackBerry Unified End-Point Management (UEM), with the flexible, customizable nature of Android Enterprise and network connectivity and devices from Smart. Together, the partners are enabling ‘mobile-first’ company MiCab to securely manage and connect thousands of drivers with millions of passengers via a fleet of tablet devices.