A CableLabs Engineer Discusses Today's Trends in Cybersecurity
As October and Cybersecurity Month wrap up, NCTA caught up with Steve Goeringer, principal security architect at CableLabs®, to delve a little deeper into the work that is going on behind the scenes to secure the networks and user experiences of today and to prepare for the emerging technologies of tomorrow. Goeringer, whose background includes engineering stints in the U.S. Army and at the National Security Agency, is not your traditional engineer with your typical set of technical certifications. Instead, his work brings a whole new mindset on how to rethink how the industry discusses and approaches cybersecurity.
"You need a higher level thinker who has awareness of the networks and the ways that users experience them and the ways that adversaries are going to think. You need a wide range of experiences [of people working in cybersecurity] and lots of diversity to understand how the world works and to come up with ways that will ensure a great user experience," said Goeringer. Goeringer works on projects that range all the way from securing interoperable systems for healthcare providers to support positive patient outcomes, to securing future AI systems—and protecting the user experience in every circumstance.
See the Q&A with Goeringer below to learn more about the strategies and the kind of creative thinking that will help to better secure our future and take a user’s internet experience to a whole new level.
What are a few of the cybersecurity projects you are working on right now?
That's always changing, continually evolving with the state of the industry and the nature of threats to broadband and wireless. My main focus right now is on healthcare and I get to work with the Center for Medical Interoperability where I focus on helping to achieve secure, interoperable systems for care providers. I think broadband is essential to the long-term scalability of healthcare and I think broadband can help achieve great patient outcomes even more often than we see today.
One project I get to help with at CableLabs is the Micronets™ security project. This project is about taking customer-premises networks to a new level of security—easy to use, automatic network segmentation to better contain vulnerable devices, and better ways to deliver services securely. I think this will really change the nature of home and small business networks by bringing enterprise-grade techniques and security controls to the consumer in a simple-to-use manner.
I also am working on evolvable cryptography and thinking hard about how to secure future AI systems. I want to make sure that as new tools for encryption and authentication are developed over the next decade, and longer, that broadband operators are able to adopt those capabilities with minimal disruption to their infrastructure and subscribers. And, as neural networks, deep learning, and machine learning solutions are adopted more and more widely, I want to make sure users' experiences are protected. AI may introduce new threats and vulnerabilities and we need to be proactive.
CableLabs has developed a series of Near Future videos to show what the future might look like. Can you use examples from the videos to explain any cybersecurity concerns you see in the technology being used?
I don't think you can find a single example from the series where security was a concern. That's by design—good security should require minimal user engagement. There isn't a single case where you can see somebody in the videos having to enter a password or activate an account somehow to enjoy the experiences that are shown. There are tens of thousands of security engineers across the globe right now working to ensure we have a more secure future and I think we are making progress.
Of course, there are and will continue to be serious issues. For any service to be useful by anybody, it must always be vulnerable to some degree; e.g., allowing basic nominal access creates a vulnerability. There is always a way to misuse or change the use of a device or service. And no matter how many people vet a given security control, there's always the chance that somebody else who is smarter will find a hole. The trick here is to keep trying and to make sure you can update your system as you learn. We have to think not in terms of security, but rather in the context of an "adversarial engineer."
Speaking of, can you explain the difference between security engineering and adversarial engineering, and why is this important to the cybersecurity discussion?
Too often, our focus in "security" is about compliance and controls. People tend to look at security controls as things that detract from our ability to do what they want. And, so we focus on what we want to do first and then bolt on security as we find we need to later. This is expensive. And, it results in a lousy user experience.
We need to start to use security capabilities as the magic sauce to ensuring that users get the experiences we promise them. For example, rather than focus on identity management as a control to keep bad people out, focus on identity management as the solution to seamless and secure onboarding and service delivery. Security is the key to the magic product "that just works."
Of course, we need to realize that other people want to use our services in ways we don't intend. They want to use our resources, and our subscribers' resources, to do other things—from crypto mining to botnets to identity theft. So, we must design security in from the start and I think the key to that is to be in the mindset that every engineer developing a connected device or service is in a fight. We do have adversaries, and we need to embrace that and start thinking in terms of our adversaries. We need to be "adversarial engineers" with a mindset focused on ensuring our users get the experience we intend.