On this week's episode Gar talks with Shishir Singh, Executive VP and CTO at BlackBerry Cyber Security. Shishir is a globally recognised cybersecurity expert with a career spanning 30+ years.
In this conversation we discuss BlackBerry's pivot into cyber, IOT and protecting EVs. We then talk through the findings in BlackBerry’s 2022 Threat Report, including the vulnerabilities that SMBs are facing.
The Get Cyber Resilient Show Episode #116 Transcript
Garrett O'Hara: Welcome to the Get Cyber Resilient Podcast. I'm Garrett O'Hara. Shishir Singh is a globally recognized cybersecurity expert with a career spanning over 30 years, including previous roles at McAfee, Intel and Cisco. Today he is executive VP and CTO at BlackBerry Cybersecurity. In this episode, we get to pick his brains on BlackBerry's pivot into cyber, IOT, and protecting electric vehicles. We talk through recent research on cyber insurance, BlackBerry's threat report for 2022, and observations for SMBs.
We did have some issues with recording quality and internet connections, so my apologies for the dropouts you're gonna hear. It's not you, it is us. Over to the conversation. Welcome to the Get Cyber Resilient Podcast. I'm Garrett O'Hara, and today I am joined by Shishir Singh, who's the executive VP and CTO at BlackBerry Cybersecurity. Welcome to the podcast today.
Shishir Singh: Thank you so much, Garrett, for having me.
Garrett O'Hara: Absolute pleasure to have you here. And I, I do understand you're, you're visiting Australia, so we were lucky to catch you while you were over here. So thank you for taking the time out.
Shishir Singh: [laughs] Yeah, thank you. Thank you for having me.
Garrett O'Hara: Look, it would be lovely if we could just, as a, as a, by means of introducing you to the audience, just get a sense of how you arrived at the position you're in today with BlackBerry as the executive VP and, and CTO over there.
Shishir Singh: Yeah, yeah. You know, I joined BlackBerry in January of 2022, and I was watching BlackBerry from McAfee and from the, you know, cybersecurity days. And the company had pivoted to the IOT software long before this moment. But I had been, like I said, observing this transformation during my career with a great interest, right? And this is a brand, I think we're all, you know, very, very fond of. We know about it, and I would say that this is probably one of the most underestimated brands in cybersecurity and IOT.
And that is perhaps one of the things that excited me most, to come and join this company. And, you know, I joined from McAfee [inaudible 00:02:11] how BlackBerry's nearly 40 years of security and privacy has been successfully integrated with the AI and machine learning capabilities of Cylance, which was acquired in 2018, a- as you probably know. And it is really exciting stuff because now I'm responsible for driving the strategy of the BlackBerry Cybersecurity division and what we do next. I think that will all depend on all of us, how we can take this forward.
Garrett O'Hara: Absolutely. Like, that's a good way into the, the conversation today actually, Shishir, is that, like I know, that that transition from smartphones to cybersecurity was really interesting, and for many of us, and I'm one of them. I, I hold such fond memories of BlackBerry devices, and that was the thing I used for communication for so many years. And I know that this year, it was actually just this year, right, that you guys decommissioned the infrastructure and the software that actually supported the, the BlackBerry phone operating system.
So it's actually pretty recent that that's, you know, really gone away. It would be great to get a sense of how and why did BlackBerry actually make that transition into cybersecurity?
Shishir Singh: No, absolutely. I mean, i- if you look at the announcement about the end of life of BlackBerry devices by our CEO John Chen, you know, it, it might have felt by many one of us, I mean, many of us, like we just talked about, that, "Hey, we were using these smartphones, we are really in love with this thing." This was the first, you know, kind of a corporate email secure messaging platform, which was provided as a device to all of us. But however, this announcement might be just the beginning for millions of customers we serve already, from fed governments to small businesses.
You, I, I, I don't know if you know, but today BlackBerry protects over a half a billion connected endpoints, and its software is actually in over 215 million vehicles. And I speak to so many people that have a story about their first BlackBerry and how they trusted sharing information using this device. I mean, productivity-wise, some say they could write emails under a desk while having a conversation with someone because of that iconic keyboard, like we all, we all know that part.
That was one of the key innovations of that whole platform. But, you know, the trust, the mobility, the security, privacy of that actually is associated with the device, but it is also that the company's using all of that asset in the software part of it. So think of that: from the physical device, we moved into much more of a digital transformation. So we might not be, or the people might not be seeing that in the physical form or having the device, but it's all there around us.
BlackBerry is actually now more part of people's life than it was before, they just don't see it in a physical form, like I said. Right? The car you drive, the laptop or phone you use or work, or even your energy provider or perhaps the connected solar panels we have all on our houses. BlackBerry is all around us. So to answer your question, why did we pivot it? It was actually before my time, so I don't have all the context, but the, the competitive landscape obviously changed in the early 2000s, with the arrival of the iPhone.
And, you know, that's all documented because most of the stuff moved from enterprise to consumer and all of that. So, you know, it's interesting, but I would say that there's still the asset, the IP, the whole secure connectivity, the infrastructure, which is kind of a BlackBerry DNA, still stays with us.
And we're going to put that in use from the IOT device point of view as well as from the cybersecurity point of view. And that's the two businesses we have currently in BlackBerry, how we have been operating, and both are fantastic. You know, if you look at it from the synergy point of view, how this whole AI/ML can be used in both of these landscapes, it is very fascinating.
Garrett O'Hara: Yeah, mo- most definitely. It'd be good to get a sense. I mean, obviously that transition happened. Were there any learnings that BlackBerry took from the world of smartphones into that world of IOT as, as the kind of transition happened?
Shishir Singh: I mean, I would s- I would say from the learning point of view, definitely, like I said, the, the lot of part of it, the whole, the connectivity of it, I think that is one, say we, and we integrated that as part of the AI which we acquired in 2018, the Cylance company.
And intent was that we can take a lot of these things and make much more, you know, security to a level where we can use that in the digital transformation, in the context of cloud adoption and, and all of that. So I would say definitely the DNA still stays everywhere as part of our BlackBerry product suite and, and, and the, the portfolio, what we are carrying now.
Garrett O'Hara: Yep. Yeah, definitely. And look, part of that transition, obviously, is that you've got, got a huge presence in the automotive industry and, and particularly in the EV space, which is becoming just more and more popular. Obviously EVs have a massive role to play in the planet's health going forward, but also, you know, thinking about a way to protect a country's supply chain when you're using distribution that's powered by renewables and EVs, et cetera.
And so I guess the question is, as EVs play a bigger and bigger role in supply chain, in physical distribution, it'd be great to get a sense of how, how you consider risk when it comes to protecting electric vehicles?
Shishir Singh: No, that's really a good question. And I don't know if you know, we all know that BlackBerry actually works with 50 automakers. We are actually in 24 outta 25 EV manufacturers, and they all rely on BlackBerry software for a broad range of critical systems, for the vehicles of today and for the next generation of software-defined vehicles for the future, which we call IVY. This is a platform which we're providing in the cloud. Having said that, you know, it's, it's interesting that whenever there is software, there are vulnerabilities, right?
And we need to make sure that some of this software, which is the way it is getting used, we have the same way of protecting them, because that becomes more like a host. You, you are dealing with exploits, you are dealing with malware, you're dealing with threats, you are dealing with much more targeted attacks. And it becomes even more important because there are human lives involved actually, right?
Because when you're driving a car at a hundred miles per hour and all of a sudden somebody hijacks your car controls and all of that, now we are talking about-
... you know, a very, very dangerous situation. It's just not about just the blueprint of your screen, but also we are talking about human lives at stake. So we can take all of these learnings and take the Cylance AI/ML as part of the DNA and see how we can provide an integrated solution, which can cut or intersects IOT/OT, as well as some of the, you know, traditional network companies and enterprise companies there.
Garrett O'Hara: Yeah. That, that absolutely makes sense. And, and obviously we've just talked about EV, but there's a bigger conversation here, which is around your, your presence in IOT more generally and I suppose specifically medical devices where, you know, when you talk about you know, the risk to a human life because somebody takes the control of the car through a maybe a breach or a, a compromise, when you think about medical devices, the stakes are even higher and the risk is even higher. How do you think about securing medical devices? What are the things you're thinking about that are maybe different versus EV or just general IOT?
Shishir Singh: I mean, the healthcare and some of those devices we talked about already, Cylance AI, the endpoint agent, you know, the signatureless or the AI/ML-based techniques are already used in some of those healthcare devices. To answer your question, I feel most of these devices are very custom-made or they have a very proprietary protocol. So we have to-
... be, you know, providing a solution which is much more in an air-gapped environment. And we are trying... We will, we, we should be able to get that in a solution in a way that some of these hospitals and some of these devices which are being used is much more effective to our customers. So it's not only about the protection, but also making sure that some of the, I would say, intrusion prevention or some of the network-based analysis, some of the behavior-based analysis is also performed along with that one, so that we can actually-
... understand how the attack is happening and we can prevent it before the attack happens, we can be much more predictive, which can be... We can be much more proactive in that sense.
Garrett O'Hara: Which is, is definitely gonna be a good thing when it comes to medical devices specifically. You know, IOT, IOT is just everywhere these days. You know, I'm looking around the, the sort of office that I'm in, and I can probably point to 10 places where I suspect there's embedded devices and there's IOT at play here. It would be good to, to get your thoughts. In terms of security certifications or standards for IOT, I know the Department of Defense in the US has started to introduce you know, their, their certification levels for IOT devices if you're gonna sell into Fed government in the US or, or certainly the DOD.
And Australia has introduced principles, but they're not mandatory. What are your thoughts around security certification standards for IOT, whether that's consumer business or, or even government use cases?
Shishir Singh: I think the security certification, you know, definitely I would say is required, but it is a little bit trickier on that one, because, you know, there is no one-size-fits-all kind of thing, right? So you have to see how these IOT and OT devices are segmented so that we can be much more effective in getting the certification and also giving, you know, more assurance to our customers that they are safe and sound, right?
And like I said, you know, the, the BlackBerry QNX solutions are used in more than 50 types of medical devices already, right? Such as surgical robots and infusion pumps and pacemakers. And they're like life-saving things I'm talking about, this is. And, and, and when you go through the certification process for some of these things, I think it has to be a hundred percent accurate. So we need to understand every nut and bolt of how we can make sure the certification is effective, and not only that it is giving a platform, it's giving an approach to customers to be, you know, a little bit more, you know, sure that the certification is giving them everything, whatever they needed. Right?
But, you know, that makes sense, because I think the medical manufacturing industry operates in an environment that is much more intense. It has tremendous amount of pressure, very, very stringent safety regulations and cyber threat concerns. So we have to bring it, all of these things together to get the certificate, but at some point I think we will have no choice but get there.
Garrett O'Hara: Yeah, no, absolutely. I've, I've spoken to people in the healthcare industry and, you know, people who operate as, as practitioners, cybersecurity practitioners in healthcare, and one of the comments they've made about medical devices is that quite often, the, the ability to upgrade them is imp- impeded by the need to re-certify the device at a, you know, a full-device level. So, for example, operating systems are really old because when you upgrade or patch a system, it actually has to go through a full re-certification with the, the TGA here in Australia.
So it's, it's weird. I don't know if you have any thoughts on that, like the, the idea of certifying medical devices or IOT, but actually that then being an impediment to good security practices because you need to re-certify or re... you know get the standard each time there's a change to the device?
Shishir Singh: Yeah, I mean, the bar is very, very high, and that's why there are so many, you know, stringent regulations there. But I, I would say that e- even if you're changing a small piece of code or a small piece of component, having the whole recertification process might be overkill a little bit, but I think-
... it is required, given the stake what we are going through there. You know, I, I, I think this is, I mean, I can tell you, I've just met with some of our healthcare customers here in Australia, and the one big takeaway was that they, they were all making I would say the first attempt to get to the prevention-first approach. They wanted to make sure-
... that they are using a modern technology like AI and ML software, which can give them the protection, what they really need, and they're moving away from, you know constant push of content signatures into the devices because that brings a lot of changes. And healthcare, one of those things they were not very happy with that, or they were not very satisfied with that. So I think they're making, they're moving in the right direction. They're definitely taking this you know, in the, in the right way, but I would say that, you know, certification and also some of those things should be seen in a much more holistic way.
Because you, you might think that I'm changing just a small piece of code, why do I have to go and certify? But I think this is, this is what [inaudible 00:15:53] taking that risk.
Garrett O'Hara: Mm-hmm. Yeah. And, and sometimes one small change in code actually has a huge impact to the overall functioning of a device and, yeah-
Yeah, that makes sense. Le- let's pivot a little bit. I know BlackBerry has actually done some research into cyber insurance, and it's very topical. I know that the premiums are getting higher and higher every single year. And your research did call out some of the, the issues that companies, companies actually face, so things like lack of coverage or, or being underinsured, you know, where there is insurance, but maybe it's not covering everything that's needed. What were the, the big results out of the research that BlackBerry did?
Shishir Singh: Yeah, I mean, we did a lot of research on, on that one. And I, I want to say that the, the most of the criminals are becoming much more ruthless, right? They will iterate threats and wait patiently in order to extract maximum damage, right?
And for uninsured or underinsured organizations, this potentially puts them in extreme jeopardy, right? The cyber underground is increasingly sharing even learnings and partnering to make threats as efficient as possible, right? So they're, they're in a very... they're working in a very coordinated fashions, right?
And I would say the SMEs are feeling the heat now of... The, the businesses under like 1,500 employees, or, you know, they have only 14% of co- coverage limits in excess of $600,000 and things like that, right? So, you know, the recent Forrester Report estimated that a typical data breach would cost the average organization $2.4 million to investigate and recover.
Now, over one-third, around 37% of respondents aren't currently covered for any ransomware payment demands, while 43% aren't covered for auxiliary costs such as code fees and employees downtime and all of that. So at the same time, the cyber insurance has become harder to get because of this increased software requirements placed by the insurance brokers. I would say that over one-third, around 34% of respondents have been denied coverage because they, they're not meeting specific endpoint detection response software requirements. They might have the EDR device in their environment, but they might not be using it effectively.
And this is putting, you know, increased requirements or in- increased pressure that, however, that real impact on reducing the ransom payouts is not solving it, it's not inc- decreasing there, right? Because they might have all the gadgets, but they're not using it properly. So I, I would say there is a need for us to, you know, the cyber insurance companies to work closely with, you know, the cybersecurity companies to make sure they understand the gaps, they understand where the configurations can be optimized to have the best efficient way of detecting threats so that we can provide the better protection and better understanding to our customers.
When they get a policy of a big amount, now, what can they do to reduce that part? How can they mitigate the risks and all of that? See, so we have done lot of research there and we are working with some of these companies to see how we can help both, like help each other, right? Customers as well as the cyber insurance companies as well.
Garrett O'Hara: As they work together. Yeah. Look, that, that absolutely makes sense. And I think it's, it, it's sort of an interesting one to me 'cause I think cyber insurance is a good catalyst for better cybersecurity. As you said, you, they, they're gonna analyze and audit an organization before they provide the insurance. So yeah, hopefully that's a, a good, a good outcome there. One of the things we're seeing here in Australia, but I do know it's a, it's a global issue, is rocketing cyber insurance premiums.
They're going up just so, so much. And at the same time we're actually seeing that the cyber attackers are sharing that intelligence, you mentioned this a little bit earlier, on which companies have insurance, and the assumption that if you have cyber insurance, well, you're probably gonna pay out. And it's a really good example of, you know, what's called the, the cobra effect, or that, that kind of perverse incentive. You think [laughs] it's a good thing to have cyber insurance, which it is, but actually there's this kind of unintended consequence. How do you see that playing out? How do you see cyber insurance in general, again, with, through that lens, then playing out in the coming years?
Shishir Singh: I mean, I, I, I feel that, you know, the cyber risk now equals business risk, right? The survey reveals that the cyber incidents or a lack of it impacts business practices.
You know, the three in five respondents, like 60% say they would reconsider entering into a partnership of agreement with another business or supplier if the organization did not have comp- comprehensive cyber incidents. More than two-thirds, like 68% of the IT decision-makers are likely to do a reassessment of the partner or supplier agreement because of their cybersecurity practices. So the insurance companies are having trouble understanding the security postures of organizations and explaining what... even though a company might have it, yeah deployed, but the, like I said, the insurer is not able to determine if they're using it in the right way or not, right?
So I would say you will see, in future, there'll be little bit more closer coordination between the cyber insurance companies as well as the cybersecurity companies so that they can, they can really partner well and, and get to the right outcome. And the right outcome in my mind is to provide the safety and, and, and a, you know, secure environment to our customers. And they can start trusting, they start believing that the, the policy which they're paying is actually based on certain conditions or based on certain security maturity gaps and things like that. And they can, they, they will be, they'll have more incentives to, you know, improve that over a period of time.
Garrett O'Hara: Yeah, absolutely. And, and you've s- you've sort of touched on this, but when... as you talked to that, like are there ways or things that you could recommend that organizations to do, can do to kind of best set themselves up so that they get lower premiums and also that they're ensuring that they, they're not underinsured, that they, they've actually got good insurance coverage?
Shishir Singh: Yeah, no, absolutely. I do have advice for that, and I would say that even for... I, I would say for the SMB companies they should definitely think of prevention first as they, as the first step in the right direction, right?
Make sure that they have got a very modern way of protecting themselves, because that's the fundamental part of it. The second part is that, you know, their assets, their applications, their users, their services, they're all segmented in a way which is much more structured, right? And it doesn't take, it doesn't take a lot of effort to do that one. It is just thinking about it and making sure that they're involving companies like us who can do a tech health check, who can provide recommendations on what to do.
And the third thing I would say is that, you know, given the whole cybersecurity, the lack of skillset in the market, they can outsource and say like, "Hey-
... companies, please make sure that you are my dedicated SOC. Right? You can do an incident response, you can come back and share intelligence with me that if my vertical, if my segment is getting attacked and what I should be doing differently or, or, you know, gimme, gimme a solution" so that we can get in front of those things sooner, so that they don't have to actually, no, face any problem or face any attacks.
And if they have got that right infrastructure, right you know you know, design of their security environment, then I'm sure they, they can go back to the insurance company and say like, "Hey, I've got everything in place. Like these are all the best practices I have heard about from the companies. I got this implemented. Now you tell me what the gaps I have and here is how you should bring my premium down." I mean, that's, that's the, that's the right approach, and I think that's, that's what I would recommend.
Garrett O'Hara: Fantastic. Yeah, that's, that's some really good advice there. I'm keen to pivot again a little bit in, into sort of your threat report that you guys produced for 2022 and, and very, very, very detailed. It actually covered a very wide range of topics in, in cyber. It, it felt like you actually, you hit on so many, so many things there. What were the big themes or the tre- the trends that people should be aware of in, in BlackBerry's threat report for 2022?
Shishir Singh: Yeah, I mean, if you see the, the BlackBerry Threat Intelligence Report, basically, I would say there are two areas of cyber crime, right? The... One is financially-motivated and APTs, governments, all that. Australia also, which, [inaudible 00:24:56]. You know, a couple of things just come to me is, you know, the first one is Red Ladon. I don't know if you've heard about it. This was a phishing attack on fed government employees. The second one was that agent ransomware. This was basically targeting education and health in Australia, Thailand, and some other places across Asia.
The third one, which recently it, it just comes in our report was that the Mustang Panda, I don't know if you have heard about that. They were basically hiding code in legitimate software bypass technique. So we are seeing a new trend where you know, some of these codes, some of these malwares are getting hidden into the software, which is basically signed by major software suppliers, right?
So people don't doubt it. But the, the cyber criminals are working more like participants in affiliate teams, you know, charging money just for getting access to a certain company's network information.
And this is why you see such a spike in credential stealing, right? And, and, and the data is sold on to groups like nation states and things like that. So, you know, you, you will see that in the next few years to come, there'll be a lot of exploitation in the cloud. There'll be a lot of, lateral movement will happen, you know, once they get into your environment. You know, like one of the things which I was told, that in the last nine months, we have seen close to 11,272 malwares, which was just detected by BlackBerry.
And this is looking into our customers' tenant environments, right? And we were able to get to our customers, you know, give them the intelligence, say, "This is what is happening, this is what hackers are going after. And you can actually go and do something about it." You know what I mean? So, I mean, those are the trends we will continue to see there.
Garrett O'Hara: Absolutely. Absolutely. And look, you know, in preparing for today's conversation, obviously I kinda went through the report, but one of the things that kind of jumped out at me... I'm actually, I'm actually gonna just quote the report, so I'll just gonna read what I, what it said. "While attacks on large organizations dominated the 2021 news cycle, small to medium-sized businesses, SMBs, also suffered countless attacks both directly and through the supply chain." You just kinda mentioned that.
"BlackBerry threat research has discovered SMBs averaging 11 to 13 threats per device, a number much higher than enterprises." That's really interesting to me. What, what do you think is going on there?
Shishir Singh: I think, I, I would say that mostly it is because of the, you know, the technologies and some of the, the gaps in the human part of it. You know, there's a, there's a, there is an increase in the threat landscape. And, and the cloud has definitely given a very different, you know, attack surface, which is making it easier. And the reason I say is that, some of the DevOps kind of thing, there is an urgency of getting the code in the cloud as quickly as possible.
The security practices are not getting integrated as part of the development process and, and things like that. The second thing I would say is that some of the older machines in the lab, which is not getting patched and, you know somebody's not paying attention and some... you know, it's there on your network, that becomes the easy target.
So hackers are looking for those weaker links. Working from anywhere has created another, you know, another way of exploiting some of the, the VPN-related, you know, loopholes there, right? So those are all the areas, is where I see the hackers are trying to come in. Those are all the trends they are seeing, and that's the reason you see a lot of the increase in the, the crime and, and, and the threat there.
Garrett O'Hara: Yeah, that absolutely makes sense. As we're about to run outta time here, I've, I've got one very last question. But this is a really, really interesting area that I think is starting to get much more coverage, which is around the world of post-quantum computing and, and some of the, the stuff that's happening there in terms of, you know, the potential for things like PKI to be at risk. And obviously the, the, the threat report does cover this, and it has, what I, I kind of think might be a little bit of a controversial take on the risk of post-quantum computing to, to that current encryption and PKI, which is the risk being, of PK- post-quantum computing being minimized by prevention first.
I'd love, could you talk us through that perspective as it kind of seems to run a little bit counter to the assume breach philosophy of Zero Trust that's very popular today?
Shishir Singh: Yeah, I mean, see, Zero Trust, I would say that i- if we understand Zero Trust, I would say there are three parts to Zero Trust. One is the secure connectivity part from managed and unmanaged devices, right? Making sure that you are connecting to those applications which you are authorized to access, right? So there is a differentiation between authentication as well as the authorization part of it.
I would also say the remote offices and branch offices also falls in that category. Now, once you have got that secure connectivity in place, then the important part is to making sure you have the right threat protection and data protection, data awareness in the backdrop of you know, hyper-scale edge, which can scale in a much more effective way, right? Now and the third part of the Zero Trust is, you know, just making sure your SaaS applications, your IS applications, your private applications, you know, all of that is actually organized in a way that you can actually, you know, decrease your, your risk exposure, right?
So if you see those three parts of the Zero Trust the, the quantum computing and some of those things we are talking about, definitely the cryptographies and some of those things, you know, w- we have been using RSAs, CC and you know, those kind of DSE and all those techniques forever, right? And, and these are all based on the public key and you know, infrastructure part of it. Saying that the PQC could put some risk on there, probably, but I, I still think that there is a, there is a time, I think those algorithms need to be proven, the compute power, whatever you need to build those algorithms, crypto algorithms.
Because it is all based on a very interesting pseudo random-generating algorithm, which follows a very [inaudible 00:31:44] distribution type of model you know, if you follow that thing. And this is very logarithmic kind of computing we are talking about, where you can do the encryption as well as the authentication in the same way. So I think the time will tell.
I'm watching this field very, very closely, I would say. And one of the things I can tell you, that getting li- little bit more exciting for me is the you know the password or, or you know, the concept of creating some of the pseudo random-based password, which is completely not following any of the normal way of... I can see there is a change, but I still feel like there is, there is time to go and prove those things.
Garrett O'Hara: Yep. I think that's it with, with, with post-quantum computing. I think it is time and it's just a matter of how, how much [laughs]. But, but speaking of time, Shishir, we, we've pretty much run out of time. But I, I wanted to thank you so much for joining us today. It's been great to get the insights into what BlackBerry is, is doing, the, the sort of cyber insurance side of things and obviously your threat report. So thanks so much for joining us today.
Shishir Singh: Thank you, Garrett, thanks for having me, and really good questions. Appreciate it.
Garrett O'Hara: Thanks so much to Shishir for joining us, and as always, thank you for listening to the Get Cyber Resilient Podcast. Jump into our back catalog of episodes and like, subscribe, and please do leave us a review. For now, stay safe and I look forward to catching you on the next episode.