Webinar #5: Zero Trust and 5G Mobile Phones

Zero Trust and 5G Mobile Phones with guest Junaid Islam

5G and cybersecurity expert Junaid Islam discusses with us how 5G presents even greater cybersecurity challenges for the future.

Webinar Transcript

Marv: [00:00:03] Junaid, thank you very much for honoring us by joining our webinar today. Junaid and I have worked together for several years, although I didn’t know him in his early career. But he’s one of our national heroes who has been taking care of special networks for the nation for decades now. And he’s willing to share his new knowledge about 5G and how that relates to zero trust and so on. Junaid, give us a little bit of your background so people can understand that better, and then we can get into the subject.

Junaid: [00:00:36] Sure. Well, thanks for having me on this call. So I’ve been involved in secure communications and I’ve just realized, not 30 years but 32 years. I graduated in 1989. I got hired by the US government, specifically the national security team, right out of school. In fact, I had not left the university. Somebody hired me as I was walking down the hallway and I should warn anybody who goes through that, never take a job from somebody you don’t know as you’re walking. But as the United States was deploying its first set of secure comms around the world, I was involved, really as an installer. And that’s how I started. And I have to give a lot of credit to the people who hired me, because not only did they train me a lot in a lot of advanced secure comms techniques, but then they also trusted me to do the work. And I supported U.S. personnel around the world in combat missions and counterterrorism missions, not as a fighter, but as an installer. After that, I went to a safer career path. I started developing network protocols. Actually, I’m suspicious they put me in that job just to have me sit behind a desk. But I helped create MLP, which is still used today in weapons control systems. So that red launch button, there’s a protocol for that. And I created the frame relay prioritization scheme. That would have been a little bit later, 1995, that I did emplace routing. It’s just going to the Bufferin Key Management. After that I got hired by netcentric warfare, the people who knew me right at the beginning of my career, and I worked on Mobile IPv6, which became a part of 5G. Then after that I actually got hired by the US intelligence community to work on access control for us, which became a part of 800-207 zero trust. And yeah, so I’ve been doing this a long time. Kind of sad seeing job for the last thirty-two years, but I’m happy to be here and answer any questions you want.

Marv: [00:02:45] But we’re glad to see you got onto the forensic cyber side of it before the cartel guys found out about it.

Junaid: [00:02:54] But yeah. Yeah. So yeah, as you know, there’s a lot happening in cybersecurity in 5G and zero trust. And I look forward to this conversation.

Marv: [00:03:05] So tell us a little bit about what you’ve been doing in 5G and why you’re so concerned about cyber security. I know you have a lot of concerns about where we’re going and where it might lead us in terms of vulnerability. And I know that ties back into your zero trust background. So just explain that a little bit to us.

Junaid: [00:03:23] Yeah. So the big difference between 5G and 4G is they’re completely different. So the most important thing I would want people to get out of this short video is don’t assume that because it’s called 5G, it’s like 4G except faster. That’s the mistake everybody makes. In 4G, you know, your phone is your phone. It’s a phone. The network that handles your phone is like a switching network, right? Now, more advanced, but the same thing. In 5G, everything is a compute device. Your phone is not a phone. It’s actually a computer that’s running a program called Phone to allow you as a human being to interact with it with a dial pad. The network itself is completely software defined, how it routes the call, where it does the call processing. So the good news about 5G is it’s very powerful. It’s actually a programming language. You can move the modules, the software modules, around in a 5G network from the edge to the RAN to the core to the MEC node. Right. And it gives you huge flexibility. You can actually create services in 5G for smart transportation or autonomous cars or entertainment systems. The downside is all this flexibility is introducing huge new vulnerabilities and risks into our communication system that we were never designed for. So if you just think about, let’s start with something very simple. Here’s your phone and you talk to it. Right. In a 5G network, someone can add software or change software on your phone, which is, this is a feature of 5G.

Junaid: [00:05:00] Right. So all of a sudden, someone could turn your phone into a speaker phone and you would do that. Or the other thing that happens in 5G is when two people are talking, if we’re talking on a 5G call, there’s actually a data path between your phone and my phone. And some of the packets are voice, but some of the packets are control packets. So, you know, you can do funky things with 5G phones that don’t exist in 4G. Like you could have one phone take over another phone. Now, this wasn’t done for a mean purpose. This was all done in the future IoT context where you might have smart transportation systems and you’re pushing forward software and you want to create auto update. These are all good reasons. Right. But you can understand from a national security risk perspective, this whole host of new features has shown up on the shores of America. And really, we’re not prepared to understand it. We’re not prepared to kind of manage it. And it’s kind of caught us off guard. And, you know, this is where everybody on the national security side has to really look at this and do a lot of things, expand the risk models, change procurement, look at software much more critically. If you remember the SolarWinds attack, it was pretty bad. Now, imagine the SolarWinds attack on everybody’s phone in America, it’d just be kind of devastating.

Jim: [00:06:29] So you need to know the net net of SolarWinds was we don’t really look at logs. So now this big observability buzzword is where we’ve got to continuously monitor everything, which is kind of part of the five pillars of zero trust. So could you maybe explain where it is? Do we have to get really quick up to speed on zero trust before we can make 5G work, or is it a parallel effort or?

Junaid: [00:06:55] Yeah, so I think that’s a great question. I think zero trust gives us a great model. Right. And the most important thing in the words zero trust is, let’s start with the words zero trust. Right. So zero trust basically says if you have something like your phone, you need to not trust it because unlike you know anything about phones from 60 years ago, the cable. Right. At least you know exactly what it was doing. And yes, someone could tap the line, but it was within a boundary of, OK, the only cyber attack is someone tapping my phone line. With 5G, someone can actually redefine what your phone is into something totally different. I mean, they can turn it into a surveillance system. So this notion of zero trust is actually a useful tool, both mental and security framework for everybody to adopt. Right. So, for example, in the classic DOD approach to vendor procurement or supply chain risk, we will look at the vendors to make sure they’re not foreign companies. Look at the people, give them security clearance. Right. What we find is now with 5G, we have to extend that model. So maybe somebody that you know and love, he has been a friend for decades, he’s doing something, but because 5G has all these software blocks coming from a global supply chain, maybe somebody infiltrated the supply chain, 10 or 20 companies down. And now that person you trust, that you know, is actually using a block of code that’s been infiltrated. Now, having this notion of zero trust, which is OK, we can’t trust anything, even if we trust the people, then the question is what kind of automated systems do we put in systems to look for modifications in code? So an example there is taking the hash of the libraries that developers do and then keeping a copy of the hash so that when you use that software, it’s exactly what the developers gave you, because by the time someone writes a piece of code, even if they’re fully cleared as a DOD vendor, right.

Junaid: [00:08:55] By the time that code bounces around and gets in a tactical system, you know, there’s many places where the code could get swapped. Right. And so we have to think about risk in a much deeper, broader perspective, because these 5G systems use a lot more software. Moreover, 5G is designed from scratch to update software. It’s one of the features of 5G. You don’t have to, like, you know, like as Martineau’s, bring a ship back to port and take two years to fight this. 5G, you can do really clever things, but that also introduces risk. So to your question, Jim, I think zero trust is a good philosophical model, which is, and it’s not about people. It’s not saying, hey, we don’t trust American vendors and all this other stuff. We’re saying the system complexity is so high that even people you trust, they could be infiltrated and not knowing it. So we need a zero trust architecture that’s looking at all of the software components in our system on a nationwide basis.

Marv: [00:09:59] And we haven’t talked about this, but you’re making me think about it. So why don’t we control all this software that’s part of 5G through some kind of an authorized blockchain system where you keep everything in these hash blocks?

Junaid: [00:10:16] So that’s an idea that a lot of people have been thinking about. I mean, they’ve been thinking about this for a few years. And I think the silver lining of the SolarWinds attack is people realized, hey, maybe this is this old idea of basically tested software. Now people are realizing, hey, maybe this is important. And if anything, I think that this is something that you can do. It’s relatively inexpensive. It’s actually a relatively inexpensive idea, which is all the good vendors, where they are, they take hashes of their code and then we put it on a blockchain and then you run agents on anything, your Navy ship, your plane, and it checks the inventory. And the beauty is people might say, are we disclosing something classified? And the answer is no. It’s just the hash. The hash doesn’t say what it is. It doesn’t say satellite imaging system or it’s on a fighter plane or this is just a radio for a soldier. Right. It’s basically a big set of numbers with another set of numbers. And then the other thing you want to do is replicate this hash library around the world. So if you’re on a Navy ship, they can just verify very quickly whether the software is there. And because this is such a lightweight process, I would say let the agents run all the time because, you know, I mean, you got computational systems go up and down. So during quiet periods or night time or when they’re out of service, they can be scanning all the code because there’s always the opportunity for foreign agents to basically stop or replace code right there.

Jim: [00:11:50] So go back about 14 years. I consulted for Fortify and they couldn’t get anybody in defense to scan source code. So they were smart. They went to Congress and got it written in congressional law. So here we are 14 years later. And now the challenge is, yeah, it’s great to scan source code once or twice every year. But now this new idea of observability is you have application performance monitoring and you put snippets of code in the application code so you can actually monitor the application while it’s running. But that’s a culture shock to like, you know, I’m going to monitor geeks while sitting on the USS Roosevelt and I can tell when the database is down. So I think, again, the observability buzzword is still catching on. There’s, you know, there’s a company called Observed that started, there’s Splunk doing it, now Elastic’s doing it. So it’ll be interesting if they understand you’ve got to actually monitor that, because in the old days, we still just, we’re going to monitor logs.

Marv: [00:12:52] So that’s the replacement for continuous monitoring?

Jim: [00:12:56] It’s a subset. Observability is logs plus metrics plus application performance monitoring. But it’s the idea that you’re not just monitoring the net traffic or monitoring the system logs. But you’re actually monitoring the actual application and you can see when there’s an anomaly in some applications running and suddenly it does weird things, right. So it must have malware or something introduced to it. But again, that’s a culture shock because I still go into programs and they’re like, oh, we ran Fortify six months ago. So it’s all good.

Junaid: [00:13:28] Well, so this is a great example of zero trust, the philosophy. Right. You could say in the past we used to do an annual security review or we used to do a vendor review, make sure the vendor is good and the people have security clearance. Right. But now in this world of very complex software, the person you love and trust, their software could have been swapped and they don’t even know over before it comes all the way to a Navy ship and then it gets locked by somebody else. Right. So if you say, well, we could have a cyber attack any time from anybody, then we say, oh, well, why don’t we adopt a zero trust architecture? What does that really mean? It means constant re-evaluation. So the way we calibrate and monitor our systems is different. Right. So we need to move to an environment of continuous monitoring of the whole stack. Looking at not only the classic cyberattacks of, say, credential theft, somebody pretending to be somebody else and coming in, to newer lateral-moving malware, which is how Russia attacked Ukraine in 2017. It is also how Iran attacked Saudi Arabia in 2017. You know, to look at these connections that are coming from nowhere, going to nowhere, to what we’re just discussing. Well, now we actually have a global supply chain problem. Right. Where our code is so complex and we are using libraries and maybe the library is good at one instant in time, but someone changes the library. Right. And now this is very tricky, right?

Jim: [00:15:02] I use SolarWinds for my security and I must trust it’s good because.

Junaid: [00:15:09] Right.

Marv: [00:15:10] So relative to your point about the things that need to be done about this, what is being done? Is the national security community embracing any of this and actually trying to work on trying to change the paradigm rather than just trusting Verizon and AT&T?

Junaid: [00:15:28] I think everybody is thinking about this, which is good. I think the recent cyber attacks at Colonial Pipeline were an example of how something relatively simple like a ransomware can create national scale problems. My hope is that at the national security level, we do start making some changes, as both of you know. Well, you know, the DOD and intelligence community are gigantic bureaucracies. And, you know, they’re going to have to institutionalize not just cybersecurity, but I would say technology. I mean, part of the problem is we’re just talking about 5G. I mean, people don’t understand the technologies. And if you don’t understand the technologies, like in the sense that 5G’s a programming environment, it’s very hard to understand the security risk and then what to do with it. Right. So we’re seeing this as a symptomatic issue. I mean, let me just pick a random topic. Quantum computing, right? I mean, is it a threat to America? Is it an asset? You know, and what you find is it’s both depending on how much effort we put into it. So I think we need to do more in terms of security, but not security in the classic sense of let’s call a security product.

Junaid: [00:16:55] We need to do more in terms of rethinking how do we build these big systems, architectural issues. So one of the reasons NIST called it zero trust architecture versus zero trust security, the NIST people are 100 percent correct. It’s actually the architecture. Right. So that means you are secure by default or secure by design. That means how is the whole architecture built? Having all of the security just talk on a Navy ship context of. If the whole Navy system, if on a ship, the weapons control system and the imaging, they’re all intermixed, right? I mean, it doesn’t matter if one system is secure, it’s connected to all of the other systems. Right. So how do you think about it? The security has to be integrated in the architecture, has to be secure within the blocks of code, need to be secure. And this is where I think. It’s great the leadership at the national security level is looking at this, but we now need to start doing this and I think that’s a long way to go still.

Jim: [00:18:00] Can you comment? So I’m, we’re involved in some DevSecOps, right? The idea of go fast. We can’t wait eight years to build a system. So the idea of microservices and putting everything in Kubernetes containers. But then part of that whole DevSecOps is, again, continuous monitoring, but it’s like insisting on a positive. They’ve gone from RMF to this idea of continuous ATO. But again, the challenge of really going to connect to that Joint Strike Fighter and upload software in real time without the old traditional, I’m going to test it for two or three weeks or a month. And maybe comment on, do you think the culture will change where we do trust a software upload to a major combat system or what?

Junaid: [00:18:47] Well, I think that’s a great topic. So I think just using zero trust, zero trust, really the way we think about it today is as a network technology. And there’s great companies like Palo Alto and these are doing it. But we have a new wave of trust companies who are focusing on APIs and data. So there’s a company called Coursera which is doing API based Zero Trust for the Air Force. And there’s another company called Message, which is doing zero trust data protection, where they take a block of data and they wrap it in a MEDITECH. So the good news is there are a portfolio of new tools, zero trust tools coming out. The tricky part is basically merging, adopting those in an organization as large and complex as DOD is. And that, I would say, is a leadership issue. And I say that in a good way, not in a mean way. There’s a lot of pressure. If you’re an admiral or general, you’ve got, like, an infinitely long to-do; to have, like, one other item, it’s kind of stressful. Right. But having said that, I think technology and cybersecurity do, what’s the word, deserve a spot at the weekly national security briefing. I think it’s become that important where we as an American are a technology based society now. And I think, you know, it’s risen to that level. It should just be a standing item at the National Security Council.

Marv: [00:20:29] You know, you and I both know from our previous experiences the frustration with how do you get a leader to understand enough about what the technology and the challenges are to actually try solutions because they’re bombarded by a thousand solutions every day or every week. And everyone says the same thing. We got the answer, just trust us and buy it. And so they have a hard time deciding who to trust in their cybersecurity chain. And then even in the cyber security chain, we have turned it into a cottage industry. So a lot of the people in the cyber security chain don’t have very much knowledge either. So we get overwhelmed by complexity. And in my opinion, it makes people have a hard time making decisions about it.

Junaid: [00:21:16] So I think you’ve actually touched on an interesting topic, which is one that I’ve experienced personally, and that is technology really, in the past, has never been a first career path at the DOD. I mean, if you think about it, I mean, the career path of the DOD is all at the warfighting level. And I mean, that makes total sense. Right. But as technology becomes a part of warfighting, what happens is most of the senior leadership, and they’re all great people, they’re all American heroes, aren’t really experts in technology, and this is very tricky for them. Right. And some of these things require knowledge that takes 10 or 20 years to gain. You know, I’ve been in meetings, which I think you’re kind of like hinting at, you know, where you meet somebody very important, you know, and, you know, they call together experts. And I’ve been at these meetings and I know others have been. And the meeting is always the same, where first the extremely important person thanks all those technical people for their decades of service. And then they say, well, what this topic and we start talking about something like quantum computing and it goes well. And then we start talking about entanglement or you talk about hypersonics and then you talk about material sciences or you start talking about 5G and then you talk about the complexities of our I think your friends joining and military millimeter wave calibration and always the important person at some point at the meeting I’ve been through, this will look back and say that’s a lot to think about.

Junaid: [00:23:00] I’d like to thank everybody who’s in this briefing to provide this valuable information. So at that point, you know that you kind of lost the right. But so I think DOD has to take a hard look and the intelligence community and say, you know, they created some of this problem. They didn’t create a career path for purely technical people. You know, I mean, if you just think about the ranks, there’s not a career path for someone to, you know, who might have started as an install and comes that to stay within the architecture and rise to a senior rank, to become a general and admiral, to become the director of the CIA, that career path doesn’t exist. And we as a country are now facing issues that have a big technology component where you have to understand a lot about material sciences before you understand, is hypersonics feasible or not? You have to understand a lot about physics before you can make a judgment on should we burn a couple billion on quantum computing or not. You have to understand a lot about communications to understand how do we connect warships to fighters, to submarines and do these techniques. These aren’t trivial decisions. These require a lot of depth. And I think the DOD needs to take a hard look at attracting engineers and then keeping them for the 20 years it takes to groom a general. I mean, it really takes that long to groom somebody, right. And you can’t have somebody drop out after three years. And I’m going to work somewhere else.

Jim: [00:24:40] Like in the Navy, the engineering career path may be less acquisition-centric and maybe more technical. And I think it’s going to be even more amplified with AI/ML and, you know, who pushes the button to a hypersonic threat. It’s not humans that are going to be involved anymore. Yeah, it’s going to be an algorithm.

Marv: [00:25:00] So an interesting comment about what you’re saying, Junaid, is we do have an example in our history where we created a technical career path around a very serious problem. That’s nuclear-powered submarines and ships. And it was done primarily because Hyman Rickover was the officer who started that whole culture, and he was dedicated enough to spend his entire career in the culture. And Congress was smart enough to make sure he stayed in that culture to continue to shepherd it. So right up until he was in his 80s with Alzheimer’s, he was still in the Navy as a Navy admiral, but he literally created the career path of people that could understand nuclear power, run nuclear power plants and make sure that nothing happened. And the net result is if you look into the records, the submarines in the Soviet Navy have had a large number of very serious nuclear accidents and we’ve had no serious nuclear accident. But how do you recreate that in this new world without finding some new 5G cyber security person that’s going to carry those reins forward? That’s a tough cultural challenge. And I think you’re right.

Junaid: [00:26:16] Well, I think we have no choice. We have to create a career path now where the DOD gets people in at the age of 20, trains them. I mean, I was fortunate that I got trained more than 30 years ago and I benefited from that my whole life. But in my case, there clearly wasn’t a career somewhere else. Right. They have to do the opposite. They got to get young people. And the great thing is young people are excited to join the service today, but then they get kind of disenchanted and leave. While they’re excited, train them, let them do things, let them create 5G networks and then give them a career path to become a captain and create those career paths so they can become a general or an admiral or the head of an intelligence that that is. I think what you said about the nuclear power plants in submarines is one hundred percent spot on. The reason the United States has a fantastic war fleet is people. It’s not the contractors, it’s not the defense contractors. It’s all about the people who have stayed with nuclear submarines decade after decade. And having been involved in technology, I can tell you right now it’s the people. You can have whatever, whiz-bang, whatever. If you don’t have the people who understand it, understand how to use it appropriately, but also understand how not to use it. Understand the limitations. We’re talking about things like network tactical warfare systems. Jim just mentioned and you also mentioned machine learning. Right. Machine learning can be fantastic for attack target acquisition, but in the wrong hands, you know, it’s going to kill the wrong people very quickly.

Junaid: [00:27:57] Right. So it takes a long time to understand machine learning. It takes a long time to understand how the coefficients and the algorithm can change decision making. Then when you have the complexity, know this is actually connected to a targeting system, you know, that’s kind of terrifying. Right. And it takes decades to build that experience. So I hope that DOD will take this to heart. You know, again, realistic that this is just the webinar, but really do the right thing for the young people in their 20s. And then as they mature through the system, then they will have the right effect on procurement because the DOD contractors will have someone who is their equal or greater, right. Right now, the DOD contractors, again, great people. And I’m sure you’ve been in meetings where the person in uniform is nervous about arguing with the defense contractor. Right. Because they’re talking about these technologies and the people in uniform are very polite. So they’re sitting and smiling. Right. But they won’t ask questions. Right. And that’s only going to happen with someone who’s been there for decades, been trained, had that experience. So I think if anything, I think DOD should take this new technology-heavy, cyber-heavy direction we’re going in and really, you know, get these people in their 20s as they graduate, also get grad students, PhD students and give them a career path. I think that’s the most important thing.

Marv: [00:29:28] So we are getting along towards our 30 minutes. Jim’s got other questions, I was going to let you maybe wrap up some of your thoughts by thinking through. If we really had the ear of the current Biden administration in these areas, what would you recommend that they do that could be done on a timeline, that an administration can actually start to make a dent in it? Because we all know Washington runs on administration time more than time time.

Junaid: [00:29:55] So I think the best thing we could do, which will cost taxpayers nothing and help America, is get people to talk. Right now, all the technology discussions are treated like weapons procurement. You’re on a base and you need, let’s not do that. Let’s get people in uniform out of the base, talking to startups, talking to big companies, little companies, talking to inventors, talking to professors. If there’s one thing Americans love, they love seeing people in uniform. They just get a kick out of it. They just do. Right. I mean, everybody knows that. They just love seeing people who just joined the service. Take advantage, push them out there into the world, just get them talking. I think that’ll help a lot because then it’s not a procurement decision or it’s not. You know, it’s just like just talk to people and there’s startups everywhere that have new ideas. Don’t make it a problem. Send them over, send them out of the base and talk to them. What did you invent? Can you show me? You got a new battery? Show me. So one, DOD has to change its posture. When you get to what could the White House and DOD do together, I think we need to create more small experiments that are about learning, that are more in the two to four million dollar size, not one hundred or billion dollar procurements, where we find somebody who’s invented a new kind of millimeter radio.

Junaid: [00:31:19] Great. Let’s give them two million bucks and say part of that two million, you’ve got to train these people in uniform on your system for better or worse. And then you guys in uniform who just learned this, you’re going to work with this other team, with what you learned and now you’re going to do something. So we have to get that going, right, because we need people who have that knowledge. And then the other thing I would ask the White House to think about is just what we discussed. The White House has the capability, in cooperation and coordination with the Department of Defense, to now create a career path. And they should mandate the first general, our first technologist general. So and that position now and let’s fill it in a decade. And now let’s short list ten thousand young people and tell one of those tech you. Among the first ten thousand will be America’s first DOD, general CTO, general technology. Right. Something like that. I think the White House can easily do that. The other things the White House is doing are good, like the stimulus. And obviously there’s a lot of people working on that. So I think I don’t want to add any comments there. But I think on the people side, I think the DOJ can do something very, sort of, the White House can do stuff very quickly that can make a lot of changes.

Marv: [00:32:46] Well, I hope that that’s what happens, because it certainly needs to happen quickly if we’re going to start to turn this around, because we do have probably more national security challenges now than we’ve seen in a long time. And clearly, the Chinese are very dedicated to taking their place on the hierarchy of countries in the world. And so we’re going to be watching to see where that goes. Your last comments, Jim?

Jim: [00:33:10] No, I’m good. I really appreciate the discussion. And probably we’ll have some more follow on Twitter.

Junaid: [00:33:19] Great, thanks. Thanks for having me. And I hope this is useful. Take care. Bye.