In an interview this week, Young spoke about the progress that McAfee has made as a separate company over the last year, his views on the online security market, the biggest threats that individuals, companies and governments are likely to face this year, and the pressing need for security in a world of connected devices. Edited excerpts:
How often do you visit India, and how important is this market for McAfee?
I came to India about 15 years ago. I have been coming regularly ever since. One of the reasons I am here is because we have an important partner and customer base here. Most products in our organization have some, if not all of their products developed out of here. We also have about 2,000 employees in India. I try to spend an equal amount of time with our teams, customers and partners. India is unique because many global service providers cover customers from here. We, too, have a growing customer base, given that the Indian economy is growing.
There are numerous online security vendors. Is McAfee any different?
Most organizations in the cybersecurity marketplace are small and have one or two products. We are one of the few companies that provide solutions for both companies, corporations, governments, as well as consumers. Our business today is to protect our 400 million consumers, which is a sizeable footprint for us. We work with our partners extensively not just in the PC (personal computer) ecosystem but with telcos too. An important part of our strategy is that we are here to protect our customers’ data to stop threats on any device users use, including applications and data our customers are running in the cloud. We do that uniquely through an open ecosystem to integrate their architecture and increasingly provide more intelligence in every aspect of the cybersecurity service stack that we provide to our customers.
What are some of the biggest threats that individuals, companies and governments will face in 2018?
Cryptojacking is the biggest threat right now. It is another recent interesting example of the way attackers can monetize by using machines and their compute cycles effectively to mine for cryptocurrencies and then cash it out. It is more interesting from a criminal justice perspective because you haven’t stolen anything. This is why cryptojacking has risen—because the consequences would be very low unlike large data breaches and data thefts where hackers take that information and monetize it in the open market, exposing themselves to a lot more risk.
The other one I suspect would be the US elections in 2018, which will have quite a bit of activity related to cyberattacks. It’s not just attack on the infrastructure—it’s about using information to mislead or misdirect people. There are very basic things, like you see attacks that happen where an attacker might take over a website and send voters to the wrong voting address, as an example.
Have security threats ballooned because of the IoT (Internet of Things) trend?
The attacks that we will see on the connected devices are yet to take shape in a broad-based way. The Mirai botnet (a malware that remotely attacks connected devices) attack we saw on the internet service providers in 2016, was one of the largest we had ever seen. Those were based on botnet armies that were built off connected devices. I suspect that as other connected devices come online—as we go to self-driving vehicles and continue to have smarter homes and smarter workplaces all through connectivity and data analytics—it’s going to open other surface areas for attacks. Currently, there is not enough financial gain that criminals can get from such attacks—cryptojacking being one. But we will see evolution of attacks over time.
What are the learnings from the Intel chip (Spectre and Meltdown) flaws?
This issue (Spectre and Meltdown are the names given to the vulnerability that affects nearly every computer chip manufactured in the last two decades) threatens the foundation of computing itself. Industry players took it very seriously. We collaborated and worked very quickly to make sure that remediation is in effect and help was at hand for organizations to deal with the risk presented by the issues.
Aren’t such threats making the Dark Web more imposing?
Whenever you see one of these new methodologies take off, they usually start out as attacks and then they evolve into kits and software that get developed sometimes as Software-as-a-Service. That way, attackers can focus more on the attacks and less on technical development. The Dark Web is most often associated with TOR networks—acronym for “The Onion Router” technically. Ironically, it was created by governments as a communication mechanism to be off the traditional internet. It was designed to facilitate things like free speech but has evolved into a medium by which different players, who seek not to be identified easily, use the Dark Web or TOR network as a way to communicate.
How big as a percentage of the total internet, according to you, is this Dark Web?
I have never thought about it. I suspect it is quite large but given the size of global internet, it is hard to pin down how one relates to the other in terms of actual size, number of nodes or transactions or bandwidth, etc.
How do you see the role of newer technologies (artificial intelligence or AI, machine learning, etc.) in addressing sophisticated cyberattacks?
I think that advanced analytics tools, AI and data science methodologies are having, and will continue to have a large positive impact on cyberattacks. These methodologies are about pattern recognition and training. We are always very cognizant of the fact that our adversaries will study the methodologies that we employ and try to find ways to either misdirect or mislead or avoid, or cloak, their activities in a way that makes it harder for us to spot them.
But I do think it’s going to raise the bar with these advanced methodologies. We are using deep learning, machine learning, among other methodologies that fall under AI or data science, to extend more and more extensively across our products portfolio. For instance, we just shipped a new product called McAfee Investigator, which uses deep learning.
In the broader context, do you see all these cyberattacks escalating into the large-scale cyberwars between nation states?
One mistake that you could make, looking at the digital space or cyberspace depends upon what terms you choose to use, is to assume that everything will be like the physical world because it won’t be—it’s a different paradigm. Geography doesn’t mean anything inside the space as an example—our laws and regulations as they relate to adversaries don’t necessarily mean the same thing in cyberspace. I do think that cyberspace will become a medium for certain types of conflicts between nations but I can hardly predict exactly how conflicts would play out.
You also serve as a member of the US president’s National Security Telecommunications Advisory Committee (NSTAC). What is the nature of your role there?
NSTAC has been around for over 30 years. Started under former president Ronald Reagan, it is a forum created for the executive branch of the government to work with CEOs and senior leaders, technology companies, telecommunication companies on issues related to security. Traditionally, telcos were part of that group. But the scope has broadened over the last few years to include matters related to cybersecurity. I was appointed over a year-and-a-half ago. I came during the latter part of the Obama administration. We work with the administration and executives who are focused on cybersecurity. We have worked with the department of homeland security as well as White House. We work on various projects. For example, we tackle issues like IoT and think about the considerations for the government from a policy and public-private partnership perspective. We produce studies/papers, meet senior officials from administration and homeland security officials and other parts of federal government who work on these issues, and also provide them with insights.
You also helped establish the Cyber Threat Alliance (CTA), and are on its board. What progress have you made as part of this alliance?
We have done a good job of collaborating with other cyber security companies around specific topics. For example, we have been able to produce a series of research reports, playbooks, have been regularly producing IOCs (Indicators of Compromise) for the industry. We share all this information among different companies that are part of CTA. Originally, there were four companies—McAfee, Symantec, Palo Alto (Networks) and Fortinet—that have been working together for about three years. Last year, we formally established the CTA as an independent alliance. We have brought a number of new members on board—for example, Cisco and Check Point (Software Technologies). We are pleased with the progress that we have made. There is still a lot to do. The threat landscape is multiplying and we see tremendous innovation on the part of our adversaries. But we are working hard individually as an organization and together as well as part of CTA to raise the bar.
On the academic front, you hold a bachelor’s degree from Princeton University, then MBA from Harvard Business School. Did you ever imagine that you would land up in the security business?
When I was in college, we did not call it cybersecurity. A lot has changed. I started a company in 1997 called Cyveillance (acquired by LookingGlass Cyber Solutions in 2015). That company was one of the early players in the broader spectrum of cybersecurity. Even back in those days, we would call it info-sec or IT security. When I was in college, I never imagined that I would necessarily be into this. Today, there are great technologies and tools, and improvements that can through technology make our lives certain without trade-offs of losing too much of our safety and security in the process.