Fighting Federal Cybercrime with FIDO2 (S1:E8)

March 10, 2022

In this episode, we are joined by John Guerrero, Business Consultant for Identiv. John’s tech roots run deep and he discusses how federal government agencies can be more intentional about aligning their operations to the latest industry standards and protocols. We also cover how FIDO solutions and FIDO2 hardware security keys are increasingly being recognized as the responsible way to solve government cybersecurity challenges.

Full Transcript

Speaker 1 (00:01): You're listening to Humans in Tech. Our podcast explores today's most transformative technology and the trends of tomorrow, bringing together the brightest minds in and outside of our industry. We unpack what's new in physical access, identity verification, cybersecurity, and IoT ecosystems. We reach beyond the physical world, discuss our digital transformation as a species and dive into the emerging phygital experience. Join us on our journey as we discover just how connected the future will be and how we will fit into that picture. The US federal government is a complex heterogeneous ecosystem of departments and agencies creating, disseminating, and storing significant amounts of often sensitive data. This sector is no stranger to the scourge of cyber crime. Identiv tackles cyber crime in the US federal government with hardware security keys. Leigh Dow, VP of Global Marketing at Identiv, is joined today by John Guerrero, business consultant at Identiv, to discuss how security keys are increasingly being recognized as a sensible and responsible way to solve the federal government data security challenge.

Leigh Dow (01:15): In 2018, over 31,000 cybersecurity incidents were reported by federal agencies. The following year, the US government accounted for 5.6% of all data breaches and 2.1% of exposed data in the country. October 2020 saw an attack by Iranian hackers on state election websites aimed at downloading voter registration information and conducting a voter intimidation campaign. Just one month later, multiple US government agencies revealed breaches by Russian hackers.

Speaker 1 (01:42): What action is being taken to fight this wave of attacks?

Leigh Dow (01:45): A recently issued data breach notification bill, the Cyber Incident Notification Act of 2021, would require federal government agencies, federal contractors, and critical infrastructure operators to notify the Department of Homeland Security, Cybersecurity and Infrastructure Security Agency, better known as CISA, when a breach is detected so that the US government can mobilize to protect critical industries across the country.

Speaker 1 (02:10): So, what's the biggest challenge to put this into play?

Leigh Dow (02:12): One of the pervasive challenges to building impenetrable federal government cyber defenses is human error, often the weakest link in the security chain. Government employees are prime targets for cyber attacks, because they have access to sensitive data such as financial, economic and military records. Hackers typically target government employees using phishing scams posing as trusted sources to access login credentials. But there's a solution and we've got John on today to talk more about it. To start, John, maybe take our audience through your background. Your roots with Identiv run pretty deep.

John Guerrero (02:44): Yeah, I've been affiliated with Identiv for probably 18 years now, back when they were SCM Microsystems. I started my career in multifactor authentication and cybersecurity as a technical supplier in the industry, and quickly Identiv became one of my primary vendors. For the course of the next, I don't know, 10 years after introductions with them, we worked together. When I decided to move on to my next phase of career, Identiv reached out and it was a perfect fit. I joined the Hirsch access control team and worked there for I think five or six years as a global VP of sales and services, and received one of those offers you can't refuse from MasterCard. I jumped on that for a little bit and then it looked like a family issue popped up, and I had to relocate back to Arizona. At that point, Dr. Mueller invited me to join his team, and it took all of about 30 seconds for me to say yes, having such familiarity with Dr. Mueller and everybody else on his team, really. It was just a logical progression for me. Then with 2020 being the tumultuous year that it was for everyone, I had some adjustments to make for family from health issues and just adjustments to the whole norm of working remotely. Again, I decided to move out on my own, start up another business, and fortunately I've been consulting with Identiv now for a little over a year. It's been a good fit and we've had a lot of focus on specific products, and it's been great.

Leigh Dow (04:35): So, I have a similar journey. Definitely been consulting for a long time and then came across Identiv, and of course Dr. Mueller as well, and I just have really enjoyed working with him. What connections can you draw between the work you were doing with federal physical security 10 years ago, and identity devices today? What's really changed?

John Guerrero (05:00): Well, it's funny, because it's what hasn't changed I think is where the biggest connections are. It's what hasn't changed that's brought about a lot of change. I'll try to explain myself there, but 10, 12, 15 years ago the federal security platform was built around PKI, and the technology today still remains in place. There have been some advances in the technology, but the fundamental foundation of the platform is still the same. With that, the CAC and PIV initiative started for the federal space for all the civilian DoD users. It's just one of those things that that authentication method has stood true, it remains the primary authentication measure for the federal space. Both the physical and logical access teams that I work with at Identiv have always built solutions and supported solutions around the advancements in the technology and the growing use cases. I think just as equally important, the user experience around those CAC and PIV initiatives, because we're not talking about one agency, we're talking about all the agencies and literally hundreds and thousands of millions of users globally. So, it's that whole commonality there and the change that came within that commonality of the technology, that's kind of been the glue of the relationship I've had with Identiv and both teams.

Leigh Dow (06:39): Can the federal government agencies become more intentional about aligning their operations to the latest and most robust industry standards and protocols? Is that necessary?

John Guerrero (06:48): It is absolutely necessary. I think what the question is there really is how do you get this 900 pound gorilla that is the federal government to adjust accordingly to the fast-paced changing IT security landscape? In my opinion, one of these steps, and probably one of the biggest steps is opening the lines of communications. I think the federal government took a good step towards that with the development of CISA, the Cybersecurity and Infrastructure Security Agency. That was developed in part, not the only part, but in part to open up the communication between parties and address new technology. That technology can be used to either help secure data, or conversely be used by the distractors out there to steal data. So the more communication and information that can be shared and flows, the better prepared the federal government can be to address these efforts.

Leigh Dow (07:53): I definitely see more legislation around security these days. My background, I worked in the Senate for a bit and drafted legislation, and just in the last probably seven or eight years, I've definitely seen much more legislation around security and more mandates around security in the federal government. Now, the trick is that many of these mandates are not funded or the funding isn't earmarked for the mandate, and so now it's going back and saying, "Okay, well, these security measures are super important, but the funding isn't there, or how does the CIO or the CISO earmark those dollars to make sure that the mandate is implemented?"

John Guerrero (08:42): Yeah, and I think unfortunately, and this is, again, just my opinion, I think inevitably what's going to drive that funding is going to be the unfortunate incidents like we recently had with the pipeline hack. It's going to take some unfortunately bad things to happen to really make the government sway into saying, "Okay, this must take more of a priority." I mean, that's how initially the CAC and PIV initiative started. There's just a lot of things that really, it's unfortunate to say, but have to go wrong in order for people to really wake up and pay attention. Now I think they've understood this, but again, the advancement of CISA, some of these initiatives that you've mentioned that as of late the presidency has enacted, but really in order to not just be a passing fancy, it really needs to be maintained, funded, watched, and advanced.

Leigh Dow (09:47): I agree. I think security companies and our associations that we're members of are doing a lot to try to also increase the education about these technologies, because it is complex.

John Guerrero (10:00): Very much so. That's the one thing that I've always enjoyed about working with Identiv. They've been so entrenched in the federal business for so many years, that they are a voice to be heard. They have a great technology on several levels of the different teams with different solutions, and there's a big understanding here of what needs to happen, how things need to happen and how we go forward to become that voice that says we understand what you need from a security requirement and we understand how you need it delivered, and we understand the importance of the support and the user experience going forward.

Leigh Dow (10:39): Through its program, the US General Services Administration, GSA, has rolled out a single sign-on approach across different agency applications. Use of FIDO, Fast Identity Online, is obviously one option. Tell us about your experience with FIDO and FIDO2.

John Guerrero (10:56): So from the inception of FIDO, which goes back a few years, we're talking 10 years here, I've really been a fan of the technology. Now I've only been involved in it for probably the last five or six years, but without making this a conversation or discussion on where passwords fail and without making this a really technical conversation, I will say that it's fairly easy to break down what I like about the technology. Having a history of deploying and supporting MFA and PKI solutions, from a high overview, the FIDO solutions, they're very strong authentication methods. It utilizes standard Public-Key Cryptography, so it is truly a strong authenticator. The open standards that FIDO and FIDO2 are built on make the technology so scalable. So that opens it up for not only applications, but to be taken advantage of by the user base that's out there. It could be easily integrated into applications, which is another great point. It's not as complex as some of the other solutions that are out there to integrate, but not only is the integration easy, but it's at a lower deployment cost. So with that lower deployment cost, you also get lower support costs. Everybody that's inherent about designing in a security solution understands the importance of keeping the cost down on that. One of the, I think, advantages that it has that doesn't get much credit is its easy user experience. It's very easy for an end user to grab a security key, register a security key on an application, and then use that security key and know that, or maybe not know, but at least there should be an understanding that they are using one of the strongest authenticators out there on the market to secure the data that they're accessing.

Leigh Dow (13:04): I was talking to someone the other day about FIDO, and I was telling them that for the first time I think ever I saw FIDO being talked about in a very consumer-oriented technology magazine. So, really seeing FIDO start to take off and become something that not just people in the security world are talking about.

John Guerrero (13:27): Yeah, and I think what's driving it is that there are a lot of applications out there that are used by just every day citizens in the US and other countries that utilize the space, they understand the importance and the sensitivity. When you start looking at an organization like Facebook and they're allowing FIDO security keys to authenticate to their application, they understand that people are putting information out there that they don't want just anybody to access. They don't want access to their information to be just distributed worldwide. It's not just the high profile users that are out there, the celebrities and everybody else, it's the everyday user. If there's money to be made, somebody is out there looking to try to gain that information to access your data.

Leigh Dow (14:21): Hardware security keys are increasingly being recognized as a sensible and responsible way to solve the federal government data security challenge. Can you talk about how Identiv's current uTrust FIDO2 security keys are a part of that?

John Guerrero (14:35): Yeah, so Identiv is not the first obviously to come out with a FIDO security key, but what I will say is that it's built on the FIDO Alliance Standards. There's also some additional security protocols that are available on the keys, like one-time passwords or OTP, as well as the PIV applets that are on there for digital certificates. So it's a very secure measure, as we said, it's a strong authentication method, but I think what really separates the Identiv keys is the experience Identiv has in supporting the US federal CAC and PIV initiatives, as well as the longstanding history Identiv has as a manufacturer of hardware security devices. So as far as long as I can remember, Identiv has been in this space, and the long history of support gives Identiv insights and understandings how to best support the needs of the federal space as a security supplier, as well as just a manufacturer on the cusp of developing, I'll say new edge technology. Not necessarily bleeding edge, but new age technology. Then the history of being a manufacturer for over the 18 years that I've been associated with Identiv, it just speaks to their ability to produce a quality product. More so that experience has always led that product to be introduced at a very, very competitive price point. So while products are able to [inaudible 00:16:17] TAA compliance or are assembled here in the US, they still remain competitive to some of the foreign manufacturers out there. That's a big deal when you're dealing with agencies and organizations that are so budget-oriented and scraping together to try to meet the needs that they have.

Leigh Dow (16:38): Also, like you said, still being assembled in the US. Yeah.

John Guerrero (16:43): Exactly-

Leigh Dow (16:43): That's important.

John Guerrero (16:44): That's a key critical point.

Leigh Dow (16:45): So, what's next on the horizon for Identiv's Security Keys?

John Guerrero (16:51): Right now, Identiv is always on the hunt for what's going to be the next big thing. When you're looking at that, you have to take a look at all the different technology advances. The new use cases are always an importance and they'll always drive product development. Specifically Identiv right now is looking at biometrics and Bluetooth for integration into their next generation of keys, but there are also a couple other things. That Bluetooth and biometric technology will enhance security, but there's also a big user experience that Identiv is looking at, where they try to reduce the form factor size to be something that's more easily handled, carried and used by the end user. I think I first heard this from the Identiv CEO, Steve Humphreys, security will only be used as long as it's convenient, right? Once you lose that convenience, then you lose some of that grasp that people are going to have on the necessity for security. We're talking about end users. IT teams will always want that security, but the end users try to skirt around it if it's not convenient. That's what Identiv is always looking at is how do we maintain a top level security product, while still looking at addressing the needs and the use cases that are out there for the user experience?

Leigh Dow (18:18): Well, government employees are always prime targets for cyber attacks, because they have access to such sensitive data. So, thank you for sharing with us some solutions for that.

John Guerrero (18:29): No problem. I'm always willing to chat about security, especially when it comes to some of the Identiv solutions and the history I have with them. So if there's anything ever else, please feel free to reach out.

Leigh Dow (18:40): Excellent. Thank you so much.

John Guerrero (18:42): Thank you.

Speaker 1 (18:43): Eliminate the risk of data breaches, phishing, password theft and replay attacks with hardened multifactor authentication cybersecurity. Passwordless logins are simple and secure with uTrust FIDO2 NFC+ Security Keys. Insert the device, tap the button and get secure access. It really is that easy. Learn more at

Physical security, identity verification, the IoT, the hyper-connectivity of our lives will only grow more pervasive. As technology becomes more automated and experiences more augmented, it's up to us to preserve our humanity and use new tools and trends for good. The only question is are we up for the challenge?