LØRN case C0324

Frode Hommedal

Technical Director of Cybersecurity


State of Cyber Security

Communication is the most important thing in cyber security. Technical Director of Cybersecurity at PwC, Frode Hommedal, tells us about the state of cybersecurity, sustainable digitization, and threats to our individual autonomy and democratic processes on this episode of #LØRN with Silvija. Helping PwC build a team that in many ways will be an extended CAC for hire, Frode talks about the most important thing he does at work, why it is exciting and PwC's focus in technology.
29 min

Welcome to Lørn.Tech – a learning collaboration about technology and society with Silvija Seres and friends.

SS: Hello, and welcome to Lørn, I am Silvija Seres. Our topic today is cybersecurity, and my guest is Frode Hommedal, a technical director for cybersecurity from PWC. Welcome!

FH: Thank you!

SS: Frode, we could talk Norwegian, but we both thought this is so internationally relevant, we should do it in English.

FH: Yeah, I have some friends abroad who would be really, really mad at me if I did this in Norwegian, if I could do it in English, so that’s why we’re doing this in English.

SS: Very good. We are going to talk about basically the state of tech when it comes to cybersecurity, quite broadly. And in my introductory letter to you, I said you know the style of Lørn is usually very positive and very concrete in examples and then you told me: «well, I don’t know how to be very positive about the state of cybersecurity.» So we will be real, when it comes to cybersecurity.

FH: Yeah, this will be a slumber episode.

SS: At the same time I think we can have fun with some of the aspects of cybersecurity, but before we do that Frode, would you mind telling us a little bit about who you are and why you care about cybersecurity?

FH: Wow, well that was a long journey. So I’ll have to do that really quickly. I’m from the west coast of Norway, I was brought up as a sheep farmer and a fisherman, so just a cultural journey from the roaring parts of west coast Norway to Oslo has been a long, quite a journey.

SS: So from fishing to fishing?

FH: Yeah see, that should be my memorization right there, from fishing to fishing. People would be like what? I kind of stumbled into cybersecurity the same way I stumbled into tech. It was a moment of: «wait a minute, how does this actually work? Well this was interesting.» So I was going to be a chemist, but then I travelled abroad with the armed forces in the UN to the Balkans in the 90’s. I worked at a hospital with lots of really, really, highly skilled and trained surgeons and nurses and stuff, and it was super interesting to see how professional they were, and that experience kind of shaped me, I have realized in later years.

SS: But how tech?

FH: Yeah exactly, and because I was the only person there who had ever touched a computer before, I was given responsibility for their satellite link to Karolinska hukwarden in Sweden, and all of a sudden, I started becoming interested in how this technology was working. And so when I came back, I switched from chemistry to electronics, so I have a master’s degree in electronics, and my first job was creating hardware, and crypto hardware.

SS: Which also helps a lot if you’re going to understand cybersecurity.

FH: Oh absolutely! Honestly sometimes I think that, I’ve made some stupid choices in my life, but the choice to do electronics and then add on some software has given me an intuitive understanding of technology that has really helped me, and security was the same thing, I just stumbled, you know during my master’s I stumbled into encryption and Bruce Schneier’s Applied Cryptography, and I was just «wow, this is so cool. I want to learn more about this».

SS: You thought cryptography is cool, so now you’re my man. But other than that, I have to ask you because most people are pushed into cybersecurity, they are told by their employers or their parents or somebody: «this is going to be big and important and lots of jobs and go do it», while you almost did it the other way, you kind of thought, this is fun.

FH: But I’m old, I fell into security before it was cool.

SS: Okay, well that’s the right time to fall into things though.

FH: Yeah, but I had worked at this hardware startup and then I went working for Opera Software, you know the browser company? That was really cool by the way.

SS: I was on their board ages ago. I was in love with opera software as well, I still am, I guess.

FH: Maybe I should not say this, but I just started using Vivaldi, and it’s like «Oh, it’s like having Opera again.», but then I saw a job ad from Norcert, the national security authority. «Hey, you wanna come work at the national cert with a national sensor grid and everything».

SS: Norcert is like one of these really difficult names, it sounds like you know it could be anything from you know, from ice cream to, it depends, but they are real heroes, when it comes to thinking about digital safety, right?

FH: Yeah absolutely, and I saw their job ad, and I was like, «Okay, this seems cool, this seems to sort of combine all the stuff I find interesting.», and then I started working there and I was like «Woah, okay! I can never have another job.» I sort of found my true calling in security monitoring, and especially incident response, and I stayed there for seven years, and the funny thing is, I came onboard one year after they reformed, and so the first generation of Norcerters are basically now just everywhere.

SS: It’s probably the best education or post-education education you can have when it comes to cybersecurity in this country.

FH: Right now, I think there are more places you can get that, but at that time, which was back in 2007, it was unparalleled.

SS: So, help us understand, what does security monitoring mean?

FH: Security monitoring, for people who do not know security, all right.

SS: I mean people imagine somebody who sits and looks at big black screen with lots of green numbers on it, but why?

FH: Yeah, so, security monitoring is kind of like being in the ICU, intensive care unit? Yeah, you know when you’re being hooked up to you know all kinds of monitoring equipment, you know.

SS: Things that keep you alive, or?

FH: Actually not to keep you alive, but to monitor you. Like monitoring the O2 contents of your bloodstream because that must not drop too low, and you know, heart-rate and blood pressure, and you know, they come and they take like two-three times a day, they take blood samples, and you know, figure it out.

SS: So you have lots of these kinds of sensors on all parts of our network?

FH: Yeah, exactly. It is basically exactly the same thing, just in technology. It is just sensors and measures put in place to monitor the patient, and the patient is you know, where we work. That is a bleak outlook on life, like, what? You say all organizations are like patients? And when it comes to security, it is kind of like we all just caught this disease that could bring us down, you know like at seconds notice.

SS: The virus is in all of us, it is about how immune we are, perhaps.

FH: Yeah, you can say that it’s because no companies are the same, but there are some trends and you have very few companies who do this really well, and they are able to fight it well, while others, they are,

SS: Naive

FH: You know what I think? And this was kind of my pet peeve with security, I don’t know how long ago, but quite some time ago, I realized that my most important job in cyber security was communication, because this is about understanding complex problems where your brain does not give you any help in understanding what’s going on, because we do not have any sensors as humans, to understand what is happening inside computers. We cannot see inside computers. Like if you go into a room, and there are a bunch of people there, you are equipped both with physical sensors like your eyes, but also cognitive functions, and emotional intelligence.

SS: You can see who is sad, who is happy and who is dangerous, and who is sick, right?

FH: You can spot that in just a split second, looking at your computer, you have absolutely no idea the state it is in, no idea. So, what people refer to is: “Oh, my computer was slow, so maybe it has a virus.” Being slow is a very, very rare symptom of a computer virus, can it be slow because of a virus? Yes. And in the case of, say, ransomware, yes, it will be slow, I mean, it is taking it over, you know, like.

SS: So back to our simplification project, so we’re monitoring, we have all these probes in the network and we are basically importing network hubs, but also in network nodes, in companies, in their individual computers and servers. And what are we looking for? Weird patterns in traffic, or what?

FH: Yeah see, that is the thing.

SS: And sometimes we do not know what we’re looking for, because there are these zero-day attacks which nobody has seen before, which are the best and the baddest, right?

FH: So, that kind of depends, so zero-day, then you’re talking about vulnerabilities and actually in cyber-attacks, exploitation of vulnerabilities isn’t all that common, most of the time attackers, and I have to say, my background in cybersecurity is critical infrastructure, government and espionage, I have almost exclusively worked with espionage.

SS: So you work more with, you don’t think in general about, you know a company and their data and that kind of problem, but you’re trying to find digital spies, or used to.

FH: Exactly, used to. Now in PWC I’m not actively looking for spies, or dealing with incidents, I’m helping other companies build capabilities to do that, but there is a thing out there where people think, “you know what, I don’t have to worry about spies”. And first of all, that’s just plain wrong, espionage is now so rampant that if you’re a big company or even a startup, like we’re at a startup lab right now, and I mean if anyone here has a really brilliant idea, and I can command an espionage apparatus, “oh wait, this fits right into some strategy we have”, let’s just go steal it, let’s see what they have. This has become a part of the economy in so many countries now, that if you think that you can run a business and not be at risk for spying, I’m going to be so blunt and just say “You are plain wrong.” There are no nuances to this, it’s like “nah, but”, there is no “but”. This is the new reality.

SS: So the most common attacks you would say have to do with these kinds of espionage and network listening? Help us understand a little bit because this is such a complex landscape.

FH: It is. So I wouldn’t say it’s the most common, I’m pretty sure in sheer numbers, attempts at fraud, you know like credit card fraud or whatever, is probably bigger in sheer numbers, like spam emails trying to phish your credentials to whatever, to steal some money, but if you look at, if you read the newspapers these days, there is a lot about cybersecurity all the time, but there is not really a lot of stories about huge big catastrophic incidents. That is what anyone is afraid of, the big catastrophic incidents, but they are actually pretty rare, what people should be much more worried about is the stuff that you never find out, because whoever is doing it has so much to gain by you never understanding that they are there, and that definitely includes espionage.

SS: So, you have basically many of these kind of silent gardeners in your computer, in your network, and you just should assume that they are there.

FH: Yeah actually that’s like a, that was a paradigm shift in security when everyone sort of adopted assume breach, you know. You would go about your security monitoring and response planning under “assume breach” paradigm, where you say “okay, I am probably breached”.

SS: Not only once at a time but continuously

FH: Continuously, yeah. “I’m continuously breached, how do I deal with that?”, and of course one way you do not deal with that is to put your security people in your corporate IT environment under the same Active Directory as the rest of the corporation, because if you assume breach and you’re going to find it and deal with it, can you do that within an infrastructure that you think is breached?

SS: This is really interesting because you’re in a way you know planning digital fortresses for companies. You are helping them, you know, we have parallels from the real world, but we now have to think about that in our architecture, we have always architected systems for efficiency, but now what you are saying is basically, think about these, you know, firewalls are not only for one kind of thing but many, many kinds of firewalls, basically a plan for different kinds of invasions.

FH: Yeah, so what we did I think, with digitalization, is that we just saw the possibilities, you know the efficiency, the user friendliness, the huge potential to get rid of offices and just have, you know people do their work themselves you know web pages and stuff like that. Where they are like: “Oh, this is awesome, we need to do this.”, and when we did this, 20-ish or a little bit more years ago, we didn’t understand just how vulnerable we made society. I’m thinking about this like, you know old cities in, you mention fortresses, old cities in medieval Europe.

SS: They have different kinds of walls and towers.

FH: Yeah because there were threats there, you know. It was like “oh look a field, we’re gonna farm this field, it’s awesome, it’s so fertile!”, then just build a city within weeks, and get raided, right. And same with pirates, if you go further up history, you know you had pirates, and then you had to build navies. I mean before pirates, navies looked different, you know. So, we have all done some stuff and then been like: “oh, wait a minute, we need to adjust this for the real world”, and what we’re doing with cybersecurity now is that same thing.

SS: In the digital world?

FH: Yeah because everyone was like “oh, look at the upsides of digitalization and computers!” and then we did not realize that we are building something that is so easy to tap into, and you know steal from, you know if you go downtown Oslo, you expect not to be robbed. And if you get robbed, you expect to get help. And of course, if you’re just pickpocketed then no one is coming, but if it’s something serious, like if someone attacks you, you expect the police to be there, like this. You expect the ambulance services to be there to take you to hospital. We have this whole infrastructure for physical safety.

SS: Frode, we are running out of time, but I think your story is brilliant, because I think this transition that you talk about is super important for people to understand. I was just thinking, you know, there is this really wonderful tagline that the defense forces have, “for all we have and all we are”. And I think that sort of thinking for our digital safety is what we really need to understand is necessary now, because we are threatened in just as dangerous ways there, and there is this overlap. The civil sector, the private sector will need some help from the government and from the authorities, and from the good helpers because we are not able to provide for our own safety in this digital world the way that we thought we would.

FH: Oh definitely, and the thing about IT is, it is just brilliant, because you can configure in you know, a thousand different ways, and it would still work. You know IT is so robust when it comes to working, anyone can make almost anything work. Now it’s getting a little bit more complex with huge cluster technologies and whatever we’re sort of moving into a different realm now I think, but still, IT will just work. You can configure it a thousand ways, three of those ways are safe and secure, so that gap between what’s possible and what we should do, that is really big and that’s where we are now, trying to figure out how to do this. The problem is, going from choosing any of these thousand to those three has a cost.

SS: Yeah, so I want to spend thirty seconds talking about PWC because I was always thinking about them as bean counters, and then I met brilliant people in absolutely all kinds of, well bean counting, but in addition compliance and regulatory and now IT, and the sort of IT reviews that you guys are doing revisions auditing for big banks, for many other big organizations, have to do with basically securing both the things that are relatively safe now, but also architected for a safe future, right?

FH: Exactly, because that’s now where we have a huge technical debt right, stuff was architected before we realized what is necessary to be safe. So yeah, so cybersecurity within PWC is only two years old, you have other IT services that are older, but PWC only started two years ago.

SS: And it is probably growing to be one of the biggest.

FH: Well, that is why they hired me, kind of, because I’ve been tasked to build a technical team, type of cybersecurity people like me, who have a technical background and who worked hands on.

SS: And who don’t just talk marketing I guess, but they say “guys, this is a dangerous state of affairs and we need to clean this up quickly.”

FH: Yeah, so actually we are now challenging the way that incentive systems and organizations are happening within PWC, because what worked for the accounting force, doesn’t necessarily work for the new technology force that we’re building.

SS: It’s a different way of helping the customer, is what you’re saying?

FH: It’s a different way of managing people too, because if you go into a big consultancy company, you gotta have that dream of one day becoming a partner, but for cybersecurity people, tech people, the goal isn’t you know, to become a manager, your goal is to become an expert in your field. So instead of having a vertical career, you want a horizontal career where you go from being a novice to being a renowned expert. For people like me, I don’t dream about being a partner, I dream about being an internationally renowned cybersecurity expert, right? That’s what I want to be when I grow up. That means that we have to do stuff a little bit differently, so that’s what we’re thinking about now. So I actually have a project that is literally called “creating a home for tech people”, to make sure that we can actually onboard tech people and make them thrive at PWC.

SS: You do that right, and I think that you’ve done a fantastic thing for PWC actually as well. You and I spoke a little bit before we started this recording and there’s so many things I would like to do for Frode, but I think we have to have a follow up. One of them was to talk about, you know what this actually means now with artificial intelligence and machine learning applied to cybersecurity, another thing we didn’t talk about is the internet of things and 5G and you know the internet actually coming into our bodies and maybe even our minds, and how do we keep that safe. All the chemical hacking and so on, and the other thing I thought would be fun, we talked about that you actually need to teach people the basics so they are at least so comfortable with cybersecurity to understand the sort of threats they should worry about. So, we talked about these magical creatures in cybersecurity, viruses, worms, trojans, and tried to do a zoo, and Voldemort, he’s out there, and he’s organizing. But we’ll get back to that. Do you have a quote you would like to, no first of all, what would you recommend people to read, or to watch as an inspiration or desperation?

FH: Yeah so, this is gonna be kind of like reading about the atomic bomb for the first time, and starting to realize its destructive potential, but I really think that at least tech people should watch the movie “Countdown to Zero Day”, and see what the big nations are able to do through technology. I mean if one of the big nations wanted to shut down Norway, like just completely. They would be able to, they wouldn’t even sweat. They have all the capabilities, they have the manpower, it’s all about will.

SS: And some of these don’t have to be big countries, I mean yes there is Russia and China but it’s also Israel and some others that have done a lot in cyber security that I think we underestimated.

FH: Yeah so, we should be really, really glad that supervillains are mostly a thing of movies, because if you had a supervillain with a bit of a budget, if that person asked me: “could you assemble a team?” who wanna bring down let’s say Norway, because saying someone else would be like “what, you said that country?”. I would probably be able to do it, I know the people with the right skills, I know approximately what goes into it, would I be very effective at it? No. But given budget and intention, would I be able to? Yeah, I probably would, and that’s the scary part. Right now, the only thing between us and like a cataclysmic cybersecurity breakdown of society is that no one is actually motivated to do it. I don’t think that’s how we should build a digital society, that is not sustainable. So I’ve started thinking about sustainable digitalization, and just like with climate change, we need to start thinking about digitalization in terms of sustainability.

SS: The house is on fire, panicking people, as Greta Thunberg would have said.

FH: Yeah kind of, but there has been a lot of fear mongering already from the cyber security industry.

SS: Didn’t work?

FH: Well yeah absolutely, it did work, to some extent, but now we’re heading into a territory where you gotta do more than just scare people. I mean it was right to scare people, it is actually still right to scare people, because most people don’t understand just how scary this actually is, and the implications it can have, but now is the time to inform more and you ask me about quotes. One of my favorite quotes is: “to inform is to influence”, and that’s why I’m here. I wouldn’t prioritize this if I didn’t believe that talking about this is part of the solution, and it is.

SS: And then maybe you can teach people to sort you know the really dangerous from science fiction and so on. We need to make a TV series with digital James Bond, I think that would’ve been fun, don’t you think?

FH: It would be fun.

SS: So anything worth doing is worth doing right?

FH: Oh yeah, so I am at war with “80% is good enough” people.

SS: Because when it comes to cybersecurity that’s a dangerous way to go.

FH: Yeah, that’s one thing, but it’s just on a personal level. I do not feel any accomplishment unless I can look at something. Some people would be like, they want to go through a to-do list and if they have ten things on the list and they check if you know every item, they feel accomplished. I do not feel accomplished by that. What I do is, if I do something right, and I’m happy with the quality and how it’s worked out, then I feel accomplishment so yeah, that’s the reasoning behind that quote.

SS: If people have to remember one thing from our conversation, what would that be? Digital James Bond?

FH: No, sustainable digitalization. They need to start accepting that that is actually a thing.

SS: Not quick and dirty, but actually thinking of long term safety.

FH: Yeah, if I want people to do anything different after listening to this podcast, I want them to, you know, from time to time stop and think like what we’re doing now, is this sustainable? Like this guy he said: “sustainable digitalization, you know this project we’re running now, is this sustainable? What’s the cost for the company, for the empire, for the public, if we do this?” Because right now it is possible to do so much, and especially with data, which I hope we can talk more about one day, especially with data, but just because it’s possible to do, and it has some short term gain, doesn’t mean it’s a good idea, doesn’t mean it’s sustainable.

SS: Frode Hommedal, technical director from PWC, I loved the way you tried to get people to see both the good and bad of cybersecurity, thank you for coming and talking with us at Lørn.

FH: Thank you for having me.

SS: Thank you for listening.

What is the most important thing you do at work?

To develop and disseminate knowledge so that people and leaders in Kardemommeby can make good decisions related to the use of IT as a tool.

What do you focus on in your technology?

I am in many ways a strategic and tactical advisor who helps people build security capabilities to fight threats.

Why is it exciting?

Because it's about our digital future and about being able to reap the benefits of modern IT, without having to take all the negative sides.

What do you think are the most interesting controversies?

Everyone wants to use data, but very few are interested in talking about where excessive use of data can take us as a society. And threat denial, where there are an incredible number of people who try to pretend that the world is a much kinder place so as not to think about it.

Your own relevant projects last year?

Now I will help PwC build a team that in many ways will be an extended CAC for hire.

Your other favorite examples of your technology internationally and nationally?

Internationally, it is good to see that the authorities in the UK, via the GCHQ front NCSC, issue a lot of good and concrete advice on security. Nationally, I think it is very positive that Telenor has decided to get on the field for safety, and I am impressed with Mnemonic.

What do you think is relevant knowledge for the future?

Use of data, machine learning and artificial intelligence. In addition to strong technology understanding coupled with good understanding of human cognitive function. Philosophy and knowledge of how the freedom of thought and democracy work is also important.

A favorite future quote?

To inform is to influence.

Main points from our conversation?

The threat picture is escalating. Enormous data capture combined with ML / AI and cynical actors is a threat to the individual's autonomy and democratic processes. None of this is sustainable, and therefore we must work to understand and for sustainable digitization.

CASE ID: C0324
DATE: 190325
DURATION: 29 min
Recommended reading and viewing: The Cuckoo's Egg by Clifford Stoll; Countdown to Zero Day
Tags: Threat Actors, Sustainable digitization, Cybersec, Fake news, 5G
"Huge data capture and machine learning by cynical actors are threatening our individual autonomy and democratic processes. We need to understand what sustainable digitization looks like and start working towards it."
