Doug Fisher 00:12
Everyone in the company has to take training, has to have their system with the latest patches and updates, otherwise, they don’t get on the network. I’ve sent emails to people, the highest levels in the company, “I will be removing you from the network tomorrow.” You cannot take anything for granted.
Camille Morhardt 00:30
Hi, and welcome to today’s episode of InTechnology. I’m your host, Camille Morhardt. And I have with me as co-host today Mohsen Fazlian. Our guest is Doug Fisher from Lenovo.
Mohsen Fazlian is Corporate Vice President and Intel Product Assurance and Security General Manager. He’s a 27-year Intel veteran and is responsible for Intel’s trust & security and confidential computing roadmaps. He’s also responsible for implementation and operationalization of proactive security and risk prioritized measures, security, governance and oversight and continuing to foster the security-first culture in Intel’s product development.
Doug Fisher, our guest is Senior VP and Chief Security Officer of Lenovo. He’s responsible for the integrity of Lenovo supply chain, products and services, and its data. Before he joined Lenovo, Doug spent over two decades at Intel where he was most recently Senior VP and GM of the software and services group. Welcome to the podcast, gentlemen.
Doug Fisher 01:37
Thanks. Great to be here.
Camille Morhardt 01:39
And I’d like to begin by getting to know each of you just a little bit. I know Mohsen that you ran assembly and test factory as well as a fabrication facility for Intel in your career. And I think this is arguably one of the things Intel does the best in the world. And so I was just curious if you could take us behind the scenes a little bit and tell us was there anything that was unexpected to you when you took on these roles?
Mohsen Fazlian 02:09
Sure, I joined Intel as a product development engineer, mostly CPUs and chips and products. In 2006 timeframe, I had the opportunity to go and run one of our assembly and test manufacturing facilities in Costa Rica. I went from a position of a supplier to becoming a customer. And that truly changed my worldview as far as how the customer and supplier relationship should work, even though it was an internal supplier customer interactions. And then as I move from ATM to Fab 12, one of our facilities in Arizona, again, I went from being a customer to becoming a supplier. And as I came back to product development, engineering, and now doing product security for Intel, I think I have benefited from that journey as far as understanding the entire supply chain–again, internal and external. And it has given me a different point of view as far as how I look at the supply chain, especially when it comes to the transparency and security of the supply chain that you manage.
Camille Morhardt 03:23
So I’m going to ask Doug, also, to get to know you a little bit, perhaps. I did find in researching you that you enlisted in the Navy when you were 17. That seems very young to me. I was wondering how that maybe shaped part of your career or your approach to solving problems or looking at business over the last decades.
Doug Fisher 03:47
Yeah, to say I enlisted it sounds like I volunteered. I was pretty much a troubled teen. My parents decided the best solution was to put me in the military at 17 years-old. And it turned out great. To be honest, I credit my time in the military to my success today. It just reshaped me as a person drove a deep level of commitment, teamwork, and discipline that I still carry forward today. And I’m forever indebted to my service to the country as well as my experience in the military.
Mohsen Fazlian 04:21
Hey Doug, I know you and I started interacting a couple of years ago. And I know you are the first to occupy Lenovo’s CSO position. Has it been challenging? Can you share some of your journey with us?
Doug Fisher 04:35
Yeah, sure. So, it was about three and a half years ago, I was asked by the General Counsel, CEO, and some of the board members if I’d be willing to take on a new and unique challenge within the company. And at the time, you can look back three and a half years ago, security was certainly important. And I went through a lot of it when I was at Intel. Certainly a different environment today than when I took the job. As I jokingly say, some of the things I’m dealing with were not in the brochure when I took the job. But yes, it is extremely challenging, and it gets more and more difficult every day. There’s new technologies, there’s advancements and capabilities. The challenge is enormous for all of us in security.
On top of that, the new regulations and stipulations put on people in security makes it even more regimented in what you do and how you achieve it at the company. But it’s been very rewarding. Having the visibility and the opportunity to educate, drive, and really help get support from everyone on executive staff is a tremendous gift; it makes my job much more impactful. And having the support of the board of the CEO is instrumental along with all the executives. So it’s been a great journey. Continues every day, as you know.
Camille Morhardt 05:50
Both of you are running these security organizations, and responsible for helping product divisions ship out product that’s secure. And yet, you’re not in the organization of the product division. So I’m wondering how you integrate that, when you’re organizationally not integrated, how you integrate that philosophy of security-first.
Mohsen Fazlian 06:12
One thing that I learned early on was that, you know, security is not just a feature; it truly is a mindset. And based on that, we started an activity at Intel to start influencing and changing that mindset, we were very clear that we truly want to get to a point that all of our engineers as they architect, as they develop our product, as they design or validate our products, that they truly think like a hacker; I always say I want them to break what they make, to think about what one can do with this product that I’m building or architecting and is forcing it to do something that is not supposed to do–which goes against the traditional way of how we’ve been architecting and validating our products, which has been, we architected we build our product, then we validate to make sure it does what it’s supposed to do positive validation.
And the negative validation or negative testing is looking at it from a hacker point of view. And when you go at it from that angle, it really changes your worldview, again, about how you, architect, develop, right coding or programs, and validate your product. So going to the foundation of how you train, and you change the mindset and the culture regarding security has been fundamental for our approach at Intel. And that’s one of the ways that we continue to measure our progress forward.
Obviously, the journey never ends. But it is fundamental to the success to make sure that you truly are evolving and changing that culture to make security be at the forefront of what we do and not just, you know, side-job that somebody needs to do at some point, for your product development.
Doug Fisher 08:16
I mean, if you look back years ago, it used to be that whole mantra was around quality. How do you design in quality? How do you design in manufacturability? Well, now it’s how do you design in security? But it really goes back to our most was speaking about it’s a culture, it’s not just one thing.
You know, I took this job, the first thing I did is demystify what security really was. It often goes to either a product issue or something to do with infrastructure, but it’s actually a collection of a lot of capabilities all working in unison. And when I started this job, we really had an opportunity to turn up the contrast at how we take this as a cultural element at Lenovo. And what I’ve done in that space is require everyone in the company, and I say everyone, I mean everyone in the company, has to take training, has to have their system with the latest patches and updates, otherwise, they don’t get on the network. And what I mean everyone I mean, everyone on executive staff has to take this training, including our CEO. I’ve sent emails to people, the highest levels in the company, “I will be removing you from the network tomorrow if you don’t take your training.” And it’s actually, shockingly, I get apology messages versus some sort of pushback. And we do this across all elements. It’s actually quite draconian, but you have to, you cannot take anything for granted.
If you have a system on the network, we don’t know who the manager is of the system, the patches aren’t updated. We used to work to try to find who the owner was, trying to make sure that they get the right elements in place. I took a different approach. I said, “Cut them off the network.” I made sure that the CEO and execs all knew that I was going to take systems down, and there may be some business impact, but it’s far less impact than if we had some situation that a vulnerability was exposed. So I’ve shut those off, just like you shut the air supply off on a scuba diver to the surface. And we got all that cleaned up very very quickly.
And when you look at the pantheon, the top part of the pantheon which is supported by our foundation, which is our culture, and the four pillars–which is product security, supply chain security, physical security, and infrastructure security–all those four elements are all in place to do one thing, the most important, which is protecting our customers data and privacy, and our employees data, as well. So we take that very, very seriously, I have to tell you, I’ve talked to a lot of customers and partners, named companies in the industry outside of our industry, well over 70, closer to 80% of vulnerabilities occur at the employee level; they are our biggest asset in the company, however, they need to be trained.
Mohsen Fazlian 10:50
And Doug, I think you hit on training, which is a very important pillar of evolving or changing a culture. And one of the challenges that we always face with training is, you know how to make training fun. And one of the items that we found very effective, is what we call red teaming, or hackathon events. And initially, this starts with, you know, a handful of security experts. But eventually, we try to get non-security expert people engaged and hands-on in this activity.
And I never forget this, as we were trying to instill this security first mindset into the organization, I approached one of our design managers, and I asked him if he was willing to partner with us to attack one of the modules. And he said, “Sure.” So we spent about two weeks basically going deep during the hackathon, or red teaming event on that module. And we found ten serious security vulnerabilities on that module, which if he would have let the product out, he’d have to re-spin the silicon. And for him, that was the turning moment that he needed to invest, he needed to take this very seriously. And from there on, we have been using the red teaming or hackathon events, as some of the fun activities to truly, you know, let the engineers find the security vulnerabilities by themselves. And the moment they do that, then they start seeing the value in investing time. And you know, learning more.
Doug Fisher 12:34
Red teaming is a great example where we use it, as well. The key to anybody in security is, you know, the things you don’t want to have happen. You don’t want them to get the data and you don’t want it to move laterally. And so red teaming really helps you exercise that muscle. Are you protecting the data? And are you protecting any vulnerability from going lateral? If they get into your environment? Can you stop the lateral movement?
Camille Morhardt 12:58
Doug, you mentioned the human element as one of the major points of vulnerability like phishing attacks. But I’m just wondering, what are your customers noticeably concerned about right now in security? And I also just want to lead the witness a little and ask our people starting to worry about AI and how that’s going to become or help advanced threats?
Doug Fisher 13:23
So they’re worried about the same thing, primarily, like you said, the employee. Now, it’s always been a challenge. But you all know, you get these phishing emails, and they were so rudimentary for years–broken sentences, unstructured, the wrong choice of vocabulary, all the things associated with a very poorly written phishing email. Today, with the element of AI helping curate who you are as a person, because a lot of executives have exposure on the internet, so they can pull all that information and curate who you are, and write a much more specific email to who you are as a person. They can also write it much faster. And so they can make it very realistic.
I just had a situation, I was out of the country. I hadn’t dealt with PayPal for years, I had to use PayPal for something. And two days later, I got an email, “Hey, we have the invoice for PayPal.” And so it registered with me, it must be what I was trying to achieve. And so I engaged in this. And it didn’t look familiar. And so instead of clicking “Accept,” I did take the time to call PayPal and walk through it with them. The fascinating thing was, it was very specific to me and the email. I couldn’t believe it. Neither could PayPal. But we researched it, it’s true. The email address it came from was a legitimate PayPal email. It wasn’t a pal pay or some other variation. It was their email and I had them send me an email from that account. And we compared them. No difference in email. Somebody is able to intercept and spoof email addresses now. So really sophisticated capabilities.
AI has gone even further. Now. It’s voice imitation. So I do a lot of keynotes, they can capture my voice. And so voice verification is going to be a new challenge because they can certainly use my voice and rephrase anything I say. And then video, give a great example. I don’t know if you read about it in Hong Kong, there was a situation where a company somehow I don’t remember the specifics, but they got a video conference with who they thought was the CFO, if I got the story, right. And the CFO walked through, I think a deal or some suit, some mechanism, taught to everybody in the end, they cut a 20 million pound or $25 million in that range transfer of funds, they lost it all through simulating a person that they thought they worked for. Now, the specifics may be a bit different. But the fact is, it’s happening; people are spoofing all this stuff. And so it’s very scary. And I’m, spoiler alert, I’m using this approach for our kickoff, and a lot of my speeches, now, it’s gonna make it a lot easier on me to write the script, they’ll do a video of me, I’m doing that this week, we’ll write the whole script, and I sit back and I don’t do anything. AI does my entire talk. And then I’ll step in at the end and say, “by the way, that wasn’t me.”
Camille Morhardt 16:21
God, that’s crazy. Mohsen save us here and tell us is there any, like, sort of positive use case or emerging use cases for AI that are driving new models here for security?
Mohsen Fazlian 16:25
You know, it always reminds me of the old radar detector scheme. Police will come up with a better scheme to capture a speed and the radar detector will come with something to mask that one. And it was always a race. I think the radar detectors have gone. And, you know, I’m glad that that was the end to that game. But with security vulnerabilities and AI, it is a race. I mean, in the past, some researchers used to spend a lot of time to, I would call it, daisy chain known vulnerabilities to come up with new ones. So they literally will go and read all the known vulnerabilities that you have published, some of your aspects that you have published, or even auratus that you have published, and then connecting all of those, they will find a new way to break your product. And today usage of AI is, you know, they can daisy chain those known vulnerabilities in a matter of minutes, and come up with a new attack vectors.
But obviously, you know, the security teams are not sitting on their hands either. So we are coming up with new ways of finding those issues and patching them before, obviously, you know, the bad actors do that. And obviously, enhancing all our own internal security tools and scanning using AI. We have a initiative at Intel, which is AI for security and security for AI. So first priority security for AI, making sure that the AI products that we are developing and we are designing and shipping is secure–meaning we have enhanced security capabilities inside our company, whether it’s security development lifecycle, content, scanning capabilities, again, red teaming hackathons, and there security for AI is also again, using AI to enhance your security capabilities inside the company. So that’s one item.
The other one is, as Doug mentioned, customers do care about the security and privacy of their data. I think when you reflect back on the past couple of years, the security of the data in-transfer has come a long way, as you’re sending emails or as you’re having a transaction with your bank, that data transfer is much, much more secure than what it used to be, you know, a few years ago. The new focus is on the confidentiality and security of the data in-use. So when the data arrives in your call it the processor unit, whether it’s a GPU or CPU or so on and so forth, what’s happening inside that processing unit, up to now, it’s been open; meaning if somebody found a way to hack into your processing unit or your data was exposed. And the confidential computing is where we are starting to treat that data the same way as the data in transit. So it’s encrypted it’s protected. It’s confidentially, again, protected. So this way, you know, the customers the enterprise, can self assure that even the data transaction within the CPU or within the CPU and memory, those are all protected. At Intel we started with SGX and then TDX to protect that data.
And then the next logical step is confidential AI, which is how you use this capability to enable different companies to be able to collaborate without really having to worry about sharing their confidential data. As I said, it is a race. As far as, you know, the AI for a good guys and AI for the bad guys are enhancing and developing. But obviously, I’m glad that you’re on the good guy side. And, you know, continue to work to make sure that the data for our customers and for our end users is absolutely secure.
Doug Fisher 20:40
As Mohsen said, there’s two sides of it. But let’s start with the bad guys have a lot of money; it’s profitable. This is why there’s still a lot of hacking going on. Oftentimes people think it’s somebody with a, you know, a low-end system, that’s clever. No. These people have high end systems, they have the best in technology, that sort of we, and one of the advantages we have is our data.
Now, I’m responsible in my authorization for our data retention policy as well. What data you collect? How long do you keep it? When does it get disposed of? You know that hygiene is so critical for our customers to ensure that they don’t give us data we don’t need, we don’t keep data we don’t need and we get rid of data we don’t need so that we don’t have data disclosure for our customers. And then we obviously spend our time focusing on protecting it. But we can also use data about our employees, and what’s their behavior, what applications they use, what type of procedures they use to go through what’s their normal day and use that data, the information to look for anomalies. That’s fascinating. Doug just logged in, you know, why Seattle, Washington for the last three months, and now he’s in Cairo? Maybe we should ask him a bunch of new security questions that we normally don’t ask, because this isn’t normal behavior. He never has accessed this application before. Maybe we should, you know, ask a few more questions or a few more security hurdles before we allow access.
So you know, taking advantage of AI to look at our data, and then understand the behaviors, things like that can be applied with artificial intelligence, along with some of the regulations that are occurring unilaterally in government agencies across the globe. So it isn’t all lost. But we’re gonna keep busy.
Camille Morhardt 22:29
One thing that you had mentioned before, I think, Doug, is that you’re responsible for protection of the supply chain. And I just wanted to go back to that and understand a little bit more from you about how you even begin to look at protecting the supply chain?
Doug Fisher 22:44
That’s a great question. You know, we have tens of thousands of vendors and components we put into our systems. What we do is isolate the active components, things that could have a potential vulnerability; we don’t do as much on a capacitor and a resistor or a piece of sheet metal. But if it’s memory, or CPU, or whatever, an active element in our platform, then we actually have a very rigorous process that we work with the vendor to understand their security posture. Do they align with our security requirements? We have a contractual relationship with these suppliers, and then we have the right to audit these suppliers. It’s called the trusted supply chain. So we have a very rigorous process that we employ at Lenovo to ensure that we know what the vendors are, know what their security posture is, know if they need it, and help them remediate any issues.
Then we have an active list. And it happens at times when we have a supplier–this happens across the industry–where there’s a component that no longer is one we should be using, we instantly pull that out, replace it, and ensure that we minimize just like other companies in the industry. So that’s our trusted supply chain. Now we go a step further than I think anybody else in the industry in our field. And that’s partnering with Intel on what’s called transparent supply chain. And that is a real advantage for what we do in supply chain, where we work with Intel to basically create a fingerprint attestation of what was built in the factory. So whatever you build, and by the way, this is why physical security is so important as an overlay, because you have to know who’s in the factory whose has access to it. Once it leaves the factory, who’s the shipping company, you know, who is touching this thing all the way along the path, we have that as an overlay on top of our products, along with this transparent supply chain, which is going through what we call zero trust supply chain with Intel. And what we do is take a fingerprint attestation of what is in this platform; its encrypted. It goes through the entire supply chain process and lands on a customer’s environment. Now they have a web portal and they bring it up and it compares hashtag information, decrypts it and compares, is what we built in the factory exactly what you have brought into your environment? And if there’s any difference, obviously, it’s alerts and that system will not come online. So we protect it in that way, as well.
I tell you when I go out to customers I do a lot, that’s one of the key topics, they really phrase it in business continuity. But it really is your supply chain resiliency and security.
Mohsen Fazlian 25:20
I think as you mentioned, Doug, Lenovo was the first company that actually partnered with us and took the transparent supply chain to production. One thing that, you know, I have always said is, when it comes to the supply chain, I truly look at it and I want Intel to look at it from sand to sand. So from the time that you turn the sand into silicon and goes into building a platform, and then that platform gets transported, as you mentioned, to your OEM and ODMs, and then gets deployed. And during that deployment, you know, gets updated with security updates to keep it always up to date to a point that it retires and it gets grinded and turns back into sand. I think that’s the entire supply chain that we are looking at. And the TSC 2.0 is coming about, which will have more capabilities to enhance the transparency and security of the supply chain.
One other thing that I wanted to offer here, Camille, was getting the platform to end users, as Doug mentioned, to make sure they receive what they’re supposed to receive is very important. And at the same time, keeping it up to date to make sure it’s always secure is as important. There was an article awhile back about Intel secret lab. And what is this secret lab and basically what it is it’s we come to realize that in order for us to be able to provide security updates to our platform, as old as you know, you know, platform that being launched almost seven to ten years ago, we needed to be able to have those platforms available to us. And because when we are doing a security patch, again, we go back to those old platforms, validate the patch to make sure that it works. So that created this long term retention, or we call it a mega lab that we have at Intel, which has about 4,000 platforms today. And it’s probably going to grow to about 6,000.
Camille Morhardt 27:32
So you’re talking about when you say platforms, you’re talking about like a PC, or a server literally sitting in a physical location somewhere, should something go wrong in the future–even though Intel’s no longer and Lenovo maybe is no longer selling the system anymore. It’s like, should there be a problem, you have an ability to quickly go and tackle what it is?
Mohsen Fazlian 27:55
It’s not just about the PC, it’s also about the software that goes on top of it, and then all the debug tools that goes along with it. So you’re correct that, you know, if you have a microcode patch today, or a security patch, or they might not impact the product like Broadwell, or Hazwell, but you never know what security challenge you run into tomorrow. But we have that capability.
And some of our platforms, by the way, when we tried to end-of-life those platforms, even past seven years, customers came back and said, ”Hey, we don’t want you to end of service those platforms. We want you, Intel, to continue supporting those platforms for us.” And that’s how the extended servicing sort of a capability or business came about. So for some reasons, we do hold on to platforms even up to ten years, because customers are asking for it and they’re willing to pay for that extended servicing.
To answer your question. Yes, these are platforms in a form of a PC or you know, bare metal server with all the peripherals and software stack that is needed to run that platform in a production environment.
Doug Fisher 29:04
You know, you asked me earlier about my learnings in the military. Let me tell you the best training I got as a leader was at Intel. And it’s phenomenal. And I’ve went through a lot of the heartburn and scars that Mohsen’s talking about when I was there. And I think I’ve been able to bring that into Lenovo.
Camille Morhardt 29:26
What has been applied at Lenovo?
Doug Fisher 29:19
Well, it’s a broad set of things. We have a centralized security review board out of Morrisville, and so all elements go through that. So it’s a central pipeline that trains the experts in a consistent way to review our products. The other thing that’s really fascinating is because of how we built up Lenovo because of the assets we acquired from IBM and from the Motorola assets from Google, we have a steep heritage, a IBM heritage primarily, and my organization has all the security experts that came over when we acquired the Motorola capabilities are still working for us, and they put a level of rigor around some the key components that we provide to our customers; one of those because of the acquisition, we build out what’s called our Ice Lab, for example. And the Ice Lab is a secure lab for our critical firmware that we build for our data center products. And the Ice Lab is biometrically controlled. So you have to have access and has to be authorized. Once you get into that lab, you had to have been a US passport holder. So we have a steep level of rigor to even get access.
And then you have to have the same credentials to sign the firmware. And so that level of rigor really assures our customers that we know who’s working on our firmware, we know who’s touching it, we know who’s signing it. And we use that information to help reassure customers what is happening.
Camille Morhardt 31:00
Well, thank you very much, Doug Fisher, Senior VP at Lenovo and Chief Security Officer, and thank you for co-hosting with me today Mohsen, Corporate Vice President of Intel’s Product Assurance and Security Group.
Doug Fisher 31:12
Thanks. It’s great to be here.
Mohsen Fazlian 31:13
Hey, thank you so much, Doug.
The views and opinions expressed are those of the guests and author and do not necessarily reflect the official policy or position of Intel Corporation.
