Interview with Paul McGough, CTO, Qwyit
Paul McGough, Founder and CTO of Qwyit, LLC, a leading cryptosecurity technology firm, is a telecommunications expert with over 35 years of progressively responsible experience managing IT technology teams for the development, integration, implementation and support of financial, project management, database applications and security systems.
QwyitTalk Security as a Service platform provides the proven TLS process using our patented authentication and encryption protocol. Any network, any application, every communications product can instantly offer secure, private messaging by simple, universal connection to our globally available QwyitTalk SaaS platform. Our performance and efficiency are order of magnitude improvements over current TLS methods.
Tell us a bit about yourself. What made you get into the business of cyber protection?
Even while growing up, I always focused on Science and Math. It was a natural progression to gravitate to the explosion in personal computing and technology that began in the early 80’s. I worked in radar manufacturing, moved to DoD government telecommunications programs, and then worked in the classified communications world for over 10 years. This is where the original ideas for our Qwyit authentication and encryption methods began – I sought simpler means to accomplish what took massive computing power and lengthy messaging streams to accomplish: secure communications. I thought, “There’s got to be a better way to do this!”
The core thinking began by studying trust; how it works, for whom does it work, when and where it works. Then I learned that combining unique provably secure mathematic equation sets with simpler pass-through and federated trust models provided an order of magnitude improvement over the current techniques. Qwyit has blossomed from there.
Which industries see a higher tendency to be victims of a data breach? What are the factors that contribute to being a target?
It’s all about The Money! Obviously, the new cryptocurrencies, their exchanges, are ripe – and rich – targets. All of the other victims are spread across many industries and include everything from small businesses to those large incidents with which we’re all familiar. And they have several things in common: something of value is stolen (actual monetary theft like re-directing a wire transfer), leveraged (like identity theft) or replicated (for instance credit and/or banking info). The obvious contributing factors are the amount of data available (Experian) or the high dollar value (cryptocurrencies, individual retirement assets). After targeting value, the main contributing factor is ease – how lax is the security, how fast and how often can it be accessed and moved, etc.
If your data has any value, whether individual elements or collectively in total – and you’re not being security conscious and diligent with its protection from both the customer and employee perspective – you’re a target. Sooner or later.
How does enterprise protect itself currently? How effective are these measures?
The current protection systems include a widespread combination of policy, processes and practices. Policies include, and range from, employee work and computing requirements, data handling, customer reporting legal standards, etc. Processes cover the breadth of the organization, and are mandated for types and levels of employee, for physical access, device specifics and requirements, the installed software and update intervals, etc. Practices cover the organization’s depth and include all the actual specifics of customer and employee Internet connectivity, email handling, operational device management, data integration, transaction processing, etc.
Unfortunately, the effectiveness of a comprehensive, diligent pyramid of protection can only be measured in the negative – if you haven’t been attacked, it’s working…up until it doesn’t. And then ‘it didn’t, so what do we do now?’ needs a recovery process. I’ve told this story before: The University of Maryland’s graduate offices were attacked, and afterward, the President told of just having updated all of their protection with ‘new’. So then, he said, they’d have to ‘double their efforts’. Not knowing what that meant, I came to the conclusion that while a comprehensive protection application is important, in order to actually increase effectiveness, the tools themselves need an order of magnitude improvement.
Tell us about three of the latest trends in cyberthreats, and help us understand them.
My entire focus – and that of our authentication and data encryption methods – is all about end-to-end security; so I’m not a detailed examiner of trending threats. And the reason is simple: there shouldn’t be ‘trending threats’. What can help you to understand this, is that attacks are directly related to the strength of the protection method. Just imagine a cardboard box in your closet holding your money – or it’s in the world’s strongest metal box on a platform in the middle of a military installation surrounded by active, armed soldiers. Right? The highest possible number of ways to steal your money exists in the weakest installation; the method of protection limits attacks. ‘Trending threats’ exist – and will continue to do so – if protection is only focused on stopping existing or imagined attacks, instead of strengthening the actual methods used for protection so those attacks don’t exist.
The best protection is end-to-end. For instance, if I encrypt my social security number and only give out the encrypted version, it doesn’t matter how any recipient stores it. It has no value without my key. And if the storage location needs to ‘use’ it, they ask me for the key. As long as the transmission method, and the authentication of the requestor, used unbreakable methods, then I can give them that key.
Then I change it and re-store the newly encrypted version. My SSN is protected end-to-end, and the access is controlled – and identifiably liable for any damages. If all SSNs were stored and accessed this way – there’d be no value in stealing 140 million of them; as an attack, it simply doesn’t exist. End-to-End stops ‘trending threats’!
How do traditional cybersecurity measures hold up against increasingly sophisticated e-criminals?
There are several different reports output about US cybercrime. Every one of them indicates that cyberattacks are the fastest growing crime. Period. If it was bank vault robbery, you’d rightly assume that ‘traditional measures’ were no longer working: the criminals have figured out how to melt steel! But what is happening electronically, is that a convergence of the increasing amount and value that is being transacted and stored, is meeting headlong with an increase in the sophistication, understanding and capabilities of those bent on stealing it. So some of the crime is ‘melting steel’ (attacking traditional measures), while some is just an increase in capability – and creativity.
I just happened, today, to be at my bank to wire some funds to a home builder. Lo and behold, about three hours after accomplishing the transaction at the branch, I received a call from their National transaction center, saying my transaction had been flagged – and held – because of a recent scam involving wired funds and home transactions (because of the substantial value!). Seems the criminals scan open emails from identified home-related businesses, garnering personal info, wiring instructions, etc. – and create fraudulent emails with instructions to send to their accounts instead. There is no recovery from this – everyone loses. My bank’s diligence, and personal involvement, verified the transaction. So there is at least one ‘traditional measure’ that is still effective against cybercrime: personal, authentic, service.
The disturbing aspect is the cost, and the unavailability of providing this ‘fix’ to daily, lesser valued assets – but these are just as important to all of us individually. As I stated previously, the real fix is in end-to-end security: if I sent the wire to the wrong place, they wouldn’t have been able to use it without the key to open it – and that would have been sent, authentically only to my builder. We’d just wire it again, to the proper destination – no harm, no foul. And no cybercriminal would ever have created such a scheme because there’s no value! Oh – and how about end-to-end email security in the first place…
Can you talk us through authentication versus encryption and why one might confuse one for the other?
Authentication is making sure something is what, or who, it’s supposed to be. Encryption is using something to hide a message (encrypt) that only someone who has the same ‘something’ can use to reveal the message (decrypt). In electronic communication, that ‘something’ is a digital key. While using encryption, you may confuse the two, if what is being hidden is authentic!
Suppose you and I are throwing a surprise party for our friends next week – and we get together and share a ‘key’ that we’ll use to hide our messages to each other in planning for the party (because our friends always shoulder-surf and read our emails when we look at our phones!) When we send messages back and forth, we use our key for encryption and decryption. After I send a message to you, you can read it – but how do you know I’m the one who sent it to you? Maybe I wrote down our key, and one of our friends saw it! That’s the authentication part – and how it’s different than the encryption part. You’re sure it’s a real message because it decrypts into what you expect: but how are you sure that I wrote it?
In today’s systems, the authentication is covered by a different exchange using Public Key technology; and then that authentication exchange includes sending a new key that we’ll use for encryption in subsequent messages. As you can see, this answers your question about any message that includes the authentication exchange – but if we don’t do it every single time, can you really be sure it’s me? Unfortunately, this dilemma exists in today’s Public key: authentication isn’t used in every message…and that is one of the ways cybercriminals can attack.
Are AI-companies more at risk? If so, how?
I don’t believe AI companies are at any more risk than any other – but their AI technologies are so incredibly vulnerable it is frightening. I’ve used this example before, and it’s pertinent here: when in recent memory, in all the stories about the AI evolution in Autonomous Vehicles, have you read a single article that instead of questioning capability or morality (the Trolley Problem), you read about the security of technology to thwart outside attacks and interference? Do you remember the recent, famous hacking escapades of a couple researchers who took control of a late-model car while it was being driven by a human? What does that say about what could/will inevitably happen when a fleet of sitting-duck AutoCars are just idling in some garage? AI technology is going to revolutionize something, alright – but it isn’t travel, it’s hacking – as someone makes those cars tootle around wherever they want! The danger of the weak security is absolutely startling.
There is no greater risk to the acceptance of this revolutionary AI next-step commuter’s dream than using traditional security system authentication and encryption methods: just one single hacked crash fatality will, rightly, destroy the $ Billion industry before it even begins. And this is just one of the first AI endeavors. The risk greatly exceeds the current security.
What trends do you see in the cybersecurity community and what can we expect in the immediate future?
The absolute best trend is awareness and diligence – and a motivated, concerted effort to try new ideas. Things like Machine Learning as applied to cybersecurity, SAO marketplace maturity, efforts in the IoT marketplace are all immediately at hand.
How does Qwyit’s technology offer protective and responsive functions to protect their customers?
QwyitTalk, our Security as a Service, is the first and only TLS methodology improvement since its inception 20+ years ago – it also happens to be the only unbreakable security technology available today. TLS is that lock on your browser indicating secure communication – and it’s the only global secure communications protocol. We provide the exact same authentic and encrypted time-honored process – but we provide it as a uniform, universal service that any network can instantly join and then deliver unbreakable communication security for their application customers.
QT provides every participant in secure communications with an order of magnitude technology advancement over current TLS: For networks – performance and efficiency. For business – unbreakable assurance for data control. For users – simple and flexible use without maddening new ‘stuff to do’. For developers and administrators – straightforward, streamlined, universal, uniform implementation. For everyone – unbreakable end-to-end security.
How has mobile banking and cryptocurrency changed the game? Are we in more danger now?
More danger? In a word for both: YES. There are two major security issues with mobile banking – the mobile part (the connectivity networks, the devices, the integration, the providers, etc.) and the banking part (even more integration, transaction networks, hardware, participants, etc.) The sum is more than the parts: the difficulty in providing end-to-end security requires substantial methodology improvements – and without them, as more and more of the banking value (transaction volumes, and amounts) are performed using mobile, the more attack points and profiles will surface. The convenience can’t be beat: security needs to step up.
Cryptocurrencies, while still operating in a cloudy regulatory environment and as demonstrably shown in the constant huge monetary attack losses at exchanges, are a nightmare waiting to turn into a daylight tragedy. The main danger is that the best of the security technology industry isn’t focused on improving this market; as its sustainability as a viable business partner is lacking. There certainly is danger lurking there…just ask Mr. Wozniak.
Thank you Paul! That was fun and hope to see you back on AiThority soon.