Interview: Charles Palmer

IBM’s T.J. Watson Research Center in Yorktown Heights, New York
Charles Palmer, IBM

I arrived at IBM’s Watson Research Center, nestled in New York’s lower Hudson Valley, on a day that made you wish you had just stayed inside with the air conditioner – a kind of rainforest-type humidity that turns the air translucent.

Being a journalist, I often find that knowing exactly where to start off the conversation can be the most daunting obstacle when sitting down to interview someone. I found out quickly that this would not be the case for IBM’s Charles Palmer, as our conversation about cybersecurity was in full swing before we even took our seats.

Times have evolved, things have changed, and it has become very clear that one of the areas where IBM has deep strength is security, says Palmer. “Clearly this cyber thing has a lot of people spooked.”

“What they don’t know is terrifying”, he continues in a rather matter-of-fact fashion, speaking about organizations of all stripes. In his experience, Palmer says that management from both the private and public sectors, when questioned about whether they’ve been hacked, almost always say they have not.

Palmer recalls that his response is typically: “Then how would you know? If I did it”, he added with a note of pride, “then you wouldn’t know”. What else can we expect from the man who is CTO for security and privacy at IBM Research and the associate director of computer science at the company’s Watson Research Center? As one of the founders of IBM’s ethical hacking team more than 15 years ago, his security street cred is unquestionable.

A Legacy of Vulnerability

He paraphrases one colleague’s characterization of the cybersecurity landscape at present. “There are companies that are about to be hacked, companies that have been hacked, and companies that are about to be hacked again. Pretty much that’s it”, Palmer confirms.

The IBM CTO says that it’s a simple fact of life that we cannot live without computers, and with that comes government’s realization that it must pay attention to cybersecurity.

The need for investment in security has never been clearer in Palmer’s opinion, because many infrastructure-related systems were not built with computer security in mind. This recent focus by the previous and current presidential administrations is the bright side of the cybersecurity equation.

Increased awareness, and even focus, smacks right into the face of reality, however. “Some of those devices don’t have the brains to do it; they don’t have the muscle to do crypto or any kind of authentication”, reveals the self-proclaimed propeller head.

To him, it’s the legacy effects of current critical infrastructure systems that must be overcome if we are to begin taking up the cybersecurity challenge.

A smart grid, in addition, presents even more unique challenges, says Palmer. “Whether it’s the transportation system, the power grid, whatever, there’s the ongoing physical challenge to keep the stuff working at that level. And now the fact that you’re plugging it into a network just adds to it.”

It may not necessarily be the case that systems run by the public and private critical infrastructure organizations are the biggest security risks in a smart system setup. Palmer believes that it’s really “all the other little gadgets” tapped into the same systems that may present the most danger from a cybersecurity perspective.

Controllers implemented on sensitive infrastructure systems, such as energy generators or pipelines, are now connected to the network. They must have a way to validate that they are communicating with the proper source, and not a hacker. He says the proprietary network protocols used by these controllers are no longer a secret to the hacker community.

“Like anything else with security, as soon as it becomes interesting, either financially, [a] technical challenge, hacker points – flip the scoreboard purple – then boom, there they are”, he says of the hacker’s propensity to take up projects based on incentive, or sometimes for just a plain wow factor.

The primary security dilemma expressed by Palmer: “These controllers have to have some way to know that they are talking to momma. And they don’t always have that.”

Far from being all gloom and doom, he assures me that IBM’s security teams are working hard on the problem – along with many others in the field – while keeping the legacy implications in mind.

Yellow Means Danger

With all he knows about cybersecurity vulnerabilities in the US transportation sector, Palmer can’t help but have a sense of humor about the whole thing, regardless of the daunting task facing cybersecurity experts like himself.

At a recent gathering of government security people, he recalls someone asking what kind of damage a hacker could do to so-called ‘smart city’ infrastructure networks. One person replied they could turn all the lights red, as if to metaphorically bring the world to a halt. Palmer replied that a smart hacker would turn traffic lights yellow, so everybody would speed up dangerously. “All of a sudden you’re in Italy”, he jokes.

He argues that cyberattacks of the future will be more subtle – the types of attacks that are not immediately detected. This is for good reason, because attackers with ill intent, the smart ones anyhow, will want maximum impact with little exposure.

If you hack eBay, you would inconvenience a few thousand people for a brief period of time, which Palmer implies is the least of our worries. You’ll simply wait to resume this interaction at a later point, he assures.

He immediately turns contemplative, and asks me to consider “cybersecurity”, in rather Socratic fashion. What would happen if someone attacked networks used by New York City? Or those that run the power grid? The questions were directed at me, but they were quite rhetorical.

“Now you affect a bunch of people – seriously”, Palmer responds. “And so everyone is concerned for a variety of reasons.”

“The interest level is extremely high”, Palmer continues, insinuating a glimmer of optimism because politicians, businesses, and even individuals now see value in the need for cybersecurity investment. It is quite obvious to me that despite all the challenges he has laid forth so far, the government’s ramped-up interest in security has Palmer visibly enthused, most likely because he’s thinking about all the different ways to throw up an effective defense.

All of a sudden Palmer’s engagement ratchets up a bit, talking about the US government’s recent finding of the cybersecurity religion. “A lot of cool things are happening, and it became very clear that we needed more geeks in this space.”

Partners in Security

It’s not only IBM that needs these cyber geeks. It’s HP, Microsoft, the Department of Homeland Security, private vendors, public security people, anyone who participates in this private-public partnership that Palmer moves our discussion toward.

Government takeover of the power grid in the US? “Good luck!”, Palmer exclaims. “[The government] does not have the people to understand it, to manage it.”

“They don’t have the deep geeks. Things have gotten so complicated that the government cannot possibly manage this all on their own.” He believes the government would give it a go and try to run something as complicated as the power grid in an emergency situation, but they would ultimately fail.

Palmer contends that this is the reason why the private-public cybersecurity collaborative we currently find ourselves with is an absolute necessity. “Eighty-five percent of the critical infrastructure is owned by the private sector”, he adds, “and so Uncle Sam can’t do it by himself”.

The IBM Institute for Advanced Security, based in Washington, DC, should be a vital part of this partnership if Palmer has his way. He reflects that, until recently, market demand for security was lacking. “Part of the reasons we have all these problems is there has been a market failure”, he confides. “There has been no motivation to make your systems more secure.”

“We’ve been doing it right for a long time”, he says confidently, insisting that security has always been a concern at IBM, irrespective of market forces. The new challenge both Palmer and IBM’s security researchers now face is how to make sense of all the information generated by security technology – finding solutions that provide real-time, streaming analytics for private and public sector organizations alike. “We have to find a way to put this all together and make it all stick”, he maintains.

“When I first arrived in this building, I was told by my boss at the time to ‘Do something cool’ ”, recalls Palmer. Cybersecurity, which can be viewed as a rather unsexy topic by some, is far from mundane to someone with this sort of enthusiasm, in spite of its serious implications. The art of defense and the challenges it presents appear to keep Charles Palmer fully engaged, and it is reassuring to know that people like this are on the job.

“Anyone can be a hacker”, he tells me, “but it’s a much tougher job to think evil, and then do something about it.”
