Thomas Glocer, a 1984 graduate of Yale Law School, has been helping to fend off cyber attacks for nearly two decades. As the CEO of Thomson Reuters from 2001 through 2011, he had to secure the firm’s trading platforms, which were a target. His fascination with the multi-faceted demands of cybersecurity grew while chairing the committee responsible for technology on Morgan Stanley’s board of directors. Today, Glocer is the co-founder and executive chairman of the cyber defense firm BlueVoyant. In a conversation with Yale Insights, he discussed cybersecurity, and its limits, as well as a radically new model for privacy and protection of the data we all create as participants in today’s digital world.
Q: How did you get into cyber defense?
Cyber defense brings together issues that interest me—compelling technological challenges and a geopolitical overlay where foreign-state actors might want to compromise not only government and military systems but financial services, the power grid, etc.
When I ran Thomson Reuters from 2001 to 2011, we were subject to significant amounts of electronic probing, in part because of the electronic trading systems we operated in foreign currency and fixed income. As a result, I fell in with a group of, call it, concerned cyber warriors who were worried that the nation’s banking system wasn’t adequately protected.
Later, on the Morgan Stanley board, I chaired the operations and technology committee, which was responsible for oversight on cyber defense. I thought cyber defense would be a good area to start a new company. I launched BlueVoyant with Jim Rosenthal, who had been the COO at Morgan Stanley and directly responsible for cyber as well as all the rest of the tech work at Morgan Stanley. I’m BlueVoyant’s executive chairman, and Jim is the chief executive.
Q: What does the company do?
The company does three main things: threat intelligence, managed security, and proactive professional services.
Threat intelligence provides actionable early warnings about the bad things that are out there. That’s typically for larger companies that have a security operation that will know what to do with the information.
The managed security service is typically for companies that haven’t invested tens of millions of dollars to build their own cyber defense operation; they can hire us to provide it. We can build and monitor a security stack.
The third piece is cyber forensics and incident response services. Whatever happens, we can do something about it, either remediating remotely or sending in human beings.
Because of my background and Jim’s, we work a lot with financial services. But we have customers across pretty much every industry because, unfortunately, everybody is subject to hack or attack. I wouldn’t have thought Sony Pictures was at a big risk of cyberattack. But obviously they were, and a very crippling one.
Q: How well prepared is financial services at this point?
In my view, financial services overall is quite well defended. The bigger firms themselves recognized relatively early what the threats were. They typically have very good technology operations and spend a lot of money. The threat, I think, is more in the medium- and smaller-sized institutions—the savings and loans, the community banks—that just can’t spend that amount of money but still have assets that are attractive to the bad guys.
Q: What are the key threats?
I am told by the people who know that if, for example, the U.S. or the Russians or the Israelis really want to be in your network, they will be in your network. You won’t know it until something bad happens. And something bad may never happen. They may just be there to be prepared or to look at your information.
We don’t purport to stop those highest-level, most-advanced, persistent threats out of a cluster of governments with the most advanced cyber capabilities. But we can stop a lot of other things, including second- and third-tier nation states and criminals who unfortunately now have not only their own tools but some of the tool sets that nation states develop that have been released through earlier hacks. There’s a famous NSA tool set out there.
These days you can go on the dark web and, in effect, rent a very high-quality attack platform. You don’t even have to be able to develop malicious code yourself; it’s all there for hire. There’s quite an underworld ecosystem.
Q: How do you keep up with the ever-evolving threats?
Well, it takes a fair amount of ongoing research efforts. The way our threat intelligence works at BlueVoyant is we own multiple data sets. We see something like three million events a second as they occur out in the internet. If you run these electronic events, this internet traffic, through the right big data analytics, folks who know what to look for can pick up the very subtle signals of, for example, a command-and-control cluster being formed or the early moves for an attack.
What everybody wants is time. It’s the most critical factor. Everybody says, “Give me warning. Let me do something. Let me add a malicious IP address to my blacklist on the firewall before it gets through. Let me cordon off a section of my network.”
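The early-warning signal Glocer describes, several hosts inside a network beaconing on a regular schedule to the same new external address, is the kind of pattern a threat-intelligence pipeline looks for before adding that address to a firewall blocklist. The following is an added example, not BlueVoyant’s code or anything from the interview; it runs a simple periodicity check over a constructed set of connection events (documentation IP ranges, invented hosts) and emits iptables-style rules for any destination that two or more hosts beacon to in lockstep. The thresholds (`min_hosts`, `min_conns`, `max_cv`) are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev


def constructed_events():
    """Constructed sample traffic: (timestamp_seconds, src_host, dst_ip)."""
    events = []
    # Three internal hosts contacting the same external address about every 60 s,
    # with small jitter, the way a command-and-control beacon typically behaves.
    jitter = [0, 2, -1, 3, 0, -2, 1, 2]
    for host_idx, src in enumerate(["10.0.0.11", "10.0.0.12", "10.0.0.13"]):
        start = 1000 + host_idx * 7
        for i in range(8):
            events.append((start + 60 * i + jitter[i], src, "203.0.113.10"))
    # Ordinary browsing: one host, irregular intervals, to an unrelated address.
    for t in [1005, 1012, 1090, 1400, 1402, 1700, 1950, 2300]:
        events.append((t, "10.0.0.11", "198.51.100.7"))
    # A single host polling a service on a fixed timer (e.g. time sync): periodic,
    # but not a cluster, so it must not be flagged.
    for i in range(8):
        events.append((1000 + 64 * i, "10.0.0.14", "198.51.100.123"))
    return sorted(events)


def intervals_by_pair(events):
    """Map each (src, dst) pair to the list of gaps between its successive connections."""
    times = defaultdict(list)
    for ts, src, dst in sorted(events):
        times[(src, dst)].append(ts)
    return {
        pair: [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        for pair, stamps in times.items()
    }


def is_periodic(intervals, min_conns=4, max_cv=0.2):
    """True when the gaps are regular: coefficient of variation below max_cv."""
    if len(intervals) + 1 < min_conns:
        return False
    avg = mean(intervals)
    if avg <= 0:
        return False
    return pstdev(intervals) / avg <= max_cv


def find_c2_candidates(events, min_hosts=2, min_conns=4, max_cv=0.2):
    """Destinations that at least min_hosts distinct sources beacon to periodically."""
    beaconers = defaultdict(set)
    for (src, dst), gaps in intervals_by_pair(events).items():
        if is_periodic(gaps, min_conns, max_cv):
            beaconers[dst].add(src)
    return {dst: sorted(srcs) for dst, srcs in beaconers.items() if len(srcs) >= min_hosts}


def blocklist_rules(candidates):
    """Illustrative egress-deny rules for each flagged destination (iptables syntax)."""
    return [f"iptables -A OUTPUT -d {dst} -j DROP" for dst in sorted(candidates)]


if __name__ == "__main__":
    candidates = find_c2_candidates(constructed_events())
    for dst, hosts in candidates.items():
        print(f"candidate C2 {dst}: beaconing hosts {hosts}")
    for rule in blocklist_rules(candidates):
        print(rule)
```

The single host on a fixed timer is deliberately left unflagged: one periodic connection is normal infrastructure behaviour, while the same rhythm from several hosts to one new address is the signal worth a warning. In a real deployment the candidate list would be checked against known-good services before any rule is pushed.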
Q: How did you decide where to focus the company?
The good news for business and for society is there are a lot of cyber defense companies. Thanks to some of the older, larger established players, pretty much everyone has a firewall and anti-virus software. As the threats became more significant, others have founded companies to offer additional tools like predictive analytics that run over network traffic or software devices, things like honeypots or watering holes which can attract traffic that you can then either analyze or isolate.
We studied the market and identified a number of opportunities where we saw a product-market fit. One was advanced threat analytics, especially third-party vendor vulnerabilities. On my way up here, I passed a room that had a class on supply chain management going on inside. Supply chain management has meant one thing for a long time, but increasingly it should also refer to the chain of vendors that have points of digital entry into your company.
For some companies that’s tens of thousands of vendors. Maybe you’ve done a decent job securing your own infrastructure; how secure are your vendors’? How do you evaluate that? That’s a service we offer. We saw a real opportunity in that threat intelligence, so we aligned a good part of our operation around it. I could tell a similar story about our managed security service.
Q: Thinking about vulnerabilities of the average person, should we be more concerned about our data getting hacked or everything we implicitly share with Facebook and all the other tech giants?
It’s an interesting question. I’m not a conspiracy theorist but I would worry more about Facebook, Twitter, Instagram, etc. I think what happened, certainly in the U.S. but across many countries, is before people realized some of the darker uses that their information could be put to, the convenience and attraction, and above all the initially free price tag, of using many of these services meant that we essentially clicked away permission like sleepwalkers. Often, we grant very significant data accumulation.
I think the average person can’t begin to understand the sheer enormity of the information that’s collected—every like, every click, every single website you’ve been to in order and your geo-fence location when you visited each site. All of that is recorded and owned not by you but by the variety of services that you use. And while each data point in and of itself seems pretty harmless, taken as a whole and running some decent data science across it, you can find out some really surprising and very personal things that you probably wouldn’t want to get out there.
Q: I think people worry about privacy, but they’re not sure exactly why. Should we be worried about the intentions of the big tech companies?
I guess I have the shortcoming of knowing a lot of these people personally. I don’t believe that Mark Zuckerberg or Sheryl Sandberg or the folks at Twitter set out on an evil conspiracy to deprive us of our privacy. Ditto for Google, which is an enormous store of data. These are thoughtful and, in general, well-meaning people. They are also leading enormous, profit-making, public companies, and they typically monetize through selling advertising against that data.
The extent and uses of the data have never been an explicit contract with the users of the services. So, I don’t think one has to posit any evil intent to understand that as businesses get larger and larger, it can move beyond leaders’ ability to personally control and police all the uses of the platform.
Q: You wrote a blog post proposing an alternative model for data management. Could you explain the idea?
There’s a fair amount of thought leadership around the edges of technology, philosophy, and government on the question of, “Whose data is it anyway?” One idea is to flip the model completely. Imagine if you held a digital vault, on your phone, let’s say, or secured in the cloud, and that vault contained your entire browsing history, your pictures, your entire location history—all of your various electronic bread crumbs organized into different collections or time series of data.
Because you control your vault, Google, Facebook, Instagram, or Twitter might come to you and offer to pay twelve cents every month for your browsing history. Somebody else is training up an AI and they’d like access to every photo you keep in online photo services, so they offer to pay for it.
It’s a model where you control the data and providing it to companies requires a much more explicit authorization. You’d probably only be receiving micro-payments, so you might just decide, “Well, actually I’d rather keep things private.”
It’s sort of cool to find out where your great-great-grandfather came from, but maybe you’d rather not have your genome sitting up in the cloud. Did you agree to your genetic sequencing being sold to an insurance company or not? Can that data be used to catch a serial killer? It’s great that a serial killer was caught, but it is also an unforeseen use which made a lot of people concerned about who can access that data.
We’ve gotten to this point with little fanfare about who owns our data and how technology can be applied to it. We may need to have more of a discussion and make some more intentional choices.
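The vault model in the answer above inverts today’s arrangement: data stays with its owner, a company must ask for a specific collection and name its offer, and nothing leaves without an explicit, scoped, time-limited authorization. The following is an added illustration of that control flow, not code from the interview or from any product Glocer describes. The class name `PersonalVault`, the requester names and the records are invented; the injectable clock exists only so the expiry check can be exercised deterministically.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class Grant:
    """An explicit authorization: one requester, one collection, bounded in time and uses."""
    grant_id: str
    requester: str
    collection: str
    offer_cents: int
    expires_at: float
    uses_left: int
    revoked: bool = False


class PersonalVault:
    """Owner-held store where every disclosure requires an explicit, scoped grant."""

    def __init__(self, owner, clock=time.time):
        self.owner = owner
        self._clock = clock
        self._collections = {}   # collection name -> list of records
        self._pending = {}       # request_id -> (requester, collection, offer_cents)
        self._grants = {}        # grant_id -> Grant
        self.audit = []          # every request, decision and read, for the owner to review

    def put(self, collection, record):
        self._collections.setdefault(collection, []).append(record)

    def request_access(self, requester, collection, offer_cents):
        """A company asks for one named collection and states what it offers; nothing is released yet."""
        if collection not in self._collections:
            raise KeyError(f"no such collection: {collection}")
        request_id = secrets.token_hex(8)
        self._pending[request_id] = (requester, collection, int(offer_cents))
        self._log("request", requester, collection, offer_cents=int(offer_cents))
        return request_id

    def pending_requests(self):
        return dict(self._pending)

    def decide(self, request_id, approve, ttl_seconds=3600, max_uses=1):
        """The owner approves (returning a grant id) or declines (returning None)."""
        requester, collection, offer_cents = self._pending.pop(request_id)
        if not approve:
            self._log("declined", requester, collection)
            return None
        grant = Grant(secrets.token_hex(16), requester, collection, offer_cents,
                      self._clock() + ttl_seconds, max_uses)
        self._grants[grant.grant_id] = grant
        self._log("granted", requester, collection, grant_id=grant.grant_id)
        return grant.grant_id

    def revoke(self, grant_id):
        """The owner can change their mind; later reads under this grant fail."""
        self._grants[grant_id].revoked = True
        self._log("revoked", self._grants[grant_id].requester, self._grants[grant_id].collection)

    def read(self, grant_id, requester):
        """Release a copy of the collection only while the grant is valid for this requester."""
        grant = self._grants.get(grant_id)
        checks = [
            (grant is None or grant.requester != requester, "unknown grant or wrong holder"),
            (grant is not None and grant.revoked, "grant revoked"),
            (grant is not None and self._clock() > grant.expires_at, "grant expired"),
            (grant is not None and grant.uses_left <= 0, "grant uses exhausted"),
        ]
        for failed, reason in checks:
            if failed:
                self._log("denied", requester, None, reason=reason)
                raise PermissionError(reason)
        grant.uses_left -= 1
        self._log("read", requester, grant.collection, grant_id=grant_id)
        return list(self._collections[grant.collection])  # a copy, never the live list

    def _log(self, action, requester, collection, **extra):
        self.audit.append({"ts": self._clock(), "action": action,
                           "requester": requester, "collection": collection, **extra})
```

The point of the design is that the default is denial: a requester holds nothing until the owner acts, the grant names exactly one collection, and expiry, use count and revocation all close the door again without the owner having to trust the recipient to stop on its own.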
Q: Is it still hypothetical or are we hitting a tipping point?
Well, I think the last U.S. presidential election and the things that have been coming out in the congressional hearings suggest they are more than hypothetical. I also think we are pretty clearly moving in the direction of legislation which will affect the platforms.
The UK has developed far-reaching legislation that would put the burden on the platforms to essentially police hate speech and the like on the platforms. And with respect to privacy, a California law went into effect which mimics the EU’s GDPR legislation on data management and privacy.
I think we will only see more of this as people understand how much they’ve given away.