Marking another revealing chapter in our 2024 Cyber Defenders interview series, we spoke with Philip George, executive technical strategist at Merlin Cyber, for his views on both the encouraging trends – and the challenging ones – on the cybersecurity horizon. Read on as Philip takes us through the importance of tech advancements at the data level, and the security complexities that are flowing from growth in artificial intelligence (AI) and machine learning (ML) applications.
MeriTalk: Philip, congrats on your Cyber Defenders award! Can you tell us a little bit about your job and what security work you are doing for Merlin Cyber?
George: My job as an executive technical strategist is to understand how and where emerging cyber threats intersect with our customer’s mission. With the goal of identifying the best cyber capabilities to mitigate identified threats and provide the most value to the customer’s mission.
We realize there is a lot of technology spend happening across the public sector, but not all tech spend is beneficial for the mission of the Federal agency or the department that’s consuming it, so we take a very empathetic approach to engaging our customers and listening to their feedback on their current operational posture and specifically, how technology is being utilized. Thereafter, having a better understanding of the current state of capabilities, we can more effectively assist the organization with getting more value from their technology investment. Whether this means changing our products or spending time helping them optimize existing implementations and improving the quality of data being produced. My role basically comes down to reconciling mission needs with cyber technology capabilities and finding opportunities to add value on both sides.
MeriTalk: In the bigger picture of security, what are some recent policy and tech trends you are seeing that are helping to improve security that we should be doing more of?
George: I am encouraged to see a growing focus on better understanding how data is being utilized, as well as the potential threats that come with making data more accessible at large.
The advent of machine learning and large language models is putting greater focus and scrutiny on the data sources that feed those programs. As organizations look to identify ways to employ machine learning and artificial intelligence across their business areas, it’s giving us an opportunity to actually perform due diligence and analysis around who’s accessing the data and how to better protect it– as well as the LLM or AI that’s being developed around it. Because the last thing any organization would want to do is to invest into a new ML/AI product only to see it turned into a malicious source of information or worse yet be weaponized.
This scenario is now affording us the opportunity to bring better hygiene into data collection and aggregation, while simultaneously supporting ZTA modernization objectives as well.
The post-quantum discussion in particular is one that relies very heavily on data security and ciphers that are used to achieve, protect, and assure ML/AI outcomes. So in stroke, cover both of those emerging technology protection areas when you start assessing and enhancing data protection strategies. Such a modernization effort also presents the opportunity to explore new cryptographic concepts like crypto-agility, which provides organizations with the ability to dynamically change cryptographic algorithms/ciphers without the need for rewriting software code.
MeriTalk: Also in the bigger picture, what looms large for challenges in improving security?
George: With all the excitement to adopt ML and AI, comes a plethora of opportunities for exploitation because of a poor understanding of your now expanded attack surface. I’ve seen organizations do the minimum amount of work necessary to stand up an ML or AI workload without actually understanding what it takes to provision the access, maintain high integrity around that access, and the fidelity of information that the ML/AI is training or learning from.
There’s also a substantial increase in complexity, which can quickly erode any defense in depth or traditional boundary protections for the affected data sources. The outcome of such being an interconnected system of systems for data lakes, neural networks, and training data which could be ripe for poisoning and result in a greater potential for hallucinations or outright malicious manipulation. So you very quickly are dropped in this expanded ecosystem of jargon, capabilities, and data sciences that very few cyber organizations are resourced to properly deal with. Which leaves cyber (as time has shown in the past) with the challenge of keeping up with the needs of the business from an innovation perspective. While also staying relevant in the discussion and not being viewed as just the naysayer.
Being able to demonstrate technology enablement without substantially slowing down adoption at the speed of business is a really big challenge, as well as the overarching complexity of our interconnected systems and environment. Which makes it even harder to follow and protect the data because you might hit a roadblock.
MeriTalk: How did you find your way to the tech security field, was it something that always seemed like a natural path or was the path more complicated?
George: At the end of high school, I was recruited to join a physics program that sought to attract more minorities to participate in college level physics and sciences. I ended up working for NASA in college as a student researcher and member of the National Society of Black Physicists (NSBP) where we developed a program that was focusing on identifying extrasolar planets, sources of gamma ray bursts, and characterizing active galactic nuclei.
During that time, I had to set up a network – a VPN between multiple universities – and as a student physicist a common motto of ours was that you never asked for help, you did things yourself. This meant we had to build our own computers, code our own software, and build our own networks. I realized that these IT projects were actually very interesting and a growing field in their own right. So I shifted from the physics and astronomy major into computer information systems and shortly after graduating was hired as a contractor with the National Nuclear Security Administration. It was truly a fortuitous turn of events and in hindsight I am extremely grateful for the opportunities the shift afforded me.
MeriTalk: And finally, what do you enjoy doing in “real life” that doesn’t have anything to do with technology and security?
George: I really enjoy spending time with my family which is now comprised of my two daughters, wife, two nephews, and one brother and sister. Having lost both of my parents over the last two years, family time has taken on a whole new meaning. So when we do get to spend time with each other, we enjoy going on simple stay-cations, and deep-sea fishing which was a pastime that was started by our late father and it continues through our family today. Lastly, we really enjoy star gazing and just looking up at the tapestry in the sky.