Legends of Tech: Episode #23
A weekly podcast where Chris Georgellis, on the Customer Development Team, interviews people across the tech industry. From veterans, to hall of famers, day to day tech industry people as well up and comers. Get to know them as individuals, find out what drives them, how they got into tech, and what they see now.
Good afternoon, good morning, good evening everyone. Welcome to episode 23 of Legends of Tech.
Today I am super pumped to have this guest. His name is Dr Chris Peiris. He's currently the Cybersecurity Advisor at the Department of Defense in Canberra.
Chris was previously with Microsoft and Avanade Australia as the Director of Cybersecurity.
He's a passionate cybersecurity professional and has assisted many Fortune 500 customers to unblock cybersecurity blockers to enable large digital transformation power projects.
As a former Asia-Pacific and Japan cybersecurity lead, he has assisted creating government-wide secure threat management frameworks in Taiwan, Singapore, New Zealand and Australia.
He has also created an incident response security operations center, cyber fusion center, advisory services and threat intelligence capabilities to build cybersecurity capabilities across Asia -Pacific and Japan.
Chris's experience in building large-scale cyber fusion centers led the leveraging private cloud, hybrid cloud and public cloud protection and detection service providers around the world.
His current passions are quantum -proof cyber cryptography, polymorphic ransomware and Zero Trust architecture.
That's a tongue twister, isn't it, Chris? Chris is also an author and has 24 years of experience around the world.
Please welcome Dr Chris Peiris.
Thank you. Thanks for having me. Thank you very much. Glad to be here.
Thank you, Chris, for the opportunity. No dramas at all. Well, mate, how is everything in Canberra?
Well, it's a beautiful sunny day today. So we had a bit of rain, but it's great.
So you know, we've been blessed with good weather and hopefully we'll get a bit of cricket on the weekend also.
Fantastic. So you're a bit of a cricket fan, are you?
I am. I am. So, you know, it's funny enough to I know we're talking about technology, but my life actually started in Australia as a cricket player.
That was my first job. Yeah. So I was a migrant. I was born in Sri Lanka in Colombo.
This is the 80s and the early 90s, for example. And I'm not sure whether you guys are aware of there was a civil war going on for Sri Lanka for 30 odd years.
Everyone was affected, my family. So I came here to Australia, to Melbourne as a student.
And the only job I could find was playing cricket. So how did you go from cricket into cyber security?
Ah, look, it's a it's an interesting story.
Look, first of all, me being in IT is an accident. And second of all, me being in cyber security is an accident.
So let me let me expand on it. So look, I like I said, when I when I migrated here, I spoke very little English, frankly.
My mother tongue is Sinhalese, which is very different. So I never had formal English education, if I can say.
So when I came here as a student, I didn't really have any qualifications to enter into tertiary education.
The only the amount of marks I had to get into university was for Bachelor of Business Accounting, frankly.
So I remember turning up to what it used to be Caulfield Institute of TAFE, which is a Caulfield campus for Monash University today.
If you're familiar with Melbourne, so I rocked up to F Block, which is one of the very old buildings in CIT.
And I was filling out a form for Bachelor of enrolling in Bachelor of Business Accounting.
And there was a and I was told and I didn't really understand all this.
I was told in order for you to do the degree, you have to have a minor being enrolled.
So I said to them, what is a minor?
And they said, no, there's a thing called this computer science thing, you could do computer programming, you could do as a minor.
And and I don't know, maybe I'm showing my age, Chris, this is probably before your time.
But back in the 80s, there was this thing called MS-DOS and Microsoft DOS and basic programming language.
It used to be before the C++ and Java and things like that. So I was lucky enough to do a basic course earlier.
So I had some knowledge of programming. So cutting a big story short, I ticked that box saying I'm going to do computing as a minor.
So then once I got into it, I started enjoying it more, you know, C++ programming.
I got heavily into coding those days. This is the late 80s, early 90s.
And I remember this thing called the Internet was taking off and it was talking about it.
And just to share with you, there's a romantic flavor here. My girlfriend was actually in the U.S.
I was trying to figure out a way how to connect with her because we didn't have the money to, you know, there's only phone calls these days.
There's not even email. If you remember, we didn't have email. So somebody told me in IT there's this SMTP protocol and HTTP protocol and work out something called the Internet so you can send free emails to your loved ones overseas.
So I got into it and there was my IT. On a serious note, I was very lucky.
I was to be in the position when especially at Monash University around 95, 96, if memory serves me correctly, there was an initiative by Microsoft that they realized this Internet is coming and they need to change everything from client server architecture to Internet distributed architecture.
So they were revamping their platforms with something called .NET framework.
I'm not sure whether you guys are aware of it, but .NET is the foundation of the Windows operating system essentially, which is built for multiple WANs and Internet technologies as opposed to client server point-to-point technology, which was calm those days, if you remember.
This is going back a few years. So what people may not know is actually some of the initial research for .NET framework was actually done through Monash University and Melbourne University in Australia.
And there was a project called the Mono project that I worked on, which started my association with Microsoft that's been going on for what, 25 years, 25 years.
Thank you. So anyway, it's a long, I don't want to take up too much of time.
I love the story because I must say we must be the only industry or one of the only industry in the world where we've come, you know, we fell into IT or we did a course that led us to somewhere else or we met someone that did something.
So your story is fascinating. So growing up as a kid, did you ever have technology in your mindset?
No, I mean, to be honest, if you're growing up in a third world country, I didn't, we didn't even, we didn't have a 386 computer, to be frank with you.
The only 386 or 286 computer, if you, and probably the viewers may be scratching their head.
286 is way before the Pentiums and all that stuff, you know, in the 80s.
Only people who had that was, like I said, small, my school had a, like a computer course.
I had like three or four computers and we had 286s and 386s there.
And that's the only time we got exposed.
I mean, my family did invest in a computer a little bit later, but, you know, we didn't really have much resources, frankly.
Yeah, fair enough. No, I find it fascinating because, you know, even myself, you know, I got into technology through, you know, a random way, but I guess I grew up in the 80s.
So for me, it was all about, you know, video games and, you know, picking around computers, but I always find it fascinating to use everyone's background.
I mean, the fact that you've, you know, immigrated to Australia, you're playing cricket, you're studying business, and then you signed up for a computer course is quite fascinating.
So when you went from, I guess, what you're studying to computer science, what was that transition like?
And how, I guess, how did you approach that part?
Was it a difficult transition? Or was it something that you just picked up naturally and sort of ran with?
Yeah, look, I think it was something that's natural to me.
I found something that I'm passionate about. Because anyone who's into coding, you know, basically working with IT, it's a bit of a, frankly, it's a bit of an addiction, to be honest with you.
You know, you, I remember staying up most nights just with coffee and just, you know, plugging away, coding in C++, etc.
So it just became a lifestyle more than anything else. And to me, it was a, and again, I don't want to, you know, spend too much time, you know, on the coding aspect, but I'm always fascinated by the people in IT, you know, it's a disruption part.
I mean, I didn't really understand that. Back then in my younger days, you know, I did for fun.
But what we were doing was we're disrupting the business models that was going ahead.
And what we were doing was people and process was changing because of that disruption.
And that's what's happening today, for the last 20 years.
So to me, that's a fascinating journey. So you know, simple things like, like I said before, so in order to call your loved ones from overseas, we had to pick up the phone and we had to, those days was more than a dollar a minute or something that from memory was very expensive calling overseas.
And the fact that when we invested, I remember spending a lot of time on voiceover IT, once we got IT to work, we did a lot of research simply because the driver was, we just want to call the people we love, you know.
And that actually drove a certain behavior, creativity, if I can say.
It's disrupting those business models when it comes down to it.
That is the everlasting impression to me as IT people standpoint to society.
Yeah, that's, it's a definite, it's a definite evolution, disruption, all that.
So how, so how did you, how did you now, you know, fast forward a little bit, not a few years later, how did you get into cyber security?
What was the... Yeah, yeah. So again, that's a, again, it's another accident.
So if I can, if I can start off from where I left off earlier. So I got into some of the coding from a university perspective, working in most Microsoft things.
That actually led me to some really interesting projects, like, for example, Commonwealth Bank.
So I spent a lot of time doing the Commonwealth Bank securities.
You may know comsec.com.au, for example, I was one of the very first architects who built that, very first version back in the late nineties.
And then the Com-C platform that the Commonwealth Bank uses today, even for security was, I was part of doing that, you know, the implementation for them.
And so I was more of a, you know, more of an architect doing big projects.
I joined Microsoft as a full-time employee in the early 2000s, spent some time in Redmond, and also then came back here.
And, and I was working mainly because I'm based out of Canberra.
I have this long association with the Department of Defense, frankly. And around 2005, 2006, if you remember, Microsoft was going through a really bad patch when it comes to security with the SQL blaster and all kinds of zero days happening, et cetera.
So simply the government and Department of Defense specifically came to us.
I was one of the consultants and said, look, this is your technology, Microsoft, you know, and we are getting issues here.
Can you do something about this?
So that was the brief, basically. And that actually started this chain reaction of getting into security.
Cutting a big story short, what it comes down to is, you know, we, not just as in whole of Microsoft, there's multiple parties, you know, there's a very big investment, I must say, from I've worked for many other organizations afterwards, and I've been a partner with other organizations, but frankly, I haven't seen any organization such as Microsoft, roughly, they put about $1 billion a year, just for research on security, basically.
So that is a very big commitment. Back from those mid-2000s.
So essentially, what we did was we re-engineered the whole Windows platform from ground up.
And what we end up doing is essentially make the whole Windows platform, the sensor, essentially.
So what happens is, like, you know, being in the industry, what a lot of threat vectors are all about is, you know, they use what we refer to as a rootkit.
And for the listeners who don't know what a rootkit is, it's just a combination of proven attack vectors bundled together, because from an adversary threat actor perspective, what they care about is one single way to get in, but they don't know which way to go.
So what they do is they package all these things together in a rootkit, and they execute this rootkit.
So usually there's about 700 to 800 different attack vectors in a single rootkit, usually, and you just need one to execute for them to find a backdoor.
But if you think it through, and I'm not giving away too many secrets here, but if you think it through, remember by executing this one single rootkit, you're creating a lot of noise in the underlying fabric, right?
So in order for one to succeed from 700, 699 should fail.
So that actually creates a lot of noise in the background. So that's what we use.
We use that methodology to re -engineer the Windows platform to capture that noise, so we know we are under attack, so we can actually take some preventative strikes, for example.
So, you know, it's funny enough that, I don't know whether you've heard of a product called Windows Defender ATP, and that was the very first implementation of Defender ATP back in 2006, 2007.
So yeah, so that's how I got into cyber.
Then, you know, I was privileged enough to then work with many defense organizations in many countries around Asia.
So Singapore, Taiwan, especially Taiwan, I helped them build the whole government-wide security framework, the defense framework, which was quite exciting.
I spent a few years doing that around Asia and U.S.
Then I did a bit of, came back and I was doing some of the RF assessments, if you remember.
So RF is a predation platform in Australia, where in order for any agency to use IT capability, it has to be assessed through an RF framework, especially when it comes to cloud computing.
So I was helping about 100 plus services to be RF certified for protected, for unclassified protected.
So that was a great experience too.
So yeah, so that's been the journey so far, Chris. Just a question I've got.
So you've worked with other, I guess, sorry, defense organizations across different countries.
When you look at their priorities, are they similar or are they different depending on which country you operate in?
Look, defense, to be honest with you, is quite simple, frankly.
If you want to distill the ethos of any defense organization, it's to support the war fighter.
Simple as that. In one line, I used to support the war fighter and everything is secondary, if I can say.
But at the same time, that actually introduces some very unique challenges when it comes to defense intelligence.
Because when you support the war fighter, which basically means you're going to go and get the best submarine out there.
And that submarine comes with their own IT system. Then go and get the best jet fighter out there.
And that jet fighter comes with their own IT system.
So none of these systems are standard based, because they're done through very specific military contractors.
And by definition, they don't want to do standards, because that's a security risk by itself.
So it is an interesting area to be.
Look, I see banking, you know, open banking standards. Manufacturing is open banking standards.
Logistics is open standards. So if anything, they're coming closer and closer together, if I can say, with open standards.
But unfortunately, defense, I'm not saying they're getting apart, but they haven't really made much progress in the last 20 years.
They have fancy weapons, but all those fancy weapons come to this proprietary technology, which is not open.
I can imagine.
And I guess now as, I guess, as time progresses forward, I guess, are the efforts now being, you know, we talk about physical defense, military, army, has, I guess, has the attitude of the priority changed to more of the cyber centric defense challenges that we're facing?
Yeah, look, you're right.
Certainly, we are moving from that parameter security, you know, defense is very, I'm not talking about just defense here, defense general worldwide.
So like I said, I've been privileged to work in U.S.
defense bases of most of Asia, key ones, and they have that parameter security, you know, mindset.
So they're certainly moving away from them.
And I've seen, and this is just a trend, I'm not saying it's happening, but this is the trend.
You know, five years ago, defense was still, defense intelligence are very particular about having their own data centers in their own, you know, own data center, data center locations, and their own people just doing it, you know, just physical security.
But now they're slowly getting into more the hybrid cloud, in some cases, the public cloud.
In some cases, like for example, at AWS and Microsoft, especially in the U.S., I'm not sure whether you've heard of it, but this is again, not a trade secret.
They have what we call a sovereign data center.
So essentially defense have a dedicated data center on premise, sorry, as in country, apologies, not on premise, in country, because the biggest problem, one of the biggest problems with any classified defense intelligence is the data sovereignty.
So citizen data stays within the shores of the country and it doesn't go anywhere else.
That's by legislation. So there's several, you know, but I think I see the trend happening.
You know, they're certainly open to look into the value proposition of the cloud computing capability, but I still think it's a journey and we're only scraping the top, frankly, there's huge, huge potential for organizations such as defense, not just defense, Homeland Security, sorry, Home Affairs in Australia, for example, any Intel agencies, ASIO, ASD, et cetera.
There's a huge potential still that they can leverage across platforms.
Yeah, absolutely. And I think, you know, there is a clear parallel between the technology shift being perimeter based in the outset anywhere, protection anywhere and everywhere.
But just from a national security point of view as well, we've, you know, we've pivoted to that sort of area as well.
I mean, yeah, it's one thing trying to protect the physical assets physically, but now, you know, we're hearing undercurrents of, you know, cyber threats to take an infrastructure at a technology level.
So it's quite fascinating.
Certainly, Chris, sorry, certainly the nation state part, you know, we can talk about the assets and the hardware part, the T4 security data centers and et cetera.
What is clear is, you know, the nation state attacks has skyrocketed.
Just to give you some context to the viewers. And again, my information is probably a year old or 18 months old.
I remember when I was doing some cyber defense operations center work for Microsoft, we looked into some of the, you know, again, you know, all the time when I was in Microsoft, we were getting tangled up with NSA and CIA and all kinds of stuff, which is to be honest with you, it's just noise, frankly.
There's no back doors. I can tell you in my teams and all the stuff we did, there was no back doors and this and that to the technology.
And I'm pretty sure that's the case for other CSPs also, frankly.
But the point I'm trying to make is when it comes to nation state attacks, one time we worked out, if you put the developers available in the all top five IT companies at that time, so the Google, the Microsoft, the Facebook, you know, et cetera, Apple, and I can't remember the Oracle, I think, so top five developers, we came to a figure around a quarter of a million to 300 developers, you know, basically cutting code, if you like.
But if you and I'm not going to name names here, if you look at one of the biggest threat actors from a nation state perspective, we figured out that point, they were investing double that people, 600,000 people just dedicated bringing down the defenses of other nations.
So it is a fascinating area to be in. And, you know, if I just digress to cybercrime, you know, the latest reports say, I was doing a presentation the other day, by 2021, by the end of next year, they're estimating the global impact of cybercrime will be in the vicinity somewhere around 6 trillion US dollars.
That is a big number. And a lot of people don't even understand or comprehend how big that is.
But if you put in the context, if cybercrime is a country by itself, it is the GDP of cybercrime, the country is only smaller to the United States of America, and China.
So it will be the third largest country GDP that cybercrime will be in the world.
So just to give people some context, it is that big, and the organized crime behind it as astronomically gone, you know, it's, you know, it's very sophisticated, they got their own supply chain, they hire their own, you know, you can have work for hire for cybercrimes now.
You know, I think we offline, we had a good chat about, you know, service attacks.
Now you can pay someone 100 bucks a day with the SLA, the service level agreement to get that capability into your, your, your ecosystem and bring down your competitor, for example.
So anyway, so sorry to digress, but it's a very fascinating area to be nation state and cybercrime.
Yeah, definitely not digressing, because I think everything's part and parcel.
And I think there's just so many things to think about.
It's like, you know, what sort of what area do you pick on? So it's just fascinating to get, I guess, a different perspective of, you know, you know, I work, I work on the vendor side.
So we have a very different viewpoint of the world.
And it's a very, I guess, multitude of different things that we need to viewpoint.
But I guess, from your perspective, again, you've got a different view, different level of experience and different background.
And I think that's, you know, it's really important that I think as as a as an, I guess, as a sector that we that we communicate and be open around what's happening in the world.
And we share our experiences and our different knowledges around that, I think it's super important.
Now, just on the, I guess, on the learning side of things, you know, when you look at, I guess, your career and what you've done, are there any specific lessons that you've learned in your travels?
And I guess, have you passed on any specific lessons in your in your world as well?
Yeah, look, I've been a bit lucky, Chris, because, you know, I've always had a, I mean, interesting thing about me is I always had my academic career path parallel to my professional path.
So that's something I consciously did. And and probably, you know, that that goes into my book writing and my publishing and stuff like that.
So and that's something lessons learned, as in, I would like to encourage others to do, because some people did this for the university degree, just to get a job, and they never come back or they, you know, officially stop learning from academic perspective.
But if you can put if you can have like a one foot in both cams, I think it works certainly for me.
So I'm not saying it's going to work for everyone. But I quite enjoy the teaching part of it.
I quite enjoy the research part. And, and it feeds off each other, that my academic career and my, my professional career, I guess, lessons learned perspective.
I mean, look, what I've what I've learned, and I've been lucky enough to work in, you know, multiple parts of the world fortune 500 companies, the requirements are usually the same, frankly.
And, and what we have, what we're noticing is, you know, what used to happen is security used to come right at the end of any project or discussion.
And that's why there wasn't much focus on it.
And there was all these zero day attacks and all these loopholes in the system.
But what with cloud computing, what's happening is the shift to the left, if I can say, is basically means identity and security, actually, the very first thing is to be done, which is great.
Right. So that is a key lessons learned, I think, for us for the industry that and, and our industry cybersecurity is just going to grow and grow and grow.
So as a heads up, I think it's estimated what 3.5 million jobs outstanding in the in the cyberspace around the world.
So there's a huge demand for professionals.
So, so certainly our work is going to grow more and more.
So concentrate on now someone's acquiring some of that skills as lessons learned, from my perspective.
But I think, on a general term that can touch on everyone, and the older I got, I think I tend to listen more, if I can say, and especially now, especially now, in our industry, when we're doing an incident response, for example, so I've been I used to run the incident response team earlier, it's a very stressful situation.
For a lot of people, you know, you're, you're almost guaranteed, if you use a scissor, you're going to get fired, if there's an incident, and then you're trying to stop the bleeding, if I can say, and you're trying to get everything together, you're trying to get the communications to the upper management and board.
So in that situation, you've got to be very empathetic.
And you have to listen. I think you have to have a sense of calmness.
So, so those are some of the professional lessons learned, from my perspective.
Yeah. Perfect. Dr. Chris, I don't want to, I don't want to cut you off too early.
And I think I really think we need to have a second, second session, because we haven't even scratched the surface yet.
And I don't want to, I don't want to get you into a topic where I have to cut you off, because we do have about a minute to go on the session.
But yeah, I'd love to have you back on the show again in the future as well.
I'd love to, is it you know, is there a piece of advice you can give either to people doing academia, or even people, professionals, that you'd like to give before we before we close off?
Yeah, look, I think that's a very key point, Chris.
So, so look, I get this question all the time from my students, etc.
So just very quickly, the key advice I want to give you is, you know, a lot of people think cyber, cybersecurity and cybercrime and all this stuff is very complicated and very technical.
Yes, there is, you know, I've done that part, but let me tell you, that's only five to 10% of the work we do.
But there's all this compliance work.
For example, me being an accountant, the great thing that I had was my business knowledge and the, and the ideas of risk mitigation, auditing, there's a lot of compliance rules out there, guys, guys and girls.
So you know, go for those, you know, don't get sidetracked with the technology.
So that's number one.
And get certified, get certified. There's great, great courses available.
There's great university in Australia, places like RMIT, places like University of South Australia, places like University of Canberra that I teach, for example.
So get, get territory education, and also get industry qualifications. For example, CISSP is a key industry qualification.
If you're looking for some other courses, when it comes to threat hunting, the SANS Institute, SANS, US Institute has some great courses.
So get certified. And finally, if you can get a get a security clearance, having a security clearance is quite vital to do some of the advanced workloads.
So they'll be my my key, you know, key messages to 12 of our colleagues out there.
Beautiful. Dr. Chris, thank you so much for your time today.
I really appreciate it. I'll look forward to catching up with you in a couple of weeks and look forward to having you back in the segment.
Thank you, Chris. Thank you for the opportunity.
See you later. Bye bye. Thank you. Bye.