Matt Wyckhouse
Co-Founder and CEO, Finite State
More than 15 years of experience developing advanced software to support offensive and defensive cyber operations led Matt Wyckhouse to found Finite State in 2017 to focus on the unique challenges of cybersecurity in the IoT era. Matt spent most of his career at Battelle, the world’s largest private R&D company, where he was the technical founder and CTO of Battelle’s Cyber Innovations Business Unit. In this role, Matt oversaw dozens of intelligence and security programs supporting strategic global missions, many of which were focused on discovering vulnerabilities in IoT and other embedded devices. Through that experience, he saw how devastating IoT device attacks can be, which is especially concerning given the explosive growth of IoT. Matt has a bachelor’s degree from The Ohio State University.
ABSTRACT
Software Provenance – Where Do We Draw the Line?
There has been a lot of uproar about supply chain security – from 5G deployments around the world to threats to our power grids – and it seems that a day doesn’t go by without some new threat or government action. Many governments around the world, and in particular the US, are trying to “solve” supply chain risk management by introducing regulations focused on banning vendors from the supply chain. Notably, the US has taken several actions to try to limit vendors from potential adversary countries (such as China) from being involved in supply chains for certain types of critical infrastructure.
In this talk, we discuss how simple analysis of a vendor’s country of origin is a failing and incomplete model of supply chain risk. While geopolitical analysis is an important risk factor, the truth is that every device, every software application, and every vendor has some level of geopolitical risk. We live in a world that is fueled by global supply chains and open source software that is built by global, distributed teams of engineers. So where do we draw the line?
This talk discusses the need to pivot the approach from purely assessing risk based upon vendor provenance to a more fine grained approach where every device and software application being placed on critical networks is being screened for real threats and vulnerabilities.