Rebekah Johnson: Welcome to Tuesday Talks, a live discussion series where we bring truth and shed light across the brand identity and communications industry. I'm Rebekah Johnson, founder and CEO of Numeracle, and I'll be co-hosting today's session with Dean Coclin, Senior Director of Business Development at DigiCert. Dean brings more than 30 years of business development and product management experience in software, security, and telecommunications to DigiCert. He is responsible for representing the company and industry consortia and driving the company's strategic alliances with technology partners. He is also the current chair of the CA Browser Forum and chairs the ASC X9 PKI Study Group, developing next-generation PKI standards for the Finance Industry. Welcome to the podcast, Dean.
Dean Coclin: Thank you very much, Rebekah. I'm really looking forward to it today.
Rebekah Johnson: DigiCert is not Numeracle's typical guest on Tuesday Talks. Normally, our guests are from specifically the telecom industry-- standards bodies, government enforcement-- all around the nuts and bolts of telecom. DigiCert is a name I think most people in most industries are fully aware of, but don't necessarily see the correlation to telecom. It sounds like that's why you're there at DigiCert. So, we're going to get more into that aspect and really why I reached out to have you on this show. But first, let's take some time to talk about who DigiCert is and then we'll dive into why I think DigiCert, and especially you, are a great addition to the Tuesday Talks podcast. And before you share about DigiCert, I wanted to share one little tidbit that I found when researching and I came across the story of why it was founded and I found myself relating to this ever so much. DigiCert was founded out of frustration, full stop. That's literally on the website. I thought, oh, man, that's enough to start a company. And what that frustration was rooted in was the process of buying a certificate-- it was painful, it was a time-consuming and frustrating slog through technical jargon and phone trees. On that note of frustration driving innovation around trust, something I know ever so dearly, please share a bit about who DigiCert is, what its key role is in the industry, and why trust is at the core of all your products and services.
Dean Coclin: Well, you gave a lot of background there and I'll capitalize on that and give you a little more. I think DigiCert is probably not a household name, but I think a lot of people know the name VeriSign. VeriSign was established in 1995 as the first public certificate authority to issue certificates for websites, mostly. That company continued and grew until 2010 when it was sold to Symantec. And then Symantec had that business until 2017 when they sold the PKI business to DigiCert. So, DigiCert was founded in 2003, as you said, because of frustration with the installation of certificates. People just didn't know how to do it and certificate authorities were not providing good instruction. So, that's how we were founded. Then, when we acquired the former Verisign/Symantec business in 2017, we became the largest publicly trusted commercial PKI provider on Earth. That's a very important role today because it's not just for websites, it's for many, many different things where certificates are needed. For example, we need to secure IoT devices, email, software, code, and many, many other things that have to be trusted online. Establishing trust online is what we are all about. That's kind of our background and we are sort of the experts and the authority on digital trust. That's something I think we're going to get into a little bit more in this conversation.
Rebekah Johnson: Yes, trust is exactly where I'd like to pick up and explore for the majority of our time. I started Numeracle out of my frustration with terminating carriers labeling legal calls as, essentially, untrustworthy. That's your "spam," that's your "scam," that's your "fraud." And establishing and transferring the legal identity in the phone network and having that be trusted really seemed like an insurmountable obstacle. In some ways, it still is that way. But we've been innovating at Numeracle, so I'm hoping we're going to solve that problem. For today, I want this episode to really be rooted in education. I want our listeners to walk away more informed, perhaps inspired, to learn more, and hopefully take up the challenge to bridge trust concepts that DigiCert has worked so diligently to adopt and employ over into telecom, whether it be at the network layer, standards layer, regulatory layer, device manufacturing, or the presentation layer. The end-to-end pathway, if you will, on the establishment of identity and secure delivery. This is where an article that you shared on LinkedIn caught my attention as we in telecom grapple with the concept of trust, alone. Let's put the technology aside. We just grapple with what trust is, who to trust, how to trust, where to trust, all of those concepts. This article was titled "How Zero Trust Can Enable Digital Trust" and was written by Jason Sabin, the Chief Technology Officer at DigiCert. I believe we're going to share that article. Absolutely, read it. It is a good introduction and has a lot of interesting links that will help you in exploring all the different concepts. For today, let's just start with that. What is the difference between Zero Trust and Digital Trust?
Dean Coclin: Well, that's a very good question, Rebekah, and a very common question that I hear all the time. So, Zero Trust is a security architecture that is used to verify identities, verify intent, and then allow or deny access to a resource, a place, a person, or anything that it could be. Digital trust is really focused on validating identity and giving us the confidence that we can have online transactions securely, privately, and authenticated. This is something, as I mentioned earlier, we are experts in and an authority on digital trust. So, doing that verification and authentication of those identities online is our bread and butter business. Zero Trust is, as I said, an architecture that can use the concept of digital trust to do the validation, whereas Zero Trust does the verification of the identity and the intent.
Rebekah Johnson: Where are some examples that DigiCert is applying these concepts that our listeners would relate to and maybe understand?
Dean Coclin: I think probably one of the biggest examples that's easy for people to understand and that they can see starting actually just last year in their email inboxes, especially if they use Gmail. A new feature has been rolled out called BIMI, which stands for Brand Indicators for Message Identification. Now, when you see a logo in Gmail, you will see next to that logo a blue checkmark. And what that means is that that logo and that domain have been authenticated by a certificate authority, and a digital certificate has been issued to that company, which is now used by Gmail to display it to the user. So, think of it this way, the digital trust part of that is the certificate that has now validated the organization, validated the domain, and validated the trademark logo. The Zero Trust is basically what Gmail is doing and saying, "Okay, I see this email here. Let me check and see if it has a certificate, and if it does, I'll display that logo." So, that's the way to think about it. And this is starting to roll out. Actually, it's been rolled out now for over a year, but more and more people are going to start seeing these logos as brands adopt these, and they can have confidence that the trust is there, because behind that is a certificate authority that has done the work to validate the identity.
Rebekah Johnson: Dean, have you ever met my friend, Mr. Elon Musk? I really think the two of you should meet. I think there's a lot that he could learn from you. Why in the world do we not see that level of detail and attention and trust applied to these independent social networks?
Dean Coclin: Yeah, that's a good question, and I would love to have an introduction if you have the opportunity to do so. But we are trying to talk to folks and establish digital trust as a mainstay of online confidence for consumers, end users, and businesses as well. One of the things that is incumbent upon digital trust, is sort of like the ground floor of it, is industry standards. And you have to have standards that the whole industry agrees on. Otherwise, competing products or other types of environments can't have that digital trust if they can't all agree on what it is, the standard is for establishing that trust. So we're very proud of the fact that, as you mentioned earlier, I'm involved in several standards bodies helping to decide what those standards are. Many of my colleagues are also playing with those standards bodies from NIST, from the IEEE, and other well-known established bodies. This is a very good foundation for digital trust going forward. It would be great if some of these other organizations, especially in social media, that claim to have identified logos and identified people, would subscribe to that same idea.
Rebekah Johnson: So, you're saying it takes more than an email address, credit card, and a handle name? Is that what I'm hearing? Maybe just a little bit more.
Dean Coclin: Exactly. We have to go beyond that. We have to verify people's identities. We do that just the same way governments verify identities and other organizations where security is important. On social media, we've seen a lot of flaws because of security issues that have caused damage to people's reputations or to their bank accounts. So, having trusted identities is something that we support, we're behind, and we're an organization that has the ability to help organizations do that.
Rebekah Johnson: One thing I think you said that is incredibly important for our listeners is that digital trust is built on standards for establishing trust. Dean, I'm going to label that as a call to action. That is a call to action for the telecom industry, especially the standards bodies, to pick this up and address it and truly close the loop on establishing what trust is. We've been arguing trust for years and one of the things that, this is just my opinion from where I stand, is that the only thing that's really been contributed to establishing trust is, "Oh, we're the authoritative company for a database that holds data, therefore you can just trust us and that's it. Just trust us." That doesn't work. What would happen if you've already deployed these solutions in the trust framework approach? What's your idea of how that would play out if it was just established that way?
Dean Coclin: I get messages on my phone, and phone calls that say "potential spam." I answered the call one day and it turned out it wasn't potential spam, it was a call that I was expecting. Or I'll see a call from something that identifies a name and I answer it and it's not that name. So, there's an aspect there that can be remedied that's not being addressed. It seems that as you said, organizations are saying, well, trust me, I have data about these numbers and who they belong to. But in reality, it sounds like there's a lot of spoofing involved there, which fraudsters know and they're taking advantage of that. Now, one thing I'll mention in telecom is there is an effort underway to authenticate 911 networks and it's called a Next-Generation 911. And this does involve security. This is a well-thought-out public key infrastructure that involves issuing certificates and trusted identities to different bodies on the telecom system for 911 calls. In fact, I believe it's being rolled out in Fairfax County near you. So, it's something that I think we're going to start seeing more authentication around that. It's too bad that that concept hasn't spread more in the telecom industry.
Rebekah Johnson: Yes, I agree with that. It is something I definitely want to do a little bit more research into and see what it is that we can extract. I know the standards for 911 are also covered by the same individuals who look at telecom from a broader spectrum. I do know one of the sticking points, I would say, for moving forward in this concept is the terminating side. So, I would think of it like Google, who is the recipient of the emails, Microsoft the recipient of the emails; those responsible for accepting the information and rendering a display. There's a lot of resistance from the terminating side, and we can't ignore their concerns. They are valid in that they just don't trust the network that would deliver the information to them. How, at least in the email, is this across the board? Is everybody adopting it and okay with it? Or are there some presentation terminating providers of emails who are like, "Nah, not going to participate?" What has been your experience?
Dean Coclin: So as I mentioned, BIMI is a fairly new rollout in the last year and a half or so. I also mentioned that Gmail is supporting this with over 1.8 billion email inboxes that they have. Apple has recently signed on to this. We see Yahoo, AOL, and some other foreign, smaller country-based email providers doing it. We'd love to see more adoption of this because it does provide authentication of the sender and can help decrease phishing. Not only that, but from a non-security perspective, think of the branding aspect of this. Now you're getting your brand, your logo, which people see in your bricks and mortar store, in your online presence, on your website, and in your collateral. It's now going into the email. When you think about brand impressions and how much money marketing organizations pay to have their brand out there on different websites and different getting to users, this is a really low-cost effort to get your brand out there. Now, as you said, we're not seeing this universally yet. Some of the larger email providers are not supporting BIMI today. I think probably one of the biggest ones is Microsoft. They haven't yet decided to sign on to this. Now, maybe they will. So, I don't want to say anything negative about that, but maybe they will, and I'm hoping they do. But that's a big component of B2B email, right? I mean B2C. Gmail web or Gmail phone. That's fine. But for B2B, companies use Outlook, no question about it. Even companies that are using Gmail use Outlook to read that Gmail and those logos do not render in that application. So, we need to see some more of this adoption of BIMI and Verified Mark Certificates in order to get more trust in the entire ecosystem.
Rebekah Johnson: That whole conversation is exactly what we have in the voice space. Just replace every time you say "email" with "call." It's about authentication, verification, trust, and brand assets. That's how we refer to it on the telecom side, these are branding assets. And that is a bit of a cluster right now because we don't have this ingrained in the standard all the way down to trust. We will talk all day long about the delivery of bits and bytes that we'll get to the table on. Have a beer, talk about it, and everybody's happy and good, and we're all just discussing that. But when it comes to how that information gets put onto the network, what process did it go through to be verified, authenticated, and validated? Then, on the terminating side, what gains, what special treatment? That's the blue check mark, that is a special treatment to say, "Hey, I've gone through this rigorous process" that's that end-to-end. It's the origination of the data and then the display of the information that is just MIA right now entirely.
Dean Coclin: Are you telling me that that green check mark I see on my phone calls does not mean anything?
Rebekah Johnson: Worthless. It means somebody followed the rules and implemented STIR/SHAKEN. That's what that means. It doesn't do anything for us to actually combat fraud. It does absolutely nothing for us on any kind of indicator of verification or that when the consumer answers that call, the person or the entity on the other end is, in fact, who they say they are. With email, what I would expect as a consumer is that when I get that email and it says "Marriott" or it says my bank, it absolutely is them. And I don't have to do the whole, like, let me open it up, let me go look at what the email URL is like. Is this legit or not? Because they're using the email content looks legit, but I have to go do a little bit of research. I would love to be able to know with confidence that when I get those emails in they are my bank. And I can reply back and know that my information is going to go back to my bank and my bank alone.
Dean Coclin: And I don't know if you've noticed recently, but I'm glad that you go in and actually look at the domain name to see where it's actually coming from. Most people don't do that, but if you try to do that on your mobile phone nowadays, what a lot of the scammers do is they create a really long domain name so you can't actually see what's after the period. And so you're trying to examine it on your mobile phone, you can't see it, right? So there's another attack vector that they're using.
Rebekah Johnson: They always get smarter and figure out new ways. And really this is bringing me to, we didn't talk about this in our prep, but this is my greatest fear, at least within the voice. And this is a very real thing that can happen right now because we did not establish a trust framework first. We went immediately to branding. So in your world, imagine that you enabled logos, branding, all this information without first establishing verification, authentication, and trust. So, we do that in the telecom space because there's money in it. Why not? Let's get to the money first. Trust stuff? That's just annoying. It's frustrating, right? So guess what happens now? We've created this environment where a fraudulent actor can deliver a voice call and have it displayed as a bank. And this happened to me. So I had fraud on my credit card. It was like two or three months prior. Someone used it at Walmart online, whatever. So thankfully it was a real call that I got like, "Hey, there's been a fraud activity. Let's verify the transactions we go through." They go, "Okay, we're going to shut it off, sorry." And I was on vacation. It always happens when you're not at home. So, I can't use a card anymore and it's like, no problem, thank you, send me a new one. So I got the new one, a few months later, guess what? I get a call and it is a number from the bank. And they start to talk to us and they go, "OK, you've had fraud activity." My first red flag was the fraud activity was exactly the same as the prior. So, somehow they got information about what the fraud activity was that occurred and it's, like, really? Walmart? Again? That seems a little odd. This is a brand-new number. I didn't add this new number to anything yet. Then we start questioning saying, "I just don't really feel like this is a fraud call." Oh no, this is your bank and we're calling to protect you. We need to get your credit card number so we can verify. Stop right there. That's not real.
Look at the number I called on. I mean, I looked up the number and it came back. When I did a Google search, it was the right number and it said the bank's name. So it's like, okay, but my gut is telling me this isn't good. The person goes so far as, "Hold on a second, I'll tell you your balance." So pull it up on my app, wait about 15 seconds, and he comes back to the dot, boom. So there's an IVR you can call in and if you have the last four digits of the credit card number, you can actually get account balances. They're literally using the IVR to do that. But it was a moment for me because of the predictions that I made on what happens when you deploy identity solutions without trust validation and authentication. All you do is create another avenue for fraud. And they're sitting back going, thank you. That made our job easier. That's the reality. I know that's shocking to you with all that, you know, and all your experience and expertise.
Dean Coclin: I'm thrilled that you were able to determine that it was a fraud and that you didn't get caught up in it. And most people will. They would give away their information willingly once they hear their bank balance. I think the question you should ask is, what was the last transaction? How much was it?
Rebekah Johnson: Initially, I just hung up because he got belligerent and he's like, I'm your bank and I'm trying to protect you.
Dean Coclin: Unfortunately, a lot of senior citizens will fall for that hook, line, and sinker, especially when they get belligerent and things like that. Okay, fine. Yeah, here it is. Leave me alone.
Rebekah Johnson: Before we close, because we are coming up on time, what I want to call attention to, which your article called attention to, is this whole Zero Trust concept is not a new fancy lingo to use. It's not this new thing that you're trying to sell. This has the attention of our Executive Office in the United States of America. That's right, they're called out in the article. Zero Trust has been increasingly adopted in recent years, and it's really, as of late 2021, US Executive Order directing the Federal government towards a Zero Trust approach. And that's because Zero Trust can help mitigate security risk and reduce the time it takes to detect a breach. And I want to read from the letter from our President's office what he had stated and said in May of 2021, under issuing the Executive Order improving the nation's cybersecurity to initiating a sweeping government-wide effort to ensure that baseline, this is just a baseline, security practices are in place to migrate the Federal government to a Zero Trust architecture and to realize the security benefits of cloud-based infrastructure while mitigating associated risks. A transition to a Zero Trust approach to security provides a defensible architecture for this new government. As described in the Department of Defense Zero Trust Reference Architecture, the foundational tenet of the Zero Trust model is that no actor, system, network, or service operating outside or within the security perimeter is trusted. Instead, we must verify anything and everything attempting to establish access. It is a dramatic paradigm shift in the philosophy of how we secure our infrastructure networks and data, from verifying once at the perimeter to continual verification of each user, device, application, and transaction. We, the telecom industry, have failed, failed at such an egregious level.
So that's what strikes me and hits my passion; we have got to take up the call and actually implement what even at the attention of our Federal government is begging. But they've now ordered. So it's kind of a begging, but telling you, you better do it. We can't keep being lackadaisical about it. It's time to start implementing it. If we don't guess what? We're that vector that you can exploit and then the attacks will only increase from that perspective. At least, that's my take.
Dean Coclin: Yeah, I agree. I mean, look at the Federal government really pushing Zero Trust right now. As you read from that directive in the Department of Defense, but also in commercial industries as well. DigiCert and a bunch of other companies like Broadcom and Cisco are involved in a project going on at the NCCoE (National Cybersecurity Center of Excellence). It's called Implementing a Zero Trust Architecture. I just put the link in the chat to the project. A lot of companies are involved with this and it's important because it's been going on for almost two years now. But it's important because it's basically, once it's done, it's going to be a reference architecture that any company could implement using the products that the participating companies have donated to this project. And I think that just speaks to the fact of how important this is. As I mentioned, it's been going on for two years. So, this is not just because that directive came out. This didn't just start. We've been working on this for two years and digital certificates form an extremely important part of this architecture. I kind of liken digital certificates now to a utility. I mean, you plug in your fan or your toaster into the outlet and you expect electricity. A lot of companies now have implemented digital certificates, whereas when you plug your laptop in or you connect to WiFi, a certificate is automatically issued to that device, and that guarantees authenticity. Also, the privacy if you're doing encryption between the devices, the integrity, making sure that the information has not been tampered with, and the nonrepudiation making sure that I can't deny that I sent that information to you. All of these concepts are extremely important to digital trust, which are then used in Zero Trust.
Rebekah Johnson: Well, Dean, I really appreciate you taking the time to join us on Tuesday Talks. I think this one is incredibly informative and hopefully, it's inspiring to our listeners as well to join this initiative to bring trust back to communications.
Dean Coclin: Thank you. Thank you very much. It's been really enlightening and I hope your listeners find it the same. And I'm going to talk offline with you more, a little bit more about what's going on in the telecom industry because it sounds like help is needed.
Rebekah Johnson: It's a sea of opportunities. Absolutely. So we'd like to thank all of you for joining us for another episode of Tuesday Talks. Your engagement and enthusiasm fuel our conversations and we hope you found today's discussion enlightening. We'll be back live on Tuesday, September 5th, when we'll continue to tackle the ever-shifting landscape of the telecom industry with in-depth analysis, expert opinions, and a forward-thinking approach that keeps you at the forefront of innovation and best practices. Whether you're a professional in the field or simply interested in the world of technology and communication, there's something valuable for you here. Thanks again for joining us today, and we'll see you next time. Bye.