CTO Q&A with John Graham-Cumming

Published: 31 Jan 2019 Updated: 19 Oct 2022

During HackIT 4.0 we had a chance to sit down with John Graham-Cumming, the CTO of Cloudflare, and ask him a few questions. We talked about the bug bounty industry, his impressions of the conference and a few smaller topics.

Is this your first time in Ukraine?

John: Yes, it is. Although, I have a lot of colleagues in London who are Ukrainian and they’ve been telling me to come over and over again. So, finally, I got the opportunity with HackIT.

How can you describe your experience in Ukraine so far?

John: It’s been exceedingly smooth and fantastic. The airport, getting into the hotel, everybody has been extremely welcoming, the city has been great and the weather here has been fantastic. I have had a great impression.

What role do bug bounty platforms play in the security of mainstream businesses today?

John: I think the important thing to realize is that businesses that are on the Internet are already getting tested by hackers. It’s just a question of whether they’re paying them or not. Businesses are already getting tested. There is a market for this. People are making a living out of it, so bug bounty programs are an important part of that. You can coach people to actually tell you what’s wrong with your application and bug bounties are a part of it. Whereas, public ones are when you find something outright and private ones are where you get together with a set of hackers and agree to pay them in advance to look for vulnerabilities. I think they’re an important part of the overall cybersecurity landscape.

Any thoughts on how cybersecurity solutions for businesses will evolve over time?

John: I think what’s happened over the last couple of years is that all businesses have suddenly realized that cybersecurity is important for them. I think at some point, cybersecurity was thought of as something that only banks and some online businesses needed to worry about. Fundamentally, everything has moved to the Internet and email is often the most obvious way that attackers get entry to companies. All companies have now gotten used to this. And what’s going to happen is as that develops there will be more and more businesses providing cybersecurity solutions, consulting, all sorts of things companies need to understand it. Because everyone from small businesses to large ones has cybersecurity problems. We’ve seen, for example, DDoS attacks against florists around Valentine’s Day. That may be a tiny business but if you can knock your competitor offline, you get more business at that time of the year. We’ve seen students doing DDoS attacks against the online exam systems in their countries so they don’t have to take their exam. So, this is not just a problem for a political group or large companies. It’s everyone’s problem.

What role do bug bounty platforms play in converting black hat hackers into white hat hackers?

John: I think what hackers want is recognition. But why do they want recognition? They get it from somewhere whether it’s as a white hat or black hat hacker. I think it’s important that people have an outlet to actually express themselves. Because many hackers are really smart people and the sorts of things they are finding are very difficult to find. So if you can encourage people to do that in a white hat way that helps in general, it helps society, it helps companies and it helps the hackers because they are getting paid for it. So, platforms which give them the ability to get work are very important.

What surprised you about the HackIT conference?

John: First of all, thank you for inviting me, that was very kind. I think, the biggest thing I noticed was the three people who spoke before me. We had a senator from France who spoke about the challenges in his country, and then two ministers from the Ukrainian government. They spoke about governmental involvement and I spoke coming from a business background. Immediately after it got very theoretical. There was a shell up on the screen. It was a nice combination of these different things because people often concentrate on one aspect as if it is isolated. They do just technical stuff or just government stuff or just business. But these things are entwined in society and it’s very important to cover them all. So, it was great to see all of these different perspectives coming together.

Do you think hosting conferences like HackIT is important for the cybersecurity community?

John: Yes, absolutely. Most people meet online and they don’t meet in a space like the one we’re in right now. So, it’s important that there is a place where they can get together and meet each other. There’s something about the bandwidth of human to human communication which is just so much harder to replicate on the Internet. You can do a lot but there’s nothing like face-to-face interaction. Conferences are a very good way to do that because the presentations are probably interesting and it’s great to hear from different speakers, including from someone like me. But more important than hearing me is meeting other people and getting new contacts.
