Camille Morhardt: [00:00:00] Hi, and welcome to this episode of What That Means. Today we’re going to focus on Fearless Compute. I’ve got with me today Abhilasha Bhargav-Spantzel. She is a principal engineer at Intel. She has a doctorate from Purdue University and she focuses on hardware-based security product architecture, specifically focused on virtualization.
So Abhilasha, could we start by having you define first of all? Hello and welcome.
Abhilasha Bhargav-Spantzel: [00:00:33] Hi, it’s very nice to be here.
Camille Morhardt: [00:00:35] Can you start by telling us what you mean by fearless compute?
Abhilasha Bhargav-Spantzel: [00:00:39] Yeah, absolutely. Uh, the concept is very simple. Uh, consider how the computing has evolved. A computer used to be like a tool for very specific tasks for specific people. And now, as we know, it has become an essential part and a very integral part of our lives. So in various surveys, one has seen, like on an average people have six to 10 devices. And these are very essential for us, not just for, um, like entertainment and communication, but also for our health care, for our finances, et cetera.
So for something which is so important and so essential, there’s a great deal of uncertainty and fear. And, um, this is something which is just not right. When we want to, uh, look at, uh, what we want to do in the future, uh, the kids and the next generation is a really great way of like assessing it. So I love working with, you know, cyber security education and the kids. And when my 12 year-old daughter, Heidi, she basically was talking about “Wouldn’t it be great if we can actually, um, download anything, build anything and create anything without that constant, annoying fear of being hacked?” And that, that is exactly the, you know, the concept and what we want to achieve with fearless computing.
Camille Morhardt: [00:01:57] So you’re after a, uh, an unhackable solution or at least making it very, very difficult to hack?
Abhilasha Bhargav-Spantzel: [00:02:02] Exactly. And the, you know, not always being afraid, you know, it’s a user experience that we want to drive. Currently, you know, if I’m talking to anyone, the first concept is, “Oh, should I click on this? You know, am I going to be phished if I clicked on this?” Or “this amazing app, you know, everybody’s talking about it. But can I download it or is it going to start spying on me with the microphone and the camera, or even worse if it stays in, persist on my system and starts accessing the rest of my private data?”
So there’s a lot of fear associated with trying new things and the ability to do that and innovate and experiment is the key idea.
Camille Morhardt: [00:02:42] You’ve mentioned being hacked, which I always think of as, um, somebody draining my bank account or posing as me. Whereas the other thing you mentioned was privacy, right?–something being spying on me. Do you also consider that hacking?
Abhilasha Bhargav-Spantzel: [00:02:56] Yeah, absolutely. It comes in all shapes and sizes, right? Like the ability to get into your account starts from being able to know who you are. So if I know this is Camille, you know, you’re, you know, if you love those yellow flowers, maybe this there’s some information that you can gather from just, uh, knowing a person and the kids are awesome at it–like the sleuthing thing with social information, your favorite bag, mother’s maiden name, et cetera. And from that comes the next level. Like what do you do once you’ve gathered enough data? You can start sending them a mail saying, “Hey, I’ve got this amazing bouquet or this amazing deal.” And, um, the next thing is being able to lure the person to clicking something. Those are the social engineering attacks, which could then result in accessing your bank account. So they are pretty looking at information can lead to some dire consequences. So every little step.
Camille Morhardt: [00:03:52] Do you think that kids are better at avoiding or recognizing those kinds of attacks today than we adults are?
Abhilasha Bhargav-Spantzel: [00:04:00] That’s our goal is they’re relentless and we’ve been at my experience, working with the kids is that they start from scratch. They’re not afraid of anything, which is what we want to continue. But to help them understand what are the signs of a phishing email? What can an attacker do if you just download this app without verifying? And showing them, we have a lot of ethical hacking sessions with them to better understand how they could compromise the system, but in terms of what some other actual bad guy could do.
So, uh, the ability for the kids to understand these is definitely better because they question everything. They are learning everything from scratch. Uh, sometimes we are more trusting, like, Hey, I, this looks good and more, there’s a certain generation that may go with common sense and saying, “why would anyone want to call me and say that my son is in an accident and he knows he needs so much money?”
So they, you expect a certain level of decency or, you know, that’s something, nobody would do the wrong things, but I like to tell the kids that, you know, “think bad, but do good.” So think what else could go wrong, but at the same time, uh, see how you can protect yourself better and protect others.
Camille Morhardt: [00:05:18] And you specifically, your doctorate, you did your work, um, around identity and security. And you focus on cryptography and biometrics. Can you talk a little bit about how those two things play into it?
Abhilasha Bhargav-Spantzel: [00:05:34] Yeah, I just love identity. It was always being user-centric. What I really liked was numbers and how cryptography came together to better protect users from identity theft. So what if you were able to sign in to applications or get, go to a hospital and get care without having to put your social security number? Because your social security number has nothing to do with the healthcare service that you’re getting. But our identity system is a front door to any access, whether it is in healthcare, finance, anything. And the ability to protect that became my, um, my focus even then and it’s been almost two decades or so, and it’s not a single day, goes by with the importance of being able to protect identity through crypto, through biometrics and actually to deal with legacy systems and bringing it all together to see how we can keep raising the bar as we go.
Camille Morhardt: [00:06:34] Well, let me ask you one thing. When we talk about biometric, this is like my fingerprint or my eye or my facial recognition. So how is it private if a system is using that to identify it?
Abhilasha Bhargav-Spantzel: [00:06:46] Yeah. So this is an interesting thought because if I take a screenshot of a conversation right now, I already know how you look like. But that’s not enough for me to log into a system which requires your face. A lot of the biometric authentication, for example, requires to make sure it’s a 3D, alive face. A person is actually blinking. It has some temperature behind, you know, the skin and so on. The biometric verification is about making sure it’s the right person, but there’s liveness analysis, there’s replay attacks. You don’t look the same if you know, any two days.
Camille Morhardt: [00:07:22] You’re talking about making sure that it’s accurate. Um, and then I can’t spoof it, but I’m wondering if a system is using a biometric, uh, as a password or as authentication, then it’s, it’s got to know something very personal about me, which is, you know, the shape of my face or my fingerprint. So how does that intersect with privacy?
Abhilasha Bhargav-Spantzel: [00:07:43] Ah, that’s a really good point, right? Somebody needs to know, but there’s somebody doesn’t have to be the whole world out there. So for example, what we built once was, um, the ability to authenticate locally. Authenticate is that process to make sure that are very unique characteristics. Is that really you? Keeping that information protected in the chip and then, um, releasing only the password or just a cryptographic credential then say, “yeah, I did the hook. This person was in front of that PC is actually coming up because I checked the distance between the eyes. I checked the face. I checked her fingerprint, et cetera.” Using not just one thing, but multiple factors. That’s a concept which you will hear a lot more about in the industry for multifactor authentication. It allows you to build confidence by verifying multiple things, how you’re typing your voice, how you’re speaking, et cetera. A combination of that provides you this assurance that. Yeah—
Camille Morhardt: [00:08:39] Are you saying then that that’s coming out of something within the computer, let’s just say, or phone itself. As opposed to being stored somewhere that it could be that in and of itself could be hacked?
Abhilasha Bhargav-Spantzel: [00:08:54] That’s exactly it. It’s about local authentication. Like not releasing this information. Your PC for example, is in your control. It’s not going anywhere and not too many people will have access to it and potentially use it in ways that you did not expect it to be used. But if that same information was in the cloud somewhere, just fundamentally by design, you don’t have control, you’re just trusting that the, the cloud entity that has collected this information is only going to use for that purpose and nothing else. They’re not going to match it against some known database of other features at all, you know, try to use it for any number of other reasons.
So this, you know, user-centric, having privacy in a way that allows you to do the most locally to get global access to a bunch of other services.
Camille Morhardt: [00:09:41] Okay, that’s very interesting. I want to then, all right, let’s talk about virtualization then, because you know, you, you, virtualization is also, I think by definition in the cloud for the most part. So talk to me about that.
Abhilasha Bhargav-Spantzel: [00:09:55] Yeah. That’s a very good way of putting it because like we talked about fearless computing, you know, the ability to do things without fear. And I, from one of the things, uh, that we have done is to see how, uh, fundamentally rethinking security would lead to getting ahead of the attackers. We’ve been losing, you know, it’s a whack-a-mole. Always getting this brand new ransomware attack and then trying to hit it. And then something has come up and we become immune to seeing big, huge numbers of data compromises, etc. So that’s not working for us.
Uh, but, server-side as you say, the cloud is already virtualized. And they did it primarily for consolidation and using applications in a much more efficient way scaling the cloud. But on the client side, this is the new thing that is happening, which is just like the server we are working on virtualizing the client itself.
Camille Morhardt: [00:10:47] The client is like a PC? This is a computer?
Abhilasha Bhargav-Spantzel: [00:10:49] A computer. Yeah. So essentially taking that PC and virtualizing it. What that means is that you can isolate your applications and your workspaces. If I’m looking on Facebook and I’m having a Zoom call–just note there are like 400x Malware and Zoom. So if you just happen to jump on a Zoom call and then, um, you have your top-secret document on the other window, one potential compromise from one application could potentially compromise the entire PC in a traditional way.
When you virtualize the system, there are actual partitions that allow you to work like on different types of workloads and isolate them, like fundamentally they’re isolated. So something goes wrong in one, it doesn’t impact the other. And one of the key things here is, um, just like our COVID case, the spread of the virus is the biggest thing. Right? And what we did was we landed up, isolating us as, you know, social distancing. The same deal with that malware. It loves to spread. It loves to find its way into every application, down into the kernel levels and across the systems that it can reach. And if you isolate them fundamentally, its reach has already been contained. Being able to ensure that it doesn’t persist, it doesn’t spread. So these things will help us get ahead of the curve and we can try new things within these workspaces with more confidence.
Camille Morhardt: [00:12:20] Is this almost like a shift in use case. I mean, I think as you described it, virtualization became widely adopted on servers for better efficiency. So if I’m uploading a bunch of my photos to the cloud, for example, I don’t take up an entire server for myself because I hardly have any storage compared with what a server can handle. So it would package me up with a whole bunch of other people. Um, and that, and thereby being more efficient and that can happen across companies.
Whereas on a PC, you’re saying it’s less about that efficiency, cause I’m the only one that’s going to use my PC. It’s more about, uh, isolation of, uh, security, essentially isolating the individual applications, um, or the internet versus the top secret private documents on that I might have on the hard drive.
Abhilasha Bhargav-Spantzel: [00:13:14] Yeah, you got it. Yeah. It helps in the privacy and security both. And one interesting thing is it also gives you better access to things. Like virtualization by definition, doesn’t tether you to a certain types of OS like saying, “Hey, are you a Windows person or are you a Mac person?” And so on. I want to use Linux and Android and everything on my same PC for example, and virtualization not only brings you the security through isolation, but it can also basically allow you to do a lot more experimentation and creativity like we talked about. Like you can try new things and you’re not tied to an operating system environment. And that’s another benefit
Camille Morhardt: [00:13:53] because virtualization or partial, uh, machine layer, I guess, is underneath the operating system on top of the hardware, but below the operating system.
Abhilasha Bhargav-Spantzel: [00:14:04] Yeah. So there’s something called a hypervisor. It’s like a machine monitor, it’s a thin layer. And then it allows multiple operating systems to co-exist on the same system as if they were many PCs on top of your actual, real PC.
Camille Morhardt: [00:14:17] Hmm, do you, so I do want to ask you a little bit about COVID. Well, I don’t want to ask you about COVID. I want to ask you about fearless computing in the time of COVID and as we move out with some kind of hybrid returns to work and school. I mean, do you think things are going to be moving– you know, how are things going to change, I guess, particularly with respect to, uh, virtualization? or privacy and security?
Abhilasha Bhargav-Spantzel: [00:14:44] Yeah. I mean, especially with, um, the sudden change that has happened, at least in the enterprise space, we’ll start there. You know, just you and I, all of us became remote workers in a day’s time. And a lot of the times there was break the glass scenario where we just needed the users to be able to access these contained applications in some way or fashion. And that’s not sustainable because the threat landscape continued to grow. Nobody was waiting for things to stabilize before they can start trying to attack the systems. So there was a spike in, and you can see the numbers out there in the number of attacks that increased during the last several months. And, um, we still need to be productive.
So being able to contain our applications, making it available to people, this combination of security with productivity becomes even more important with this whole zero trust environment–meaning that I don’t have a firewall in my home. You know, I don’t have a big, huge next generation firewall and intrusion detection systems and everything protecting my work environment at home. So you have to depend a lot more on making sure that the PC for example, has the right capabilities. [00:15:58] Like with, uh, vPro Platform and Intel Hardware Shield, we are starting to build a lot of these capabilities as part of the system, so that as you bring this PC into workspaces, which you don’t have control over, you can still trust it and you can still protect your IP in that.
Same thing as we look at, um, other vectors in healthcare–the tele health is becoming so much more important. You would ask me about the identity. Like you really want to know you’re treating the right patient with the right medicines. You know, making sure it’s the right user for health insurance and other things. Education with my kids, always in front of the PC. There’s the idea of being able to protect their privacy and being able to continue the education in an effective fashion. We just need to make sure that we help the actual people behind the systems, you know, with some of the experiences that we are building.
Camille Morhardt: [00:16:55] Can you tell me, I know you’ve done a little bit of work with kids. I know you’re personally passionate about STEM and K through 12, uh, cyber security education initiatives, and you’ve done some work with kids around, um, actually, today around COVID with some engineers. Can you talk about what, what you’ve been doing?
Abhilasha Bhargav-Spantzel: [00:17:16] Yeah, absolutely. This is like my most favorite thing to do. Um, just being a mom of my two little kids, as well as working with the community. You know, the COVID, hasn’t been easy on anyone, but the, uh, the kids on the other hand to that opportunity working together with them to make a lot more classes. Like we’ve been doing cyber security education for years, but last year we accelerated it like five times more, the number of workshops and classes, just because now kids we’re teaching kids, you know, about these classes. And we continue to build awareness and with that awareness came more hunger. Like, “Hey, I want to learn more.” My nine-year-old son also is jumping saying, “Hey, there’s so many hackers out there. We need more cyber defenders.” And how do we do it?
Camille Morhardt: [00:18:00] So I was talking with Claire Vishik, who’s a fellow at Intel. And she, um, she was talking about how it was really important to explain well to anybody, but especially kids who are newer to kind of so much online presence that, that they have been in the last year, of the fact that applications interact with each other and may share information. So possibly just because you’re allowing one application to do something, you may not be aware of the level of, I guess, sharing to put it nicely or contamination to put it less nicely of the data. And I can’t help wondering is, is virtualization one way to kind of protect against that, like if the kids sort of have school on one thing or, um, personal internet or?
Abhilasha Bhargav-Spantzel: [00:18:54] Absolutely. In fact, they are a lot more familiar with this sometimes than the grownups. We work on virtual machines all day. Um, making sure that I give them this little play zone or how you want to call it the sandbox where they can play and try out. We do a lot of ethical hacking, even with kids almost grade three and above, and they understand what can happen. With cyber security being sometimes a bit bleak and you know, there’s lots, a lot of bad news, uh, on this side it becomes a very exciting because they are so energetic and they’ll not stop at anything.
There for them, whether it’s virtual and next generation virtualization or the traditional stuff, everything is on the table. They’re ready to learn and see what can happen. What really helps is our hands on activities. Like we actually don’t just teach about that, we make them do it and then they don’t stop. They just keep learning. They keep going to the next levels and they also apply it to, um, very community service driven things.
So we are applying it, whatever they learn we go to, for [00:20:00] example, uh, some of the senior citizen homes and they get to teach. So we had behind the scenes at some point, and then they’re the ones who are making this part of the DNA, like, you know, they’re teaching other people in the process learning a lot more.
Camille Morhardt: [00:20:13] Can you tell us a little bit about the work that you’ve been doing with, uh, kids and up and coming engineers uh, as it relates to COVID?
Abhilasha Bhargav-Spantzel: [00:20:21] Yeah. So there’s a really great example that we worked on over the last, uh, last month. And this was basically trying to get the underserved community access to the registration for the COVID vaccination. So while the pandemic has been very hard on all of us, but especially out on those who don’t have these compute resources. And what we did was we worked together with the kids and they were about 50 kids who volunteered in matter of three days. And we got the kids together and we trained to build this virtual phone service that allowed the people who just had access to a phone to call the kids who registered them on their PCs.
And, uh, as we were preparing for this and brainstorming on what we should and shouldn’t, it was really great to see how the kids were thinking through how to protect from phishing attacks, how to make sure we collect the information so that it is not compromised their privacy. And this was really great to see it. It wasn’t just getting a job done, a really important job done, but keeping security and privacy in mind. So that was very proud of them. It was a wonderful experience and that’s what we want to do is to build this next generation of citizens and engineers who have security mindset and doing the right things for the community.
Camille Morhardt: [00:21:39] Abhilasha, thank you so much for taking the time to have a conversation today. I really appreciate your energy and your dedication to the community, uh, and all, all of these things that you’re doing aren’t sort of your, even your day job of architecting, kind of hardcore virtualization, security, and [00:22:00] encryption for the chips that we make at Intel. So thank you very much.
Abhilasha Bhargav-Spantzel: [00:22:03] Thank you. Great to be here.
Camille Morhardt: [00:22:06] Thanks for listening to What That Means fearless computing today. And if you want to hear a little bit more, uh, deep dive on privacy and actually the policies that are set around the world with respect to protecting identity and privacy check out Episode 25, where I talk with Claire Vishik, who’s a fellow at Intel and focuses on privacy and its policy.