Gregory Hoffer Of Coviant Software On What We Must Do To Create Nationally Secure And Resilient Supply Chains

An Interview With David Leichner

David Leichner, CMO at Cybellum
Authority Magazine
15 min read · Sep 30, 2022


Establish cybersecurity regulations that set a relatively high bar, along with reviewing and enforcing them (this is the “stick” in the “carrot and stick” approach). This will surely include complex international agreements to enforce security of supply chains that extend beyond our borders.

The cascading logistical problems caused by the pandemic and the war in Eastern Europe have made securing a reliable supply chain a national imperative. In addition, severe cyberattacks like the highly publicized Colonial Pipeline attack have brought supply chain cybersecurity into the limelight. So what must manufacturers and policymakers do to ensure that we have secure and resilient supply chains? In this interview series, we are talking to business leaders who can share insights from their experiences about how we can address these challenges. As a part of this series, I had the pleasure of interviewing Gregory Hoffer.

Greg is CEO at Coviant Software, responsible for company operations as well as the product design and software development of the award-winning secure file transfer automation platform, Diplomat MFT.

Prior to becoming CEO of Coviant Software, Greg was an executive at a global MFT software provider, where he was the primary architect of a suite of enterprise-grade secure file transfer products and led the team responsible for their development and market delivery. Under his leadership the company and its managed file transfer technologies were lauded by industry analysts as a market leader.

Today, Greg brings his nearly 30 years of computer science and software development experience, combined with his 20 years of experience in the managed file transfer space, to Coviant Software, helping deliver exceptional products to market.

A proud native of San Antonio, Texas, Greg graduated from the University of Texas at San Antonio (UTSA) with a master’s degree in computer science, and from San Antonio’s Trinity University with a bachelor’s degree majoring in computer science and economics.

Greg is a frequent speaker on issues related to data management, data security, and quantum computing. He has presented at RSA Conference, U.S. Fintech Symposium, the Payments Canada Summit, and more.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I was raised in a family by parents who encouraged academic exploration. My father was an English and linguistics professor at Trinity University and was one of the first to work on computer-based language processing for Japanese to English translations. When I was about 10 years old my father bought our family a Commodore Vic-20 as a Christmas present. After many hours of BASIC programming and typing in machine language codes with my brother, while reading from Dr. Dobbs Magazine, and then graduating to a Commodore 64, the fires of Computer Science curiosity had been set ablaze and I pursued my interest fervently.

I was the only student at my high school to take four years of Computer Science (they had to make up two courses just for me), and then went on to major in Computer Science at Trinity University, followed by a master’s degree from The University of Texas at San Antonio many years later.

I have always loved the challenge of solving problems with computers, and of designing and writing software that is both powerful and easy to use. I started my career as a high school Computer Science teacher, then entered industry as a software developer. Having been everything from a small fish in small consulting companies to an executive in a medium-sized enterprise, I have recently settled into a wonderful role leading a small, narrowly focused software company to modest growth.

Can you share the most interesting story that happened to you since you began your career?

The most interesting and rewarding experience was back in 2014. I was invited back to the company I had worked at for 10 years (2000–2010), because the leadership was dissatisfied with the progress of the Software Development team. That team had been grappling with some tough design challenges for the flagship software product, deliberating design choices for over a year with no discernible progress. Always the pragmatist who relishes challenges, I told the leadership that if they hired me back, I could lead the team to building the desired capabilities within six months. I assembled a great team, led the charge, and we delivered and released a successful product at the six-month mark, accomplishing the feat which had eluded the company for over a year. I was living one of my favorite quotes by Walter Bagehot: “The greatest pleasure in life is doing what others say you cannot do.”

You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?

I constantly teach that pragmatism is critical to success. I have been around too many idealists or pessimists, both of which will drag a team down in their own way. One strives for perfection at the expense of progress. The other finds problems with everything, slows down progress, and brings down team morale. A good example of pragmatism is the experience I had shared about my six-month project. The former team had sought ideal solutions without compromise, which led to nothing ever getting done. I came in and made pragmatic choices to move the software forward in ways that solved customer problems in a “good enough” way, leaving room for future improvements down the road.

Another character trait that is critical to success is service-first leadership. Some leaders are handed a team, others get to build their teams from scratch. Often it is some mix of the two. Regardless of the team, if a leader fails to put themselves in service to the team, morale and coherence will fail, and projects will follow. As a leader, I make sure to understand the people I work with as humans, not just resources. I make decisions that help the team succeed, rather than focusing all my attention on raw productivity numbers and treating people like replaceable parts. If someone is sick or on vacation, I fill in. I make sure everyone has the opportunity to explore their creativity and learn new skills, and has the materials they need to be happy, not just productive.

Finally, acumen is a trait often overlooked in good leaders. We often look to people skills, or inspirational abilities, but even a charismatic leader needs a clear and accurate plan to lead people to successful destinations. The path is determined through acumen — understanding the business, the marketplace, the customers, the technology, or whatever the team is working toward. When I lead software teams to develop enterprise class software, I do not just focus on burn-down charts, feature points, test failure rates, etc. The best written software in the world is useless if no one uses it. So, it is imperative to me, as a leader of software product development teams, to understand what technology challenges our customers face, what the market forces are, what technologies are on the adoption upswing, and so on. In short, I am constantly building my acumen on the technology, business, market, and customer areas.

Are you working on any exciting new projects now? How do you think that will help people?

Here at Coviant Software we are always working on making file transfers more secure and more easily automated to help customers manage their diverse and challenging file integration scenarios (often with regulatory compliance challenges thrown in, like HIPAA/HITECH, GDPR, and PCI/DSS).

We recently launched software that assists in securing the perimeter of our file transfer server, ensuring neither data nor credentials are ever stored in the relatively insecure DMZ. We constantly explore industry trends in security, evolving our product to meet modern demands. Take, for example, Quantum Computing (QC) and its potential effects on cryptography. There is a lot of work on developing cryptography that will be safe in the face of QC, some of which looks promising (and some of which has already been broken). We expect to keep an eye on this trend and fold QC-resistant cryptography into our solution in the future.

Generally speaking, though, we talk frequently with our customers to understand how we can make our solution work better for them. Sometimes these are usability tweaks for productivity, or new reports for operational management, or even adding new protocols — as more customers embrace cloud and hybrid workloads, we see more requests for specific functionality. For example, Diplomat MFT already supports transferring to and from Azure Blob storage, but recently more and more customers are asking us to help with transfers to Data Lakes as they build out their AI/ML strategies.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page let’s begin with some simple definitions. What does the term “supply chain” encompass?

The term “supply chain” refers to a network of suppliers, manufacturers, and consumers, each a step along the way in a process that produces and moves some good or service to the next step. We often think of the final step in that supply chain as the consumer. For example, consider the last thing you purchased on Amazon which was delivered to your door. Let’s say it was a new Bluetooth headset for your mobile phone.

Working our way backwards along the supply chain, the headset was delivered by UPS in a box that was made by a paper company, both of which are supplied to Amazon. The packing material from the headset was obtained by the manufacturer from another paper store, and someone in that manufacturer’s company hired a marketing firm to create the user manual. The headset itself was designed by one firm, and manufactured in a Chinese manufacturing plant, and shipped on a cargo container through various ports. The manufacturer got the plastic, copper or wires, LED lights from a set of providers — you get the point.

There is a whole lot of interaction between companies to generate a consumer good, like a Bluetooth headset, that ends up at our doorstep. That process, from manufacturing to packaging to shipping, is the “supply chain.”

Can you help articulate what the weaknesses are in our current supply chain systems?

Supply chains are both wide and deep, leaving a lot of room for error. Some supply chains are tightly controlled (like shipping ports, where accuracy and thoroughness are important for tariffs), and others not so much. In my world, any portion of the supply chain that uses software (pretty much all of them) is susceptible to software supply chain attacks, like those ongoing reports of poisoned packages in public (and widely used) repositories. It is hard for any given company in the supply chain to balance the need for speed and profitability with security. Not every company along the supply chain has a massive budget for security training, deep code security analysis, or risk assessment and mitigation capabilities.

Traceability is also a challenge; it is important that we understand the accurate and verified steps along the supply chain. Computer supply chains need to be free from malicious software in open source or vendor supplied libraries, and the physical components need to be free from prying eyes or backdoors. And consumers increasingly demand ethically sourced and sustainable goods, which requires the entire supply chain to adhere to these demands.

Traceability is a challenge that is starting to get addressed by the Blockchain. Computers have come a long way since paper manifests and reports filed in cabinets at the long room in ports; however, we still have many independent systems of record, any one of which might introduce an error, and reconciliation is very difficult. Imagine a world where each step in the supply chain records traceability data to a universal distributed ledger (aka Blockchain). That would solve a lot of these accountability problems — if we can all agree on the technology and implementation.

Can you help define what a nationally secure and resilient supply chain would look like?

I cannot speak to the physical security of the supply chain; that is outside my area of expertise. My particular expertise is in cybersecurity so I’m particularly passionate about this topic, and the fact is that the world still runs on files — and the supply chain in particular. Take a look at the ANSI X12 standard for electronic document interchange (EDI). There are over 300 types of documents defined. Computerization of these data interchanges means better automation and, therefore, speed, accuracy, and efficiency. But it is susceptible to all the classic security threats of any data interchanges: data leakage, data tampering, forged authentication, ransomware, falsified audit trails, and the like.

To be secure and resilient, the entire supply chain must be secured with state-of-the-art information security techniques. Like any chain, a weak link anywhere can cause the whole chain to fail. Likewise, a supply chain must apply rigorous information security standards from end to end. This is obviously a big challenge with an international supply chain with numerous country standards for security, different budgets for IT security, and different skill levels across the chain. One can imagine that standards need to be in place to ensure minimum levels of security (think FIPS, Common Criteria, or ISO 27001 certification). This will undoubtedly involve a large amount of political maneuvering among nations to ensure global supply chains adhere to rigorous security standards.

Can you share some examples of recent and notable cyber attacks against our supply chain? Why do you think these attacks were so significant?

As a software developer in a software company, my focus tends to be on the information security of software development. This can pose great risk to the supply chain; for example, take the very recent news that a 15-year-old unpatched Python library is vulnerable to a pretty serious threat to users of that library, and this is just one of many recent such reports. With numerous links in modern supply chains, each of which undoubtedly runs software to handle automation, information exchanges, data verification, and so on, the risk that at least one of those many participants in the supply chain has a vulnerability like this is shockingly high. Malware, ransomware, or data exfiltration along the supply chain can lead to devastating results.

A recent concrete example of this is the ransomware attack on the UK’s South Staffordshire Water Supply. It is scary to think of what might have happened, had something bad happened to the water, not only to citizens of that community, but also the supply chain implications for all industries in the area that source their water from that water company. South Staffordshire is just outside of Birmingham, the second-largest city in the UK.

And this doesn’t even touch on the “wetware” attacks of social engineering. The annual Verizon Data Breach Investigations Reports consistently show phishing and poor credential management as the largest source of cyber security incidents. So even though what I focus on — cryptographic confidentiality, integrity, and authentication of the data as it moves between systems — is important, it is just one piece of the overall security puzzle.

Security is hard, especially with fallible, emotional, distracted humans involved.

What would you recommend for the government or for tech leaders to do to improve supply chain cybersecurity?

The first thing is to take cybersecurity regulations seriously. Every organization is vulnerable. Every organization is connected to others. We all have a responsibility to protect ourselves and, in doing so, we help protect others. That said, we must also recognize that cybersecurity is not a one-size-fits-all proposition. Strategies must reflect the needs and composition of individual organizations and the vast disparity in skill levels.

There’s an old adage that you can’t legislate intelligence and common sense into people, but I think we can all agree that we can all work toward a safer future, even if it takes some hard work. We need to increase cybersecurity education to narrow the skills gap. We should consider mandating cybersecurity training for corporations. Standards such as ISO 27001 and the CISA Cybersecurity Framework provide excellent guidance for companies to be more secure, but they are heavyweight and complex, and can be difficult to implement properly — especially for smaller companies.

In June of this year, the U.S. government signed into law two cybersecurity acts to help make our government more secure. We are taking steps forward, but it is up to all of us to continue to walk together toward a safer future.

Ok, thank you. Here is the main question of our interview. What are the “5 Things We Must Do To Create Nationally Secure And Resilient Supply Chains” and why?

  1. Establish cybersecurity regulations that set a relatively high bar, along with reviewing and enforcing them (this is the “stick” in the “carrot and stick” approach). This will surely include complex international agreements to enforce security of supply chains that extend beyond our borders.
  2. Establish and fund programs that help companies achieve compliance. Cybersecurity is hard, and many companies will need help in closing the skill gap to achieve the levels of security that we all need for a safe supply chain (here we have a “carrot”). As an example, look at the great work done at The University of Texas at San Antonio’s Center for Infrastructure Assurance & Security, an excellent program that is developing our top digital defenders of tomorrow.
  3. Ensure proper traceability of the supply chain through blockchain technology. A blockchain can reduce costs, improve visibility, and decrease counterfeiting. I am an advocate for something other than proof-of-work in such a blockchain; we don’t want our supply chain blockchain to add even more wasteful electricity use. Right now, proof-of-stake seems to be a viable alternative (Ethereum recently switched to this), but there are other candidates out there right now, and still more being researched.
    A follow-up to this is that once we have full visibility into the supply chain, we can all become better consumers (and producers) by understanding exactly where our goods are sourced, and make decisions about our suppliers intelligently and safely.
  4. Physical security of supply chain is definitely critical, so I will include it. Securing our power generation and distribution, water and food supply and distribution, and so on are all vital to a nationally secure and resilient supply chain. But, since it is not my area of expertise, I will leave it at that.
  5. Post-Quantum preparation! Quantum computing is getting ever closer, and we all need to prepare for the challenges that it poses to traditional cryptography. NIST is already working on safe, post-quantum cryptographic algorithms, but it is proving quite difficult so far. I speak on this topic regularly; we absolutely must start preparing now, because we humans are historically bad at transitioning from something that works to something new.
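The threats Greg lists for EDI interchanges (data tampering, forged authentication, falsified audit trails), the cryptographic integrity and authentication of data in motion he describes as his own focus, and the tamper-evident traceability proposed in item 3 all rest on the same two mechanisms: a MAC or signature over the exact bytes exchanged, and a hash-chained log in which each entry commits to the one before it. The following is an added example written for this page, not code from Coviant Software or Diplomat MFT. It uses only the Python standard library; the partner key (`PARTNER_KEY`), the ANSI X12 interchange (`SAMPLE_INTERCHANGE`) and the audit events are constructed here for illustration, and the function names are this example's own.

```python
"""Integrity, authentication and a tamper-evident audit trail for an X12 interchange.
Added example for this interview, not Coviant or Diplomat MFT code. Standard library only;
the key, the sample interchange and the audit events are constructed for illustration."""
from __future__ import annotations

import copy
import hashlib
import hmac
import json

# Assumed: a symmetric key provisioned out of band between the two trading partners.
# Real MFT deployments normally use AS2 or OpenPGP signatures; HMAC is used here so the
# example runs without third-party packages (it authenticates between the two parties
# but gives no non-repudiation toward a third party).
PARTNER_KEY = b"constructed-demo-key-do-not-reuse"

# Constructed interchange: fixed-width 106-byte ISA envelope (element separator at
# index 3, segment terminator at index 105) wrapping one 850 purchase order.
SAMPLE_INTERCHANGE = (
    "ISA*00*          *00*          *ZZ*SUPPLIER01     *ZZ*BUYER01        "
    "*220930*1200*U*00401*000000123*0*P*>~"
    "GS*PO*SUPPLIER01*BUYER01*20220930*1200*123*X*004010~"
    "ST*850*0001~BEG*00*SA*PO-4471**20220930~SE*3*0001~"
    "GE*1*123~IEA*1*000000123~"
)

GENESIS = "0" * 64  # "previous hash" of the first audit entry


def parse_isa(interchange: str) -> dict:
    """Read sender, receiver and control number from the fixed-width ISA header."""
    if not interchange.startswith("ISA") or len(interchange) < 106:
        raise ValueError("not an X12 interchange")
    fields = interchange[:105].split(interchange[3])
    if len(fields) != 17:  # 'ISA' plus elements ISA01..ISA16
        raise ValueError("malformed ISA header")
    return {"sender": fields[6].strip(), "receiver": fields[8].strip(),
            "control_number": fields[13]}


def tag_interchange(interchange: str, key: bytes) -> str:
    """MAC over the exact bytes sent; travels with the file, e.g. as a sidecar."""
    return hmac.new(key, interchange.encode("ascii"), hashlib.sha256).hexdigest()


def verify_interchange(interchange: str, tag: str, key: bytes) -> bool:
    """Constant-time comparison so a forged tag cannot be guessed byte by byte."""
    return hmac.compare_digest(tag_interchange(interchange, key), tag)


def _canonical(fields: dict) -> bytes:
    # Deterministic serialisation so every party hashes the same bytes.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def append_audit(log: list, event: dict, key: bytes) -> dict:
    """Append an entry that commits to the previous entry's hash and is MACed."""
    fields = {"prev": log[-1]["entry_hash"] if log else GENESIS, **event}
    body = _canonical(fields)
    entry = {**fields, "entry_hash": hashlib.sha256(body).hexdigest(),
             "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}
    log.append(entry)
    return entry


def verify_audit(log: list, key: bytes) -> int | None:
    """Index of the first entry failing the chain or MAC check; None if intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        fields = {k: v for k, v in entry.items() if k not in ("entry_hash", "tag")}
        body = _canonical(fields)
        if (fields.get("prev") != prev
                or hashlib.sha256(body).hexdigest() != entry["entry_hash"]
                or not hmac.compare_digest(
                    hmac.new(key, body, hashlib.sha256).hexdigest(), entry["tag"])):
            return i
        prev = entry["entry_hash"]
    return None


def demo() -> dict:
    """Genuine file verifies, an edited PO number does not, and a rewritten audit
    entry is caught even though the attacker recomputed its hash (no key, no MAC)."""
    header = parse_isa(SAMPLE_INTERCHANGE)
    tag = tag_interchange(SAMPLE_INTERCHANGE, PARTNER_KEY)
    tampered = SAMPLE_INTERCHANGE.replace("PO-4471", "PO-4470")
    cn, log = header["control_number"], []
    append_audit(log, {"control": cn, "action": "received", "from": header["sender"]}, PARTNER_KEY)
    append_audit(log, {"control": cn, "action": "verified", "mac_ok": True}, PARTNER_KEY)
    append_audit(log, {"control": cn, "action": "delivered", "to": header["receiver"]}, PARTNER_KEY)
    forged = copy.deepcopy(log)
    forged[1]["action"] = "rejected"  # rewrite history and fix up the hash to match
    forged[1]["entry_hash"] = hashlib.sha256(_canonical(
        {k: v for k, v in forged[1].items() if k not in ("entry_hash", "tag")})).hexdigest()
    return {**header,
            "genuine_ok": verify_interchange(SAMPLE_INTERCHANGE, tag, PARTNER_KEY),
            "tampered_ok": verify_interchange(tampered, tag, PARTNER_KEY),
            "intact_chain": verify_audit(log, PARTNER_KEY),
            "falsified_at": verify_audit(forged, PARTNER_KEY)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats a practitioner would want. An HMAC proves the file came from someone holding the shared key, which authenticates the two partners to each other but does not let a third party settle a dispute; a public-key signature (AS2, OpenPGP) is what gives non-repudiation. And a hash chain on its own cannot detect truncation (silently dropping the newest entries), so the head hash must be anchored somewhere the log's owner does not control, which is exactly the role a shared or distributed ledger would play in the traceability scheme described above.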

Are there other ideas or considerations that should encourage us to reimagine our supply chain?

One of my favorite quotes, attributed to Voltaire, is, “Perfect is the enemy of good.” It is common for many people to fight tooth and nail to get the perfect solution in place, overlooking the fact that piecemeal improvements are often a more optimal route to the same end goal. We should not spend numerous years debating the perfect vision of a nationally secure supply chain, and dig our heels in against any minor improvements in fear that we will never get the perfect answer.

This is a long, uphill battle and we need minor victories along the way. For example, funding any governmental program is always going to spark debate, so perhaps cybersecurity education benefits or incentives are going to take a while (perhaps in partnership with industry?). Let’s not let that prevent us from other steps forward, like establishing minimum security requirements on supply chain entities, or developing a blockchain-based system for supply chain traceability.

You are a person of great influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)

Education is one of my great loves. My father was an English and linguistics professor at Trinity University for over 30 years, which inspired my love for lifelong education. A movement I would love to see is an educational program for cybersecurity that is understandable, accessible, and helpful to people of all ages and skill levels. Though I understand that educating our cyberwarriors to defend against the complex and serious attacks is an important part of staying safe, I also know that helping grandma learn how to avoid phishing scams, or preventing a small business owner from suffering through a ransomware attack, is also important. Surely, we can find a way to help everyone be safe, not just the IT professionals?

How can our readers further follow your work online?

My company has regular blog posts on www.coviantsoftware.com. We encourage people to follow us on LinkedIn (https://www.linkedin.com/company/coviant-software/) and subscribe to our weekly newsletter there, and also to follow us on Twitter @coviantsoftware.

This was very inspiring and informative. Thank you so much for the time you spent with this interview!

About The Interviewer: David Leichner is a veteran of the Israeli high-tech industry with significant experience in the areas of cyber and security, enterprise software and communications. At Cybellum, a leading provider of Product Security Lifecycle Management, David is responsible for creating and executing the marketing strategy and managing the global marketing team that forms the foundation for Cybellum’s product and market penetration. Prior to Cybellum, David was CMO at SQream and VP Sales and Marketing at endpoint protection vendor, Cynet. David is the Chairman of the Friends of Israel and Member of the Board of Trustees of the Jerusalem Technology College. He holds a BA in Information Systems Management and an MBA in International Business from the City University of New York.
