EPISODE 1788
[INTRODUCTION]
[00:00:00] ANNOUNCER: BlackBerry is a Canadian company known for its pivotal role in the smartphone market during the 2000s. Today, BlackBerry has adopted a major focus on cybersecurity. John Wall is the SVP and head of BlackBerry QNX overseeing engineering, product, and operations. Ismael Valenzuela is the Vice President of Threat Research and Intelligence at BlackBerry, where he leads threat research, intelligence, and defensive innovation. John and Ismael joined the podcast to talk about cybersecurity at BlackBerry, including secure communications and embedded systems. Gregor Vand is a security-focused technologist and is the Founder and CTO of MailPass. Previously, Gregor was a CTO across cybersecurity, cyber insurance, and general software engineering companies. He has been based in Asia-Pacific for almost a decade and can be found via his profile at vand.hk.
[INTERVIEW]
[00:01:06] GV: Hi, John and Ismael. Welcome to Software Engineering Daily.
[00:01:09] IV: Hello. Thank you, Gregor, for having us.
[00:01:12] JW: Yes, great to be here.
[00:01:13] GV: Great to have you both here, both from BlackBerry, which is a company that I'm sure our listener base definitely know of. But I also suspect that quite a few listeners maybe don't know of it beyond the handset business. I'm sure many had handsets back in the day, like myself, a product that I love dearly. Today, we're not here to rehash the history of BlackBerry. I read the book Losing the Signal. It's a very good book if the history lesson is what someone wants to dive into. It inspired a film as well. That's where we'll leave that. Today, we're going to be speaking about the QNX platform. We're also going to be speaking about threat intelligence and cybersecurity at BlackBerry, which is a huge part of the company offering today. We're going to start with you, John. You have quite a deep history with the QNX side of the business.
Love to just get a bit of a history actually on you first. What was your journey through? I mean, I think QNX is quite, excuse the pun, embedded in your work history.
[00:02:14] JW: Absolutely.
[00:02:15] GV: Then, yes, how has that led into QNX today?
[00:02:17] JW: Yes. I mean, some will say I came with the building. I've been at QNX since 1993, when QNX was a private company building embedded software running on x86 PCs at the time, really focused on industrial automation and factory control and medical devices. Then, as we got closer to the 2000s, we started getting into automotive. We had Delphi as our first customer, so Delphi being a part of GM at that time. Spun out. We were doing systems for GM. There's a little company in Germany that noticed what we were doing called Becker that happened to be owned by Harman. Harman, when you think of JBL, Harman Kardon, etc. The biggest part of the Harman portfolio was the Becker Automotive Group in Germany. They bought us, and we really started getting heavily into automotive. I personally was the person that was nominated to interface to the parent company. I built a team. That team was there to serve the parent company in all their programs. Very, very difficult. Lots of automotive programs, infotainment programs. A lot of pressure. Seven days a week, 14-hour days. Regular trips to Germany. A lot of yelling and getting screamed at by automakers. But it was an amazing journey. It taught us a lot. Then in 2010, we got sold to BlackBerry. It was very interesting because it was a technology buy, wasn't for revenue or for anything else. It was strictly a technology buy. The idea was for the QNX operating system to become the foundation of the BB10 phone. Interestingly enough, while I was managing the group that was interfacing to our parent company, once we got bought by BlackBerry, the independent part of QNX started working for BlackBerry on building the handset.
I stayed back and said, "No, I want to continue this automotive thing that we're doing. I want to continue to sell QNX as an independent product." We rebuilt QNX from that point on. You could imagine in those days, 2010, BlackBerry was still a huge company. QNX was a rounding error in comparison to the amount of revenue that was coming in from handsets. I was able to keep my head down, operate it out of sight, and start to rebuild QNX. We really started focusing on not just infotainment but where the cars were going with autonomous drive, focused on safety software. Obviously, as the company's fortunes in handsets started to diminish, QNX started playing a bigger and bigger role. As we got more successful in automotive, as cars and other devices that they became more software-defined, especially when you're thinking about mission-critical software, mission-critical devices, that is what our products serve, we started to grow in BlackBerry and become less of a rounding error and a little bit more important to the revenue of the company. That brings us to where we are today where we feel that we have a very good future ahead of us. We play, I think, an important role within BlackBerry.
[00:05:42] GV: Yes, very interesting. We're going to talk a lot more about the automotive side and some other industries. Just flipping back very briefly to your history, have you always been in embedded systems? Was QNX a sort of accident almost to get involved with? Or what was the story there?
[00:05:56] JW: Yes. I mean, I graduated in 1992. I'm an electrical engineer. We were in a recession. I had a friend that worked at QNX. I never intended to get into software. I was more of a hardware person, an analog person. I started working at QNX. Obviously, I started at the very bottom. I started in tech support, which, believe it or not, in those days was a phone call or a fax. There was no email. We were dealing with the customers directly.
I really enjoyed the customer-facing part of it, and so I tended to gravitate. I moved up within the organization from an engineering perspective, from a tech support, to an engineer, to a development manager, to a director. But I always stayed on the side that was more customer-facing, engineering services. The groups that tended to have to deliver to the customers. That was something that I found very fascinating, and I really enjoyed having an outward view as opposed to more of an internal view. I always gravitated towards the jobs that allowed me to be in front of the customer.
[00:07:01] GV: Yes, very interesting. Yes, talking about QNX, let's stick on automotive briefly. I mean, there's other industries that I believe we can also talk about. I guess it's just trying to set the platform in context. Could you give some examples? You've mentioned, obviously, JBL, Harman Kardon. That might give some hints as to what QNX can help with. But what systems are we talking about, and why do we need such a, I guess, specific or proprietary embedded system to run these things? Let's just stick on automotive for now.
[00:07:30] JW: Yes, maybe a little bit of a history lesson there and maybe to talk about the progression. When we first got into automotive, it was infotainment. Android did not exist. iOS did not exist. QNX had a very rich environment for infotainment systems. We had multimedia engines. Our founder at that time was fascinated by becoming the next desktop and competing with Microsoft, Windows 95, et cetera. We had all the elements needed to build infotainment systems, and we became the dominant force with well over 60% market share of infotainment from 2004 to 2012. That's really where we cut our teeth in automotive. If you were driving an Audi, or a BMW, or a Porsche, or a GM vehicle, or a Chrysler vehicle in those days, the infotainment system would have been based on QNX.
Anywhere from 2008 to 2018, most of the vehicles out there were running QNX infotainment systems, so your navigation, your multimedia, your iPod integration, your iPhone integration, Android. But then in around probably 2013, we started to see that Android was coming on and trying to recreate the handset experience every single time with every single OEM was not going to be possible. That they were going to take Android. It was a full platform. It had everything you needed for the experience within the vehicle. Then we started to look at, "Well, where is the car going?" What we could see even in 2014 is if autonomous drive is going to be a thing, it's going to require a lot of CPU. It's going to require a lot of processing power. It's going to require a high-level operating system like the type of operating system that we have. It's going to require real-time operating system, so deterministic operating system. Above all, it's going to require a level of safety certification that is very difficult to achieve and very unique to niche players. We really put our heads down, really focused on that. Today, what you'll see us in, if you look at Mercedes that announced the Level 3 drive system that they have in California and in Germany, that's a QNX-based system. If you look at BMW that announced a Level 3 drive system, that's QNX as well. If you look at probably most of the cars out there, I think our stat is 24 or 25 EVs and all the other cars. Any safety-based system that requires a high-level operating system, i.e. is running on a high-performance compute, is running QNX. For instance, if you look at NVIDIA that have the NVIDIA drive, the operating system is QNX. If you look at the Qualcomm Solution, Qualcomm Ride, it's running on QNX as well as an operating system. Just about every advanced driver system out there today is based on our software.
[00:10:36] GV: That's fascinating.
I think it's fair to say that most of our listeners will have interacted with a QNX-based system at some point.
[00:10:42] JW: They will. They absolutely will. The other area that is very popular is what we call a digital cockpit. You used to have your infotainment system. Now, what they've done is they've consolidated the infotainment system with your digital instrument cluster, your HVAC, used hypervisor virtualization solution to be able to run Android and to be able to run maybe some safety systems like the cluster. We are dominant in that as well.
[00:11:11] GV: I mean, there's obviously quite a few areas to unpack here in terms of how this all works, I guess, under the hood. I'm aware there's this idea of microkernel architecture, I believe. I can only imagine that leads into quite a few areas, performance, also just the real-time capabilities, et cetera. Could you speak a bit to what is that microkernel architecture? Why and what does that make possible?
[00:11:32] JW: I think the why is the history of our founders. The university project that they did was a microkernel approach. Just to give your listeners a little bit of knowledge of what this means is in a microkernel architecture, it means that everything runs in user space. Your drivers, your applications, they all run in user space. They can be stopped. They can be started, whereas with a monolithic kernel, you're talking about something like Linux or Windows, where everything is linked into one blob sharing the same address space. The advantage that that gives us is it gives us a big advantage on reliability. One application or one driver does not take down the system. It also makes the approach of safety certification much easier for us based on the architecture. It really allows us to be able to update systems in the field that have safety requirements without having to redo a whole recertification of the system.
The disadvantage of a microkernel is you have to be much more careful about how the system is designed to achieve performance. Because you are in different address spaces, there's context switching as you go from one application to another. Your drivers are all separate, whereas in Linux, they're all in one space which makes it very efficient from a performance perspective. But we have all kinds of ways of mitigating that. But it really gives us an advantage for making the system robust and also for making the system, I would say, self-healing. So that if something does go down, you're able to catch it, and you're able to restart those applications without bringing the whole system down.
[00:13:15] GV: Yes. To just, I guess, give a very layman example, being able to reboot just the nav system without touching the flight control and that kind of thing.
[00:13:22] JW: Yes, exactly. Yes. And have the rest of the system continue to run.
[00:13:27] GV: Yes. It's probably fairly clear, I think, to our listeners listening in terms of why that is so important. As well as I'm sure maybe older cars that they've run and there's been some aspect of the system that's stopped working. But, ultimately, it's not the whole system. Is it fair to say, again, being Software Engineering Daily, the analogy of microservices versus monolithic? Is that a good analogy as well?
[00:13:50] JW: Yes. You know what? That's a very good analogy, actually. That's exactly how we would look at it. You can add services. You can take services away. You can restart services. Yes, that's a very good way. From a software update perspective, you can update the system without having to take down or rebuild the kernel. That avoids - for instance, if I want to keep the iPod driver or the iPhone interface fresh, I don't have to update the entire operating system. I can just update that particular piece of the system. That's a good analogy.
[00:14:24] GV: Awesome. Yes. I mean, there's a couple of other areas.
I mean, talk about - I think it's called QNX Accelerate, which is a cloud piece to this as well. Could you speak to that? Because I'm curious, how does Cloud now come into this?
[00:14:36] JW: To be clear, our approach with everything is cloud first. A big initiative that we have, one of the pain points for our customers and not just automotive but across the board, is vendor lock-in on hardware. We take very seriously the idea of standardizations that separate hardware from software. Our operating system is fully POSIX-compliant. We have made a lot of investments in something called VIRTIO, which is shared interfaces to shared drivers. We've worked, for instance, with Google very closely to have a design where you can take Android from Google and drop it on any hardware without any changes, whereas, typically, if you're getting Android, you're getting it from the hardware vendor. You're getting a version from this hardware vendor because they're making all kinds of adaptations. One of the ways to really force that issue is you do cloud first, where you have to abstract. There is no dedicated hardware necessarily. In a lot of cases, you're doing either an emulation, or you're doing a software implementation. The idea is cloud first. Start your development in cloud, even if the hardware is not available, even if you haven't made your decisions on which hardware to select. We have all the hardware that is typical for those different domains that we're dealing with already supported with that platform. You can develop in the cloud. There are so many advantages of developing in the cloud; keeping your tools straight, keeping your software versions straight. When you look at some of these really large software programs at automotive customers that they're around the clock around the world. There's teams in India. There's teams in China. There's teams everywhere. The biggest problem is keeping everybody in sync across the world. Cloud removes a lot of that complexity.
That's very important for us.
[00:16:27] GV: Yes. I mean, in terms of DevEx effectively, does QNX have, I don't know, its own IDE? Or how does it look when a developer is wanting to interact with QNX?
[00:16:37] JW: That's a great question because this is something that we're being very careful about. We are not creating a CI/CD environment. Our customers have their own CI/CD environments. Very complex CI/CD environment. What we do is, obviously, we have our own tooling. We have an IDE. We have VS Code. We've just moved away from Eclipse to VS Code, and a lot of the reason was for cloud. But we're really focused on how do we provide microservices that can plug in to the customer's CI/CD to provide artifacts like SKU management, safety artifacts, SBOM. The software bill of materials is a huge topic these days. Cars can't ship in Europe if they don't have a proper bill of materials. While we don't provide an end-to-end CI/CD, we do strive to plug into them in a generic way. We're working with the superscalars to do that, as well as our customers.
[00:17:31] GV: I'm aware, I believe it's QNX 8.0 is the latest and greatest. Could you speak a bit to just like what is that kind of brought over? I think 7.1 was the last version.
[00:17:41] JW: Yes, correct. 7.1 was based on the kernel that we had developed in the early 2000s. It was developed with SMP in mind, symmetrical multiprocessing. But at the time when we were doing that, especially in the networking space, you were talking about two distinct PowerPC chips with a bridge. We scaled really well with two cores. We're now in the area that it's not unusual for even a mid-level processor to have 8 cores. We were running into a situation where you would have a deadlock on the kernel because you had all these cores that were trying to do kernel messaging. The big change that we did with SDP 8 is we redeveloped our kernel for the first time in 20 years, 20 some years.
We now have the ability to scale one-to-one as the number of cores increase, whether it's 16, 32. Our target was to match Linux on performance. We wanted to retain the pedigree of safety, the pedigree of security, the pedigree of determinism, real-time response, but be able to match Linux on performance. That's what we've been able to do with SDP 8. It's a monumental change for us from 7.1. It's the foundational product that will carry us into the next 10 to 15 years.
[00:19:09] GV: Wow. We're going to move on to more in the security space, like pure security, shortly with yourself, Ismael. Just kind of wrapping up for now on QNX, I mean, I imagine just, I guess, from what you've said, 8.0 being like a pretty major rewrite. Security must have come into that. Things have changed dramatically. Not to say, obviously, 7.1 obviously was trying to keep pace, I imagine, with the threats of today. But just in terms of it's a very specific context of how security can affect a vehicle or QNX is in medical devices and this kind of thing, what are the security considerations? Again, maybe what does 8.0 do differently there?
[00:19:48] JW: 7.1 was very focused on security. That was the difference between the previous versions and 7. We had put in a lot of gear for security. I think what's different with 8 is there's now standards around security 21434. There's WP.29, 155, 156. We are now certified for security, the same way we're certified for safety. I think more than mechanisms, I would say it's more processes that have evolved to consider security more at the same level as we've treated safety. It's a heavy lift. I mean, there's a lot of work that goes along with this. Obviously, we've added more mechanisms to SDP 8 as well from a security perspective. But 7.1 was quite good, was quite good. It had all the mechanisms you would expect. We also have a lot of third-party partners that we work with that do binary sealing. They add a lot of things that even on top of that.
But I think the biggest change has been the process that we've instituted where we now look at security as being the same thing as safety from a process perspective.
[00:21:00] GV: Fascinating. Okay, thanks so much, John, for all of that on QNX. We're going to move slightly sideways or diagonally to Ismael. You're VP of threat intelligence. Is that right?
[00:21:12] IV: Threat research and threat intelligence, yes.
[00:21:15] GV: Fantastic. Yes. I mean, again, for our listeners, BlackBerry today is quite a fairly sprawling company. It does have a few arms in different areas. I'd love to just - first of all, again, a bit of your background. You have quite an illustrious background from a security standpoint, and then how did that lead into BlackBerry?
[00:21:33] IV: Well, just like John, we've been doing this for quite some time. I started doing, well, cybersecurity. We call it cybersecurity now, right? But we call it back then information security at the end of 2000, 2001. Yes, I've been doing this for quite some time as a practitioner, doing hands-on work, working as an incident responder, as a consultant, walking into large environments when we're on fire when the adversaries were there maybe ransoming the environment more recently. Or back then, it was just like botnets or directed targeted attacks from different threat actors, including nation-states. Then, well, helping these customers save the day. Then more on the proactive side, defending organizations, building security operations centers. For the last few years, more on the research, engineering. Supporting data science and engineering in building products for defenders, right? That's what I like to think myself of as just a defender that is trying to help organizations.
[00:22:33] GV: Nice. I think you joined BlackBerry almost three years ago. If one, let's just say, goes to the BlackBerry website now, security is just everywhere in terms of that's almost the face of the business now.
If there's one thing it should be known for, it's security. What does your role encompass? I'm curious if it does stretch across into anything to do with QNX. But broadly speaking, what is it you deal with day-to-day?
[00:22:57] IV: As you just said, right? The history of the company has the foundation in protecting devices is something that we have continued, right? John talked about how we have continued that on the automobile side, but also in many other type of endpoints, medical devices and other type of endpoints. We continue to protect mobile phones as well, right? I mean, the audience cannot see my phone right now, but I'm holding it. If I open my phone, I can just go on to the BlackBerry UEM, which is the Unified Endpoint Management, which protects my data here, my corporate information. We have software to protect communications with military-grade encryption and threat intelligence, which is essentially what my team does, so the research part. It's about learning, studying what adversaries are doing to try to anticipate their moves and to translate that into what we call actionable countermeasures or defenses that we can implement in the products, and that we can also implement in our services because technology is just part of the problem. It's also about humans, human beings, understanding the context, the business. If we take it to the safety side, this is all very related to each other. We also have software that helps to protect people in times of crisis because secure communication is also essential in critical event management.
[00:24:17] GV: One of the key products, Cylance and CylanceMDR. That was, I believe, an acquisition. Back then, AI was being talked about as one of the key drivers, I believe, for bringing that into the portfolio. I'm curious, how have you seen things evolve from then to now in terms of the usage or the application, I guess, of AI?
Plus, I guess, the work that you do, which is, if you want to go almost pure human to understanding threat intelligence, and then how do we translate that into something where AI ends up doing the heavy lifting?
[00:24:51] IV: Good question. There's a lot to untangle there. But, yes, BlackBerry bought Cylance in 2019. I remember back - well, before that, Cylance was known for being the first technology endpoint solution to essentially focus on detection based on AI and machine learning models more specifically. I remember back in the day, 2017, 2018, people at Black Hat laughing about these things and saying, "Oh, that's not how you do detection on the endpoint." Fast forward to not even 2024, but even during the last few years, there's no vendor. No one that would dare to say that they're not using AI and machine learning in order to scale your detection capabilities. Because there's no way to do this when attackers start throwing at us a lot of malware per second as we report in our research. That's a fundamental aspect of that. Obviously, we have continued to build on this platform adding more machine learning models. I think we have released up to 18 new machine learning models in the last 18 months for various things that we see as a result of our research, working together with engineering and data science. We evaluate these things in realistic scenarios. We do this, as I said before, in a proactive manner, trying to anticipate it. Doing purple teaming exercises, which is essentially a way of emulating an adversary and having the blue team, the defenders trying to catch these adversaries and trying to prevent these attack chains as soon as possible. We do a combination, obviously, of AI, machine learning models with any other effective way of stopping these adversaries, including humans, right? Human beings that are monitoring and reacting to these type of alerts.
[00:26:35] GV: There's CylanceMDR, which is managed detection and response.
And I think just pure endpoint as well. Is that all part of the same product portfolio? Or MDR, that's where the human side sort of they come and actually do a lot of - essentially, a team at BlackBerry kind of helping you? Or how do you sort of explain the difference there?
[00:26:56] IV: Yes. It's part of our portfolio, right? If you look at our website, we have a CylanceMDR. That's the human team or SOC that is 24/7 reacting to these type of alerts, being proactive, working with the customer, and making sure that they have the necessary defenses in place to be able to take the most out of this. For example, right now, we back this up with a one-million-dollar guarantee for all of our customers and then the rest of the products, the technology, CylanceENDPOINT. As I mentioned before, BlackBerry UEM to manage devices, not just phones, but also laptops. It's very common these days to have people, the workforce distributed, working in hybrid environments. These type of solutions are important. Talking about that type of communication, CylanceEDGE as well, which is a zero-trust type of remote access solution and our [Name inaudible 00:27:44] suite of solutions as well for secure communications.
[00:27:49] GV: Yes. Secure communications, I wanted just to touch on that. Again, I think a lot of the history, I guess, of BlackBerry was that the handsets were these incredibly secure communication devices. I believe it was fairly well known that Obama refused to let go of his for that reason, even as other devices were becoming the more popular at that point in time. How has the pure handset business - and then now we're talking about secure communication. I believe it's application-based that can be on any kind of device. Or maybe you tell me. What is the secure communications business today?
[00:28:27] IV: Yes.
It's essentially about military-grade encryption and securing communications in a way that you can control this encryption also end-to-end, that you can control both sides of the communication. In the beginning of BlackBerry days, you would have like a BES server where you would control all of these in-house. Now, it looks like we went onto the all cloud based. Let's use applications like WhatsApp and any application that anybody can download the phone to do this type of encrypted communications. There's a lot of caveats there, by the way. A lot of people think it's encrypted end-to-end or secure. It's not that much, right? We can get into that if you want to. It looks like we're now realizing that there's a big need for privacy, especially when it comes to government communications. We have a lot of government customers and when it comes to corporate communications as well, when it comes to mergers, acquisitions, and a lot of the other confidential data that is exchanged by executives on a daily basis. We have seen very recently, for example, the US government talking about the threat of certain Chinese groups that are infiltrating into telecommunication companies and urging people to use secure comms. There's been some fines even by the SEC in the US, Secure Exchange Commission, to certain executives that have been using what is supposed to be a secure platform, for example WhatsApp, for certain things that should be confidential. There's a lot of realization right now that there is a need for this type of secure communications. We're a very strong player in that business.
[00:30:08] GV: To clarify it, I guess the format that takes is more, I guess, at the server level as opposed to application level. Or is it both or?
[00:30:16] IV: From a technical perspective, it required a hardware token back in the day. But these days, it's something that you can do on software. These encryption keys are managed by the server that you control that you have on-prem.
These encryption keys are distributed to the users that you provision, with the devices that you provision. This will enable that end-to-end encryption where not only the data is encrypted. Also, the metadata is encrypted which is a big thing, right? Going back to the news in the last few days, a lot of this information metadata could be very useful for attackers to figure out trends, who is calling who at what times. That can be very valuable information that we need to protect.
[00:30:57] GV: I mean, you're just talking about, well, the threats and staying on top of that. There's quite a move now. For example, there's a company over here in Singapore that does attack surface management. But the way they're talking about it, and I say talking about it but actually deploying it, is they have very much in-house threat research, threat intelligence, and is very much bleeding edge. What they are uncovering day to day is in the platform tomorrow. What kind of similarities would you say you have at BlackBerry?
[00:31:25] IV: My team specifically is a global team of researchers that are located all over the world, not just for a 24/7 coverage, which is important, but also because these threats are specific to the geographies that we work on. For example, you mentioned Singapore, right? We have recently published a bunch of reports on threats that we see specifically in Southeast Asia. Those threats are very specific to the region, very specific to the geopolitics, very different from what we see, for example, in Latin America, or in North America, or in Europe, or in Middle East. That's why it's important that we have these researchers in all these locations. They know the language. They know the culture. They know the politics. They're able to interpret, right? Why do we see something specific? I have seen, for example, around Singapore, Southeast Asia a lot of attacks against port authorities by specific threat actors that have geopolitical interests in the area.
I think we all understand what's the role of China and how they have been promoting this from the government, sponsoring this type of campaigns to, well, stealing of intellectual property or stealing some other military secrets, things that could benefit an economic position of a specific country or what's going on with Taiwan. All of these things shape the threat landscape as well at the cyber and security level.
[00:32:47] GV: Yes, very fascinating. I actually want to move this, bring you back in, John, in terms of, I think, some of the examples you've just given Ismael on threats. All very pertinent and probably some that are quite familiar to listeners, some maybe not. But then when it comes to embedded systems and maybe some of the other industries that I believe QNX can cover, I believe it's in medical devices, aerospace, defense, rail. Threats against any of these is pretty major. I guess, what are - I mean, this obviously could involve both of you being able to comment on this, but what kind of threats against embedded systems are we actually seeing today?
[00:33:30] JW: I think everybody's familiar with the Jeep Hack from 2015 that Charlie Miller and his partner were able to hack into a Jeep, control some aspects of the vehicle as a real wake-up call to the auto industry. We know the system. We were involved in the system, and the system evolved from a non-connected system that over time became a connected system, had no concept of security at all. QNX is a component supplier to the automotive industry or the medical industry. We don't build the actual final product. What we provide is, obviously, all the mechanisms from an operating system perspective that the customer can use to shut the door, to shut the windows as much as possible. But they're doing the same thing. They're engaging threat analysis. They're doing TARAs there. The auto industry takes this very, very seriously, as does the other industries that were involved in medical, for instance.
A big part of medical, for instance, is being able to secure the network itself within the hospital to start to reduce the threats. But, yes, I mean, the landscape is no different. The stakes are high. When Ismael talks about it, he talks about stealing of intellectual property, secrets being exposed. With a car, you're looking at something that could be much more serious from a - not necessarily from intellectual property but from an actual taking control of the vehicle. I would say the OEMs, they are very, very focused on security. [00:35:07] IV: The response times are completely different, right, John? [00:35:09] JW: Oh, absolutely. [00:35:10] IV: We monitor something. We look at something. We do incident response. Of course, rapid response is important. But in terms of a vehicle, it's immediate. It's real time. [00:35:18] JW: Yes. So there's a lot of hardware mechanisms within the vehicle to separate traffic, to make sure. I mean, one of the big things that was discovered with the Jeep Hack was there was no barrier from the infotainment system to the rest of the car. There was no gateway. Now, you have the notion of gateways, and you have the notion of routers within the vehicle that are pretty locked down. But, yes, it's a big topic. [00:35:41] GV: I guess that goes back again to microkernel in terms of being able to have that separation. [00:35:45] JW: Absolutely. Again, we're a component within a much larger application sphere, so we can do what we can do. We can provide the mechanisms that we provide. But at the end of the day, the OEM that's building the device, whether it's a medical device, whether it's an industrial automation device, oil and gas, wind turbine, car, it's ultimately up to the OEM. We provide the mechanisms. But, I mean, there's a lot of layers there of application and connectivity that at the end of the day, we don't see it until the car is shipping. 
[00:36:19] GV: I mean, I think that it's very familiar to even if our listeners don't have any experience with the embedded system side, but just the pure software side. A framework, a language can be provided. Everything framework is probably the better analogy. It can be provided. It has a lot of safety features, a lot of security features. But it's how it's implemented at the end of the day, yes. [00:36:37] JW: Well, that's just it. The reality of it is when you think about an embedded system just versus software, the differentiator is really that we're in a more constrained environment. Even today, if you look at that environment, there's 8, 12, 20 gigs of memory. I mean, we're running on the latest silicon like Thor from NVIDIA, so it's the same thing. The customer has given a bunch of frameworks to be able to build something. Then, obviously, we have to monitor CVEs. There's a lot of open source being used within the vehicle, so we have a responsibility to monitor any open source software that we're providing as part of our products. That's an ongoing process, as is being able to update the vehicle or to shut down a feature in real time if a threat is found. The monitoring of vehicles is very similar to the monitoring of business and any other type of security threat. [00:37:35] GV: Yes. I mean, just to touch on one last thing there, as you've called out, it is about how it's implemented. I imagine not - you don't have to give specific names or examples, but have there been situations where a company has ultimately realized there's a problem, and they have to actually come back to you because they say, "Look, we actually don't know how to - what the best way around this is, and the architecture is from your side, and can you help us?" That speed of response, I think, is what I'm getting at, coming back to you. [00:38:03] JW: I definitely won't share who. But, yes, that is not unusual that they seek our help, for sure. 
Most of the time, it's more to determine what does this vulnerability mean to me. Do I have a vulnerability here? Or because, I mean, you can have a vulnerability in software that's not exposed by the way the system was implemented. Normally, that's what they want to know from us is, okay, we know there's a weakness here. Are we vulnerable? Sometimes, these are systems that are very old. A medical device is not unusual to be in the field for 20 years. [00:38:36] GV: Yes. That's a great call out in terms of, as you say, a medical device is supposed to have a lifespan of exactly a couple of decades. [00:38:43] JW: Yes. Well, wind turbine, the wind turbine has a 25-year lifespan. If somebody were to hack a wind turbine and start playing with the pitch of the blades, you could bring down wind turbines. [00:38:54] GV: I guess looking forwards, what are you each, I guess, excited about in terms of, maybe just sticking with you, John, briefly, QNX into, I don't know, the next 5, even 10 years? What are you most excited about in terms of where things can go? [00:39:09] JW: I think what I'm excited about is the fact that everything is becoming more software-defined. More mission-critical devices are becoming software-defined such as cooperative robots, cars. But there's going to be more software in the future, not less, so I feel really good about our business. Also, what we're seeing is our customers would like us to do more, to provide more of a platform as opposed to components so that they can focus on application and not focus so much in the weeds of the software, what we call foundational software. I see a really very large opportunity for QNX to really grow its business and to really grow out or to build out more of a safe and secure platform for different verticals, whether it's automotive, medical, robotics, et cetera. [00:40:01] GV: Awesome. Yes, Ismael, same to you. I know in security, it's always an interesting question. 
It's like what are we getting excited about? Usually, it has to relate to threats. I mean, people are hacking, and we only have a job in security if bad things are, unfortunately, unfolding at times. But what are you excited about? [00:40:20] IV: There's always going to be that component of looking at what attackers are doing and defending against that. If we look at the use of AI, yes, attackers are starting to use that, but also defenders. I think that's a very interesting field because as we started using AI to anticipate, to do secure by design, especially as John was saying where everything runs on software, critical infrastructure running on software, supply chains. AI is going to help us to scale much better, right? I'm very excited about how we can look at - that's part of what my team is doing as well, right? Looking at ways in which we can use AI to scale better and faster than attackers, so we can anticipate more. We can secure more by design rather than just like always being reactive. [00:41:09] GV: Yes, absolutely. I mean, I think that's where, again, one area of software and security I've always been interested in and trying to promote is just that software engineers themselves are much more educated and aware of security and what they're building. Not just passing it off to, "Oh, the security engineer will tell me if I've done something wrong." Again, I think that AI really is helping here. Of course, tools like co-pilot, et cetera, do make mistakes, but they do learn from these mistakes quite quickly. [00:41:35] JW: That's a great point. It's very much safety and security have to be cultural. [00:41:39] GV: Absolutely. [00:41:40] JW: Not bolted on. Your engineers have to - it has to be part of their daily living within the organization. That takes time. [00:41:48] GV: Exactly. 
I think that's a very good point, and it was actually something I had to educate, I think, a few CEOs on, which was that they thought software engineers were fantastically educated on security. I had to break it to them. It was almost the opposite. It was the last thing they had been taught. It was the last thing they thought about, so yes. [00:42:05] JW: It is. It's not fun. It really has to become part of your culture, part of the way you think when you're doing your software designs, when you're doing your implementation. It's a lot more fun to do 80% of the fun work and let somebody else do the 20% that's really hard. You have to build into the process. You have to build it into the mindset and make people really believe that this is the prime thing that they're doing. [00:42:33] GV: That is a great point. Yes. Just to wrap up, I tend to ask this question to most guests, and we've got two today. For each of you, the question really is just if you could go back and tell yourself something at the start of your career based on what you know now, what would you be telling yourself? Or it could be advice, or it could be just something that you would have told yourself. [00:42:54] IV: I think that maybe this is going to be very generic, but I think sometimes we limit ourselves to what you have seen around you or the things that other people that you know have done before. I think that one of the things I would tell myself is like, look, there is no limits to what we can achieve professionally, personally. There's abundance of everything out there, lots of fun projects and to solve, and don't limit yourself. That's something that I see now. Obviously, I've been working with global companies and global teams for quite some time. It's a lot of fun. That's something that makes me excited and keeps me going as well, like trying to solve these problems. Especially for when it's problems that affect people's lives and we're talking about automobile before, right? 
But how many ransomware attacks we see against schools. We see against hospitals, right? I think that's something beautiful about what we do or our mission. Anyway, so I don't know if I answered your question, but that's kind of - [00:43:55] GV: No, no. I mean, there's no right answer to this, right? But, yes, yes, I mean, work is what you make of it. I think that's a great people's advice around do what you love and this kind of thing, which is a little bit hard sometimes, I think, for people to get their head around, but there's always ways to be turning up and doing something each day that can excite you. I think, it's the way to look at it. I like that. John, what about you? [00:44:16] JW: Obviously, I'd love to go back and fix every mistake I've ever made. [00:44:19] GV: That's a true engineer right there. [00:44:22] JW: But I have to admit, I've been pretty lucky. I mean, one of the things I've always told my kids is I always enjoyed getting up and going to work. To me, that's - I wouldn't change anything, to be very honest, from that - like I said, I've made lots of left turns and right turns where I should have made the opposite turn. But at the end of the day, I've enjoyed my work. I've enjoyed going to work. I've enjoyed the customers. I mean, even when I was traveling to Germany every couple of weeks for a period of a couple of years, I just thought it was fantastic meeting all these people, going to these different countries. I have no regrets. Could I have done things better? Absolutely. But I'm still in learning mode, and I'm still really enjoying it. [00:45:03] GV: I love that, still in learning mode. I think probably all three of us are, and I think that's a great place to end it. Stay in learning mode. I love that. Thank you so much to both of you giving out your time to come talk to our listeners. I think they've probably learned a lot about BlackBerry today that they had no idea potentially that was going on. Fascinating company. 
I've always been a fan of it from the handset days, and I love to see what it's doing now. Thanks so much for coming on. Yes, I hope we catch up again in the future. [00:45:27] IV: Thank you. [00:45:28] JW: Thank you. Much appreciated. [END]