In the tech world, few people hold bigger cyber-security jobs than Steve Schmidt. As chief security officer for Amazon, he is responsible for keeping just about everything at the giant company safe, from hundreds of millions of shoppers to quadrillions of data points in Amazon Web Services.

The array of threats is huge, from everyday scammers to encryption-cracking quantum computing that’s coming down the line.

But as he took to the stage at Amazon Web Services’ annual Re:Inforce 2022 conference, the former FBI and AWS executive gave his keynote address in a t-shirt bearing a pointed message: ‘ADHD: it’s not a disability, it’s a different ability’.

When I sat down with Mr Schmidt afterwards to talk about general security issues, I started by asking him about his message on stage.

Adrian Weckler: Why did you wear that t-shirt highlighting ADHD?

Steve Schmidt: I myself have attention deficit disorder. There's a very interesting correlation between Amazon executives in senior positions and ADHD. And the discussion we've had about that internally is that one of the things that's hardest in our job is context-switching. We have so many different things going on. It's actually really beneficial to have ADHD in that circumstance, because it allows you to be comfortable with that [context-switching].

The way I view it is sort of like the Force in Star Wars. If it's not trained, it can be a mess and cause you real problems. But if you can learn how to manage it effectively, it can be a tremendously useful tool. It's one of the reasons I'm good at my job.

Adrian Weckler: In Ireland, it’s very hard to get a diagnosis for ADHD. I have family in this situation. It’s not widely understood or dealt with much. What else have you found?

Steve Schmidt: It’s important to understand things like internal cues when reaching the point of needing to shift topics, and doing so productively, as opposed to the traditional “you're not paying attention”. It's incredibly beneficial. My wife is a teacher. And she's used to me at home. As a result, when she sees the same kind of behaviour in her students, rather than saying “you need to go back on the topic we're working on”, she'll intentionally assign them something different for the next 20 minutes.

Adrian Weckler: What was moving from security chief at AWS to Amazon.com like?

Steve Schmidt: The biggest difference I've seen is in the technologies employed. One of the things that I love about my new job is that I get to play with robots and rockets and self-driving vehicles and those sorts of things, which weren’t part of my role at AWS. Otherwise the problems in security are not novel. They are pretty much the same. One of the reasons that Andy [Jassy, Amazon CEO] asked me to do this job was that we have a bunch of small new businesses which are growing, and we want to make sure that we build the right security in at the beginning of those processes rather than having to try to retrofit things later on. So as we start new things, we want them to come out the door with the right security and the right privacy features.

Adrian Weckler: You talk a lot about the importance of encryption. But while this is generally lauded in technology and security circles, authorities are beginning to seek a compromise in their battle with things like child abuse imagery. What’s your perspective?

Steve Schmidt: I think that governments around the world have different views on the efficacy or necessity of encryption. Our viewpoint is that customers own their data and we've always treated them that way. We've always given the tools necessary to encrypt their data as they wish. Encryption is about customer privacy. And most importantly, it’s about ensuring that customers have control over their information. One of the reasons that we created the encryption systems that we did many years ago was to ensure that customers were the ones who determined who had access to their data, because if they use our encryption tools appropriately, it doesn't matter what lawful process I [in Amazon] am given by a government – I cannot produce their clear text.

Adrian Weckler: But if the European Union or the UK, as is happening now with online safety laws, mandate a tech company like Amazon to start scanning its systems in compliance with anti-abuse imagery rules, how would Amazon react?

Steve Schmidt: We obviously follow the law wherever we go. So there's no question there. It's more about us doing what we can, where it's appropriate and where it's necessary under the law. There are circumstances, given the way customers operate, in which we cannot see into their data. That's the standard operating procedure. In that case, the customer can comply with the law because they're the ones who have access to the data.

Adrian Weckler: As a former FBI man, do you have any sympathy with the authorities’ point of view on compromising encryption?

Steve Schmidt: I understand their point of view. Unfortunately, I think in many cases there is a naivety about compromising encryption quality, where people don't understand that if that is done, it is detrimental to everyone.

Adrian Weckler: One point being made here at Re:Inforce is a warning that today’s encryption might be vulnerable to technology advances in the near future, particularly quantum computing. Is that something that Amazon is thinking about now?

Steve Schmidt: Yes. We started a process, years ago, where we looked forward and said there is going to be a time when quantum computing advances to the point where it can challenge some of the existing cryptographic systems. And we want to be ahead of that problem. So we made the investments. We have the teams with the people and the right skills in place, and this has allowed us to come up with different protocol options. The most important thing here is that many of the systems that we use today have that option available. Customers can test it and try it now, before it becomes an emergency.

Adrian Weckler: Is there typically a threat actor in that quantum scenario? Quantum computing has always been characterised as something that's really only available to actors or entities with great resources.

Steve Schmidt: I think for now, quantum computing is only available to actors with great resources. But you could say the same thing about general purpose computing many years ago, that only the nation states had access to it. Go back to the very beginning of cryptographic attacks. Think of the Enigma machine and the German cryptographic systems in World War Two and the British government with Alan Turing.

Adrian Weckler: On the Re:Inforce stage, you talked about Amazon’s support for under-siege Ukrainian institutions and civilians, highlighting the company's technology to help Ukrainian governmental and educational facilities. By doing this, do you have any concern about becoming a higher-priority security target for Russia, which is a very capable nation-state cyber-actor?

Steve Schmidt: Operating on the internet, you are subject to all of the nation states that are out there all the time. So there's no new problem that's coming up with that. The Ukrainian situation is one where there's a sort of moral imperative to help the NGOs who are trying to support people, and to help people who are trying to feed others. We want to do what we can there. We also want to make sure that we can help preserve Ukrainian civilisation.

Adrian Weckler: On a more granular level, how has Amazon’s recent introduction of free multifactor authentication tools for customers fared? And is there any likelihood of it being expanded outside the US to non-US customer accounts?

Steve Schmidt: We were trialling in the US for two reasons. One is because the export of encryption technologies, which the MFA tokens fall under, has some rules associated with it. So it's very easy for us to roll it out here. We have to think differently about each jurisdiction that we go into. The other piece of that is we wanted to see what the uptake looked like before we offered it elsewhere, because it's not cheap to do. But it's been very good. And we're really happy about that, because a physical security token as an anchor of identity is something that makes the adversary’s job very difficult. When you think about ransomware actors and the like, they normally try to acquire your identity for your systems and use that to leverage your access to information. By giving you a hardware token that's required to log in, it really does break a lot of their access paths. So it's something that we do regard as a keystone of good identity management. As for outside the US, we're going to see what the customer demand is in other jurisdictions and, of course, look at it subject to the local laws and rules around the use and distribution of cryptographic materials.

Adrian Weckler: You talk about building security into products and services as a core part of development from the start. But companies still talk about this as a balancing act between priorities, matching time, cost and effort. What would you say about that?

Steve Schmidt: One of the reasons I'm successful in my job is because I owned a development team first. So I understand how builders think about the way that they build things. And the security team can take very intentional decisions which will help improve the velocity of a building process. For example, reviewing code to see whether it meets security standards. The way we used to do it was we'd wait until the code was all written. And then we'd review it and say, here are the problems that we've got. Because we’re human beings, we just want to ship it at that point – here’s this beautiful thing we’ve just constructed, right? But then these people come in and tell us, ‘that's broken’. It's really a downer of a situation for the builder. But there's a different way. We have this concept of code reviews. So if you write software in Amazon, one of your teammates has to review it to say that it's appropriate for the task before you can ship it. There's a set of tools that we use to do that. We've built our security code review into that same set of tooling. And that means when you submit the code review, you as a human are actually looking for feedback, looking to see whether it works. Your peer provides the feedback and the security team provides the feedback at the same time. The satisfaction of the builder is so much higher with the feedback that the security team provides at that point than it was before. The difference is incredible. It ships more quickly, too, because we catch the problems and aren’t stuck in a system where we have to figure out how to change it.

Adrian Weckler: Let me ask you now about Ireland. AWS has a very large office in Dublin and a large security team there. How has that been?

Steve Schmidt: It's a phenomenal recruiting location for us. The EU relationship allows us to recruit from a lot of different countries that we wouldn't otherwise be able to. And furthermore, the infrastructure in Ireland is such that it's a very reliable participant in our company. Dublin has a well-educated populace and integrates easily into the company. It’s the centre of gravity for us in Europe.

Adrian Weckler: I’ve heard you talk about the 1989 book, The Cuckoo’s Egg: Tracking A Spy Through The Maze Of Computer Espionage. Do you approach security as a general series of solving problems?

Steve Schmidt: I do. Fundamentally, the most important thing for someone in security is curiosity. It's asking why something happened, again and again and again. Cliff Stoll [writer of The Cuckoo’s Egg, who solved the first big computer hacking case] is a great example of that. At Amazon, when something doesn't go the way we want, there is a formalised engineering review that's done using a process called correction of error. And the point of that is to understand, with precision, what happened, why it happened, and then figure out how we are going to prevent it from happening again. The question ‘why’ is asked five times at the bottom of the form, literally. It's to force people to dig deeply to the actual root cause of a problem. And that kind of recursive curiosity is incredibly important. So while we certainly look for people with formal training in security, we also look for people who are innately curious, because it's much more difficult to teach curiosity than it is to teach the other. We also really favour people who themselves are developers, because our job in security is to help our developers succeed. It is not just to prevent things from happening.