OASIS Board Member Bret Jordan

OASIS Board Member Spotlight Series: Q&A with Bret Jordan

The OASIS Board of Directors are integral to the organization's success. Read our Q&A to gain a better sense of who they are and why they serve the OASIS community.

Meet Bret Jordan, an accomplished executive with 30 years of experience in the field of cybersecurity. Jordan has successfully led various global enterprises, startups, academic institutions and nonprofits. At OASIS Open, he has made significant contributions as a co-chair, editor, and advocate for numerous standards, including STIX, TAXII, CACAO, and OpenC2. In recognition of his expertise and the impact he’s had in his field, Jordan was honored as an OASIS Distinguished Contributor in 2020. Read more in our Q&A:

Can you tell us about your current role?
I currently work as Chief Security Strategist at Afero, a technology company building a secure-by-design or born-secure IoT platform as a service (PaaS). We provide an enterprise-grade, end-to-end secure solution for consumer IoT products. My role is to work on strategy, long-term horizon scanning, and those parts of the product that deal with end-to-end security.

What kinds of things is your company working on? 
Afero was the first to build a comprehensive and managed IoT platform upon a foundation of enterprise-grade PKI. Security is a “red thread” woven through and connecting every layer of the platform — it’s not just a feature, it is an intrinsic quality. We have made substantial advancements in this field, evidenced by our impressive portfolio of approximately 100 patents, which serve as undeniable evidence of our continuous commitment to innovation.

There are several things that make us unique, one of which is our patented onboarding solution that does not require Bluetooth pairing. You simply scan the QR code for the product, turn it on, and it is done. This means that, in most cases, devices are online and working in seconds.

One of Afero’s customers is The Home Depot. Afero has built the secure IoT platform for all of their private label brands: EcoSmart, Defiant, Hampton Bay, etc. The program and ecosystem are called Hubspace, and that is also the name of the app. We provide an enterprise-grade, end-to-end secure solution for their IoT products all the way down to constrained light bulbs. Because of the Afero solution, The Home Depot has experienced a significantly lower customer call volume and product return rate for their Hubspace products.

One simple but meaningful use case for smart and connected bulbs is that you can easily change the color temperature of the bulbs to make them all match or have them automatically turn on or off with the rising or setting of the sun. With Hubspace these pain points are removed. Ten years ago, this would’ve been viewed as a premium service or something that only tech enthusiasts would have utilized. Five years ago, if you wanted a smart and connected light bulb you would have had to pay a significant premium. Today, this functionality is available to everyone. You can even control these products directly from your phone or a voice assistant.  

What we have seen is that the average user just wants to plug in their smart devices and have them just work. They do not want to try and cobble together a bunch of random products and technologies; they want a simple-to-use ecosystem. Afero has addressed this problem and these pain points and invented technology to solve it.

What can you tell us about your new podcast? 
We’ve recently launched a podcast called Smarter Everything. The premise is to talk about the transition to a smarter and more connected world as we begin to bring more connectedness into our daily lives. I like to refer to it as the hyperconnected edge that we’re moving to. It’s where things are going, and there’s a lot that needs to happen before we can get there.  

As the industry moves down this path and consumers deploy these technologies and products, there are many things that need to be considered to ensure that end users are protected, and their privacy is maintained. The widespread availability and minimal additional expense of IoT products has made the smart and connected world available to everyone; we’ve reached the point where people are eager to buy these products and we want consumers to be informed about not only the benefits they provide, but how they can utilize them in a more secure and productive way.  

How did you get involved with OASIS?
My journey into international standards started many years before I joined OASIS, back in the late 1990s/early 2000s with the 802.1X protocol and its various EAP methods. Then in the mid 2010s I started working on the Structured Threat Information eXpression (STIX) and Trusted Automated eXchange of Indicator Information (TAXII) work when it was still at the Department of Homeland Security (DHS). I subsequently joined OASIS when DHS moved the STIX and TAXII work there. 

Once STIX and TAXII were at OASIS I became heavily involved. I ended up chairing a lot of the STIX and TAXII work for about eight years. I also served as an editor of the documents and helped coordinate and orchestrate the comments and feedback that came in from the group. The STIX and TAXII community at OASIS was incredibly active with around 350 members at one point. I also worked on the Open Command and Control (OpenC2) when it was a National Security Agency (NSA) project and continued working on it when it was first brought to OASIS. These three projects really got me involved in OASIS. I have since gone on to co-start the Collaborative Automated Course of Action Operations (CACAO) for Cyber Security work.

What inspired you to join the OASIS Board? 
After working on STIX and TAXII, I knew that I wanted to enhance my contributions and better serve the OASIS community. My goal was to foster stronger connections between the board and the membership. My intention was to enable members to gain deeper insights into ongoing activities and enable them to provide valuable feedback to help drive change.  

Once I joined the OASIS Board Process Committee, I helped facilitate not only my changes, but changes from everybody else. I wanted to address the issues that members cared about. As chair of the Process Committee, I have instigated a transition to an open model using GitHub for our document creation and tracking. This way, OASIS members can submit issues or even do pull requests. We’re really trying to connect the board back to the membership because ultimately the OASIS membership is the foundation of the organization.

How do you see your background and experience complementing the current board? 
My background has been in cybersecurity; I have been working in this space for about 30 years on the academic side and the enterprise side. I understand how to run very large projects and programs – things that take months, quarters, or years to complete. My day-to-day experiences span from the operational side to the management side and to the research side, which adds a unique combination for the work we do here at OASIS. 

Everybody has their own little bit of expertise that they bring to the board and it’s all incredibly important and valuable. I think my expertise stands out because I’ve had the opportunity to work closely with other standards development organizations (SDOs) and standards setting organizations (SSOs), gaining valuable insights into their problem-solving approaches, and learning what works and does not work at scale for standards. 

What is it about the OASIS community that you’re passionate about? 
I like OASIS because it’s a true community with a sense of purpose and an organizational structure that lets groups get work done. Not every SDO or SSO is like that; a lot of them have controlling autocracies where a couple of individuals tend to drive the conversation and stomp out ideas they do not personally like. OASIS doesn’t tend to feel like that. Most of the groups here at OASIS are very true to the form of traditional standards that are driven by consensus. Meaning, it’s not unanimity, and not everybody gets a pony. The rules and processes at OASIS are much more conducive to getting people around the table and getting actual work done. OASIS processes are not heavy handed and do not lend themselves to having one person control everything; there is no benevolent dictator for life in a TC at OASIS. Also, at OASIS, there is a process and a plan for what it takes to actually get something done, and members understand this. They also understand the amount of work and effort that is needed to bring a standard to completion. In other SDOs and SSOs this can be vague and up to the whims of certain individuals. 

Why do you think companies and organizations bring their projects to OASIS? 
OASIS provides a mechanism for organizations to get like-minded people together and get work done in a meaningful way. Other SDOs have antiquated mechanisms that either prevent success, are designed to stall success, or enable a very small group of individuals to control the destiny of what gets started and ultimately worked on. OASIS is a bit more nimble. It is not perfect, but in a lot of ways it is better than many SDOs. The benefit of bringing work to OASIS is you get the great governance and IPR protections that come along with going through an official SDO, and OASIS makes it easy. If I have an idea and there are enough people interested and willing to support it, we can join forces and start working on it; it is that simple. Try doing that in another SDO or SSO.

What do you think about the work being done at OASIS? 
There are a lot of great projects that people know about but do not realize come from OASIS. Things like SAML, XACML (the eXtensible Access Control Markup Language), STIX and TAXII, CACAO (the cybersecurity playbook standard, or the Collaborative Automated Course of Action Operations), and OpenC2. All of these things are focused around solving real world problems in operational cybersecurity – and they all came out of OASIS.

Can you share some examples of the impact of your work?
STIX, TAXII, and CACAO are the biggest projects that I’ve contributed to here at OASIS. But I have done work in the IEEE, IETF, and ITU-T. I have also written an RFC (RFC 8785) about JSON canonicalization, which enables digital signing of JSON data. I am also currently working on a contribution to the X series documents (e.g., X.500, X.509) at the ITU-T for the actual signing of JSON data. This is desperately needed as most of the data that’s transmitted today over the internet or through browsers is JSON based and there is currently no good way to digitally sign it.  

Early on in my career I was involved in another noteworthy project. I worked on an 802.1X supplicant, the actual client piece of an 802.1X session, and we built the first widescale 802.1X roaming network, which became the foundation for the idea of what is now called Eduroam. We wrote a white paper at the University of Utah about it, and the creators of Eduroam read our white paper and basically made a bigger version. We had this idea and called it out in our white paper. We talked about it in the context of universities being able to crosslink authentication and do local authorization but remote authentication at the university of your choice.

Do you have any role models that helped you in your career? 
There have been a few people over the years. I started my career in academia, designing, running, and building very large networks on high performance academic grid systems. I’ve also worked in startups and large enterprises. The three people that have inspired me the most and helped me early on in my career were two of my supervisors and one co-worker. One was Hugh Thompson, former CTO at Blue Coat and Symantec, and current chair of the RSA Conference. The second person was Joe Levy. I worked for Joe when he was CTO at Solera Networks and then at Blue Coat. Both helped me see a bigger picture early on in my career and really encouraged me.  

When I was working at the University of Utah in the College of Engineering, I remember having a discussion with a network engineer named Joe Breen at the Center for High Performance Computing. In that discussion, Breen figuratively opened a door just enough to let me see that there was not just another room on the other side of the door, there was a whole other world that existed. Joe opened my mind to the idea that this space is so much bigger and so much more involved than what I had previously conceived; the computer and cybersecurity spaces are so vast and so deep. Since that time I have become obsessed with learning new things. If I was independently wealthy, my dream would be to go to MIT and just do every degree program they offer, starting at A and working my way to Z. 

What trends or changes do you see in the industry that are most exciting to you? How can OASIS prepare itself for what you think may be coming our way? 
About eight years ago, I gave a talk at the Financial Services Information Sharing and Analysis Center (FS-ISAC) meeting in San Diego. Hugh Thompson and I spoke, and I talked about the security of banks ultimately being derived down to the security of a light bulb. I knew this stuff was coming, but I did not yet fully grasp how pervasive it was going to be. Then in 2019, I went to the ITU World CTO Conference in Budapest to talk to all the CTOs of the various telcos about my view and vision for this hyperconnected, 5G-enabled edge. I had been working on this theory for quite some time, for about four years before I gave that talk in 2019. We are now starting to see that actually come to fruition.

But what excites me the most is this hyperconnected environment that we’re going to get to, where every computer and device will be interconnected, talking to each other, and making decisions in cyber relevant time. Everything will need to work together seamlessly. There is a lot of infrastructure, technology, and standards that need to be created to make sure this actually works. There are a lot of pieces on the cybersecurity side that we need to make sure stay secure. But there are also the actual communication paths and pieces that make it all work. We are going to get to this point where things need to communicate in a very different way than what has been done before.  

Typically, we have a one-to-one relationship with technology. For example, you have one computer and one phone. But in this hyperconnected world, when you start thinking of all of the sensors and all of the physical devices, you will have orders of magnitude more devices per person. A normal home equipped with IoT products may easily have 50-100 devices. Look around your home: by the time you add up all of your existing e-readers, computers, smart speakers, and all the other things that are internet connected, it is very common to have 30+ devices, and you have not even started deploying IoT. That excites me because it is going to fundamentally change the way we have to design, secure, and interact with our environment. Even in my office, where it’s just one person, there are probably 15-20 connected devices. We need to make sure all of that works seamlessly and is end-to-end secure.

Also, everything that we have been doing in cybersecurity for the past while does not work all of the time. We have known this for a while, but we still just keep bolting on technology and putting oxygen on the fire. We’ve been utilizing the same model of security since I started doing this work back in 1993. Month after month, quarter after quarter, year after year, organizations keep getting compromised and breached, so we know the model is somewhat broken. What we need to do is step back, go to standards, and look at how we could redo this from the ground up to make this world a better and more secure place. Standards play a huge role and I see OASIS being able to do a lot of great things in this space, especially in coordination with other premier SDOs. I find all this very exciting.

What are some of your career accomplishments that really stand out to you? 
Being part of the STIX and TAXII community really stands out to me because that was just such a monumental amount of work. There were weeks where the editorial group (John Wunder and Rich Piazza from MITRE, and I) were resolving more than 500 comments and suggestions each week for weeks on end. It was normal for us to spend 15-20 hours a week on working calls trying to address the number of contributions that were coming in.

What’s some valuable advice that you’ve received in your career? 
Kindness goes a long way. I also think it’s important to have an open mind and not to jump to conclusions. Try to understand that, for the most part, everyone is doing the best they can with what they’ve been given. It’s important to understand another person’s perspective and their point of view before you jump into a rash decision. If you step back, listen, and try to understand an issue, you’re going to learn more than you ever realized. The more engagement you have and the more people you talk to, the more you can learn about the areas that you don’t know about. It is then up to you to actually go and do some research and try to understand things a bit better. But it is key to be a little kinder and a little more patient.

What’s a fun fact about you?
I love to cook. I approach cooking in a very scientific way and, much to the chagrin of my family, I will make things over and over until I have deemed them perfected. I then document it, and then I move on to something else. They keep asking me when I am going to make this or that again, and lately the question has been “when are you going to make that cheesecake again?” I also keep a logbook for cooking to keep track of when I made a specific dish, the results, and what I liked or didn’t like for the next time I make it. I also weigh all my ingredients, and I view my recipes as replication steps, not just a simple recipe, because recipes have a lot of vagueness (a pinch of this and a pinch of that).