A most curious Hotelie: Gregory Falco’s wide-ranging path to MIT and beyond
In today’s wired-and-wireless environment, the Internet of Things is growing to encompass virtually everything. From phones, washing machines, and baby monitors to building controls, municipal water supplies, and global positioning systems, devices are increasingly connected to and mutually dependent on the power grid and users’ networks. Should any of those interconnections fail or get hacked, the results might be catastrophic.
This realization dawned on Gregory Falco ’10 while he was consulting with clients in his job with the global professional services company Accenture a few years after graduating from the School of Hotel Administration. “I was hanging out with sheikhs and fancy people in the Middle East who were asking me if all this stuff was secure. I realized that there was absolutely no security behind a lot of these technologies that underlie all of our critical urban infrastructure.”
Greg Falco is like the kid who takes a screwdriver to a major kitchen appliance, disassembles it, puts it back together with some interesting new features, and makes money selling the improved device to his parents’ friends. In characteristic fashion, then, he decided—as a self-taught computer scientist with no degree in the subject—to see what he could do about the vulnerability of critical urban infrastructure to cyberattack. “I applied to MIT to figure it out,” he said simply.
He is due to receive his doctorate in cybersecurity this spring. Not only that, but he recently landed on Forbes’s 30 Under 30 list in enterprise technology in recognition of the promise of NeuroMesh, the anti-hacking security company that he founded with MIT kindred spirit Caleb Li.
One thing LEEDs to another
Falco’s path to the cybersecurity field was as circuitous as the route from a car’s onboard navigation system to the systems that control the movement of trains. As a Cornell undergrad, he worked for Expedia as a consultant, helping them build their criteria for sustainable tourism. “That was really cool,” he said, “and I thought, ‘I’ll go get my LEED accreditation,’” which he did. Thinking he would become an expert in energy-efficient hotels, he went to work as a sustainability and energy consultant for realty giant Tishman Speyer. Accenture got interested in what he was doing and, with the support of Jay Tsigas ’88, an executive with the company, Falco was hired as a consultant in their smart buildings practice.
He simultaneously embarked on an MS in sustainability management at Columbia, where he has taught sustainability technology courses as an adjunct lecturer since graduating in 2012. More recently, he has also taught computer science and machine learning there, to students in public policy.
At Accenture, Falco initially performed big-data analytics to improve energy efficiency in commercial real estate, including hotels. The firm quickly found most of its clients unwilling to pay for sustainability solutions, however, so Falco ended up founding Accenture’s smart city division, which grew to represent tens of millions of dollars in annual business by the time he left to focus on his family and NeuroMesh in February 2017. “The practice was around the Internet of Things—sensorizing absolutely everything in a city, helping cities figure out things like how do I connect my phone to my transportation system to my electric grid,” he explained.
There was another side to Falco’s undergraduate experience at Cornell that helped set him on the path to MIT: he worked as the business manager in the Biorobotics and Locomotion Lab in the Department of Theoretical and Applied Mechanics. He also took classes in energy control systems and environmental engineering.
Curiosity and hospitality
Given his love of learning and the diversity of his interests, it’s no wonder that Falco ended up at Cornell. “Cornell was instrumental in fostering my intellectual curiosity, because it has absolutely everything you can study; you can satisfy the desire to learn the most random topics,” he said. “That’s probably where I got the bug to try so many things, and it has followed me everywhere afterwards.”
The hospitality bug bit Falco in about the fourth grade. Upon reading a book called Careers for Kids Who Like To Talk, he felt that hotel management was his destiny. “Whenever my parents took us traveling, I would interview the hotel managers, and I decided it would be a really interesting and awesome career. As I got older and started thinking about schools, the only school I thought about was SHA, because it was the best.”
Reading the Hotel School’s alumni magazine helped convince him to study there. “I saw the diversity of experiences that Hotelies had and the amount of traveling they did,” he said. “I thought this would be a great mixture of traveling, talking to people, and learning new things. I also loved that it sounded like an intensive environment.”
He did have to weigh what to do about his penchant for engineering, however. “I had always been a science nerd,” said Falco, who in high school retrofitted a tennis racket to improve his serve, won multiple engineering competitions with it, and started a small business selling rackets. “I struggled with the idea that maybe I should go into science, but I wanted to create businesses out of the stuff I was inventing. The Hotel School is a business school, and so that was a win-win situation.”
To help settle the question, Falco previewed the program by taking Cornell’s Summer College course in hospitality operations management. Ironically, perhaps, he had a particularly hard time in senior lecturer Mark McCarthy’s microcomputing class, but the experience did him good. “He showed me that you have to bang your head against the wall for a long time to get some of this stuff, and after you get it, you can be really good at it,” he said. “Summer College made it clear that SHA is the coolest business school in the world, because everything you need to learn about business is taught, and every class is super practical, with case studies galore in a very fun industry. I also got a general taste of Cornell and learned the truth of the saying ‘elite, not elitist.’”
Ranger and Rover
At Cornell, Falco fed his inner nerd by merging business with engineering. “The biorobotics lab was my refuge from classes,” he admitted. “The principal investigator was Andy Ruina [who is the John F. Carr Professor of Mechanical Engineering], and the lab was run by Jason Cortell, both extremely bright—imagine your prototypical engineer times a thousand.”
Falco worked on the Cornell Ranger, an energy-efficient, bipedal walking robot. “Although my responsibilities were nontechnical—I had to get sponsorship for the robot—just being around that crowd was often a highlight of my day,” he said.
Many of Falco’s friends in the lab went to work for NASA’s Jet Propulsion Laboratory (JPL), either as summer interns or as full-time employees, to work on the Mars Rover. “I wanted to go there, too, but they never had openings for business students,” he said.
Falco eventually got to JPL anyway. “I found my way to CSAIL [MIT’s Computer Science and Artificial Intelligence Laboratory] and realized that everyone in our group there also went to JPL for internships to build the Mars Rover,” he said. “But while the Cornellians were mechanical engineers, I ended up working with a team of artificial intelligence experts who are building the brains of the rover.”
Noticing Falco at a security competition, NASA JPL engineers decided to help sponsor his PhD so that he could develop cybersecurity strategies for the Mars Rover or Europa Lander. “I can say it was well worth the wait,” he said of his roundabout journey. “The JPL is the greatest place to work—ever.”
AI and EQ
MIT’s intense learning environment, in the midst of world-class experts, was a perfect setting for Falco to explore solutions to the ever more complex threats in the world of cybersecurity. A one-man interdisciplinary team, Falco devised a three-pronged dissertation that addresses the technological, business, and social facets of cybersecurity in critical urban infrastructure—and which has required faculty advisors from urban studies and planning, computer science and artificial intelligence, and business.
The first prong entailed developing a model to assess and manage cybersecurity risks to help chief information security officers respond to cyberattacks. The second prong uses artificial intelligence techniques to analyze vulnerabilities in critical urban infrastructure, which typically relies heavily on easily hacked industrial control systems.
The third prong addresses the idea of defensive social engineering, focusing on the social science behind dealing with hackers. As Falco explained, we typically respond to hackers by fighting back with technology, forgetting that humans are behind the attacks, when in fact it may be just as important to think about their motivations as their technology.
For instance, in the WannaCry cyberattack perpetrated by North Korea in May 2017, hackers deployed “ransomware” that took victims’ data hostage, affecting about 200,000 computers in about 150 countries. The ransomware operators, a third party hired by North Korea, demanded payment in bitcoin (because cryptocurrency is harder to trace than conventional currency). “You could actually call up and talk to the operator,” Falco noted. “If you could appeal to the operator’s emotions in some way, you could use your emotional intelligence to manipulate that person into doing something good for you.”
He continued: “It goes back to what we were taught at SHA: read the situation and read your customers; intercept every desire. Know your adversary; figure out their values and intentions.”
Hacking for good
Part of knowing these adversaries was learning their hacking techniques, a challenge that Falco accepted with his usual enthusiasm. “There’s a lot I still don’t know and a lot of people would really kick my butt in hacking,” he said, “but it is a skill I was recently able to acquire.”
Although hackers can inflict considerable damage by paralyzing systems or stealing consumer data, Falco feels that most aren’t interested in causing harm—hacking is primarily fueled by curiosity. No wonder it appeals to him.
“Yes, you want to break into something without authorization, but not necessarily because you want to destroy something; it’s because you want to see if you can do it,” he explained. “The real hacker mindset is being creative about how you use something. I’ve learned that, in hacking, you can actually make a huge impact for bad or for good.”
Falco, whose curiosity is matched only by his desire to help people, uses his hacking skills only for good, not evil. “Life is service,” he said, quoting the Hotel School’s founding benefactor, Ellsworth Statler. Thus, NeuroMesh deploys hacking techniques to protect critical urban infrastructure from hackers.
Urban infrastructure is rife with security vulnerabilities waiting to be breached, said Falco, especially with its reliance on centralized control systems. This centralization presents hackers with a single point of attack that can wreak havoc across the whole system. Botnets, a type of malware, work by installing a lightweight script in a device that takes over control, thereby turning the device into a “bot” that stops responding to its controller and attacks other systems. NeuroMesh’s solution involves installing a custom-programmed “vaccine”—“malware that kills other malware,” as Falco explains it—in IoT devices.
NeuroMesh’s software augments traditional, centralized control-system security with a distributed system that rigorously manages data communication. This heavily encrypted system, known as a blockchain (or, in the case of the technology employed by NeuroMesh, the bitcoin blockchain), keeps a verifiable record of every data transaction and distributes this information so that every networked device stores a permanent record that cannot be overwritten or compromised in any way. The blockchain record makes it easy to notify blockchain-enabled IoT devices of malware and bad IP addresses that might try to communicate with urban infrastructure systems. The idea of combining IoT and blockchain technology is beginning to take hold in business circles, but much work remains to win converts.
Continuing the Hotelie tradition
To work with the various stakeholders in critical urban infrastructure, Falco finds himself calling on his diverse knowledge in technology, business, and public policy. Although many cybersecurity experts feel that innovative solutions like NeuroMesh are crucial to fighting hackers’ increasing sophistication, Falco has encountered numerous roadblocks to acceptance. For example, a huge European utility company signed on with NeuroMesh only to discover that the manufacturers of the devices they wanted to protect refused to allow NeuroMesh software to be installed on their units. “They didn’t want third-party product on their devices,” Falco explained. And in the United States, for instance, “You have to take out a million-dollar bond just to get a pilot with utilities for your technology.”
On the positive side, Falco has found European countries to be generally cooperative and forward-thinking about cybersecurity. “That’s good for everyone, because the economy is so international that, if you are a U.S. company doing any business in Europe, you have to prove you’re satisfying European cybersecurity standards. But it’s going to take some time to get where we’re trying to go.”
Educating utilities, municipalities, and device manufacturers on the threats and opportunities of cybersecurity will take years. While waiting for the market to mature, Falco and Li may continue incubating NeuroMesh at MIT. “The technology could evolve with the times and with the threats until the community is ready for us—and then we’ll be there first,” he said.
In the meantime, Falco said he’d enjoy becoming a tenure-track faculty member in a forward-looking business school after doing postdoctoral research. “Teaching is the best way to scale yourself. I know I won’t be able to touch every industry and every problem that ever exists. But if I can teach a classroom of people how to think, then they can go out there, and something that I contributed to will be out there in the world. That is the most exciting thing to me: seeing my students succeed.”
With his exceptional resume, Falco sees himself as continuing a proud Hotelie tradition. “When I was at SHA, it was clear to me that you might learn to do something in the context of hospitality, but you could apply that knowledge to all kinds of other contexts in the real world. It’s cool to see Hotelies doing so many different things. “Any person, any study, doing anything: I like to think I helped others to follow in that path.”
—Written by Irene Kim, a freelance writer for the Cornell SC Johnson College of Business;
Photos by Ian Maclellan unless otherwise noted