a16z Podcast - a16z Podcast: Changing the Conversation about Cybersecurity
Episode Date: June 16, 2017
When individuals gain the abilities that only nation states once had, how do we put cyber threats in perspective for policymakers -- without unduly "inflating" the threats? As it is, security is an intense and important topic, so our job is to be scared -- and prepared -- but what's the scope of the actual threats, how do we talk about them, and what are the best analogies even? For example, we tend to think about "getting inside" as the big problem -- but in fact, the steady, "low-grade" degradation of trust and constant exposure is much more common and where we should be focusing holistically. The guests in this episode of the a16z Podcast discuss all this in a conversation (with a16z's Matt Spence) recorded as part of our Tech Policy Summit in Washington D.C.: a16z general partner Martin Casado; Head of Cybersecurity Strategy at Illumio Nathaniel Gleicher; and former Director of the National Counterterrorism Center and former General Counsel for the NSA Matthew Olsen.
Transcript
Hi, and welcome to the a16z podcast. In this episode, recorded as part of our tech policy summit in Washington, D.C., guests Martin Casado, a16z general partner, Nathaniel Gleicher, head of cybersecurity strategy at Illumio, and Matthew Olsen, former director of the National Counterterrorism Center and former General Counsel for the NSA, talk with a16z's Matt Spence about changing the way we talk about cybersecurity.
So, why don't we, Matt, start with you?
So you saw some of the most dangerous cyber threats to our country from your perch from inside
the Situation Room. What should we be more afraid of and what should we be less afraid of
in cyberspace? We need to be really rigorous and precise when we talk about the threats we
face. You know, you were there, Matt, with us in the Situation Room. We were briefing the president.
I was the person who started off the briefings with the president to talk about the threats we
faced from terrorism. And there's always this
impulse to inflate the threat because you don't want to be wrong, right? And so there's this
sense like you should kind of go to the scariest, darkest corner of the room. But I think it's
critical that individuals in that position and companies in that position actually don't fall prey
to that impulse. And to really understand, okay, what is the nature of the threat? How do we put it
into perspective so that policymakers, companies can make sound resource decisions, sound business
decisions, sound policy decisions about how we're going to counteract the threat.
So I think that's a fundamental point, and I do think we face a bit of inflation about the
nature of the threat, or at least a little bit of lack of care and talking about the threat.
I do think, and where I might sort of take a different, maybe glass half empty versus
glass half full perspective, you know, as much as we celebrate all of the ways in which
the advances in computing and in big data and analytics give us greater ability to
counteract the threat, those same capabilities are also going into the hands of our
adversaries. And so the same things that help protect us are also the same things that are
causing us to feel vulnerable and to feel exposed. And where, just like in terrorism, where
there are asymmetric threats from individual terrorists and ISIS can outsource and crowdsource
terrorism to anyone who can communicate with ISIS over an encrypted channel, we see individual
small groups of people, as you said, gaining the capabilities of what were nation-state capabilities
in terms of the ability to carry out attacks from just a few years ago. So I don't disagree. I just
probably, because of where I come from, have a little bit more pessimistic view and can't be
quite so sanguine about the direction that we're going. There is a danger of inflating the threat
as well, too, right? If everything is a threat, nothing is a threat then. And that's kind of the issue,
too is there's this intersection of the way we talk about threats and the major technological
breakthroughs that we've had. And Nathaniel, turning to you is, in your perspective, both kind of
in industry and the White House, what are some of the major technological breakthroughs that
you think we've seen since? Maybe like the early 2000s, when there was last so much concern
and hype about cybersecurity. In other words, are there breakthroughs or what are the
breakthroughs that have allowed us to avoid sort of the world-ending events that we all thought
would just have us all, like, spontaneously explode right now due to some cyber attack or something
like that?
You know, it's funny.
There's a book called The Cuckoo's Egg, which details this very sophisticated attempt to break
into Berkeley's security systems and the efforts of this security researcher to track and catch
and stop the guy who's breaking in.
And it's interesting because he walks through how he does it, and it's a very detailed
description of a threat and counter-response.
The funny thing is, it took place in the early 1980s.
And there's some things that are different, right?
He actually tracks this guy by having rooms of printers set up
between about 9 p.m. and 8 a.m.
because this is when the intruder was breaking in,
tracking and printing out records of what part of the environment he's in
and where he's moving.
So some things are different, but actually a lot of it's pretty similar.
And many of the techniques he uses look a lot like the techniques
we still use today.
So I would actually sort of say there aren't as many changes as we think there are.
And one of the big problems, and part of I think what you are identifying, Martin, is
there's a big difference between sort of what cybersecurity threats actually are and how we talk about them.
There's a statistic that's been going around.
It was used in a couple of cybersecurity bills recently.
It was used on the hill.
And the statistic is 60% of small businesses that get targeted with a cyber attack go out of business within six months.
And in case you're wondering, the statistic is totally wrong.
There's no basis for it whatsoever.
But it's exactly the kind of statistic you'd expect to hear about cybersecurity
because it's about sort of this big, massive destruction,
no companies could survive, huge consequences.
And I was talking to a colleague of mine,
and he was pointing out that if that were true,
virtually every business that went out of business
would do so because of a cyber attack.
There is a very serious threat
from cyber intrusions, but it's not often the threat
we talk about.
We tend to imagine that getting inside is the big problem,
and that once they get inside, there's this risk
of this big, massive institution-ending event.
And that is certainly possible.
But much more frequent is the steady, low-grade degradation
of trust in the systems that we use.
And once intruders get in, they need
to sort of move laterally through these environments
to find the target that will let them cause damage.
And there's still this large focus, and there always has been at sort of the perimeter and the edge
and keeping people out and stopping those institution-ending threats.
But if we focus more on the low-grade constant degradation and the constant exposure,
that's where the real challenge lies, and that's where innovation is really required.
But it's hard because, as you said, low-grade degradation is less sexy than Cyber Pearl Harbor,
you know, or the Cyber 9-11.
But it's interesting, I mean, we have this audience here of entrepreneurs, policymakers, and Martin, you know, what do you think Washington gets most wrong about the security threat in cybersecurity?
Or what are the things that you hear that most make you want to just tear your hair out as we talk about cybersecurity and either the threats or other ways of dealing with it today?
Yeah, actually, I think Washington is kind of what gets it right, actually, like, believe it or not, and like maybe not the response you're expecting.
The reason is because they take a holistic view to cybersecurity. And I think that's what we should
all do. So let me just explain. So I used to sit on these councils, which were like, this is back
in 2000 to 2003, and they were sovereignty ending event councils, right? And so you'd have,
I was like the cyber guy, and then we'd have like the civil engineer, and then we'd have maybe
the nuke guy and whatever. And we'd all, you know, do these think tanky type things about, like,
like, you know, how can you protect the critical infrastructure? What are the possible things
that could actually create sovereignty ending, which I think at the time, the definition was
seven days without basic services and so forth. And in those types of think tanks, like, cyber
was just another piece of infrastructure and you take these very holistic views. And I thought
that the government did a very good job of that because it's got such kind of a deep understanding
of these. And so now every time I went to the similar type of panel, but it was kind of more
an industry focused panel, the conversation would go like this. You'd say, like, oh, okay, well,
listen. So I guess the nuclear power grid can go down, and everybody's like, yeah, that's right,
okay, here's some incremental changes we can do to the supply chain or the technology.
Okay, yeah.
So nuclear power plants, you know, you can do this thing to them and like, oh, yeah, okay,
we can beef up physical security, you know, whatever.
Cybersecurity, well, you know, you can probably take down the internet due to a BGP attack.
And then all of a sudden, we're like, oh, my God, like, cyber security is totally broken.
We don't know what we're doing.
And so we kind of evaluated it very, very differently than other pieces of infrastructure.
And so I think, like, I mean, I know you were looking for, like, what the government gets wrong.
I mean, I think we should actually look at what it gets right,
which is it views this as one piece of a broader problem that views it holistically.
And I think as an industry, we should start doing that as well.
That's great. I mean, I think if, you know, I got a dollar for every time someone said the government got something right, I have like $3.
So, I mean, I think, but what you talked about like the analogy of how we think holistically, I mean, the issue I think that a lot of people in this room or policymakers think about are what's the right way to talk about the threats in cyberspace for voters and people are thinking about that.
So Nathaniel, how should we think about, like, is there like a right analogy or the way that we should talk about what the threat is to make it real for folks who don't have the technical chops that the three of you all do?
So there are a lot of different analogies that people use, and the problem is that a lot of them break down very quickly. Nuclear deterrence is an analogy that everyone jumps to, which is interesting because, getting back to this earlier conversation, nuclear deterrence is built around the model of a sovereignty ending massive event as opposed to constant low-grade threat. It really doesn't map very well. An analogy that I actually really like to use is thinking about the way the Secret Service protects the president, which makes some sense in this room. Sometimes people get very confused when I'm saying it in a different setting.
But what's interesting about it is, it's really easy to break into the White House, or at least jump the fence at the White House.
People do it all the time, right?
The Secret Service has learned this very fundamental lesson that threads through actually most of physical security, which is a very high, impermeable perimeter doesn't work.
And in fact, at the perimeter, the defender has the greatest disadvantage.
The intruder can keep trying to get over.
Once the intruder gets over the fence and into your environment, they're in an environment that in theory you as the
defender control, which is where you have the greatest advantage.
So if you think about what the Secret Service does, right, you can jump the fence and people do
it all the time. There's been a bunch of coverage of that. And usually what happens is 30 seconds
later or 15 minutes later, you get tackled on the lawn. And that's actually okay, right?
It gets back to this notion of what is failure and what is success. Someone jumping the fence
doesn't matter unless they get to the president and cause harm and cause damage. Someone breaking
into your environment, if you stop them before they cause damage, isn't that much of a problem.
A similar example is if an intruder, if a criminal breaks into your basement and never gets out of your basement and spends six months inside your basement, how much do you care?
I mean, you care, but you care because they're a lot closer to your bedroom than they were if they never got into your basement.
Right?
We think about it as a binary event.
They get in and we lose.
And it's not really the way it works.
And if you think about these models, the way the Secret Service works, the way law enforcement works,
the way a lot of physical security works. They have these strategic approaches that focus on understanding
the environment and controlling the environment. And that understanding and control is what gives
defenders their advantage. Interesting. Now, what do you think? I mean, you're clearly hiding things in
your basement. Yeah, I have lots of people living in my basement. I agree with that. You know,
the analogies are really hard. And I think, you know, I think thankfully we've moved beyond
the 9-11 Pearl Harbor analogy, which was inapt, I think. And I agree.
You know, coming at it from a sort of Washington, D.C. and national security perspective,
I think much of what we talk about as cyber attacks and cyber threats are really not the kinds of attacks or threats that rise to the level of our national attention.
You know, for me, they're annoying, they're somewhat disruptive.
For me, the sort of cyber security hit home several years ago, I was at NSA as the General Counsel there and starting to think about cyber.
And I think now about what we see going on from Russia,
for example. That deserves a national response. You know, they have seen cyber as a vector to carry
out their very aggressive foreign policy. So those, that's where really the rubber that's the road
for me for cybersecurity and where we need as a government to work with the private sector to
figure out how to protect the nation from that level of attacks. But increasingly, I think as
Martin rightly said, those level of capabilities are falling into the hands of, you know,
criminal organizations and much less sophisticated groups. So that's the concern, I think, as you
look ahead. I mean, Matt, you raised an interesting point about how do you stop this and what
is the concern? And the way that most of us think about, of course, are passwords. So as we
think about this, what are, there are a lot of different ways to protect our physical environment.
So what's besides passwords and what's coming next? I mean, Martin, is it voice recognition?
I mean, you see a lot of interesting things on the investment side. And what's next?
Yeah, so I'm, like, if you guys can't tell, like, I'm super obsessed with, like,
the interface between the cyber world and the physical world.
Like, in the way that I described it in my talk, I'm like, we've got all these really
sophisticated cyber concepts that we're actually applying to physical security.
But it actually turns out that the reverse is true, which you can take, like, physical
concepts and physical roots of trust and bring them into the cyber world.
And in the past, that's been very difficult, because any time that you take electrons and
you tie them with atoms, it's actually very difficult because of the distribution
problem of the atoms. But the iPhone has solved that. So if you think about it, you know,
everybody has a smartphone these days or, you know, to some first-order approximation,
everybody has a smartphone. And that smartphone connects that person to the physical world.
It's got all of these sensors. It's got accelerometers. It's got speakers. It's got cameras.
And so you can take that physical set of atoms, all of those sensors, and you can tie
that to the cyber world in pretty meaningful ways these days. And so we see a huge growth in
companies that are trying to exploit this so you don't have to do things like passwords.
I'll give you an example.
There are companies that can detect very, very accurately who you are by how you walk,
just using the accelerometer in your pocket.
There are companies that will take, if you have your phone out, what they'll do is
they will use the speaker to send out like a hypersonic sound that you can't hear,
then, sorry, they use the speaker to do that, and they use the microphone to collect it,
and they can actually map out a physical room.
So they can, like, within the microphone, map out using basically sonar, just using an iPhone, a physical room and determine, like, if you're in your office or not.
There are companies that will determine, like, how fast you type.
And all of those things will, like, uniquely identify you in the physical world and make that available to you in the cyber world.
So I do think that we're getting very good, now that we have a proliferation of physical devices with a lot of sensors, are getting to a place where you can, for example, know pretty well that it's you that is logging into your bank
account, even though you don't have to kind of regurgitate those, you know, 30 numbers or whatever.
Is that a silver bullet? I mean, that sounds pretty optimistic to me.
Well, so I think this is a trend that I'm tracking. I mean, like right now, I think it's going to be
a long time before we get rid of any single factor, but I do think that we're seeing
multi-factor authentication. That means I try multiple things, like I will do the password and I
will determine where you're coming from. And so I actually think that the trend is going to be
more usability because we have these physical access. Interesting. I mean,
there's a lot of way that our devices can then identify us.
Like, through their matter, Nathaniel, I mean, hearing that, you know, wearing your counterterrorism
and NSC hats, are there things that make you scared?
I mean, are there new threats that are created by something like that?
Yeah, it goes back to this basic point that all of these are, you know,
these are neutral technologies, but they could be used for good or ill, right?
And they both bring us a great degree of security and freedom and convenience,
but they also create vulnerabilities.
So, you know, this convergence of the physical and the cyber,
I think it's exactly the right place for us to focus
because it holds out great promise for more security.
But even these identity authentication innovations,
they still leave open broad areas for our networks to be exposed,
even as we make progress there.
And I think that's a place that, you know,
I'm particularly concerned about large companies
and critical infrastructure and their networks.
So, you know, there's a joke kind of in the intelligence community,
that when you see flowers, someone asked, well, who died? And you're always looking for the most
pessimistic view. So, but I think from this panel, it's interesting. We've talked about
reasons for optimism. So Martin talked about his, so Matt, Nathaniel, like, where, what are you
most optimistic about when it becomes, when it comes to the threats in cyberspace or what we've
been talking about? I think cybersecurity is a really young discipline, and we forget that, right?
These other, the physical security disciplines, we've been building them for decades
and centuries and millennia, and we've learned a lot. And we know comparatively very, very
little about cybersecurity, and so we feel at a loss. But I think there is a lot we can learn
and build from. And we're very, very early in the stages of figuring how to protect this.
And if you look historically at technologies that have upended conflict and made it much
easier to be an attacker than a defender, there are any number of these throughout history
from armor in World War II to gunpowder in sort of the 16th century, in Europe. And in each one,
you have a radical period of instability, and then you have a group of defenders that get together
and figure out how to fix the balance and move things back. And each time when they do that,
it's because they think about understanding and controlling the environment, and they deploy these
same tactics. And so I'm incredibly confident we'll get there, because if any of you look historically
at the path, we do get there. The question is how long and how complex and what the cost is.
Interesting. Matt?
Maybe a renewed and proper sort of
trajectory for the trust between Silicon Valley and technology companies and the government.
Something that's been, I've been very concerned about in the post-Snowden era.
You know, as I mentioned, I was the general counsel at NSA back in 2010 and 2011.
So I sort of worked on the programs and I saw what happened when they revealed and I saw
what happened in terms of that working relationship, which is ultimately sort of fundamental
to innovation and ingenuity and really the ability for government and in our, in our
technology community to work together to solve these problems, I am much more hopeful today than I was
three years ago. And so I think that's on the right path. So Matt, you know, from all your
probably hundreds of hours in the situation room, what was the moment that made you most afraid?
To be clear, I know Matt well. I did not prep him for this question, so I'll throw it to a friend.
When I got asked questions by the president that I couldn't answer. Yeah, that would be a pretty scary
moment. But, you know, I think, you know, I really was there for a lot of the turmoil around,
you know, sort of things that happened in the moment. So crisis in the moment, Benghazi, the Boston
Marathon bombing. And, you know, I wasn't afraid, but those were, you know, what I think makes me,
maybe to pivot a bit and say, what makes me afraid today is another attack on our country, a terrorism
attack or a major cyber attack and whether we're prepared to have the right response and have
a calibrated response. I think going back to your initial comments, Martin, particularly in the
terrorism realm, I'm a little concerned about that. Thank you very much for a great panel.
I really appreciate all the time you made. Thank you. Thank you. Thank you.