a16z Podcast - a16z Podcast: Cybersecurity in the Boardroom vs. the Situation Room

Episode Date: June 18, 2017

"We're always fighting the last war" -- that's a phrase historians like to use because policymakers and others tend to be so focused on the threats they already know, and our mindsets and organizational structures are oriented to respond that way as well. And in the "situation room" of nation states (including the intelligence briefing war rooms in the White House), much of the security conversation is necessarily focused on the worst possible scenarios, broader context, and attribution as well. Companies, however, unlike nation states, do not have to worry so much about attribution (who did this? why?) or even as much about the sexy, headline-grabbing threats. In fact, they may be better off focusing on security hygiene and basic metrics for assessing risk in the boardroom -- much like they review financials regularly -- argue the guests in this hallway-style conversation episode of the a16z Podcast. Herb Lin, who is Senior Research Scholar for Cyber Policy and Security at the Center for International Security and Cooperation and is also at the Hoover Institution, both at Stanford University; David Damato, Chief Security Officer at Tanium; and a16z policy team partner Matt Spence (who among other things previously spent time at the White House working with the National Security Council) begin by sharing their views on the term "cybersecurity" and end up with practical advice for a security boardroom 101. No matter what, security should have a seat at the table.

Transcript
Starting point is 00:00:00 Hi, everyone. Welcome to the a16z podcast. I'm Sonal. Today we're continuing our "taking the cyber out of cybersecurity" series with Herb Lin, who's senior research scholar for cyber policy and security at the Center for International Security and Cooperation, and is also at the Hoover Institution, which are both at Stanford University. We have David Damato, chief security officer at Tanium, and a16z policy team partner Matt Spence, who, among other things, previously spent time at the White House working with the National Security Council. The hallway-style discussion ends up focusing on practical advice for changing the conversation about security in the boardroom as opposed to the situation room. And we begin with considering the term cybersecurity, and the very first voice you'll hear, really briefly, is David, followed by Herb Lin. By the way, for a quick second, can I just say how annoying a term cybersecurity is? I feel like only policy people actually say cyber, and people trying to get research funding. And security vendors. That's a good question. Actually, what is the alternative? This is like that word synergy, where it's like a really useful word, but everyone hates it and there's no better alternative. I guess just security. Let's
Starting point is 00:01:01 start with the word cybersecurity, okay, as one word, cybersecurity, no space in between them. It matters because the Oxford English Dictionary, which I regard as the authoritative source on the English language, has taken over the term. Especially on cyber, because it's so up to date. They are up to date. Their last year's word of the year was an emoji, so they are pretty up to date. Cybersecurity is those things that are taken to defend and protect the computer system or the information inside it. Notice that it's a completely defensive orientation. If you put the space in between cyber and security, cyberspace security, you start thinking about it as the security of the cyberspace, or the cyber domain, which is a very
Starting point is 00:01:44 different thing. If you think about the term national security, nobody leaves the space out. Two words, not one word. And if you start thinking about the security of the nation, that gives you a whole different perspective on it. It's all of the things that you might want to think about in terms of what would make a nation more secure. And so depending on the context, I'll use a space or not the space, but of course, in giving talks, you can't make that distinction. You could actually do the air quote thing and be like cyberspace security. Right, right. But I think, you know, conceptualizing it to me of cybersecurity in the same sense that's the cyber plays the same role that the word national plays in national security, that puts a whole
Starting point is 00:02:23 different spin on it from me. A qualifier. That's right. That has a important implications, both on the defensive and the proactive thinking around it. Historically, with the development of weapons technology, there was a period where we were trying to make more and more powerful weapons. So we got bigger and bigger bombs and so on. But nobody uses nuclear weapons. Thank God. Yes. There has been a trend away from weapons that have a very large boom to weapons that have a much smaller boom. And there's a sense in which cyber weapons You can do something that just do an annoyance to somebody to something that might, you know, destroy the entire system or systems to which this computer is connected.
Starting point is 00:03:04 And I can do anything in between. Yeah, you're right. I mean, these different gradations, I'm even seeing people use them as a form of expression, even doing something like doxing, you know, or denial of service attacks, just single company because they're annoyed or even like a form of protest. Some people consider this like the modern equivalent of just spray painting on a wall. but, you know, it has enormous financial and other consequences. So it's kind of interesting, actually, to think about that because you would never
Starting point is 00:03:28 have done that with a nuclear weapon, obviously. Exactly. And so the tendency here is that cyber weapons are weapons that are eminently usable for a variety of purposes. And one of the most interesting things in the past 10 years is that nations are starting to wake up to this. They're starting to see that these weapons are enormously usable. There's no legitimate use for private citizens to have nuclear weapons.
Starting point is 00:03:52 This is a type of weapon which is held by states who have the monopoly over the use of force. Cyber weapons are totally different. You know, we want for a growing economy people within our country to be great hackers, to come with technical and technological innovations, to have that power in their hands and the same power that they have to create the innovation we want can be enormously destructive. And as the government worries about that, it's really hard because you think about cyber as a threat on the one hand, but the other hand, it's part of our economic growth. And isn't this part of the reason why some of the best,
Starting point is 00:04:22 and worst attacks come out of Russia because you have a lot of code savvy kids who are very competent, but who don't have a lot of economic options, like, to be in jobs. Yeah, we've seen this particularly in a lot of the financially motivated crimes that have been perpetrated. Like ransomware? Ransomware or even something like a lot of the bank heist that we've seen. One of the first cases I ever worked on back in 2010 was a bank that lost about $10 million overnight. It's a gang of criminals who were loosely affiliated with each other, who had a reasonable set of skills
Starting point is 00:04:52 from their computer science degrees, from their experience and education in college, who had combined with some individuals with banking knowledge. And overnight, we're able to steal $10 million in a very sophisticated way. And again, not associated with the nation state, not associated with tremendous amount of resources. You have to be a major power to be able to operate like a nuclear weapon, have a facility, the infrastructure involved. And with code, you can be anybody. But the other thing that strikes me as a big difference is between, for example,
Starting point is 00:05:21 on nuclear and cyber, which is a big deal, is that you need the materials. You need enriched uranium and plutonium to build a nuclear weapon. Cyber weapons are basically knowledge. It's even worse than that. The knowledge has already been formulated into tools or weapons that you can then use as an un-serviscible code. It's repurposable, mashable weapon creation. But the fundamental point there is that it's bits, not atoms. And yet the effect, however, can have a physical effect on atoms. Absolutely, because we want to connect the atoms and bits. But governments are oriented towards control of atoms. You know, that's what border controls are about.
Starting point is 00:05:55 And so it's really hard. I did probably about 110 investigations over the past decade. And by the way, who were you that you were doing these investigations? I was an incident responder. You know, so I started off my career as what's called a penetration tester, which means that someone paid me the break into systems. I thought that was only in movies. I'll be honest with you.
Starting point is 00:06:11 I was not very good. But within about a week or less, I think my best was about two hours. We were able to break into some of the most secure locations in the world physically and based on information technology. Not to minimize the seriousness of that, but one of my absolute fair movies of all times is sneakers. Their job is to be like the penetration testers and they actually get like enlisted by the NSA to break into someone
Starting point is 00:06:32 and it actually turned out not to be the NSA, but anyway. They did way cooler stuff than I did. I guarantee it. Anyway, so you had all these investigations. Right. And so we did all these break-ins, right? And I realized how easy it was. And we switched over eventually about six years ago
Starting point is 00:06:44 when I started doing investigations because it was much more difficult to actually find an attacker and trace it back. than it was to actually break it. And so I went sort of the opposite side since I had that knowledge and methodology. And what I found over time is not much has really changed and it's because we continue to focus
Starting point is 00:06:57 on the things that are sexy, right? It's these things like hygiene that are the issue. The basic solutions are things like better security for IoT devices, network segmentation, preventing things being accessible from the internet. These are not complex topics. And that's what I've tended to see over time.
Starting point is 00:07:12 You get into these boardrooms and the topics are overly complex. Like security is a very complex topic. board members are very high level. They're simply really interested in things that are in the news. So if you look at things like China and Russia that don't impact most organizations, they want to know who's attacking and where they're from, what they're doing. And to be honest with you, that's not something that's typically helpful. It's a distraction from the real conversation. It's interesting you say that because attribution is hard. At a certain point, like you can have
Starting point is 00:07:38 all these people claim one thing or another and then other people actually have theories about what happens. But at the end of the day, there's politics in the attribution, active attribution itself. It almost matters to focus to your point on like trying to prevent. and solve and address. And for most organizations, the attribution doesn't matter. For the government, it absolutely matters. But as a corporation, what will you be able to do? You're not going to be able to hack back that country.
Starting point is 00:07:59 The reason why attribution matters in the situation room is Russia trying to influence United States elections. You know, is this an act of war? Like, the questions that happen in the situation room need to be these big questions about how cyber relates to our entire national security. When you're in the boardroom, maybe the first question you'd be asking is, have you trained your employees of how to address the most common cyber threats. So if something's really hard to use and people aren't going to use it, you know, this is how it is. You know, most people
Starting point is 00:08:25 look at the cyber training video, likely I do the airline safety video, uh, when you board your flight. And you're like, well, I fly thousand miles a year. I know there's an airbag. I know their their window seat. And you just ignore it. Recently, we heard about, uh, an attack on the, uh, domain name system infrastructure against the company called Dine. What was newsworthy about it was that it was a large distributed denial of service attack that was largely caused by compromised Internet of Things devices. Specifically a component within them that had malware. That's right.
Starting point is 00:08:57 There was malware that had been used to infect the whole millions, literally, of IoT devices. And the bot master put them all together to create a DDoS attack on nine. Wait, the bot master, is that a real thing? That's a comic book hero right there. He wears a cape. Right. He wears a cape and has a black hat. But, no, it's the party that's responsible for the botnet and may not even be a single individual.
Starting point is 00:09:22 But anyway, what was newsworthy about it was that it caused a bunch of consumer-facing websites that relied on this infrastructure to be inaccessible to you and me. And what's interesting about it is that we've been predicting this. We've known that this was possible for a very long time. Honestly, I think most people woke up and are like, what the hell just happened? It's certainly not surprising to any technical person. There had been other smaller IOT-based attacks on stuff, but yet it got all this attention. And people said, hey, you know, it woke people up.
Starting point is 00:09:55 Seven years ago, when Stuxnet hit the news, the Stuxnet was the alleged American and Israeli cyber attack against the nuclear facilities, enrichment facilities in Iran. My friend Kim Zetter wrote the definitive book on Stuxnet. And that was, by the way, the first case ever that we know of where, at least the way I heard it, where computer malware had a physical consequence because it took down a nuclear facility. It did have physical consequences. It was certainly not by any means the first time. I'll tell you a very embarrassing story.
Starting point is 00:10:24 The first time I was interviewed about Stuxnet, the person said, and what do you think the impact of Stuxnet is going to be? And my answer was nothing. There was going to be no impact of it at all because every computer person knew that it was possible and this was nothing new. I was totally wrong about that because what it did was it woke states of us. policymakers up to the possibility that this was a possible, feasible thing to do. It may have been the first documented instance of a large-scale attack on something physical that people noticed,
Starting point is 00:10:58 but certainly there have been people who have caused physical damage by computers before. And lately we've been saying more of the DDoS attacks in the news. And an earlier point about the smaller gradations in the annoyance cases, you see a ton of DDoS attacks when they're like personal vendettas against like a gruntled employee like leaving a company or something. It could be anything. The specialists usually differentiate between three different attributes that you want to that you want to defend. Ironically, the acronym is CIA, right? Confidentiality, integrity, and availability. A DDoS attack is an attack on availability. That is it means that your system is no longer available to do the things it's supposed to do for the people who are supposed
Starting point is 00:11:37 to be able to use them. violation of confidentiality means I steal your, I steal your credit card numbers. You still have a credit card in your hand. It's not like a dollar bill. I take a dollar bill from you. You don't have it anymore. These like identity hacks and things like that. There are hacks of information.
Starting point is 00:11:53 And since information can be duplicated perfectly without you're ever knowing it, I can have the information and you can have the information and you won't know it until I use this for somehow in some way that's bad for you. And attacks on compromises of integrity are changing the data or the program. or deleting it or somehow affecting the actual bits that are there. Attacks on integrity mean that you've actually changed the data or zeroed it out or something like that. Malware can be used to do any one of those things or all of them.
Starting point is 00:12:24 It's the generic tool that it's a computer program, loosely speaking, that will create compromises in any of those attributes. Integrity tends to be one of the most devastating attacks because you typically don't know what's happened. The best example that I have of integrity versus confidentiality. Yeah, because I'm trying to have a little bit of a hard time distinction. You have, you go to a physician. Your medical records are in a computer.
Starting point is 00:12:49 Would it be more concerning to you to have your records published on the internet or to have somebody screw around with the data inside to change your blood type? Or you get the wrong drug as a result. The difference is on the one hand, you're embarrassed. And the other hand, you can be dead. I think the theme here too is we're very reactionary. So it takes certain types of breaches to wake us up to a possibility we all knew about. If you walk through the timeline, you go back and start with Google in 2010 when they're the first company that come out and actually talk about Chinese state-sponsored actors.
Starting point is 00:13:18 This is something the government and a lot of people knew about at the time. And it's the first commercial organization that actually came out and said it and made people aware. And we need to take note of that. I mean, there's a phrase historians always use. It says we're always fighting the last war. What does that mean? It means that you look back and like, let's prevent. the next Pearl Harbor. Well, the next Pearl Harbor doesn't look like what happened before. It's a new
Starting point is 00:13:40 set of threats. It's coming from an enemy you're not expecting. It's going to have direction you don't even think about. And so rather than trying to win what calls yesterday's war, let's think about the new threats. You know, I want to pause for a moment because it's actually really interesting what you said about the last war, because we're so oriented as human beings on what we already know. We're very bad at seeing the consequences of things that we've built that are complex systems that evolve with behaviors that we cannot predict. And I'm even thinking of things like Facebook where you think you're just friending people and it's social and you're seeing cats. And then actually that becomes a whole new paradigm for all this data that's powering deep learning.
Starting point is 00:14:12 So in a way, the very thing you're describing begs the question of what the appropriate response is. Like, do you just only know the appropriate response based on your current toolkit? Like, what happens? There's a lot of companies that are now doing advanced threat modeling and they're doing something called red teaming where they're bringing individuals and then simulating attacks and practicing their response. And they're actually running through a real attack. They're constantly running simulated attacks and the defenders are practicing their response and they're looking at the results to see how they're improving over time. But isn't the very point that we can't always
Starting point is 00:14:41 predict, they're basically getting the operational machinery in place to be able to know how to respond. But you don't actually know a lot of these threats are completely. No, I think actually they're not unpredictable. A lot of them are following the same trend. An attack isn't made up of one action. It's usually made up of multiple actions. And so what you may see is one different action in that attack and probably maybe 10 or 12 of the steps that you've seen in previous attacks. So in most cases, you're looking to detect those things that are not new in the organization or not new during the attack. And I think that's a reasonable approach. Understand your network better than anyone. Few people realize it's kind of like, you know, know thyself first. Know yourself, of course,
Starting point is 00:15:17 is the classic dictum of Sun too. And there are very few organizations that really understand their environment. There's a really great quote by Rob Joyce, who actually headed up the NSA, TAO, which is the arm in the NSA, and that plans and carries out hacking attacks against foreign nations. And this was at the Enigma Conference in San Francisco last year. One of the things he said in his talk was that most organizations don't really understand their own organization, their environment. And then many cases, attackers understand the environment much better than the defenders do. That's so counterintuitive. How is that possible even?
Starting point is 00:15:47 Well, you know, I think it goes back to how distracted a lot of security leadership is. So I'll give you a great example. I was talking to a chief security officer the other day. And they were talking to me about how to protect mobile phones. Meanwhile, when I asked them how many systems they had in their organization, how many endpoints they had, computers and servers and things like that, they had no idea. So that's pretty common. You ask, how is it that the attackers know the system better than the defenders?
Starting point is 00:16:10 The attackers know it because they have to get the details right. That's a must for them to succeed. And you never see the attackers who don't get the details right because they're never in your system. It's only the guys who are in your system that have gotten the details right. The other thing you do is they know human behavior. You know, systems are very different. Systems are very complex.
Starting point is 00:16:30 But humans are pretty similar. Humans get frustrated, they get impatient, they take shortcuts, they get annoyed. Yeah, when I was at Park, we had a special group dedicated to what was called usable security for that very reason because the fundamental breakpoint in any system will always be the human, the error, that, you know, the psychology of a person and the details related to that. I'd say the other challenge is that as an attacker, I can keep trying my attack as many times as I want. So every time you catch me, I simply restart my attack because there is no accountability. There's nothing to lose and everything again. Exactly.
Starting point is 00:17:00 Okay, so just to switch gears then, you've talked a ton about hygiene and some of the basic stuff that needs to be done. But how do we need to think about what happens in the boardroom? There's just this tremendous gulf between what's happening in the situation room and what's happening needs to happen in the boardrooms. Now, if you're in a situation room, the members of the President's National Security Cabinet look around the table and look at each other and wonder, who is attacking us? Is it Russia? Is it Iran? Is it North Korea? How do we find that out and how do we make sure that we're knowing where it's coming from? Obviously, okay, so the attribution matters in the situation room because you then know who to go after, obviously. I mean, part of the attribution is how do you deter other states from acting against us? How do you respond to them when they've done it? And how do you talk to the American people about what's happened? These are like the sexy, high-level cyber issues. You know, the ones that you read about in the newspapers. Yeah. The boardroom issues are very different. You know, the boardroom issues are, how do you have the basic hygiene to stop yourself from being attacked? The equivalent basic advice from a doctor would be, you know, eat less, sleep more, drink less, and don't smoke. The cyber conversations that often have in the situation
Starting point is 00:18:02 are more of the fad diet. You know, they're dealing with the most advanced threats to companies right now. And those, frankly, aren't the major threats that most companies need to deal with. Is there sort of a boardroom 101 for what people should do with this information? There should be. And the challenge is right now there's no standardized way to report information to the board. So if you look at when I report financial information, I have my 10K or 10Q, I'm reporting financial metrics in a similar way so that if I'm a board, member on multiple boards, I can interpret that data and make sense of it. Each board is getting a different set of data and it's not always complete. And so one of the things that probably needs to happen in the near future is defined on a set standard that ensures that boards are
Starting point is 00:18:40 first educated on what cybersecurity is. So they have to be knowledgeable about it, just like they have to know about financials, right? You wouldn't expect the board member to join and have no understanding of financial information. So I think that's incredibly important. You have to link it back to the impact in the organization to make it relevant to the board members. So they actually understand there's a risk, but what's my impact? What's the cost? Like quantifying it. Exactly. How does it impact my business and how are we trying to mitigate that? How do you measure something like reputation though? That's a really tricky one. There's no financial, tangible number for reputation trust laws. That's right. It's sort of a finger in the air.
Starting point is 00:19:12 And that's what a lot of the insurance companies really struggle with this as well when they're insurance. But that's not a cyber issue. I mean, Johnson and Johnson had to deal with that when I had to contaminate a Tylenol, you know, incident way, way back. In the Sony case, wouldn't you say that there is sort of a reputation? Of course. Of course there is. But what I was saying is that it's not new to cyber. Ah, I see your point. You just have reputational risk all the time. That's right. No matter whatever stupid thing you do damages your brand. I would actually argue something slightly different, though, because there's something intangible and dangerous and more subtle and pervasive involving cyber. Trust is a shaky thing. When you have like a specific actor,
Starting point is 00:19:47 a person you can pinpoint and see that guy's the asshole who gave our secrets away, you feel okay that you have a scapegoat. When your scapegoat is just distributed. nebulous, faceless attacker, that makes reputation management very difficult, I would argue. Yeah. So the other thing I would add to reporting to board members is there's two things that are important. One is the metrics should communicate risk. A lot of the metrics I see are things like the number of attacks. A, I don't know what that means. And two is I don't know what the risk of that is, right? What is an attack? What is an event? The other component is, can I measure that over time? Board members don't want to pick up a packet and then see a metric that is different from quarter to quarter.
Starting point is 00:20:24 So it's true in financials too. Exactly. So we want to see trends so that we can ask questions on odd trends. We want to see are we improving or are we not improving and then be able to ask questions in those areas. So I think that's incredibly important and something I don't see a lot of. There's one other aspect of this, which I want to raise. It's not necessarily a board issue. It could be a senior executive leadership issue.
Starting point is 00:20:45 But the problem is the following, that we are asking, collectively our computers to do more and more. We want more and more functionality. The only way to do that is to have your systems become more and more complex. Complexity is everyone knows in the security business is the enemy of security. And so what we're really trying to do is we're trying to make information technology do things and we don't know whether or not we can do them securely. Let alone where they come from. Right. It's the very definition of complexities. You don't know the source, the cause anything anymore. That's right. And so, it may be that in the future, and I think we're actually there now, we're sort of at a tipping
Starting point is 00:21:23 point, that we need to find a way of having a disciplined conversation about whether the security risks are too much to say, no, we're not going to go down that path. And we're not going to ask them to do the functionality that we're asking them. We're going to scale back our expectations. The security people have to be in the room when they're trying to think of a new offering and so on. They have to be involved from the start. They can't be given the security as a, here's what we want to do, now go make it secure. That can't be the way it goes. And you have all these other companies now coming to the arena that weren't technology companies, you know, manufacturing refrigerators or toys or cars. And now they have to now be
Starting point is 00:22:03 responsible for security. So it's completely new for them, right? And in many cases, a lot of these companies don't even have security visions. Right. And you can't outsource it. You would never joke and say, I'm not a numbers guy, so I don't really know, you know, sort of like what our debt load is. We're all in security, insecurity basically. This is interesting because it's following the arc of evolution of tech. You know, we always say, like, you can't silo the internet division back in the day when there was an internet. Like, you can't silo the chief technology offer. You can't silo technology. And now you're saying you just can't silo security. It has to have a seat at the table. And maybe returning your first question is, why is cybersecurity
Starting point is 00:22:34 the wrong term? Because security is not just about what we consider cyber. It's not about your laptop. It's not about your mobile phone. You know, it's about increasing your patient health records. It's about everything you use every day. It's about things that you touch that you want for convenience, and suddenly that all becomes a security threat. So it's not this narrow thing. It's everything we're doing. And that's why we should be worried about that we're not doing enough. Everything related to information and anything that touches information. Which is everything. Well, clearly we're living in the future, as you said. Thank you for joining the A6 and Z podcast, guys. Thank you. Thanks.
