a16z Podcast - a16z Podcast: Security's Painful Prominence and Why There is No Turning Back -- with Marc Andreessen
Episode Date: March 31, 2015Cyber attacks are growing in number and impact, and the reason is simple: there's more of value (and more vectors to) steal in our increasingly virtual world. So how are we to continue to move forward... along this connected path as a culture and as businesses? Marc Andreessen tackles that question in this segment of the a16z Podcast -- against the backdrop of ever-more sophisticated hackers and hacks, Edward Snowden, and the rise of trillions more devices coming online. Still, despite the real risk and pain of cyber attacks we won't go backwards -- we have no choice but to move forward, says Andreessen. "The reason we don’t have a choice is there’s too much value in the virtual world." Smartphones, the internet; pick your favorite device, app, or service... ask yourself what (if anything) you would be willing to give up. Not much, right? The views expressed here are those of the individual AH Capital Management, L.L.C. (“a16z”) personnel quoted and are not the views of a16z or its affiliates. Certain information contained in here has been obtained from third-party sources, including from portfolio companies of funds managed by a16z. While taken from sources believed to be reliable, a16z has not independently verified such information and makes no representations about the enduring accuracy of the information or its appropriateness for a given situation. This content is provided for informational purposes only, and should not be relied upon as legal, business, investment, or tax advice. You should consult your own advisers as to those matters. References to any securities or digital assets are for illustrative purposes only, and do not constitute an investment recommendation or offer to provide investment advisory services. Furthermore, this content is not directed at nor intended for use by any investors or prospective investors, and may not under any circumstances be relied upon when making a decision to invest in any fund managed by a16z. (An offering to invest in an a16z fund will be made only by the private placement memorandum, subscription agreement, and other relevant documentation of any such fund and should be read in their entirety.) Any investments or portfolio companies mentioned, referred to, or described are not representative of all investments in vehicles managed by a16z, and there can be no assurance that the investments will be profitable or that other investments made in the future will have similar characteristics or results. A list of investments made by funds managed by Andreessen Horowitz (excluding investments and certain publicly traded cryptocurrencies/ digital assets for which the issuer has not provided permission for a16z to disclose publicly) is available at https://a16z.com/investments/. Charts and graphs provided within are for informational purposes solely and should not be relied upon when making any investment decision. Past performance is not indicative of future results. The content speaks only as of the date indicated. Any projections, estimates, forecasts, targets, prospects, and/or opinions expressed in these materials are subject to change without notice and may differ or be contrary to opinions expressed by others. Please see https://a16z.com/disclosures for additional important information.
Transcript
Discussion (0)
The content here is for informational purposes only, should not be taken as legal business, tax, or investment advice, or be used to evaluate any investment or security, and is not directed at any investors or potential investors in any A16Z fund. For more details, please see A16Z.com slash disclosures.
You guys know Mark. I'm Michael Copeland. I'm a partner with Andrewson Horowitz. Mark, I like to think of Mark as the co-founder of the web. You're a co-founder of a child now.
and co-founder of the firm.
So we want to talk about a wide variety of things,
but we want to focus the conversation on security.
You have this thesis, Software Eats the World,
and as an observer and somebody in the industry,
we see that security breaches seem to be increasing.
The severity is increasing.
And the question is why,
and I think the answer is there's more to steal.
But how do you balance the gains of this software,
it's the world dynamic with what clearly are real risks.
Yeah.
So, well, the short, I'm a radical on this topic.
So the short answer is we have no choice.
And I'll come back and explain why.
So if you had told me 10 years ago, maybe even five years ago,
that we would be living in a time when, A,
the President of the United States apologizes on the Rose Garden lawn
for a website that doesn't work that cost $600 million.
The $600 million part would not surprise me.
The fact that it didn't work, maybe it would have been slightly surprising.
And the president was apologizing for it.
Two, that the major Democratic political candidate is in serious trouble over running her own email server.
Which is a fairly remarkable thing.
If you think about it.
By the way, she has established, without taking a political stance on this, she has established there's no problem because the email server is perfectly secure
because the secret service was guarding it.
So there may still be some technical details lost in translation about how hacking actually happens.
and then
you know third that a major corporation
making actually a very funny movie
people haven't seen it
the North Korean movie is actually quite
entertaining. The interview. The interview is actually quite
entertaining but that a major
a major Japanese and American corporation would
be brought to its knees by hacking
from an alleged nation state
over offenses to its leader
to the point where the studio had
has since gotten forced out
and we can just go through many many many examples of this
you know, it's an amazing time.
You know, like all of you, I remember when this, you know,
I remember the movie War Games came out, right?
And it was just like, you know, okay, we have to worry
about the 14-year-old kid, right, hacking out of curiosity,
but we don't have to worry about nation, states, and criminals.
So, you know, I think one interpretation of where we are
is like we're making these sort of incremental steps in terms of like we bring the world
more online or we bring in more software and then we have more security.
And then, you know, sort of the question gets phrased,
kind of like you phrased it, which is we kind of have these choices to make
about how connected the world is going to be
and about how much software we're going to have.
And somehow if we decided that it was too risky from a security standpoint, we would somehow stop doing all these things, which I think is just not true.
I think the reality, the assumption we have to make is that basically the way I think about it, the world is going virtual, right?
So we've all lived in the physical world forever.
Increasingly, we all live in the virtual world.
And, of course, we eat and sleep and breathe in the real world, but all of our communication and business and information and our reputations and our education and entertainment, all these things.
All the things that actually kind of make, you know, make life vital and interesting, increasingly are happening online.
Another interesting thing about the world we live in today is, and if people have noticed this, remember the phrase surf the web?
Like, it's just gone, right?
Nobody ever says that anymore.
And it was weird where, like, everybody says surf the web up until, like, I don't know, 2008 or something.
And then everybody just stopped saying it.
Because now that we've got smartphones, we're just on the web all the time.
Like, we're on the web all the time.
Like, why would we not be on the web?
It would just be bizarre, right?
And so the reality is we're going to live in a virtual world.
We're going to live in an online world.
We're going to live in a software world.
Because we're going to live in that world,
that is where virtually all of the value is going to be,
which means that therefore it is where virtually all the attacks are going to be.
Now, it's indisputably true that the computer industry
over the last 50 years was not built with that in mind, right?
And so, you know.
Describe, give us some more detail on that.
Well, I don't, you know, I mean, just, I'll just, you know,
maybe this is a good room for me to confess my sins.
You know, when we wrote the code for Netscape,
When we wrote the code for Mosaic in 1993, I mean, I had never, you know, I thought myself I was like an okay programmer,
but I had never heard of the term of a buffer overflow bug. And in fact, I actually need to look up.
I'm actually not sure that the term even existed at that point.
So it wasn't your fault.
It wasn't my fault. It certainly was not my fault.
When we invented JavaScript at Netscape, 1995, the concept of cross-site scripting was a complete unknown.
I don't think the people who invented, you know, the IBM researchers sort of invented SQL in 1970s.
I don't think they had any idea of SQL injection. Right. All these concepts, you know, you know,
Like I said, it's one thing, if it's a kid writing a, you know, writing a virus that spreads on Apple 2's, you know, spread through floppy disks.
You know, it's another thing to have serious, sophisticated adversaries.
Actually, this is the other thing that I find amazing.
The NSA, think about this.
We live in a world where, number one, a 29-year-old contractor can walk out of the NSA with a thumb drive that contains like everything.
Like, apparently everything.
I mean, number one, that they're that porous.
And then number two, even though they're that bad at their internal security, the sophistication of the hacks, like the thing that came out this week about how they've been
is actually quite impressive, like, as a taxpayer, like, I'm pretty thrilled.
Like, you know, it would not have been surprising if a large government bureaucracy
had not actually been good at their job, and this one seems like they've been quite good.
And so, it's just, like, there's just, historically, we just didn't anticipate living
in this world.
And by the way, I would argue the arrogance required to have assumed that the technology
we were all building was going to be this important.
I mean, not that we weren't, we were all called megalomaniacs anyway, but we would have really
been thought if we're out of our minds.
And so I think it's just the nature of the beast.
I think it's just the case that by and large our industry is going to build the products that's going to build.
The customers are going to use them.
The environments are going to be what they're going to be.
There are going to be people responsible for security who are kind of on the hind foot a lot of the time.
I think that that's the nature of the beast.
The good news is, and I think you guys are all examples of this, and I think you see this,
is the importance of security and cybersecurity and organizations has risen, you know, maybe to the ultimate level now.
I'll just tell you, in my experience, you know, working with big companies, the target
hack has probably had the single biggest effect where the CEO got fired.
And, you know, and this is one of those things, like, you know, this is fresh in mind because
I'm thinking about how to deal with kids.
But, like, if you're dealing with CEOs, like, the way to, like, establish that somebody's
actually responsible for something is to fire somebody.
Like, when a CEO gets fired, that's a pretty big signal.
All the other CEOs right out, like, the dogs watching TV, they're all like, oh, like,
we're going to have to pay attention to that.
And then the other thing and the target thing that's worth watching is the boards of directors, right, of major corporations are under a lot of pressure from governance groups on lots of topics already.
And as a corporate director right now, you kind of, which you really don't want to do is you don't want to get sideways with this firm called ISS, which is the firm that advises a lot of the pension funds and index funds on how to vote their shares because it's the fastest way to get booted out as a director.
and ISS is now coming down on the target board of directors, right,
for not being sufficiently worried about cybersecurity.
I guarantee you the target board of directors, I'm sure, are all stellar,
like, really knowledgeable, like, you know, former top business leader, CEO, CFOs.
I guarantee you they have no idea what any of this stuff is.
I guarantee you they thought that this stuff was all being handled,
not just an IT, but they thought at the board level,
what happens right at these board, you guys probably all know this,
but what happens to these boards is sort of cybersecurity rolls up to risk,
which rolls into the audit committee, right?
which is the committee that deals with accounting topics
and then cybersecurity. And then the audit
committee does the readout to the full board and says, I don't worry about
it, everything's fine. Right? And so
it's for the first time this year,
you know, major Fortune 500 boards of directors
are all of a sudden realizing this is
their thing that they have to deal
with. CEOs are now realizing this is their thing
that they have to deal with.
And so, you know,
the minds, you know, and arguably this
should have happened five years ago, maybe 10 years ago.
It certainly needs to happen now.
The repercussions of this change, I think,
are going to be very big.
So you're a CEO, like you say,
we live in a virtual world,
and we as customers and we as people who work in the world.
We live in a virtual world.
You're saying we don't have a choice.
This world is here.
But at the end of the day, if I'm in charge of security,
if I'm a CEO, I still have to do something.
So how do I move forward or move through that world,
and how would you describe that?
Yeah, yeah.
So I should completely earlier thought.
So the reason we don't have a choice
is because there's too much value on the other side.
There's too much value
a living in the virtual world. I mean, it's like saying, I don't know if we're secure,
so I'm going to keep using taxis, right? It's like, you know, maybe there's a couple people
who will do that. Most people won't do that. You know, I don't know if, you know,
for any media people in the room, but like, you know, executives, but, you know, I don't know,
I don't know if like New York Times.com is secure. I think I'll go back to
reading yesterday's news and the physical newspaper. Like, people are not going to go
backward. These things are too useful. Like the online world, smartphones and iPhones and
email and like all these, Snapchat, all these things are just too useful.
Like, this is one of the things I really believe is that quality of life in our time is rising very fast.
And people are kind of in a bad mood, you know, people are in a bad mood about income levels and all these other, you know, economic growth and all these things.
But quality of life is rising very fast because we now have at our fingertips, you know, information that U.S. presidents didn't have, you know, 20 years ago.
And so this new world is the one that we're going to live in.
It's the one that our kids are going to live in. It's the one that we want to live in.
And so it is going to happen. There is no stop.
Right.
And so you have no choice then but to deal with it.
And I'm just wondering what the gaps are then between this phase that we're in now,
which you described is very much different than the sort of Netscape days
and everything was locked in a PC, you know, in a room someplace,
as opposed to like it's connected billions of people all the time to everything.
Do we need to have a different mindset, even behaviorally as people and as corporations?
Yeah, so a couple things.
So, you know, I think one thing is, so I,
I think from a technology standpoint,
businesses need to either become first class
at security and legitimately first class
with first class expertise and first class funding.
Either that, or they need to work with vendors
such as cloud vendors and SaaS vendors who are.
And in fact, I think that's actually one of the other
really interesting things happening in the industry right now,
in the software industry broadly,
is that it was maybe five years ago
or even three years ago you would talk to a lot of CIOs
and talk to a lot of buyers of technology at big companies,
and they would tell you,
you know, I still want to run my database and all my systems on site
because I really don't, you know, these cloud things,
I don't trust these cloud things because my information is out in the cloud,
who knows what's going to happen.
I think it's becoming increasingly, I think a lot of CIA is becoming increasingly aware,
especially at companies that haven't mounted a first-class effort in staffing and funding
for security that is highly likely that the cloud vendor is more secure than they are.
And not only that, it's highly likely that that's been the case for many years,
and then at some point they realize it's highly likely that they should have known that and didn't.
And that's, you know, sort of when they discover after the fact that, you know, the Chinese have been in their databases for six years,
which is kind of, you know, the great wake-up call.
And so I think that there's actually this inversion happening right now where one of the reasons these cloud vendors,
and this is, you know, Gmail and box and like all these new guys, you know, GitHub that are at your Salesforce.com that are growing cloud services so fast.
A lot of it is companies finally saying, okay, maybe I can't actually secure all my internal systems.
Maybe I do have to work on the outside.
And then you've got a bunch of companies, including ones represented by folks in this room,
that are taking this seriously and do have first-class efforts and are going to need to continue
to work really hard and fund everything appropriately and continue bringing in the right kind of people,
but, you know, can really do, can really amount to first-class defense.
And then I think a bunch of companies somewhere in the middle, you know, that are really going to struggle.
When things go south, who's liable?
It's interesting, like Apple Pay seems to, I still don't know who's like holding the bag if something goes wrong with Apple Pay,
But, you know, Target, Home Depot, banks, Sony, for that matter.
Who's holding the bag in the end, do you think?
Yeah.
Well, so Apple's very deliberately crafted Apple Pace
so that they're not holding the bag.
Yeah, just to be clear.
They're good at that.
They're actually a very clever technique with tokenization
where it's definitely all somebody else's fault.
That's been pre-established.
So who's holding the bag?
So, I mean, so one is, you know,
the sort of obvious and easy answer is,
well, that's the subject of endless litigation.
So I think that that will become a big issue for a long time.
The other interesting thing is,
about who's going to hold the bag is that I think, which you see, like, I would say, like,
credit card fraud is a really interesting example of this, which is sort of everybody ends up
holding the bag, right? So if you think about how the consumer economy works with credit cards,
both actually increasingly real world, but also certainly e-commerce, right? Credit cards are
another one of these things. The inventors of the Bank of Ameriard, right, which was the first
credit card in the 1950s, never imagined, you know, electron, number one, they didn't imagine
electronic transactions, like they imagined that people would be filling out the papers, you
know, people did for a long time. And then they certainly didn't imagine that you would have
the skimmers, right? And they certainly
didn't imagine, by the way, fake ATM machines, which
is like one of my favorite things is when somebody drops a fake
ATM machine in the middle of them all and like walks
out with like $50,000. I think that's like the
coolest thing ever. So
you know, they just didn't. And then of course, the credit
card guys definitely didn't envision e-commerce,
right? Because a payment model
where you give your payment credentials to
the merchant, right, in order to
transact online is just
obviously lunacy, right? I mean, no one
never intentionally designed a system like that.
And of course, we all shop like that today.
And so then you get in this weird dance where you've got the consumer, you know, who's supposed to pick their merchants carefully and who's supposed to secure their Amazon password, and they never do any of that stuff.
You've got the e-commerce sites that are supposed to secure their databases and their systems, which they almost never do.
You've got the banks that are supposed to secure their systems.
You've got the transaction processing guys, like first data.
You've got the credit card companies themselves.
So you've got like five different entities where when all the credit card information gets stolen, like, you know, there's different blame to be apportioned.
In reality, what happens, right, is we all hold the bag, because what isn't happening is
then credit card fees, right, get recalibrated to be the, whatever it is, three or four percent,
the economy-wide in order to cover all the fraud, right? And basically, as the customers broadly,
we all eat it. One of the things that I think in the new world is going to be critically important
is having more clearly defined responsibility, right, of who's actually accountable for what.
And so this is something I've said in public that it receives a little bit of blowback,
which is, like, for example, consumers, like who use bad passwords, like,
ought to be held liable for the consequences.
Consumers at some point,
like, at some point as an adult,
you learn that when you leave your house at night,
you lock the door, right?
Consumers at some point are going to have to learn
how to construct a good password, right?
And I say that, and then everybody yells at me
because they're like, the technology should make that easy,
whatever, whatever.
And I'm like, it's a key.
Like, at some point, like adults have to take responsibility.
Like, two-factor authentication, right?
The idea that two-factor authentication is still optional
and not required on all these services
because everybody's worried that consumers aren't going to be able to,
like, it's just going to be a part of life
to have to do two-factor authentication.
But to do that, it can't be the case where if you screw up and your information gets out,
and you get hacked, you know, that you're not on the hook.
And so I think societally, we're going to have to have more of an awareness of that person screwed up.
There is direct, I mean, it's just like firing CEOs.
Nothing actually makes somebody accountable like actually standing to lose money over it.
Right.
Disclosure.
When a company finds out that something bad has happened, who gets to know and how soon
and how soon does the government get to know for that matter?
Yeah, yeah.
So this is another area
I think this will be endless litigation
I think that I think actually this is going to be a whole wave of
shareholder litigation that's going to follow from this because
as far as I can do there may be formal
there may be legal requirements for disclosure but as far as I can tell
they are applied in the breach if at all
across corporate America right now
and you know we all probably know
of examples of major breaches that have never
been disclosed to anybody
you know I think and and
and by the way good and valid reason right
for a bank to for a bank to disclose
that it's been hacked undermines trust in the bank could cause a
running the bank, like, you know, there are bigger implications than just internal politics
on these things.
Shareholders are going to demand the right to know, especially in the wake of things like
Target.
Shareholders are increasingly demanding the right to know.
Again, there's a big question there is, is it in the shareholders' best interest for
these companies to just have to hang all their dirty laundry out all the time?
Right.
Like, is that really what the shareholders want?
There are lawyers who are in the business and filing lawsuits to that effect.
They can always find a shareholder.
I can imagine some hedge fund guys who would like to know that early and often, but yes.
Exactly.
And the government, Silicon Valley's relationship, and I'm talking about big tech companies
in Silicon Valley right now, there's a lot of tension.
You know, Obama was here at Stanford for the security conference, which you guys may have
gone to, I'm not sure, but there was this impression that he was being sort of held at arm's
length by, you know, Larry Page and all these folks that didn't show up, essentially.
What is that relationship right now from your perspective, and how does it play out?
I mean, again, we're all moving through this together, government, big companies,
But where is it today and where does it, where do you think it heads in the near term?
Yeah.
So people in the room already know this.
Relationships, the relationship between the government and Silicon Valley from, in terms of all these issues, is at an absolute low point.
Like, it's one of those low points where you can't imagine it getting any lower, although it probably can.
Somebody, somebody wants, some sees Michael Eisner and Disney once said the great thing, the only thing good about having things go really bad is that you can't fall off the floor.
And in my experience, that it's actually usually not true.
you usually can.
So the relationship between the Valley and the Valley companies and Washington is just
absolutely abysmal.
And just like outright host, I would say outright hostility at this point, complete
lack of trust.
And then the Snowden thing has just obviously been just a tremendous earthquake.
The thing with the Snowden thing is, and I'm trying not to take a political stance here,
but just a non-partisan stance, but just objectively, the thing with the Snowden thing is
the government basically has done nothing as a consequence of Snowden.
Like, it's fairly shocked.
Like the administration has basically done nothing.
By the way, if we were at the NSA right now,
they would agree with this, which is the NSA feels
completely hung out to dry.
The Valley companies feel completely hung out to dry.
The administration's like, what, what, did somebody say something?
And so you'll note, there's been nothing.
There's been no proposal, like how do we put the,
you know, you can't put the genie back in the bottle,
but like what do we do?
Like what are the new operating principles?
What are the guidelines?
What are Valley companies expected to do?
There's been basically nothing.
There's been photo ops and all the CEOs I've talked to who have
on a met with administration or went to this event.
There's no substance.
I haven't heard one thing reported from any of these conversations
where it's like, okay, now there's a thing to do.
And so as a consequence, there's just like,
there's what feels like kind of tremendous betrayal
kind of all around, tremendous hostility,
tremendous kind of feeling that nobody will look out
for anybody's back.
And then the Valley companies, for whatever else you may believe,
feel tremendously exposed in our businesses
because our products are sold all over the world.
And there's been this tremendous lack of trust
And we whine about the press coverage,
because we like to say things like,
well, all the other governments were doing it too.
But, you know, there's like that argument
didn't work with my mother when I was eight.
It is not all that effective
when complaining about the German intelligence service.
Remember that when your son gives you that argument?
Oh, yeah, yeah, yeah, yeah.
No, that's a kind of argument that theoretically
will work well, and then practice never does.
So, you know, the value companies feel very exposed.
And then, of course, these issues are getting used
as cover for, you know, China is using these issues.
We would argue as cover for protectionism,
but whatever, you know, American companies
are increasingly getting forward.
out of China. And so it's in a pretty advanced state of hostility. I think from a civil
liberty standpoint, arguably this is, you may argue this is a good outcome. The Valley companies
now feel much more emboldened, not even so much out of a sense of like proactive,
like enthusiasm, but almost out of a sense of like defensive energy to get much more determined
to do end-to-end encryption. Also much more determined to fight the government in court. And there
have been a whole series of lawsuits mounted by companies like Facebook to try to, you know, try
to push back on the secret courts or try to bring a lot of that stuff out into the sunlight.
But it's a really, it's in terms of the, like, trust communication, like it's a dark time.
By the way, this classic kind of, again, nonpartisan story of government.
So then senior officials came out about six months ago and with a bright, shiny new idea.
They said, I think we figured out how to do this.
They said we, and this was not actually going to say this is another branch, but kind of representing the government.
They said, I know what we'll do.
We can stop doing all the surveillance as long as all the companies that have all the data
can just proactively tell us when somebody's doing something bad.
Yeah, that'll work.
To what you said, yeah, that'll work.
Yeah, yeah.
We really, we want to be in the thought crime business.
We want to have to turn, every time somebody says something bad about somebody,
we want to turn it over to the feds.
Maybe not.
And so, like, it's bad.
And I guess I just close by saying on that topic, I think that, I think nothing will happen
under this, as far as I can tell, nothing will happen under this administration.
I think whoever is the next president
and whoever the next set
of national security officials
have a big opportunity on this
or it will go further sideways
and it's hard to say kind of
what happens
and how bad it could get if it keeps going sideways
but you think it could get worse
or people could dig in even deeper
yeah well I mean so this is my argument
my argument Washington is look
like if everything is and you know
one doesn't know how much Snowden walked out with
like maybe he only walked out with 10% of the programs or something
but like you know for people who follow this
like the hits keep coming
like we keep learning new things like all the time
and so like I think the operating principles
he walked out with everything
and so if everything's gonna just be exposed
anyway then like what's the obsession with secrecy
like you know at some point
like maybe we need to rethink maybe we maybe the
government needs to rethink how it's operating on these topics
and maybe that's just you know friends of mine
who are kind of more kind of politically radical
on this than I am basically say
this is the world that basically Snowden is the first
of a there will be a thousand Snowdens
and so basically that argument goes
as follows which is it just so happened
that Snowden was one of 30,000 employees at the National Security Agency, including all the contractors, right?
And it just so happened that, you know, call it, you know, 5%, you know, call it, you know, 30% of those employees were under the age of 30.
You know, of those, you know, 5% were like politically, like radical civil, you know, liberties, ideologues.
And then of those 5% were so radical that they actually had an EFF sticker on their laptop, which Snowden did.
And you only need one, right?
And so not only will there be a Snowden for the NSA, there will be a Snowden for the Chinese
State Security Agency, there will be a Snowden for GCHQ, there will be a Snowden for Citibank
and on, basically we'll all have Snowden's.
And so in a world where there are Snowden's kind of in every organization, maybe this
kind of thing where we all think we can, you know, these large organizations think they
can operate under cover of darkness.
Maybe that's just not the way it's going to be.
And it may just be that the U.S. government is the first large organization that really
has to directly confront this.
This is not cover of darkness, but it's suit anonymous.
Bitcoin. How does Bitcoin sort of fit into your view of where things need to go
and as an aid in kind of securing things in a better way?
Yeah. So first of all, I have to be careful on the topic of Bitcoin because I can very
easily do the full cruise job and bang my shoe on the table for six hours. So I'll try
to do the short version. So Bitcoin emerges at a very interesting time, I think, for two
reasons. One is just broadly architecturally, the idea of the blockchain and the idea
of decentralized trust.
And for those you haven't looked at this,
it's really quite clever the way the system works
in terms of being able to have people
who have not met each other,
be able to actually establish
and maintain trust relationships online
through cryptography.
Like, I mean, I can't think of a better time
for this technology to emerge.
I wish it had emerged 20 years ago,
you know, so that we could have built it in
to the web and we could have built in the browser
and we could have everybody using it now.
But, you know, interest in these topics
is sky high.
So this is a very interesting time
for a new technology like this.
So that's sort of the big picture.
And then tactically, payments, Bitcoin is a real solution to this problem I mentioned before,
kind of indirect incentives and indirect accountability.
And so one of the things interesting about Bitcoin is as a payment method,
as a way to actually represent value and pay people online, it's a bearer instrument, right?
So it's like cash, or it's like a bearer bond as opposed to a credit card number.
And one of the interesting things is I can pass Bitcoin, I can send Bitcoin from myself to somebody I've never met before.
and I don't have to reveal anything about myself, right?
I don't have to give my credit card number, my payment credentials,
make anything.
And, you know, it's public-private key cryptography,
and, like, it just works, and I'm completely safe and secure,
and it doesn't matter what happens after that.
The other person has the value, but they can't, they can't blow back on me.
And so it's actually been really funny.
Economists think that this is a huge step backwards,
like they think that the modern economy of credit and debit and so forth
was evolved over time and having to move back to cash
is like a big step in the wrong direction.
But I would argue online, because,
of this incentives problem, you know, you want people to be responsible.
The target hack was a good example. Like one of the things about the target hack is I think
they're going to, I don't know for sure, but I would imagine they're going to be fighting for
years about who covers the losses on the target hack when the credit card database got breached.
In the case of Bitcoin, if my account gets breached or if Target gets breached and the
hackers steal the Bitcoin, there are no other consequences other than the fact that my Bitcoin
or Target's Bitcoin got stolen. There's no ability to use that information to then go hack
somebody another, you know, a second time. And so it is a much more direct linkage of
sort of negligence or lack of attention to detail or lack of awareness of security coupled
with financial consequences that we just don't have today. But like if we can't even get people
to do two-factor authentication, how do we get them to shift into like, oh God, it's digital currency
that, you know, you don't even know how it works. Just trust us it does. You know, the answer is
most people are not going to use Bitcoin directly. Most people are going to use
services, we funded a company called Coinbase that makes it really easy to use Bitcoin.
Basically makes it easy to use Bitcoin as PayPal makes it easy to use dollars.
And so for anybody who can use PayPal, they can use Coinbase.
So a lot of people will use commercial services.
But Bitcoin itself, like from a technology standpoint, normal people may not understand it.
But the use cases are very interesting.
The architecture is very generalized.
So it sort of disappears like lots of good technology does and we just start using it.
I have another question around Internet of Things.
You know, things are complex enough as it is.
You know, you guys deal with endpoints in the numbers of millions,
but we're talking billions upon billions.
First, define Internet of things for us, you know, from your perspective,
and then how does that present kind of another massive layer of complexity or does it?
Yeah.
So, yeah, so I think the best assumption is probably trillions.
I think the number of things is going to, the number of things online is going to get very big.
So the way I think about it, this goes back to what I was talking about,
in the virtual world, is that basically any physical object, any physical item is going to want
to have a chip in it. And then any physical item with a chip in it is going to want to be
connected online. So literally everything over time gets connected online. There's two interesting
books in this I recommend. There's a book, I believe the title is Enchanted Objects that came
out. And it's a guy who kind of goes through this. His kind of argument is, like, we're going to
live in Harry Potter world. Like Harry Potter, like, you know, he's walking down the hall at
Hogwarts and like the picture lights up and starts talking to him.
and then he's got his, I don't know,
he's eating utensil and turns into a snake
and slithers off or whatever,
all the different things.
Like, everything basically gets animated.
Like, there is nothing that's just like static
and just sits there, like everything is active.
And, you know, and at first, you know,
that seems like it's pushing things too far.
And then, you know, and then we see the pitches we see every day.
We're literally getting people,
I mean, we're in one of those phases of the industry
where anything that can get dreamed about
is going to get explored.
And it's going to be a magical inventive time.
The security consequences of this, I think,
are going to be, I would say, awesome in both the very terrifying sense of the word
and in the very inspiring sense of the word, which is, I mean, look, there's no way
we can help self-driving cars with the current level of security of the average desktop
PC.
Like, we just, like, there's no way we can't do it.
Self-driving cars, very exciting.
Self-driving cars, if every car on the road is self-driving, all cars could go 300 miles
an hour, right?
And they could weave through traffic.
There would be no more stoplights, and you could basically cut auto fatalities to zero, right,
as long as they don't get hacked, right?
Right.
So with that slight, you know, additional kind of thing.
And so internet of things, like if we weren't already required
to take security more seriously, internet of things
would definitely trip us over.
So here's my theory.
I think self-driving cars are actually going to be,
I think they're actually going to be owned by hedge funds.
So I guarantee they're not going to want to take responsibility.
So I think what's going to happen is hedge funds are going to spend a billion
dollars and they're going to buy a fleet of self-driving cars.
And then they're going to bid them out through services like Uber and Lyft
to passengers.
And so you're going to be standing outside.
You need a ride to get home.
You click the button and it like bids out over a network like Uber
or Lyft to whatever cars nearby, which is probably owned by some
somebody with a big balance sheet, probably a hedge fund.
I see. Right.
And so in a case like that where something goes wrong, you've got the driver, you've got,
or the driver, the passenger, you've got the, and of course, then there's a question of
whether the person in the car had any ability to take control or not, right?
Because then, you know, should the person have taken control? Should they not have taken
control? Then you've got the hedge fund. Certainly people blame the hedge fund, just on general
principle. And then, you know, the route planning software, the guidance software,
Google, you know, the stream of Google Earth data that's going to be coming in.
Right, right. Yeah, it will be, yeah. It's going to be a mess. As usual, lawyers will be
get busy for a little bit. It'll be fun. So, final question. Silicon Valley and the economy,
I mean, technology, you have this, you know, sort of overarching to do this software eats the world.
And at the firm, one of our fellows, Benedict Evans, says that tech has outgrown tech.
Is the tech economy is sort of a separate thing? It's just on fire here in the valley.
How do you look at Silicon Valley's economy, the technology economy, and as it relates to sort of the rest of the world bumping along doing its thing?
Yeah.
So I'm a much bigger optimist.
There's been a lot of negative kind of coverage of the tech industry kind of being, if anything, too, sort of ironic, actually, for those of us who live, as many people in the room did, live through the 2000 crash.
Everybody by 2003 knew that tech was all stupid and dead.
And so to have gone from that to tech is maybe now too powerful and too successful with no intermediate steps anywhere in the middle.
has been kind of entertaining to live through.
I think the consequences,
I think the consequences for the global economy
and for basically people everywhere
are much more positive
than people are talking about right now
in two ways.
One is we're giving people
incredibly powerful tools, right?
This is sort of the big understated thing.
I think there's this like,
there's still this kind of sense of like we're giving,
so the good news is we're living in a world where smartphones,
Android smartphones now are down to $25, right?
And so India, Pakistan, you know,
whole range of developing world countries,
Indonesia, you know, you go to the local store and you literally get an Android smartphone
for $25, right? And that is the equivalent of a supercomputer from 25 years ago, you know,
that basically everybody in the planet is going to have one, right? People who have smartphones
now don't have to this day running water or electricity in their homes. And I think there's
a view of like, oh yeah, fine, okay, they can make phone calls or they can watch, you know,
World Cup videos or whatever, but like they, you know, this is not like for somehow a tool of production.
I think these are tools of production, right? I think people who have smartphones and then
over time, tablets and laptops and all the technologies that come from this, I think are in a
position, and if either position, either for themselves or for their kids, you know, for education
and access to information, access to careers, access to work, access to banking service,
modern banking services, financial services, lending, the ability to take products to market globally,
right, is something, the ability to get educated, is something that is becoming available to
everybody on the planet in a way that just hasn't been before.
And we're just in this kind of, you know, phase right now where the technology is literally
just getting to, like, we're just in the phase now where the technology is actually getting
everybody. And so I think 20, 30 years out, I think it's going to be amazing to see what people
are going to do with these tools when they have them in their hands, and all the kind of second
and third order effects that'll come from that. And then I think it's, you know, indisputably true
that there is going to be, and there is today, you know, significant disruption. I mean, it's
certainly, you know, nobody's idea of a good time to be a taxi driver in the era of lifts and Uber
or to be a small independent bookstore in the era of Amazon. But, you know, without
sounding callous about it, all of these shifts are the result of consumer choice. All these
shifts are the result of consumers voluntarily deciding to spend their money one way or another
way. And kind of the history of economics is when consumers have the decision, have the free
decision to be able to spend money the way they want. You know, really, really good things
happen in the economy. And so we're going to go through a lot of change. I think we're in this
period of time where it almost, I think it looks worse than it is because we see all the change
happening. We don't yet see the payoff because we don't see what everybody's going to do with
all these new tools. But I think we will. And I think over the next five or
10 years, I think, especially what's going to come out of the developing world is going to be
phenomenal. I'll just give you one example. A good friend of my, Chris Schroeder, who used to
work in the state department and then ran a big internet company, spent two years in the Middle East,
and he's highly networked throughout Egypt and Syria and Jordan and all through the Middle East.
And it turns out there's a whole internet startup boom happening in the Middle East. And
like, this is a fairly like big deal because like, you know, there's lots of other stuff
happening. And there are kids busy working away on app startups in Jordan and in Syria,
just the same way they are here. And in fact, the most inspiring part of, this didn't happen
before he wrote the book, but he wrote an essay about this later. After he wrote the book,
he got one of the very few passes. There's like 20 a year of American business people who get to
go to Iran on its state department program. And he went and he spent two weeks on the ground in
Tehran. And he said there is an absolutely vibrant internet startup scene on the ground in Tehran.
kids who are working on these startups are just like as excited as can be they know
everything like they're completely current on every they know everything that all the guys
who come in our office every day you know no they're completely current and they've
read all of you know they've read all of you know posts they've read all of our like it's
everything they've read everything um and they've got their apps and they got their ideas and
like literally their big issue is they're under an embargo right like they just they can't
get their stuff to market um but they could not be more excited about it and so i think
you're seeing lots of signs around the world of sort of a huge amount of latent energy
creativity, economic growth and development, that hopefully the world will be stable enough
over the course of the next couple decades. We'll really be able to see that play out.
Thank you so much.
Great. Thank you, everybody. Great. Thank you.