a16z Podcast - a16z Podcast: Security’s Wakeup Call
Episode Date: December 3, 2014
The security landscape is changing. Can companies fight back against an increasingly well-armed and sophisticated set of bad players? “I think it is the beginning of a wakeup call,” former deputy secretary of defense Ashton Carter says. “That said, I think there are a lot of people at the top that don’t know what to do.” Carter (who is expected to be formally nominated as the next Secretary of Defense) joins a16z board partner John Jack and Yahoo security chief Alex Stamos for a wide-ranging discussion about the state of security.
Transcript
Okay, well, in the interest of keeping on the schedule, we're going to get started.
This is Dr. Ash Carter, a deputy secretary of defense, and Alex Stamos, who's the CISO of Yahoo.
I'm John Jack. I'm a board partner at Andreessen Horowitz. I'm 59 years old.
And yesterday I was reading the paper, listening to Frank Sinatra.
And at the same time, I opened my
mail. And I had, and this part's true, I was actually listening to AC/DC, but he wouldn't know that.
So I opened my, I opened my mail, and I did have a new charge card from Visa as a result of the
Home Depot breach. And as we've seen in the news, there's the Home Depot breach, there's the
Target breach, which the cost to target is now $236 million direct costs and rising. And
And we know what happened to a few people's jobs there.
And now we have J.P. Morgan Chase.
So my first question to you, Ash, is what's going on?
I think that as long as I've been in the technology field and then five and a half years in the Department of Defense,
and just to be clear, I'm the former Deputy Secretary of Defense as of a few months ago.
You were just promoted.
But we had all of our systems and our technology and obviously NSA
reported to me and all that.
And I was consistently disappointed with our security, even though we spent an awful lot
on it.
We're probably more aware of them than others.
And as long as I've been in this field, I have had the feeling that this was an area
in which demand was inadequately articulated, and so investments weren't being made.
And year after year, after year would go by.
Now, I hate to see demand stimulated in this way through the target thing, but I think it is the beginning of a wake-up call.
That said, I think a lot of people at the top don't know what to do at that point.
They have a big installed legacy base, a lot of that's old, and they may climb on top of that problem technically,
and then they say, oh, geez, I didn't know about this SaaS and mobile and cloud and all these
things that add a whole different layer to things.
And then many of them, and this is especially true of small, not J.P. Morgan Chase, not Target,
but go down a tier.
They don't quite know why it could be detrimental to their business to be insecure.
They understand the reputational part of it, but not necessarily the instrumental part.
And these are real, one of the threats to them is real world competitors elsewhere
in the world who are stealing their intellectual property.
So it's not a joke, and it's not really an abstract thing.
But any rate, the short answer to your question is,
I've been waiting for Godot here for many years.
I certainly hope that this is the beginning of a wake-up call,
but I'm skeptical.
Alex, are you awake?
Yes, I'm awake.
Okay.
So on the credit card issue, I think there's a micro and a macro.
So the micro issue is we're on the
verge of a transition away from the mag stripe 16-digit credit card model.
And just at the beginning of that transition, some bad guys figured out the real fundamental
problem that the CIOs and the CISOs of these companies have, which is they have a huge
physical plant with 50, 60, 70,000 deployed point-of-sale systems, many of which are still running
Windows XP and that are almost impossible to secure, right?
And so you have kind of the micro issue of, often in the security industry, the bad guys
figured that out. They have a very notable success. And Target was the first success, and then
you have the follow on. And now with the EMV transition, especially, these guys who have had
probably access for a long period of time are trying to slam it through and make as much money
as possible before EMV comes next year and NFC and all that stuff. I mean, the macro issue,
as Dr. Carter said, the unfortunate truth is that if you look at the Fortune 500, I would say
470 of those companies are kind of screwed because they're playing at.
What's happened is is that the level of adversary has caught up to a level that's
well beyond their ability to play.
And so when you look at like the people who are okay shape are the big tech companies because
we have big diverse teams.
We have over 100 people on my team and a couple others working on security.
And I have the ability to hire Windows kernel experts and reverse engineers and malware experts
and people who, you know, we write a bunch of our own software to go find malware and to manage
systems.
And I have the ability to hire those people and to keep them employed and interested.
and then you have, like, the defense industrial base,
and those guys can just throw money at the problem.
But for everybody else...
And the banks, right? The banks can throw money at the problem.
No, it's just, you know, they can hire good people.
They have a ton of money; they're able to spend it on product.
But outside of that, like, if you're just an
industrial company in the Midwest and you have
5,000 employees and a couple billion dollars in revenue,
it used to be that security was,
you know, you keep the viruses off the network and stuff.
And now it's that you have a competitor
in China or Russia or another
developing country where there's a loose line between the government and
industry, and all of a sudden you're facing people who've been trained by those
countries' intelligence agencies from an industrial espionage perspective, who have
cut their teeth breaking into Lockheed and Northrop Grumman and Google, and are now
turning to the Midwest industrial manufacturer. And those guys are really in trouble,
because as an industry we don't have much to give them, because they can neither
build the people like we can, nor can they spend the budget like the banks and
the defense industrial complex can. So it sounds a little scary.
So if you think about one of the theses of Andreessen Horowitz, which is that software is eating the world,
meaning that there's more and more software deployed to disrupt current industry or what I tell CIOs and CISOs is software is essentially the manifestation of your competitive advantage.
You build software in order to keep your business ahead of your competitors.
So we have a new class of bad actors who know how to go after anyone.
from the largest enterprises down to small medium enterprise,
yet we have a continued need to publish more software
in order to maintain a competitive advantage.
And with more software, we have more attack surface.
So what would you say to the CMOs and CIOs in this room
about how to think about the problem and think about what to do,
given that CMOs are more concerned about the brand and reputation?
And CIOs, of course, often have the CISO reporting to him or her or side by side.
It's a big problem.
What guidance would you give?
I'll go to Alex first.
Yeah, for the CIOs, you said the magic words, attack surface, right?
So attack surface is you imagining what's a company look like to the outside to a bad guy
or what's a piece of software look like.
And attack surface minimization is by far the cheapest and most effective way to reduce your security risk.
It's the reason why Microsoft has spent probably a billion dollars on
security in the last decade and they still haven't gone anywhere.
It's because they're not willing to do attack surface
minimization due to the way they do backwards compatibility.
And so if you're a CIO, one, move to the cloud.
Who here works at Microsoft?
Great, nobody.
Nobody in this room is qualified to run exchange at their enterprise.
No CIO in here is qualified to run exchange, right?
Like if there's anything in the cloud and the DevOps
revolution has taught us, it's that things are way more secure if you
write the software and you operate it yourself.
So moving to the cloud into trusted cloud provider
who are doing a good job for all of the functions
where you're not writing your own software,
I think is the best way to reduce attack surface.
And for the CMOs, engage on security issues
before it's an emergency, right?
The problem is for most companies,
they only trot the CISO out to be the sacrificial lamb
to have their head chopped off in public.
After there's a, and that's one as like the union,
my union rep says that that's not a good thing
for CISOs overall, but also it's a lost opportunity
for companies to engage the press
and engage their users to talk about positive things
about security and to build up some trust.
Because the truth is we're all gonna have security incidents.
If you only talk about security when it's a bad thing,
you have no ability, you have nothing built in
with reporters and the people who give quotes
and the experts in the field to rely upon
when the bad things happen.
So get more proactive about talking about positive things
about security and how users can keep themselves safe.
So when the bad day happens,
that you've got a little bit of a cushion.
Ash?
I agree with everything Alex said.
And he has a
company that has capabilities; not all companies can do what they do, or not all companies
have an Alex Stamos working for them, and they're not going to. So the challenge for the,
what I'll call sort of more average company with a big installed legacy base and a kind of
IT department is how do you, as you look out, and I talked about the market, what is the
supply chain look like for security. It's hugely fragmented. There are lots of, you know,
you have to have this and you have to have that. We all know what all the pieces of an overall
security architecture is depending upon what you're trying to protect and the attack surfaces
that you're dealing with. But it falls on the company and its own staff to assemble that
architecture. And so somebody's going to make a hell of a lot of money who figures out how to
brand that architecture and can credibly say, I'll put together an architecture for you, non-tech
company, as good as the one Alex is going to put together for a tech company. And here's how
you'll know it's good. Right now, they're having to do it themselves, and they've got 10 vendors
coming in with pieces of it, and they're trying to put these pieces of the puzzle. And they're just not
capable of doing it. It's a very hard thing to do intellectually to do, and the IT departments
aren't up to it. Do the CMOs in the room have to change their mindset around security in
this regard? So for the past 12 years when I've been in this industry and I have a successful
sale to a big financial services firm, their first thing they tell me is you'll never use
my name, it better not appear on your website, we'll never be a reference.
This is top secret stuff.
Is the landscape changing where, to your point of being proactive, means that companies should talk about their security strategy so they're out in front of it?
Yeah, I totally agree.
I mean, the idea that the bad guys are getting the information from public sources, they know what your info is.
The truth is, I think, one of the things CMOs need to realize, I think CIOs hopefully get at this point.
A breach isn't just a breach as a breach, right?
We have this idea that if any machine gets broken into,
it's the same as 100 million credit card numbers being stolen.
The truth is, for any reasonably large enterprise,
every day your security team is running two or three or four security incidents.
That's malware dropping on somebody's machine,
somebody who was tricked and phished.
That was an external machine that didn't get patched and got compromised.
That's just day-to-day for us, right?
And so I think CMOs need to realize that there's kind of a given, taken,
security that happens, and it's important to talk about the fact that if,
you know, we, for example, had a security incident just a couple weeks ago where we had
three machines broken into, and there was a young man who's trying to make a name for himself
by publicizing this. And it's a big deal, and we're glad that these machines were found
and caught. But because of the way we build things, there was no user impact, there's no user
data impact. And it was important for us to kind of go out and publicly say, this is what this
means, and we could do that because we talk about our security model openly. And so I totally
agree that you need to go out and talk about that because the bad guys know, you know,
no enterprise with more than a couple dozen people is going to keep the bad guys from first
getting a foothold in their network. That's impossible. It's about what happens after that.
So there's no real loss to talk about your security plans.
Ash, Director Comey of the FBI said, everyone is owned by the Chinese. What did you think of that
statement? And I don't think he meant like equity ownership.
No, no, no, no, no, no, no, no, no, no, no, no he didn't. And I think I think Jim Comey is
basically telling the truth.
The Chinese government-sponsored
and at kind of one-arm's-length proxy
IT aggressor services are large,
they're smart, and they're largely unopposed
in this country.
So I think that you, and I certainly,
I'll tell you,
JJ, I even felt this way about our networks in the Defense Department, and if anybody
thinks that we did a very good job of protecting defense networks, take a look at Edward
Snowden, a classic, whatever you think of that.
It was a classic insider threat realized to the huge detriment of the country.
They are, they are, I always felt, had penetrated our, the
government networks we know, and we see them all the time. And they're small:
they go after little companies that make a little component, a specialty
component of a specialty alloy or something, or a paint that it took
somebody somewhere in this country decades to perfect that formula, and they
steal that formula and thereby overnight become a competitor for a company.
It's a serious business.
It also allows them to get into the supply chain.
So if they can break into that little paint suppliers' systems,
they can get into the supply chain
and worm their way up to where they might want to get to.
Alex, what do you think about, you touched on a little bit,
again for the CMOs in the room,
how do you make a decision what to talk about
if indeed you have been breached?
I mean, there's two extremes, right?
There's the one machine or three machine,
example you have and then, you know, 100 million credit cards. But what about that area
in the middle? How do you think about that?
Yeah. Unfortunately, it seems like most of the decisions are made by lawyers, right, who
are all about we're going to hide as much information as possible because we're not going
to give it out. Obviously, each one of these breaches comes with its own special set of
shareholder lawsuits and user class actions. And there's a Shakespeare quote that I think
is relevant here that I'm not going to repeat, but you can guess what it is.
But, you know, letting the lawyers make the decisions by default, I think, is not great.
I mean, obviously, having your general counsel and your legal team part of it is totally
critical, but that's why you have to have that discussion with them ahead of time.
And I think wargaming this out is actually not an unreasonable thing.
To sit and do a tabletop exercise, and there are consulting companies that do this,
or you can just do it on your own with your own security team,
where you could war game out with your CMO, with your general counsel,
with your law enforcement team, the people who do all the investor relations and securities law,
and game out?
What would we do in this scenario
so that you're not making the decision
in a four-hour window?
I just had one thing
that is another dimension of this
that I think bears mentioning.
It came up this morning
and when folks were talking about
the two-way nature of a transaction
in which I share data with an enterprise
and the need to give back
and therefore the question of trust
and the personal cost
associated with being active on the narrative.
I think that's another dimension of security.
It's not about bad guys hacking and stealing things,
but it is about trust and reputation in a certain sense.
I think these two things are kind of going to come together.
I think people, not malefactors,
but people are going to be more demanding
that they understand what is being done with their information,
that it's not going off somewhere, not China necessarily,
but often somewhere where they can't control it
and aren't getting anything back.
I think from the point of view of the corporation leadership,
those two things are somewhat separate,
but operationally they overlap quite a bit.
You know, on a thread there is,
what is the role of the government and commercial enterprise
in sharing information about threats?
Okay.
I don't, we have some pockets of success.
there. We have FS-ISAC,
you could argue, has a pocket
of success. But why isn't there just
a, the government
shares everything they know, every commercial
enterprise shares everything they know,
except for the lawyers, everything
they know, and we have this universal
knowledge base
of bad
behavior. Well, there's more going on there
than you might think, but a lot less
than there should be. So now the question
is why, and these aren't,
these are not excuses to me. They're
explanations. There's no excuse. But the explanations are that a lot of the threat information
that the government collects in the counterintelligence area, counterterrorism, protect our
networks area, some of it's germane, but a lot of it is not really germane to these commercial
attacks. Said differently, the government isn't collecting a lot of information about these
attacks. That's thing one. Thing two, which is less
acceptable, is that the US federal government has still not made a
decision in the matter of cyber defense of the kind that it had to make in the
area of counterterrorism, which is: is this an attack, a crime, or a disaster? Now,
why does that matter? Because it's all three. If it's an attack, then you
expect your defense establishment to take care of it. If it's a crime,
then you expect your law enforcement establishment to take
care. And if it's a disaster, then you expect your homeland security apparatus to take.
And so there's been this sort of three-fold struggle over this. And you add a huge layer of
lawyering, government lawyering, even worse, on top of that. And you have stasis and paralysis.
So even that's another way of saying, JJ, is that even that which is collected and could
profitably shared, is inadequately shared because of those basically trivial bureaucratic.
Can we break that logjam?
Yeah, I think that we've got to.
And I think you see Jim Comey actually trying to do that.
And my attitude, when I was representing the Defense Department to Jim and his predecessor, Bob Mueller,
is my attitude was, I'm not going to try to claim this.
Go for it,
and I'm 100%
behind you. I could never
get Homeland Security, quite honestly,
because I thought they had
the attitude that they wanted
this bureaucratically.
I mean, all bureaucracies want things
and they wanted this, but they didn't have the
capability. Comey
had the authorities and some
reasonable technical capability.
We had a lot of technical capability, but I didn't feel
like we were the right people to do it.
So my attitude is this is a national problem.
Let me just get in behind Jim and tell all my bureaucrats to stuff it and stop fighting
with them and trying to seize it yourself. But I never got Homeland Security to that point
of view. We better talk to them. What's the corporate view on the sharing and collaboration?
Yeah, I mean, we'd like to collaborate more on the national intelligence threats. It feels like
it's a one way that we send data to the government and they say thank you. And we talk to these
folks, and it's not like they're being malicious, the problem is kind of over-classification,
right, that you'll have a source or a method that gives them data that's useful, and then
everything that touches becomes classified, and then the process to get this stuff from,
you know, if it's SCI, you know, compartmentalized information, to get that declassified to
be able to share with us, like completely, you know, to the no foreign level or something,
is extremely hard, even though, you know, I have employees who have TS/SCI clearances,
who have the ability to work with the government, but then we can't.
We can't take data that then we can't use elsewhere, right?
And so for me to be able to take an IP address to put it into my Splunk search has to be declassified and there's no real good process for that.
And so most of the data sharing that happens that's useful for us is between us and our partner companies.
FS-ISAC is a great example of how the banks have done that.
We're a member of FS-ISAC because we do billions of dollars in credit card transactions.
And I think that's great.
I think the tech industry needs to do that.
I mean, it's a little harder for us legally.
The banks basically have no privacy laws, which is how credit unions exist and stuff.
they can just take all of your information and share it.
That's not true for us with ECPA and a couple other laws.
And I think that's fine that those laws exist,
but we need to figure out the legal framework
that allows us to share information in real time
to be able to say, you know, this Android phone
that has malware on it is pretending to be other users
on Google, Facebook, Twitter, and Yahoo at the same time.
It'd be great for us instead of each one of us determining that
separately, that one of us figures it out,
and then that person's locked out from the rest.
Okay, well, we have eight more minutes,
and 11 seconds.
And what I'd like to do is ask you each a question
that's very specific to your domain
and not necessarily completely on topic.
Great.
Alex, I'd like to ask you, as individuals in this room,
how do we think about our own personal security,
cybersecurity?
So the kind of inconvenient truth of the tech industry right now
is that there's pretty much nothing
an individual person can do to be safe online if they're targeted by a bad guy. And the way
we can tell this for sure is from the iCloud hack. So we've talked about Target and Home Depot,
which has 100 millions of credit card numbers, but who really cares, right? Like lots of people
get their credit card numbers change and Target loses a couple percentage point of their market
cap, but the human impact of that is minimal. Whereas with the iCloud photo leak, you know,
we have dozens of celebrities with their most intimate videos and photos being on the internet.
And, you know, the first reaction from a lot of people in the tech industry was like,
well, you shouldn't take naked pictures of yourself
on your camera, which is like a totally reasonable thing
to tell your teenagers, right?
But it's not an appropriate reaction
from the tech industry.
And the truth is that all of this technology in our lives
we've built this huge edifice that is completely
unsupported by the fact that if you are targeted
by a bad guy, they're going to get in, right?
Either they're going to, first they're just going to buy
your username and password off the black market
from a third-party breach, or then they're going to step up
to doing a spearphishing attack on you,
or they're going to do password reset question,
which are, if they research any individual,
you can get somebody's credit report,
which you can purchase from ChoicePoint or something like that,
or they'll go and put malware on your personal machine, right?
And so that's a real problem for the tech industry.
And so, I mean, the best things people can do
is they can protect themselves against kind of the mass takeover,
which means you need to use a different password in every single site.
You need to turn two-factor authentication on everywhere.
That probably means using a password management tool,
like LastPass or Dashlane or 1Password.
But beyond that, it's incumbent on us to the next five years.
We need to redesign how technology works, so actually people are safe if they're targeted,
not just that they're lucky.
Okay, I was kind of hoping for like this magic, just do this.
I mean, you could join the Amish and raise barns all day.
I mean, that's honestly the safest thing.
Okay.
That's what I'm working on the beer.
Yeah, you got it going there pretty good.
Ash, while we have you on stage, a little bit higher level than cybersecurity now:
national security. And I'm just curious on your views on all that's going on in the Middle
East and what's the path from here?
Well, I'll say something that might surprise you, which is that, yes, the Middle East is
very important. I fought two wars there, Iraq and Afghanistan. The bin Laden raid, lots of things
have been going on there. And likewise with Russia, Putin,
Ukraine and so forth. But if you step back a little bit from those and you say, what would really be consequential for us as a country and us in this industry writ large, your eyes have to go back to East Asia, where for 70 years, largely because of the United States, there's been stability and prosperity.
That's the environment in which Japan first rose and prospered,
and then South Korea, and then Southeast Asia,
and today, China and India.
And that's a great thing.
And it's a huge asset to our world and to humanity
and to those people.
But it is also a region in which, where the wounds
of World War II never healed.
They all hate each other, if you haven't noticed.
And the United States has been kind of a counterweight
to that and a balance wheel.
And the rise of China is, OK, and I'm not one of these people
who believes that conflict with China or Cold War with China
is inevitable.
It's certainly highly undesirable.
But you don't get what you want in this life just by wanting it.
We have to work at that result.
And there is a tendency in Chinese strategic thinking,
and you hear it in Xi Jinping, to be a little,
it's now our place in the sun, our time to shine.
Within bounds, that's okay.
When it shades into hubris and risk-taking, it's a problem.
And I just say that because that could ruin everything.
Putin can't ruin everything.
And, you know, ISIS can't ruin everything.
That could ruin everything.
The other thing I came to mind, which is very important to me personally,
and I'm kind of devoting myself to now,
and this has been mentioned several times in this
room, and that is the ability of our people in the United States to partake of the digital
economy. Do they have the skills to do that? Do they have to succeed? And because our business
success will depend upon their ability to do that, and the social cohesion of the country
will depend upon the sensation that the American dream isn't just a dream, and that the
escalator is still there.
And once again, that's not something you can just take for granted
generation after generation.
We have to work on it and say, well, what is that going to mean
in this new world?
It's not going to mean what it meant for our parents.
It's going to mean something different.
But there has to be that sense that you can get ahead by,
and that the system is fair and gives you a chance,
and that we have the best workers there for, you know,
top-flight
industry and so forth.
And I think there are enough
worrisome indicators there
that it's something we need to take seriously about
because you know, you're leaders of the society
here leading into this new
future. I think we have to
have a philosophy towards that.
And I'm now having left defense
and I don't have that to preoccupy me anymore.
I'm turning myself to that puzzle.
I don't have the answer to it, but I think
it's something that I'm thinking about.
So interesting perspective, you're saying that
part of the way to think about
this is very inwardly focused, right?
Is our own world we live in that we drive
versus just thinking about how we can quell the enemy
on their turf, et cetera, et cetera.
Yeah, I mean, I'd love to have the luxury of saying
everything's okay here and we'll still have all the technology
and the money that we need to defend ourselves, you know,
and be the best and so forth.
But you can't take that for granted in defense
any more than you can take it for granted
in any other field of technology.
Other people are good, they're smart,
they're working on their development
of their own people and their own technology,
and that's fine, it's fair,
but I want us to be doing that for ourselves, too.
Great.
Well, thank you both very much.