The a16z Show - a16z Podcast: Changing the Conversation about Cybersecurity
Episode Date: June 16, 2017
When individuals gain the abilities that only nation states once had, how do we put cyber threats in perspective for policymakers -- without unduly "inflating" the threats? As it is, security is an intense and important topic, so our job is to be scared -- and prepared -- but what's the scope of the actual threats, how do we talk about them, and what are the best analogies even? For example, we tend to think about "getting inside" as the big problem -- but in fact, the steady, "low-grade" degradation of trust and constant exposure is much more common and where we should be focusing holistically. The guests in this episode of the a16z Podcast discuss all this in a conversation (with a16z's Matt Spence) recorded as part of our Tech Policy Summit in Washington D.C.: a16z general partner Martin Casado; Head of Cybersecurity Strategy at Illumio Nathaniel Gleicher; and former Director of the National Counterterrorism Center and former General Counsel for the NSA Matthew Olsen.
Transcript
Hi, and welcome to the a16z podcast. In this episode, recorded as part of our tech policy summit in Washington, D.C., guests Martin Casado, a16z general partner, Nathaniel Gleicher, head of cybersecurity strategy at Illumio, and Matthew Olsen, former director of the National Counterterrorism Center and former General Counsel for the NSA, talk with a16z's Matt Spence about changing the way we talk about cybersecurity.
So why don't we, Matt, start with you.
So you saw some of the most dangerous cyber threats to our country from your perch from inside the Situation Room.
What should we be more afraid of and what should we be less afraid of in the cyberspace?
We need to be really rigorous and precise when we talk about the threats we face.
You know, you were there, Matt, with us in the Situation Room.
We were briefing the president.
I was the person who started off the briefings with the president to talk about the threats we faced from terrorism.
And there's always this impulse to inflate the threat because you don't want to be wrong, right?
And so there's this sense like you should kind of go to the scariest, darkest corner of the room.
But I think it's critical that individuals in that position and companies in that position actually don't fall prey to that impulse.
And to really understand, okay, what is the nature of the threat?
How do we put it into perspective so that policymakers, companies can make sound resource decisions,
sound business decisions, sound policy decisions about how we're going to counteract the threat.
So I think that's a fundamental point, and I do think we face a bit of inflation about the nature
of the threat, or at least a little bit of lack of care and talking about the threat.
I do think, and where I make to sort of take a different maybe glass half empty versus
glass half full perspective, you know, as much as we celebrate all of the ways in which
the advances in computing and in big data and analytics give us greater ability to
counteract the threat, those same capabilities are also going into the hands of our adversaries.
And so the same things that help protect us are also the same things that are causing us to feel
vulnerable and to feel exposed. And where, just like in terrorism, where there are asymmetric
threats from individual terrorists and ISIS can outsource and crowdsource terrorism to anyone
who can communicate with ISIS over an encrypted channel, we see individual small groups of people,
as you said, gaining the capabilities of what were nation-state capabilities in terms of the ability
to carry out attacks from just a few years ago. So I don't disagree. I just probably, because of where I come from, have a little bit more pessimistic view and can't be quite so sanguine about the direction that we're going.
There is a danger of inflating the threat as well, too, right? If everything is a threat, nothing is a threat, then. And that's kind of the issue, too, is there's this intersection of the way we talk about threats and the major technological breakthroughs that we've had. And Nathaniel, turning to you is, in your perspective, both kind of an industry and the White House, what are some of the major technological breakthroughs that you think we've seen since, maybe, like the early 2000s, when there was last so much concern and hype about cybersecurity? In other words, are there breakthroughs or what are the breakthroughs that have allowed us to avoid sort of the world-ending events that we all thought would just have us all like spontaneously explode right now due to some cyber attack or something like that?
You know, it's funny. There's a book called The Cuckoo's Egg, which details this very sophisticated
attempt to break into Berkeley's security systems and the efforts of this security researcher
to track and catch and stop the guy who's breaking in. And it's interesting because he walks
through how he does it, and it's a very detailed description of a threat and counter-response.
The funny thing is it took place in the early 1980s.
And there's some things that are different, right?
He actually tracks this guy by having rooms of printers set up between about 9 p.m. and 8 a.m.
Because this is when the intruder was breaking in, tracking and printing out records of what part of the environment he's in and where he's moving.
So some things are different, but actually a lot of it's pretty similar.
And many of the techniques he uses look a lot like the techniques we still use today.
So I would actually sort of say there aren't as many changes as we think there are.
And one of the big problems, and part of I think what you are identifying, Martin, is there's a big difference between sort of what cybersecurity threats actually are and how we talk about them.
There's a statistic that's been going around.
It was used in a couple of cybersecurity bills recently.
It was used on the hill.
And the statistic is 60% of small businesses that get targeted with a cyber attack go out of business within six months.
And in case you're wondering, the statistic is totally wrong.
There's no basis for it whatsoever.
But it's exactly the kind of statistic you'd expect to hear about cybersecurity because it's about
sort of this big, massive destruction, no companies could survive, huge consequences.
And I was talking to a colleague of mine and he was pointing out that if that were true,
virtually every business that went out of business would go, would happen because of a cyber attack.
There is a very serious threat from cyber intrusions, but it's not often the threat we talk about.
We tend to imagine that getting inside is the big problem, and that once they get inside,
there's this risk of this big, massive institution-ending event, and that is certainly possible.
But much more frequent is the steady, low-grade degradation of trust in the systems that we use.
And once intruders get in, they need to sort of move laterally through these environments to find the target that will let them cause damage.
And there's still this large focus, and there always has been at sort of the perimeter and the edge
and keeping people out and stopping those institution-ending threats.
But if we focus more on the low-grade constant degradation and the constant exposure,
that's where the real challenge lies, and that's where innovation is really required.
But it's hard because, as you said, low-grade degradation is less sexy than cyber Pearl Harbor,
you know, or the cyber 9-11.
But it's interesting, I mean, we have this audience here of entrepreneurs, policymakers, and
Martine, you know, what do you think Washington gets most wrong about the security threatened
cybersecurity?
Or what are the things that you hear that most make you want to just tear your hair out as we
talk about cybersecurity and either the threats or other ways of dealing it today?
Yeah, actually, I think Washington is kind of what gets it right, actually, like, believe it or not, like, maybe not the response you're getting. The reason is because they take a holistic view to cybersecurity. And I think that's what we should all do.
So let me just explain. So I used to sit on these councils, which were like, this is back in
2000 to 2003, and they were sovereignty ending event councils, right? And so you'd have, I was like
the cyber guy, and then we'd have like the civil engineer, and then we'd have maybe the nuke guy
and whatever. And we'd all do these think tanky type things about like, like, you know,
how can you protect the critical infrastructure? What are the possible things that could actually
create sovereignty ending, which I think at the time, the definition was seven days without, you know,
basic services and so forth.
And in those types of think tanks, like,
cyber was just another piece of infrastructure,
and you take these very holistic views.
And I thought that the government did a very good job of that,
because it's got such kind of a deep understanding of these.
And so now every time I went to the similar type of panel,
but it was kind of more an industry-focused panel,
the conversation would go like this.
You'd say, like, oh, okay, well, listen.
So, I guess the nuclear power grid can go down,
and everybody's like, yeah, that's right, okay,
here's some incremental changes we can do the supply chain
of the technology. Okay, yeah. So nuclear power plants, you know, you can do this thing to them and like,
oh, yeah, okay, we can beef up physical security, you know, whatever. Cybersecurity, well, you know,
you can probably take down the internet due to a BGP attack. And then all of a sudden, we're like,
oh, my God, like, cyber security is totally broken. We don't know what we're doing. And so we kind of
evaluated it very, very differently than other pieces of infrastructure. And so I think, like,
I mean, I know you were looking for, like, what the government gets wrong. I mean,
I think we should actually look at what it gets right, which is it views this as one piece of a
broader problem that views it holistically. And I think as an industry, we should start
doing that as well. That's great. I mean, I think if, you know, I got a dollar for every time
someone said the government got something right I'd have like $3. So, I mean, I think, but what you
talked about like the analogy of how we think holistically, I mean, the issue I think that a lot of
people in this room or policymakers think about are what's the right way to talk about the threats
in cyberspace for voters and people are thinking about that? So Nathaniel, do you know, how should we
think about it? Is there like a right analogy or the way that we should talk about what the threat
is to make it real for folks who don't have the technical chops that the three of you all do?
So there are a lot of different analogies that people use, and the problem is that a lot of
them break down very quickly because we like, so. Nuclear deterrence is an analogy that everyone
jumps to, which is interesting because getting back to this earlier conversation,
nuclear deterrence is built around the model of a sovereignty ending massive event as opposed
to constant low-grade threat. It really doesn't map very well.
An analogy that I actually really like to use is thinking about the way the Secret Service protects the president,
which makes some sense in this room.
Sometimes people get very confused when I'm saying it in a different city.
But what's interesting about it is it's really easy to break into the White House, or at least jump the fence at the White House.
People do it all the time, right?
The Secret Service has learned this very fundamental lesson that threads through actually most of physical security,
which is a very high, impermeable perimeter doesn't work.
And in fact, at the perimeter, the defender has the greatest disadvantage.
The intruder can keep trying to get over.
Once the intruder gets over the fence and into your environment,
they're in an environment that in theory you as the defender control,
which is where you have the greatest advantage.
So if you think about what the Secret Service does, right,
you can jump the fence and people do it all the time.
There's been a bunch of coverage of that.
And usually what happens is 30 seconds later or 15 minutes later,
you get tackled on the lawn.
And that's actually okay, right?
It gets back to this notion of what is failure and what is success.
Someone jumping the fence doesn't matter unless they get to the president and cause harm and cause damage.
Someone breaking into your environment, if you stop them before they cause damage, isn't that much of a problem.
A similar example is if an intruder, if a criminal breaks into your basement and never gets out of your basement and spends six months inside your basement, how much do you care?
I mean, you care, but you care because they're a lot closer to your bedroom than they were if they never got into your basement, right?
We think about it as a binary event. They get in and we lose. And it's not really the way it
works. And if you think about these models, the way the Secret Service works, the way law enforcement
works, the way a lot of physical security works, they have these strategic approaches
that focus on understanding the environment and controlling the environment. And that understanding
and control is what gives defenders their advantage. Interesting. Now, what do you think?
I mean, you're clearly hiding things in your basement.
Yeah, I have lots of people living in my basement.
I agree with that.
The analogies are really hard, and I think, you know,
I think thankfully we've moved beyond the 9-11 Pearl Harbor analogy,
which was inapt, I think.
And, you know, coming at it from a sort of Washington, D.C.
and national security perspective,
I think much of what we talk about as cyber attacks
and cyber threats are really not the kinds of attacks
or threats that rise to the level of our national attention.
You know, for me, they're annoying, they're somewhat disruptive.
For me, the sort of cyber security hit home several years ago.
I was at NSA as the General Counsel there and starting to think about cyber.
And I think now about what we see going on from Russia, for example.
That deserves a national response.
You know, they have seen cyber as a vector to carry out their very aggressive foreign policy.
So those, that's where really the rubber hits the road for me,
for cybersecurity and where we need as a government to work with the private sector to figure out
how to protect the nation from that level of attacks. But increasingly, I think as Martin rightly
said, those level of capabilities are falling into the hands of criminal organizations and much
less sophisticated groups. So that's the concern, I think, as you look ahead.
I mean, Matt, you raised an interesting point about how do you stop this and what is the concern?
And the way that most of us think about, of course, are passwords. So as we think about,
this, what are, there are a lot of different ways to protect our physical environment. So,
what's besides passwords and what's, what's coming next? I mean,
Martin, is it, is it voice recognition? I mean, you see a lot of interesting things on the
investment side. Yeah, yeah, yeah, and what's next? Yeah, so I'm, like, if you guys can't tell,
like, I'm super obsessed with, like, the interface between the cyber world and the physical world.
Like, and the way that I described it in my talk, I'm like, we've got all these really
sophisticated cyber context, concepts that were actually applying to physical security.
But it actually turns out that the reverse is true, which you can take like physical concepts and physical roots of trust and bring them into the cyber world.
And in the past, that's been very difficult because any time that you take electrons and you tie them with atoms, it's actually very difficult because of the distribution problem of the atoms.
But the iPhone has solved that.
So if you think about it, you know, everybody has a smartphone these days.
Or, you know, to some first order approximation, everybody has a smartphone.
And that smartphone connects that person to the physical world.
It's got all of these sensors.
It's got accelerometers.
It's got speakers.
It's got cameras.
And so you can take that physical set of atoms, all of those sensors, and you can tie that to the cyber world in pretty meaningful ways these days.
And so we see a huge growth in companies that are trying to exploit this so you don't have to do things like passwords.
I'll give you an example.
There are companies that can detect very, very accurately who you are by how you walk, just using the accelerometer in your pocket.
There are companies that will take, if you have your phone out, what they'll do is they will use the speaker to send out like a hypersonic sound that you can't hear, then, sorry, they use the speaker to do that, and they use the microphone to collect it, and they can actually map out a physical room. So they can, like, within the microphone, map out using basically sonar, just using an iPhone, a physical room and determine, like, if you're in your office or not. There are companies that will determine, like, how fast you type. And all of those things will, like, uniquely identify you in the physical world and make that available to you in the cyber world. So I do think that we're getting very good now that we have a proliferation of physical devices with a lot of sensors are getting to a place where you can, for example, know pretty well that it's you that is logging into your bank account, even though you don't have to kind of regurgitate those, you know, 30 numbers or whatever that was.
Is there a silver bullet? I mean, that sounds pretty optimistic to me.
Well, so I think this is a trend that I'm tracking. I mean, like right now, I think it's going to be a
long time before we get rid of any single factor. But I do think that we're seeing multi-factor
authentication. That means I try multiple things. Like, I will do the password and I will determine
where you're coming from. And so I actually think that the trend is going to be more usability because we have these physical access.
Interesting. I mean, there's a lot of ways that our devices can then identify us, like, through their... Matt or Nathaniel, I mean, hearing that, you know, wearing your counterterrorism and NSA hats, are there things that make you scared? I mean, are there new threats that are created by something like that?
It goes back to this basic point that all of these are, you know, these are neutral technologies,
but they could be used for good or ill, right?
And they both bring us a great degree of security and freedom and convenience, but they also create vulnerabilities.
So, you know, this convergence of the physical and the cyber, I think it's exactly the right
place for us to focus because it holds out great promise for more security.
But even these identity authentication innovations, they still leave open broad areas for our networks to be exposed, even as we make progress there.
And I think that's a place that I'm particularly concerned about large companies and critical infrastructure and their networks.
So, you know, there's a joke kind of in the intelligence community that when you see flowers, someone asked, well, who died?
And you're always looking for the most pessimistic view.
But I think from this panel, it's interesting to hear about reasons for optimism. So Martin talked about his, so Matt, Nathaniel, like, where,
what are you most optimistic about when it becomes, when it comes to, uh, the threats in cyberspace
or what we've been talking about? I think cybersecurity is a really young discipline.
And we forget that, right? These other, the physical security disciplines, we've been building
them for decades and centuries and millennia. And we've learned a lot. And we know comparatively
very, very little about cybersecurity. And so we feel at a loss. But I think there is a lot we can
learn and build from. And we're very, very early in the stages of figuring how to protect this.
And if you look historically at technologies that have upended conflict and made it much easier
to be an attacker than a defender, there are any number of these throughout history, from
armor and World War II to gunpowder in sort of the 16th century, in Europe. And in each one,
you have a radical period of instability. And then you have a group of defenders that get together
and figure out how to fix the balance and move things back. And each time when they do that, it's because
they think about understanding and controlling the environment, and they deploy these same tactics.
And so I'm incredibly confident we'll get there, because if any of you look historically at the path,
we do get there. The question is how long and how complex and what the cost is.
Interesting, Matt. Maybe a renewed and proper sort of trajectory for the trust between Silicon Valley
and technology companies and the government. Something that's been, I've been very concerned
about in the post-Snowden era. As Matt mentioned, I was the general counsel at NSA back in 2010 and 2011. So I sort of worked on the programs and I saw what happened when they
revealed and I saw what happened in terms of that working relationship, which is ultimately sort of
fundamental to innovation and ingenuity and really the ability for government and in our,
in our technology community to work together to solve these problems. I am much more hopeful
today than I was three years ago. And so I think that's on the right path. So Matt, you know,
from all your, probably hundreds of hours in the situation room, what was the moment that made you most afraid?
To be clear, I know Matt well, I did not.
I interrupted.
I'll throw a friend.
When I got asked questions I couldn't answer by the president.
Yeah, that would be a pretty scary moment.
But, you know, I think, you know, I really was there for a lot of the turmoil around, you know, sort of things that happened in the moment.
So crisis in the moment, Benghazi, the Boston Marathon bombing. And, you know, I wasn't afraid, but those were, you know, what I think makes,
maybe pivot a bit and say, what makes me afraid today is another attack on our country,
a terrorism attack or a major cyber attack, and whether we're prepared to have the right response
and have a calibrated response, I think going back to your initial comments, Martin,
particularly in the terrorism realm, I'm a little concerned about that.
Thank you very much for a great panel. I really appreciate all the time you made.
Thank you.
