The a16z Show - a16z Podcast: Cybersecurity in the Boardroom vs. the Situation Room
Episode Date: June 18, 2017
"We're always fighting the last war" -- that's a phrase historians like to use because policymakers and others tend to be so focused on the threats they already know, and our mindsets and organizational structures are oriented to respond that way as well. And in the "situation room" of nation states (including the intelligence briefing war rooms in the White House), much of the security conversation is necessarily focused on the worst possible scenarios, broader context, and attribution as well. Companies, however, unlike nation states, do not have to worry so much about attribution (who did this? why?) or even as much about the sexy, headline-grabbing threats. In fact, they may be better off focusing on security hygiene and basic metrics for assessing risk in the boardroom -- much like they review financials regularly -- argue the guests in this hallway-style conversation episode of the a16z Podcast. Herb Lin, who is Senior Research Scholar for Cyber Policy and Security at the Center for International Security and Cooperation and is also at the Hoover Institution, both at Stanford University; David Damato, Chief Security Officer at Tanium; and a16z policy team partner Matt Spence (who among other things previously spent time at the White House working with the National Security Council) begin by sharing their views on the term "cybersecurity" and end up with practical advice for a security boardroom 101. No matter what, security should have a seat at the table.
Please note that the content here is for informational purposes only; should NOT be taken as legal, business, tax, or investment advice or be used to evaluate any investment or security; and is not directed at any investors or potential investors in any a16z fund. a16z and its affiliates may maintain investments in the companies discussed. For more details please see a16z.com/disclosures.
Transcript
Hi, everyone. Welcome to the a16z Podcast. I'm Sonal. Today we're continuing our "taking the cyber out of cybersecurity" series with Herb Lin, who's Senior Research Scholar for Cyber Policy and Security at the Center for International Security and Cooperation and is also at the Hoover Institution, which are both at Stanford University. We have David Damato, Chief Security Officer at Tanium, and a16z policy team partner Matt Spence, who, among other things, previously spent time at the White House working with the National Security Council. The hallway-style discussion ends up focusing on practical advice for changing the conversation about security in the boardroom as opposed to the situation room. And we begin with considering the term cybersecurity, and the very first voice you'll hear, really briefly, is David, followed by Herb Lin.
By the way, for a quick second, can I just say how annoying a term cyber security is? I feel like only policy people actually say cyber, and people trying to get research funding. And security vendors. That's a good question. Actually, what is the alternative? This is like that word synergy, where it's like a really useful word, but everyone hates it and there's no better alternative. I guess just security.
Let's start with the word cybersecurity, okay, as one word, cybersecurity, no space in between them. It matters because the Oxford English Dictionary, which I regard as the authoritative source on the English language, has taken over the term, especially on cyber because it's so up to date. They are up to date. Their last year's word of the year was an emoji, so they are pretty up to date. Cybersecurity are those things that are taken to defend and protect the computer system or the information inside it. Notice that it's a completely defensive orientation. If you put the space in between cyber and security, cyber space security, you start thinking that now it's the security of the cyberspace or the cyber domain, which is a very different thing. If you think about the term national security, nobody leaves the space out. Two words, not one word. And if you start thinking about the security of the nation, that gives you a whole different perspective on it. It's all of the things that you might want to think about in terms of what would make a nation more secure. And so depending on the context, I'll use a space or not the space, but of course, in giving talks, you can't make that distinction. You could actually do the air quote thing and be like cyberspace security. Right, right. But I think, you know, conceptualizing it to me, of cybersecurity in the same sense that the cyber plays the same role that the word national plays in national security, that puts a whole different spin on it for me. A qualifier. That's right. That has important implications, both on the defensive and the proactive thinking around it.
Historically, with the development of weapons technology,
there was a period where we were trying to make more and more powerful weapons.
So we got bigger and bigger bombs and so on.
But nobody uses nuclear weapons.
Thank God.
Yes.
There has been a trend away from weapons that have a very large boom
to weapons that have a much smaller boom.
And there's a sense in which cyber weapons can do something that would just be an annoyance to somebody, to something that might, you know, destroy the entire system or systems to which this computer is connected. And it can do anything in between.
Yeah, you're right. I mean, these different gradations, I'm even seeing people use them as a form of expression, even doing something like doxing, you know, or denial of service attacks, just a single company because they're annoyed, or even like a form of protest. Some people consider this like the modern equivalent of just spray painting on a wall. But, you know, it has enormous financial and other consequences. So it's kind of interesting, actually, to think about that, because you would never have done that with a nuclear weapon, obviously.
Exactly. And so the tendency here is that cyber weapons are weapons that are eminently usable for a variety of purposes. And one of the most interesting things in the past 10 years is that nations are starting to wake up to this. They're starting to see that these weapons are enormously usable. There's no legitimate use for private citizens to have nuclear weapons. This is a type of weapon which is held by states, who have the monopoly over the use of force. Cyber weapons are totally different. We want, for a growing economy, people within our country to be great hackers, to come up with technological innovations, to have that power in their hands, and the same power that they have to create the innovation we want can be enormously destructive. And as the government worries about that, it's really hard, because you think about cyber as a threat on the one hand, but on the other hand, it's part of our economic growth.
And isn't this part of the reason why some of the best and worst attacks come out of Russia, because you have a lot of code-savvy kids who are very competent, but who don't have a lot of economic options, like to be in jobs?
Yeah, we've seen this particularly in a lot of the financially motivated crimes that have been perpetrated.
Like ransomware?
Ransomware, or even something like a lot of the bank heists that we've seen. One of the first cases I ever worked on back in 2010 was a bank that lost about $10 million overnight. It was a gang of criminals who were loosely affiliated with each other, who had a reasonable set of skills from their computer science degrees, from their experience and education in college, who had combined with some individuals with banking knowledge. And overnight, they were able to steal $10 million in a very sophisticated way. And again, not associated with a nation state, not associated with a tremendous amount of resources. You have to be a major power to be able to operate something like a nuclear weapon, have a facility, the infrastructure involved. And with code, you can be anybody.
But the other thing that strikes me as a big difference, for example, in cyber, which is a big deal, is that you need the materials. You need enriched uranium and plutonium to build a nuclear weapon. Cyber weapons are basically knowledge. It's even worse than that. The knowledge has already been formulated into tools or weapons that you can then use as an answer to the same. It's repurposable code. It's repurposable, mashable weapon creation. But the fundamental point there is that it's bits, not atoms. And yet the effect, however, can have a physical effect on atoms. Absolutely, because we want to connect the atoms and bits. But governments are oriented towards control of atoms. You know, that's what border controls are about. And so it's really hard.
I did probably about 110 investigations over the past decade.
And by the way, who were you that you were doing these investigations?
I was an incident responder.
You know, so I started off my career as what's called a penetration tester, which means that someone paid me to break into systems.
I thought that was only in movies.
I'll be honest with you.
I was not very good.
But within about a week or less, I think my best was about two hours, we were able to break into some of the most secure locations in the world, physically and based on information technology.
Not to minimize the seriousness of that, but one of my absolute favorite movies of all time is Sneakers. Their job is to be like the penetration testers, and they actually get like enlisted by the NSA to break into someone, and it actually turned out not to be the NSA, but anyway.
They did way cooler stuff than I did.
I guarantee it.
Anyway, so you had all these investigations.
Right.
And so we did all these break-ins, right? And I realized how easy it was. And we switched over eventually, about six years ago, when I started doing investigations, because it was much more difficult to actually find an attacker and trace it back than it was to actually break in. So I went sort of the opposite side since I had that knowledge and methodology. And what I found over time is not much has really changed since, because we continue to focus on the things that are sexy, right? It's these things like hygiene that are the issue. The basic solutions are things like better security for IoT devices, network segmentation, preventing things being accessible from the internet. These are not complex topics. And that's what I've tended to see over time. You get into these boardrooms and the topics are overly complex. Like security is a very complex topic. Board members are very high level. They're simply really interested in things that are in the news. So if you look at things like China and Russia that don't impact most organizations, they want to know who's attacking and where they're from, what they're doing. And to be honest with you, that's not something that's typically helpful. It's a distraction from the real conversation.
It's interesting you say that because attribution is hard. At a certain point, like you can have all these people claim one thing or another, and then other people actually have theories about what happens. But at the end of the day, there's politics in the attribution, the act of attribution itself. It almost matters to focus, to your point, on like trying to prevent and solve and address.
And for most organizations, the attribution doesn't matter. For the government, it absolutely matters. But as a corporation, what will you be able to do? You're not going to be able to hack back that country.
The reason why attribution matters in a situation room is Russia trying to influence United States elections. You know, is this an act of war? Like, the questions that happen in the situation room need to be these big questions about how cyber relates to our entire national security.
When you're in the boardroom, maybe the first question you'd be asking is, have you trained your employees on how to address the most common cyber threats? So if something's really hard to use and people aren't going to use it, you know, this is how it is. You know, most people look at the cyber training video like I do the airline safety video when you board your flight. And you're like, well, I fly a thousand miles a year. I know there's an airbag. I know the window seat. And you just ignore it.
Recently, we heard about an attack on the domain name system infrastructure against a company called Dyn. What was newsworthy about it was that it was a large distributed denial of service attack that was largely caused by compromised Internet of Things devices.
Specifically a component within them that had malware.
That's right.
There was malware that had been used to infect the whole millions, literally, of IoT devices.
And the bot master put them all together to create a DDoS attack online.
Wait, the bot master, is that a real thing?
That's a comic book hero right there.
He wears a cape.
Right.
He wears a cape and has a black hat.
But no, it's the party that's responsible for the botnet, and may not even be a single individual. But anyway, what was newsworthy about it was that it caused a bunch of consumer-facing websites that relied on this infrastructure to be inaccessible to you and me. And what's interesting about it is that we've been predicting this. We've known that this was possible for a very long time.
Honestly, I think most people woke up and are like, what the hell just happened?
It's certainly not surprising to any technical person. There had been other smaller IoT-based attacks on stuff, but yet it got all this attention. And people said, hey, you know, it woke people up.
Seven years ago, when Stuxnet hit the news, Stuxnet was the alleged American and Israeli cyber attack against the nuclear facilities, enrichment facilities, in Iran.
My friend Kim Zetter wrote the definitive book on Stuxnet.
And that was, by the way, the first case ever that we know of where, at least the way I heard it, computer malware had a physical consequence, because it took down a nuclear facility.
It did have physical consequences. It was certainly not by any means the first time. I'll tell you a very embarrassing story. The first time I was interviewed about Stuxnet, the person said, and what do you think the impact of Stuxnet is going to be? And my answer was nothing. There was going to be no impact of it at all, because every computer person knew that it was possible and this was nothing new. I was totally wrong about that, because what it did was it woke states and policymakers up to the possibility that this was a possible, feasible thing to do. It may have been the first documented instance of a large-scale attack on something physical that people noticed. But certainly there have been people who have caused physical damage by computers before.
And lately we've been seeing more of the DDoS attacks in the news. And to an earlier point about the smaller gradations in the annoyance cases, you see a ton of DDoS attacks when they're like personal vendettas, against like a disgruntled employee leaving a company or something. It could be anything.
The specialists usually differentiate between three different attributes that you want to defend. Ironically, the acronym is CIA, right? Confidentiality, integrity, and availability. A DDoS attack is an attack on availability. That is, it means that your system is no longer available to do the things it's supposed to do for the people who are supposed to be able to use them. Violation of confidentiality means I steal your credit card numbers.
You still have a credit card in your hand.
It's not like a dollar bill.
I take a dollar bill from you.
You don't have it anymore.
These like identity hacks and things like that.
There are hacks of information.
Right.
And since information can be duplicated perfectly without your ever knowing it, I can have the information and you can have the information, and you won't know it until I use it somehow in some way that's bad for you.
And attacks on, compromises of, integrity are changing the data or the program or deleting it or somehow affecting the actual bits that are there. Attacks on integrity mean that you've actually changed the data or zeroed it out or something like that. Malware can be used to do any one of those things or all of them. It's the generic tool; it's a computer program, loosely speaking, that will create compromises in any of those attributes. Integrity tends to be one of the most devastating attacks because you typically don't know what's happened. The best example that I have of integrity versus confidentiality...
Yeah, because I'm having a little bit of a hard time with the distinction.
You go to a physician.
Your medical records are in a computer.
Would it be more concerning to you to have your records published on the internet
or to have somebody screw around with the data inside to change your blood type?
Or you get the wrong drug as a result.
The difference is on the one hand, you're embarrassed.
On the other hand, you can be dead.
I think the theme here, too, is we're very reactionary. So it takes certain types of breaches to wake us up to a possibility we all knew about. If you walk through the timeline, you go back and start with Google in 2010, when they're the first company that came out and actually talked about Chinese state-sponsored actors. This is something the government and a lot of people knew about at the time. And it's the first commercial organization that actually came out and said it and made people aware. And we need to take note of that.
I mean, there's a phrase historians always use. It says we're always fighting the last war. What does that mean? It means that you look back and like, let's prevent the next Pearl Harbor. Well, the next Pearl Harbor doesn't look like what happened before. It's a new set of threats. It's coming from an enemy you're not expecting. It's going to have a direction you didn't even think about. And so rather than trying to win what's called yesterday's war, let's think about the new threats.
You know, I want to pause for a moment, because it's actually really interesting what you said about the last war, because we're so oriented as human beings on what we already know. We're very bad at seeing the consequences of things that we've built that are complex systems that evolve with behaviors that we cannot predict. And I'm even thinking of things like Facebook, where you think you're just friending people and it's social and you're seeing cats. And then actually that becomes a whole new paradigm for all this data that's powering deep learning. So in a way, the very thing you're describing begs the question of what the appropriate response is. Like, do you just only know the appropriate response based on your current toolkit? Like, what happens?
There's a lot of companies that are now doing advanced threat modeling. And they're doing something called red teaming, where they're bringing in individuals and then simulating attacks and practicing their response. And they're actually running through a real attack. They're constantly running simulated attacks, and the defenders are practicing their response, and they're looking at the results to see how they're improving over time.
But isn't the very point that we can't always predict? They're basically getting the operational machinery in place to be able to know how to respond. But you don't actually know a lot of these threats completely.
No, I think actually they're not unpredictable. A lot of them are following the same trend. An attack isn't made up of one action. It's usually made up of multiple actions. And so what you may see is one different action in that attack, and probably multiple, maybe 10 or 12, of the steps that you've seen in previous attacks. So in most cases, you're looking to detect those things that are not new in the organization or not new during the attack.
And I think that's a reasonable approach.
Understand your network better than anyone.
Few people realize it's kind of like, you know, know thyself first.
Know yourself, of course, is the classic dictum of Sun Tzu. And there are very few organizations that really understand their environment.
There's a really great quote by Rob Joyce, who actually headed up the NSA TAO, which is the arm in the NSA that plans and carries out hacking attacks against foreign nations. And this was at the Enigma Conference in San Francisco last year.
One of the things he said in his talk was that most organizations don't really understand their own organization, their environment, and that many cases attackers understand the environment much better than the defenders do.
That's so counterintuitive. How is that possible even?
Well, you know, I think it goes back to how distracted a lot of security leadership is.
So I'll give you a great example. I was talking to a chief security officer the other day.
And they were talking to me about how to protect mobile phones.
Meanwhile, when I asked them how many systems they had in their organization, how many endpoints they had, computers and servers and things like that, they had no idea.
So that's pretty common.
You ask, how is it that the attackers know the system better than the defenders?
The attackers know it because they have to get the details right.
That's a must for them to succeed.
And you never see the attackers who don't get the details right because they're never in your system.
It's only the guys who are in your system that have gotten the details right.
The other thing they do is they know human behavior.
You know, systems are very different.
Systems are very complex.
But humans are pretty similar.
Humans get frustrated.
They get impatient.
They take shortcuts, they get annoyed.
Yeah, when I was at PARC, we had a special group dedicated to what was called usable security for that very reason, because the fundamental breakpoint in any system will always be the human, the error, the psychology of a person and the details related to that.
I'd say the other challenge is that as an attacker, I can keep trying my attack as many times as I want.
So every time you catch me, I simply restart my attack because there is no accountability.
There's nothing to lose and everything to gain.
Exactly.
Okay, so just to switch gears, you've talked a ton about hygiene and some of the basic stuff that needs to be done. But how do we then need to think about what happens in the boardroom?
There's just this tremendous gulf between what's happening in the situation room and what's happening, or needs to happen, in the boardrooms. Now, if you're in a situation room, the members of the president's national security cabinet look around the table and look at each other and wonder, who is attacking us? Is it Russia? Is it Iran? Is it North Korea? How do we find that out, and how do we make sure that we know where it's coming from?
Obviously, okay, so the attribution matters in the situation room because you then know who to go after, obviously.
I mean, part of the attribution is how do you deter other states from acting against us? How do you respond to them when they've done it? And how do you talk to the American people about what's happened? These are like the sexy, high-level cyber issues. You know, the ones that you read about in the newspapers. The boardroom issues are very different. You know, the boardroom issues are, how do you have the basic hygiene to stop yourself from being attacked? The equivalent basic advice from a doctor would be, you know, eat less, sleep more, drink less and don't smoke. The cyber conversations that we often have in the situation room are more of the fad diet. They're dealing with the most advanced threats to companies right now. And those, frankly, aren't the major threats that most companies need to deal with.
Is there sort of a boardroom 101 for what people should do with this information?
There should be.
And the challenge is right now there's no standardized way to report information to the board. So if you look at when I report financial information, I have my 10-K or 10-Q, I'm reporting financial metrics in a similar way, so that if I'm a board member on multiple boards, I can interpret that data and make sense of it. Each board is getting a different set of data, and it's not always complete. And so one of the things that probably needs to happen in the near future is to define a set standard that ensures that boards are first educated on what cybersecurity is.
So they have to be knowledgeable about it, just like they have to know about financials, right?
You wouldn't expect the board member to join and have no understanding of financial information.
So I think that's incredibly important.
You have to link it back to the impact in the organization to make it relevant to the board members.
So they actually understand there's a risk, but what's my impact?
What's the cost?
Like quantifying it.
Exactly. How does it impact my business and how are we trying to mitigate that?
How do you measure something like reputation, though? That's a really tricky one. There's no financial, tangible number for reputation, trust loss.
That's right. It's sort of a finger in the air. And that's what a lot of the insurance companies really struggle with as well when they're insuring. But that's not a cyber issue. I mean, Johnson & Johnson had to deal with that when they had the contaminated Tylenol, you know, incident way, way back.
In the Sony case, wouldn't you say that there is sort of a reputation?
Of course. Of course there is. But what I was saying is that it's not new to cyber.
Ah, I see your point.
You just have reputational risk all the time.
That's right.
No matter whatever stupid thing you do damages your brand.
I would actually argue something slightly different, though, because there's something intangible and dangerous and more subtle and pervasive involving cyber. Trust is a shaky thing. When you have like a specific actor, a person you can pinpoint and see that guy's the asshole who gave our secrets away, you feel okay that you have a scapegoat. When your scapegoat is just a distributed, nebulous, faceless attacker, that makes reputation management very difficult, I would argue.
Yeah. So the other thing I would add to reporting to board members is there's two things that are important. One is the metrics should communicate risk. A lot of the metrics I see are things like the number of attacks. A, I don't know what that means. And two is I don't know what the risk of that is, right? What is an attack? What is an event? The other component is, can I measure that over time? Board members don't want to pick up a packet and then see a metric that is different from quarter to quarter and can't be measured.
So it's true in financials too.
Exactly. So we want to see trends, so that we can ask questions on odd trends. We want to see whether we're improving or we're not improving, and then be able to ask questions in those areas.
So I think that's incredibly important and something I don't see a lot of.
There's one other aspect of this, which I want to raise.
It's not necessarily a board issue.
It could be a senior executive leadership issue.
But the problem is the following, that we are asking collectively our computers to do more and more.
We want more and more functionality.
The only way to do that is to have your systems become more and more complex. Complexity, as everyone knows in the security business, is the enemy of security. And so what we're really trying to do is we're trying to make information technology do things, and we don't know whether or not we can do them securely.
Let alone where they come from. Right. Because the very definition of complexity is, you don't know the source, the cause, anything.
That's right. And so it may be that in the future, and I think we're actually there now, we're sort of at a tipping point, that we need to find a way of having a disciplined conversation about whether the security risks are too much, to say, no, we're not going to go down that path.
And we're not going to ask them to do the functionality that we're asking them.
And then we're going to scale back our expectations.
The security people have to be in the room when they're trying to think of a new offering
and so on.
They have to be involved from the start.
They can't be given the security as a, here's what we want to do, now go make it secure. That can't be the way it goes.
And you have all these other companies now coming to the arena that weren't technology companies, you know, manufacturing refrigerators or toys or cars. And now they have to be responsible for security. So it's completely new for them, right? And in many cases, a lot of these companies don't even have security visions.
Right. And you can't outsource it. You would never joke and say, I'm not a numbers guy, so I don't really know, you know, sort of like what our debt load is. We're all in security, basically.
This is interesting because it's following the arc of evolution of tech. You know, we always say like you can't silo the internet division, back in the day when there was an internet, like you can't silo the chief technology officer.
You can't silo technology.
And now you're saying you just can't silo security.
It has to have a seat at the table.
And maybe returning to your first question, why is cybersecurity the wrong term?
Because security is not just about what we consider cyber.
It's not about your laptop.
It's not about your mobile phone.
You know, it's about increasing your patient health records.
It's about everything you use every day.
It's about things that you touch that you want for convenience.
And suddenly that all becomes a security threat.
So it's not this narrow thing.
It's everything we're doing.
And that's why we should be worried that we're not doing enough.
Everything related to information and anything that touches information.
Which is everything.
Well, clearly we're living in the future, as you said.
Thank you for joining the a16z Podcast, guys.
Thank you.
Thanks.
