The a16z Show - a16z Podcast: Security's Painful Prominence and Why There is No Turning Back -- with Marc Andreessen

Episode Date: March 31, 2015

Cyber attacks are growing in number and impact, and the reason is simple: there's more of value (and more vectors to) steal in our increasingly virtual world. So how are we to continue to move forward... along this connected path as a culture and as businesses? Marc Andreessen tackles that question in this segment of the a16z Podcast -- against the backdrop of ever-more sophisticated hackers and hacks, Edward Snowden, and the rise of trillions more devices coming online. Still, despite the real risk and pain of cyber attacks we won't go backwards -- we have no choice but to move forward, says Andreessen. "The reason we don’t have a choice is there’s too much value in the virtual world." Smartphones, the internet; pick your favorite device, app, or service... ask yourself what (if anything) you would be willing to give up. Not much, right?

Transcript
Starting point is 00:00:00 The content here is for informational purposes only, should not be taken as legal, business, tax, or investment advice, or be used to evaluate any investment or security and is not directed at any investors or potential investors in any a16z fund. For more details, please see a16z.com/disclosures. You guys know Marc. I'm Michael Copeland. I'm a partner with Andreessen Horowitz. Marc, I like to think of Marc as the co-founder of the web. You're a co-founder of a child now. And co-founder of the firm. So we want to talk about a wide variety of things, but we want to focus the conversation on security. You have this thesis, Software Eats the World. And as an observer, somebody in the industry, we see that security breaches seem to be increasing.
Starting point is 00:00:44 The severity is increasing. And the question is why? And I think the answer is there's more to steal. But how do you balance the gains of this software eats the world dynamic with what clearly are real risks. Yeah. So, well, the short, I'm a radical on this topic, so the short answer is we have no choice, and I'll come back and explain why. So if you had told me 10 years ago, maybe even five years ago that we would be living in a time when, A, the President of the United States apologizes on the Rose Garden lawn for a website that doesn't work that cost $600 million.
Starting point is 00:01:22 The $600 million part would not surprise me, the fact that it didn't work, maybe it would have been slightly surprising. And the president was apologizing for it. Two, that the major Democratic political candidate is in serious trouble over running her own email server. Which is a fairly remarkable thing. By the way, she has established, without taking a political stance on this, she has established there's no problem because the email server is perfectly secure because the secret service was guarding it. So there may still be some technical details lost in translation about how hacking actually
Starting point is 00:01:53 happens. And then, you know, third that a major corporation, you know, a major corporation, you know, corporation making actually a very funny movie people haven't seen it the the the North Korean movie is actually quite quite entertaining The Interview, The Interview is actually quite entertaining but that a major a major Japanese and American corporation would be brought to its knees by hacking from an alleged nation state over you know over offenses to its leader to the point where the studio had you know has since gotten gotten forced out I mean we can just go through
Starting point is 00:02:22 you know many many many examples of this you know it's it's an amazing time you know like all of you I remember when this you know I remember when the movie WarGames came out, right? And it was just like, you know, okay, we have to worry about the 14-year-old kid, right, hacking out of curiosity, but we don't have to worry about nation states and criminals. So, you know, I think one interpretation of where we are is, like, we're making these sort of incremental steps in terms of like we bring the world more online or we bring in more software, and then we have more security, and then, you know, sort of, the question gets phrased, kind of like you phrased it, which is we kind of have these choices to make about
Starting point is 00:02:49 how connected the world is going to be and about how much software we're going to have. And somehow if we decided that it was too risky from a security standpoint, we would somehow stop doing all these things, which I think is just not true. I think the reality, the assumption we have to make is that basically the way I think about it, the world is going virtual, right? So we've all lived in the physical world forever. Increasingly, we all live in the virtual world. And of course, we eat and sleep and breathe in the real world, but all of our, you know, communication and business and information and, you know, our reputations and our, you know, education and entertainment, all these things,
Starting point is 00:03:22 all the things that actually kind of make, you know, make life vital and interesting, increasingly are happening online. Another interesting thing about the world we live in today is, and if people have noticed this, remember the phrase surf the web? Like, it's just gone, right? Nobody ever says that anymore. And it was weird where, like, everybody says surf the web up until, like, I don't know, 2008 or something, and then everybody just stopped saying it.
Starting point is 00:03:42 Because now that we've got smartphones, we're just on the web all the time, like, we're on the web all the time. Like, why would we not be on the web? It would just be bizarre, right? And so the reality is we're going to live in a virtual world. We're going to live in an online world. We're going to live in a software world. Because we're going to live in that world, that is where, you know,
Starting point is 00:03:56 virtually all of the value is going to be, which means that therefore it is where virtually all the attacks are going to be. Now, it's indisputably true that the computer industry over the last 50 years was not built with that in mind, right? And so, you know, describe, will give us some more detail on that? Well, I don't, you know, I mean, just,
Starting point is 00:04:15 I'll just, you know, maybe this is a good room for me to confess my sins. You know, when we wrote the code for Netscape, I was when we wrote the code for Mosaic in 1993, I mean, I had never, you know, I thought myself I was like an okay programmer, but I had never heard of the term of a buffer overflow bug.
Starting point is 00:04:28 And in fact, I actually need to look up. I'm actually not sure that the term even existed at that point. So it wasn't your fault. It wasn't my fault. It certainly was not my fault. When we invented JavaScript at Netscape, 1995, the concept of cross-site scripting was a complete unknown. I don't think the people who invented, you know,
Starting point is 00:04:44 the IBM researchers sort of invented SQL in the 1970s. I don't think they had any idea of SQL injection. All these concepts, you know, like I said, it's one thing if it's a kid writing a virus that spreads on Apple II, is spread through floppy disks. It's another thing to have serious, sophisticated adversaries. Actually, this is the other thing that I find amazing. The NSA, think about this.
Starting point is 00:05:04 Living in a world where, number one, a 29-year-old contractor can walk out of the NSA with a thumb drive that contains like everything. Like, apparently, everything. I mean, number one, that they're that porous. And then number two, even though they're that bad at their internal security, the sophistication of the hacks, like the thing that came out this week
Starting point is 00:05:20 about how they've been hacking iOS is actually quite impressive. Like, as a taxpayer, like, I'm pretty thrilled. Like, you know, it would not have been surprising if a large government bureaucracy had not actually been good at their job, and this one seems like they've been quite good. And so it's just like there's just historically we just didn't anticipate living in this world. And by the way, I would argue the arrogance required to have assumed that the technology we were all building was going to be this important. I mean, not that we weren't, we were all called megalomaniacs anyway, but we would have really been thought if we're out of our minds. And so I think it's just the nature of the beast. I think it's just the case, you know, that by and large, our industry is going to build the products it's going to build. The customers are going to use them.
Starting point is 00:05:59 The environments are going to be what they're going to be. There are going to be people responsible for security who are kind of on the hind foot a lot of the time. I think that that's the nature of the beast. The good news is, and I think you guys are all examples of this and I think you see this, is the importance of security and cybersecurity and organizations has risen maybe to the ultimate level now. I'll just tell you, in my experience, you know, working with big companies, the Target hack has probably had the single biggest effect, where the CEO got fired. And this is one of those things like, you know,
Starting point is 00:06:30 this is fresh in mind because I'm thinking about how to deal with kids. But like if you're dealing with CEOs, like the way to like establish that somebody's actually responsible for something is to fire somebody. Like when a CEO gets fired, that's a pretty big signal. All the other CEOs, right, like the dogs watching TV, they're all like, oh, like we're going to have to pay attention to that. And then the other thing and the Target thing that's worth watching
Starting point is 00:06:51 is the boards of directors, right, major corporations are under a lot of pressure from governance, from governance groups on lots of topics already. And as a corporate director right now, you kind of, what you really don't want to do is you don't want to get sideways with this firm called ISS, which is the firm that advises a lot of the pension funds and index funds on how to vote their shares, because it's the fastest way to get booted out as a director. And ISS is now coming down on the Target board of directors, right, for not being sufficiently worried about cybersecurity. I guarantee you that the Target board of directors, I'm sure, are all stellar, like, really knowledgeable, like, you know,
Starting point is 00:07:25 former top business leader, CEO, CFOs. I guarantee you they have no idea what any of this stuff is. I guarantee you they thought that this stuff was all being handled, not just in IT, but they thought at the board level, what happens right at these board, you guys probably all know this, but what happens to these boards is sort of cybersecurity rolls up to risk, which rolls into the audit committee, right, which is the committee that deals with accounting topics and then cybersecurity. And then the audit committee does the readout to the full board and says, oh, don't worry about it, everything's fine. Right? And so it's for the first time this year, you know, major Fortune 500 boards of directors are all of a sudden realizing this is their thing that they have to deal with.
Starting point is 00:07:59 CEOs are now realizing this is their thing that they have to deal with. And so, you know, the minds, you know, and arguably this should have happened five years ago, maybe 10 years ago. It certainly needs to happen now. The repercussions of this change, I think, are going to be very big. So you're a CEO, like you say, we live in a virtual world, and we as customers, and we as people who work in the world. We live in a virtual world. You're saying we don't have a choice. This world is here.
Starting point is 00:08:25 But at the end of the day, if I'm in charge of security, if I'm a CEO, I still have to do something. So how do I move forward or move through that world? And how would you describe that? Yeah, yeah. And I should complete my earlier thought. So the reason we don't have a choice is because there's too much value on the other side. There's too much value to living in the virtual world.
Starting point is 00:08:44 I mean, it's like saying, I don't know if we're secure, it's why I'm going to keep using taxis, right? It's like, you know, maybe there's a couple people who will do that. Most people won't do that. You know, I don't know if, you know, media people in the room, but like, you know, executives. But, you know, I don't know. I don't know if, like, New York Times.com is secure. I think I'll go back to reading yesterday's news and the physical newspaper.
Starting point is 00:09:03 Like, people are not going to go back. These things are too useful. Like the online world, smartphones and iPhones and e-mail and, like, all these Snapchat, all these things are just too useful. Like, this is one of the things I really believe is the quality of life in our time is rising very fast. And people are kind of in a bad mood, you know, people are in a bad mood about income levels and all these other, you know, economic growth and all these things. But quality of life is rising very fast because we now have at our fingertips, you know, information that U.S. presidents didn't have, you know, 20 years ago. And so this new world is the one that we're going to live in.
Starting point is 00:09:34 It's the one that our kids are going to live in. It's the one that we want to live in. And so it is going to happen. There is no stop. Right. And so you have no choice then, but to deal with it. And I'm just wondering what the gaps are then between this phase that we're in now, which you've described, is very much different than the sort of Netscape days and everything was locked in a PC, you know, in a room someplace as opposed to, like, it's connected billions of people all the time to everything. Do we need to have a different mindset, even behaviorally as people and as corporations? Yeah, so a couple things. So, you know, I think
Starting point is 00:10:09 one thing is, so I think from a technology standpoint, either businesses need to either become first class at security and like legitimately first class with like first class expertise and first class funding, either that, or they need to work with vendors, such as cloud vendors and SaaS vendors who are. And in fact, I think that's actually one of the other really interesting things happening in the industry right now, in the software industry broadly, is that it was maybe five years ago that you would, or even three years ago, you would talk to a lot of CIOs and talk to a lot of buyers of technology at big companies, and they would tell you, you know, I still want to run my database and all my systems on site because I really don't,
Starting point is 00:10:44 you know, these cloud things, I don't trust these cloud things because my information is out in the cloud, who knows what's going to happen. I think it's becoming increasingly, I think a lot of CIOs are becoming increasingly aware, especially at companies that haven't mounted a first-class effort in staffing and funding for security, that it is highly likely that the cloud vendor is more secure than they are. And not only that, it's highly likely that has been the case for many years,
Starting point is 00:11:06 and then at some point they realize it's highly likely that they should have known that and didn't. And that's sort of when they discover after the fact that the Chinese have been in their databases for six years, which is kind of the great wake-up call. And so I think that there's actually this inversion happening right now where one of the reasons these cloud vendors, and this is, you know, Gmail and Box and like all these new guys, you know, GitHub that are at your Salesforce.com that are growing cloud services so fast. A lot of it is companies finally saying, okay, maybe I can't actually secure all my internal systems. Maybe I do have to work on the outside. And then you've got a bunch of companies, including ones represented by folks in this room, that are taking this seriously and do have first-class efforts and are going to need to continue to work really hard and fund everything appropriately and continue bringing in the right kind of people, but can really do, can really mount a first-class defense. And then I think a bunch of companies somewhere in the middle, you know,
Starting point is 00:11:55 that are really going to struggle. When things go south, who's liable? It's interesting, like Apple Pay seems to, I still don't know who's like holding the bag if something goes wrong with Apple Pay, but, you know, Target, Home Depot, banks, Sony, for that matter. Who's holding the bag in the end, do you think? Yeah. Well, so Apple's very deliberately crafted Apple Pay so that they're not holding the bag.
Starting point is 00:12:16 Yeah. They're good at that. There's actually a very clever technique with tokenization where it's definitely all somebody else's fault. That's been pre-established. So who's holding the bag? So, I mean, so one is, you know, the sort of obvious and easy answer is, well, that's the subject of endless litigation. So I think that that will become a big issue for a long time. The other interesting thing about who's going to hold the bag is that I think, which you see, like, I would say, like, credit card fraud is a really interesting example of this, which is sort of everybody ends up holding the bag.
Starting point is 00:12:42 Right. So if you think about how the consumer economy works with credit cards, both actually increasingly real world, but also certainly e-commerce, right? Credit cards are another one of these things. The inventors of the BankAmericard, which was the first credit card in the 1950s, never imagined, you know, number one, they didn't imagine electronic transactions.
Starting point is 00:12:58 Like they imagined that people would be filling out the papers, you know, people did for a long time. And then they certainly didn't imagine that you would have the skimmers, right? And they certainly didn't imagine, by the way, fake ATM machines, which is like one of my favorite things is when somebody drops a fake ATM machine
Starting point is 00:13:10 in the middle of the mall and, like, walks out with like $50,000. I think that's like the coolest thing ever. So, you know, they just didn't. And then, of course, the credit card guys definitely didn't envision e-commerce, right? Because a payment model where you give your payment credentials
Starting point is 00:13:23 to the merchant, right, in order to transact online, it's just obviously lunacy, right? I mean, no one would ever intentionally design a system like that. And of course, we all shop like that today. And so then you get in this weird dance where you've got the consumer, you know, who's supposed to pick their merchants carefully
Starting point is 00:13:39 and who's supposed to secure their Amazon password and they never do any of that stuff. You've got the e-commerce sites that are supposed to secure their databases and their systems, which they almost never do. You've got the banks that are supposed to secure their systems. You've got the transaction processing guys, but First Data, you've got the credit card companies themselves. So you've got like five different entities where when all the credit card information gets stolen, like, you know, there's different blame to be apportioned. In reality, what happens, right, is we all
Starting point is 00:14:02 hold the bag because what ends up happening is then credit card fees, right, get recalibrated to be the whatever it is three or four percent, the economy-wide in order to cover all the fraud, right? And basically, as the customers broadly, we all eat it. One of the things that I think in the new world is going to be critically important is having more clearly defined responsibility, right, of who's actually accountable for what. And so this is something I've said in public that receives a little bit of blowback, which is, like, for example, consumers, like who use bad passwords, like ought to be held liable for the consequence. Consumers at some point, like, at some point, as an adult, you learn that when you leave your house at night, you lock the door, right? Consumers at some point are going to have to learn how to construct a good password, right? And I say that, and then everybody yells at me because they're like the technology should make that easy, whatever, whatever.
Starting point is 00:14:44 And I'm like, like, it's a key. Like, at some point, like, adults have to take responsibility. Like, two-factor authentication, right? The idea that two-factor authentication is still optional and not required on all these services because everybody's worried that consumers aren't going to be able to. Like, it's just going to be a part of life to have to do two-factor authentication. But to do that, it can't be the case where if you screw up and your information gets out and you get hacked, you know, that, you know, you're not on the hook.
Starting point is 00:15:07 And so I think societally, we're going to have to have more of an awareness of that person screwed up. There is direct, I mean, it's just like firing CEOs. Nothing actually makes somebody accountable, like actually standing to lose money over it. Right. Disclosure, when a company finds out that something bad has happened, who gets to know and how soon and how soon does the government get to know for that matter? Yeah, yeah. So this is another area.
Starting point is 00:15:31 I think this will be endless litigation. I think that, I think actually this is going to be a whole wave of shareholder litigation that's going to follow from this because as far as I can, there may be formal, there may be legal requirements for disclosure, but as far as I can tell, they are applied in the breach, if at all, across corporate America right now. And we all probably know of examples of major breaches that have never been disclosed to anybody. You know, I think, and by the way, good and valid reason, right? For a bank to disclose that it's been hacked, undermines trust in the bank, could cause a run on the bank,
Starting point is 00:15:59 like, you know, there are bigger implications than just internal politics on these things. Shareholders are going to demand the right to know, especially in the wake of things like Target. Shareholders are increasingly demanding the right to know. Again, there's a big question there is, is it in the shareholders' best interest for these companies to just have to hang all their dirty laundry out all the time? Right.
Starting point is 00:16:18 Like, is that really what the shareholders want? There are lawyers who are in the business and filing lawsuits to that effect. They can always find a shareholder. I can imagine some hedge fund guys who would like to know that early and often, but yes. Yes, exactly. And the government, Silicon Valley's relationship,
Starting point is 00:16:32 and I'm talking about big tech companies in Silicon Valley right now. There's a lot of tension, you know. Obama was here at Stanford for the security conference, which you guys may have gone to, I'm not sure, but there was this impression that he was being sort of held at arm's length by Larry Page and all these folks
Starting point is 00:16:49 that didn't show up, essentially. What is that relationship right now from your perspective and how does it play out? I mean, again, we're all moving through this together, government, big companies, consumers, but where is it today and where do you think it heads in the near term? Yeah. So, people
Starting point is 00:17:04 in the room, I already know this. Relationships, the relationship between the government and Silicon Valley from, in terms of all these issues, is at an absolute low point. Like, it's one of those low points where you can't imagine it getting any lower, although it probably can. Somebody, somebody, somebody wants, some sees, Michael Eisner and Disney once said the great thing, the, the only thing good about having things go really bad is that you can't fall off the floor. And in my experience, that it's actually usually not true. You usually can. So the relationship between the Valley and the Valley companies and Washington is just absolutely abysmal. And just like outright host, I would say outright hostility at this point, complete lack of trust. And then the Snowden thing has just obviously
Starting point is 00:17:42 been just a tremendous earthquake. The thing with the Snowden thing is, and I'm not trying not to take a political stance here, but just a non-partisan stance, but just objectively, the thing with the Snowden thing is the government basically has done nothing as a consequence of Snowden. Like, it's fairly shocked. Like the administration has basically done nothing. And by the way, if we were at the NSA right now, they would agree with this, which is the NSA feels completely hung out to dry. The Valley companies feel completely hung out to dry. The administration's like, what? What? Did somebody say something?
Starting point is 00:18:11 And so you'll note, there's been nothing. There's been no proposal, like how do we put the, you know, you can't put the genie back in the bottle, but like what do we do? Like what are the new operating principles? What are the guidelines? What are Valley companies expected to do? There's been basically nothing. There's been photo ops.
Starting point is 00:18:26 And all the CEOs I've talked to who have gone to met administration or went to this event, Right. There's no substance. Like, I haven't heard one thing reported from any of these conversations where it's like, okay, now there's a thing to do. And so, as a consequence, there's just like, there's what feels like kind of tremendous betrayal kind of all around, tremendous hostility, tremendous kind of feeling that nobody will look out for anybody's back.
Starting point is 00:18:47 And then the Valley companies, for whatever else you may believe, feel tremendously exposed in our businesses because our products are sold all over the world. And there's been this, you know, tremendous, you know, lack of trust. and we whine about the press coverage because we like to say things like, well, all the other governments were doing it too, but, you know, there's like that argument
Starting point is 00:19:04 didn't work with my mother when I was eight. It is not all that effective when complaining about the term and television service. Remember that when your son gives you that argument? Oh, yeah, yeah, yeah, yeah. No, that's a kind of argument that theoretically will work well and then in practice never does.
Starting point is 00:19:17 So, you know, the Valley companies feel very exposed. And then, of course, these issues are getting used as cover for, you know, China is using these issues. We would argue as cover for protectionism, but whatever, you know, American companies are increasingly getting forced out of China. And so it's in a pretty advanced state of hostility. I think from a
Starting point is 00:19:33 civil liberty standpoint, arguably you may argue this is a good outcome. The Valley companies now feel much more emboldened, not even so much out of a sense of like proactive, like enthusiasm, but almost out of a sense of like defensive energy to get much more determined to do end-to-end encryption. Also much more determined to fight the government in court. And there have been a whole series of lawsuits mounted by companies like Facebook to try to, you know, try to push back on the secret courts or try to bring a lot of that stuff out into the sunlight. But it's a really, it's in terms of the like trust communication, like it's a dark time. By the way, this classic kind of, again, nonpartisan story of government.
Starting point is 00:20:09 So then senior officials came out about six months ago and with a bright, shiny new idea. They said, I think we figured out how to do this. They said we, and this was not actually going to say this is another branch, but kind of representing the government. They said, I know what we'll do. We can stop doing all the surveillance as long as, um, all the companies that have all the data can just proactively tell us when somebody's doing something bad.
Starting point is 00:20:32 Yeah, that'll work. To what you said, yeah, that'll work. Yeah, yeah. We really, we want to be in the thought crime business. We want to have to turn, every time somebody says something bad about somebody, we want to turn it over to the feds. Maybe not. And so, like, it's bad.
Starting point is 00:20:45 And I guess I just close by saying, on that topic, I think that, I think nothing will happen under this, as far as I can tell, nothing will happen under this administration. I think whoever is the next president and whoever the next set of national security officials have a big opportunity on this. Or it will go further sideways. And it's hard to say kind of what happens and how bad it could get if it keeps going sideways. But you think it could get worse
Starting point is 00:21:05 or people could dig in even deeper? Yeah. Well, I mean, so this is my argument. My argument, Washington is, look, like, if everything is, you know, one doesn't know how much Snowden walked out with, like maybe he only walked out with 10% of the programs or something. But, like, you know, for people who follow this, like, the hits keep coming. Like, we keep learning new things, like, all the time.
Starting point is 00:21:23 And so, like, I think the operating principle is he walked out with everything. And so if everything's going to just be exposed anyway, then like what's the obsession with secrecy? Like, you know, at some point, like, maybe we need to rethink, maybe the government needs to rethink how it's operating on these topics. And maybe that's just, you know, friends of mine who are kind of more kind of politically radical on this than I am basically say this is the world. Basically, Snowden is the first of a, there will be a thousand Snowdens. And so basically that argument goes as follows, which is it just so happened that Snowden was one of 30,000 employees at the National Security Agency, including all the contractors, right? And it just so happened that, you know, call it, you know, five percent, you know, call it, you know, 30
Starting point is 00:22:02 percent of those employees were under the age of 30, you know, of those, you know, five percent were like politically, like, radical civil, you know, liberties ideologues, and then of those, five percent were so radical that they actually had an EFF sticker on their laptop, which Snowden did. And you only need one, right? And so not only will there be a Snowden for the NSA, there will be a Snowden for the Chinese state security agency, there will be a Snowden for GCHQ, there will be a Snowden for Citibank, and on, and basically we'll all have Snowdens. And so in a world where there are Snowdens kind of in every organization, maybe this kind of thing where we all think we can, you know, these large organizations think they can operate
Starting point is 00:22:37 under cover of darkness. Maybe that's just not the way it's going to be. And it may just be that the U.S. government is the first large organization that really has to directly confront this. This is not cover of darkness, but it's pseudo-anonymous. Bitcoin. How does Bitcoin sort of fit into your view of where things need to go and as an aid in kind of securing things in a better way?
Starting point is 00:22:56 Yeah. So first of all, I have to be careful on the topic of Bitcoin because I can very easily do the full Khrushchev and bang my shoe on the table for six hours. So I'll try to do the short version. So Bitcoin emerges at a very interesting time, I think, for two reasons. One is just broadly architecturally, the idea of the blockchain and the idea of decentralized trust. And for those who haven't looked at this,
Starting point is 00:23:18 it's really quite clever the way the system works in terms of being able to have people who have not met each other, be able to actually establish and maintain trust relationships online through cryptography. Like, I mean, I can't think of a better time for this technology to emerge. I wish it had emerged 20 years ago, you know, so that we could have built it in to the web, and we could have built in the browser, and we could have everybody using it now. But, you know, interest in these topics is sky high. So this is a very interesting time for a new technology like this.
Starting point is 00:23:43 So that's sort of the big picture. And then tactically, payments. Bitcoin is a real solution to this problem I mentioned before, of kind of indirect incentives and indirect accountability. And so one of the things interesting about Bitcoin is it's as a payment method as a way to actually represent value and pay people online. It's a bearer instrument, right? So it's like cash, or it's like a bearer bond as opposed to a credit card number. And one of the interesting things is I can pass Bitcoin, I can send Bitcoin from myself to somebody I've never met before. And I don't have to reveal anything
Starting point is 00:24:15 about myself, right? I don't have to give my credit card number, my payment credentials, make anything. And, you know, it's public-private key cryptography, and like, it just works, and I'm completely safe and secure, and it doesn't matter what happens after that. The other person has the value, but they can't, they can't blow back on me. And so it's actually been really funny. Economists think that this is a huge step backwards, like they think that the modern economy of credit and debit and so forth was evolved over time and having to move back to cash is
Starting point is 00:24:39 like a big step in the wrong direction. But I would argue online, because of this incentives problem, you know, you want people to be responsible. The Target hack was a good example. Like one of the things about the Target hack is I think they're going, I don't know for sure, but I would imagine they're going to be fighting for years about who covers the losses on the Target hack when the credit card database got breached. In the case of Bitcoin, if my account gets breached or if Target gets breached and the hackers steal the Bitcoin, there are no other consequences other than the fact that my Bitcoin or Target's Bitcoin got stolen. There's no
Starting point is 00:25:10 ability to use that information to then go hack somebody another, you know, a second time. And so it is a much more direct linkage of sort of negligence or lack of attention to detail or lack of awareness of security coupled with financial consequences that we just don't have today in a lot of banking. But if we can't even get people to do two-factor authentication, how do we get them to shift into like, oh, God,
Starting point is 00:25:33 it's digital currency that, you don't even know how it works. Just trust us it does. You know, the answer is most people are not going to use Bitcoin directly. Most people are going to use services. We funded a company called Coinbase that makes it really easy to use Bitcoin. Basically makes it easy to use Bitcoin as PayPal makes it easy to use dollars.
Starting point is 00:25:49 And so for anybody who can use PayPal, they can use Coinbase. So a lot of people will use commercial services. But Bitcoin itself, like from a technology standpoint, normal people may not understand it. But the use cases are very interesting. The architecture is very generalized. So it sort of disappears, like lots of good technology does
Starting point is 00:26:06 and we just start using it. I have another question around Internet of Things. You know, things are complex enough as it is. You know, you guys deal with endpoints in the numbers of millions, but we're talking billions upon billions. First, define Internet of Things for us, you know, from your perspective, and then how does that present kind of another massive layer of complexity or does it? Yeah. So, yeah, so I think the best assumption is probably trillions. I think the number of things is going to, a number of things online is going to get very big.
Starting point is 00:26:38 So the way I think about it, this goes back to what I was talking about, about living in the virtual world, is that basically, any physical object, any physical item is going to want to have a chip in it. And then any physical item with a chip in it is going to want to be connected online. So literally everything over time gets connected online. There's two interesting books in this I recommend. There's a book, I believe the title is Enchanted Objects that came out. And it's a guy who kind of goes through this. His kind of argument is, like, we're going to live in Harry Potter world.
Starting point is 00:27:06 Like Harry Potter, like, you know, he's walking down the hall at Hogwarts. And the picture lights up and starts talking to him. And then he's got his, I don't know, his eating utensil and turns into a snake and slithers off or whatever, all the different things. Like, everything basically gets animated. Like, there is nothing that's just, like, static and just sits there. Like, everything is active. And, you know, and at first, you know, that seems like it's pushing things too far.
Starting point is 00:27:24 And then, you know, and then we see the pitches we see every day. We're literally getting people, I mean, we're in one of those phases of the industry where anything that can get dreamed about is going to get explored. And it's going to be a magical inventive time. The security consequences of this, I think, are going to be, I would say, awesome in both the very terrifying sense of the word and in the very inspiring sense of the word, which is, I mean, look, there's no way we can help self-driving cars with the current level of security of the average desktop PC.
Starting point is 00:27:51 Like, we just, like, there's no way we can't do it. Self-driving cars, very exciting. Self-driving cars, if every car on the road is self-driving, all cars can go 300 miles an hour, right? And they could weave through traffic. There would be no more stoplights, and you could basically cut auto fatalities to zero, right, as long as they don't get hacked, right? Right.
Starting point is 00:28:06 So with that slight, you know, additional kind of thing. And so Internet of Things, like if we weren't already required to take security more seriously, Internet of Things would definitely trip us over. So here's my theory. I think self-driving cars are actually going to be, I think they're actually going to be owned by hedge funds. So I guarantee they're not going to want to take responsibility. So I think what's going to happen is hedge funds are going to spend a billion dollars
Starting point is 00:28:25 and they're going to buy a fleet of self-driving cars, and then they're going to bid them out through services like Uber and Lyft to passengers. And so you're going to be standing outside. You need a ride to get home. You click the button and it like bids out over a network like Uber or Lyft to, you know, whatever cars nearby, which is probably owned by somebody with a big balance sheet, probably a hedge fund. I see.
Starting point is 00:28:43 And so in a case like that where something goes wrong, you've got the driver, or the driver, the passenger, you've got the, and of course, then there's a question of whether the person in the car had any ability to take control or not, right? Because then, you know, should the person have taken control? Should the none have taken control? Then you've got the hedge fund. Certainly people blame the hedge fund, just on general principle. And then, you know, the route planning software, the guidance software, you know, the stream of Google Earth data that's going to be coming in. Right, right. Yeah, it will be, yeah. It's going to be a mess. As usual, lawyers will be kept busy for a lot of that.
Starting point is 00:29:16 It'll be fun. So, final question, Silicon Valley and the economy, I mean, technology, you have this, you know, sort of overarching to do this software eats the world. And at the firm, one of our fellows, Benedict Evans, says that tech has outgrown tech. Is the tech economy is sort of a separate thing? It's just on fire here in the Valley. How do you look at Silicon Valley's economy, the technology economy, and as it relates to sort of the rest of the world, bumping along doing its thing? Yeah. So I'm a much bigger optimist. There's been a lot of negative kind of coverage of the tech industry kind of being, if anything, sort of ironic, actually, for those of us who live, as many people in the room did, live through the 2000 crash. Everybody by 2003 knew that tech was all stupid and dead. And so to have gone from that to tech is maybe now too powerful and too successful,
Starting point is 00:30:02 with no intermediate steps anywhere in the middle, has been kind of entertaining to live through. I think the consequences, I think the consequences for the global economy and for basically people everywhere, much more positive than people are talking about right now. In two ways. One is we're giving people incredibly powerful tools, right? This is sort of the big understated thing.
Starting point is 00:30:23 I think there's this, like, there's still this kind of sense of like we're giving, so the good news is we're living in a world where smartphones, Android smartphones now are down to $25, right? And so India, Pakistan, you know, whole range of developing world countries, Indonesia, you go to the local store and you literally get an Android smartphone for $25, right? And that is the equivalent of a supercomputer from 25
Starting point is 00:30:40 years ago, you know, that basically everybody in the planet is going to, is going to have one, right? People who have smartphones now don't have, to this day, running water or electricity in their homes. And I think there's a view of like, oh, yeah, fine, okay, they can make phone calls or they can watch, you know, World Cup videos or whatever, but like, you know, this is, this is not like for somehow a tool of production. I think these are tools of production, right? I think people who have smartphones and then over time, tablets and laptops and all the technologies that come from this, I think are in a position, and if either position, either for themselves or for their kids, you know, for education and access to information, access to careers,
Starting point is 00:31:14 access to work, access to banking service, modern banking services, financial services, lending, the ability to take products to market globally, right, is something, the ability to get educated, is something that is becoming available to everybody on the planet in a way that just hasn't been before. And we're just in this kind of, you know, phase right now where the technology is literally just getting to, like, we're just in the phase now where the technology is actually getting to everybody. And so I think 20, 30 years out, I think it's going to be amazing to see what people are going to do with these tools when they have them in their hands. Then all the kind of second and third order effects that will come from that.
Starting point is 00:31:45 And then I think it's indisputably true that there is going to be, and there is today, significant disruption. I mean, it's certainly, you know, nobody's idea of a good time to be a taxi driver in the era of Lyft and Uber or to be a small independent bookstore in the era of Amazon. But, you know, without sounding callous about it, all of these shifts are the result of consumer choice. All these shifts are the result of consumers voluntarily deciding to spend their money one way or another way. And kind of the history of economics is when consumers have the decision, have the free decision to be able to spend money the way they want. You know, really, really good
Starting point is 00:32:17 things happen in the economy. And so we're going to go through a lot of change. I think we're in this period of time where it almost look, I think it looks worse than it is because we see all the change happening. We don't yet see the payoff because we don't see what everybody's going to do with all these new tools. But I think we will. And I think over the next five or ten years, I think, especially what's going to come out of the developing world, is going to be phenomenal. I'll just give you one example. A good friend of mine, Chris Schroeder, who used to work in the State Department and then ran a big Internet company, spent two years in the Middle East.
Starting point is 00:32:44 He's highly networked throughout Egypt and Syria and Jordan and all through the Middle East. And it turns out there's a whole internet startup boom happening in the Middle East. And this is a fairly big deal because, like, there's lots of other stuff happening. And there are kids busy working away on apps, startups, you know, in Jordan and in Syria, just the same way they are here. And in fact, the most inspiring part of, of, this didn't happen before he wrote the book, but he wrote an essay about this later. After he wrote the book, he got one of the very few passes.
Starting point is 00:33:15 There's like 20 a year of American business people who get to go to Iran on its State Department program. And he went and he spent two weeks on the ground in Tehran. And he said there is an absolutely vibrant internet startup scene on the ground in Tehran. And the kids who are working on these startups are just like as excited as can be. They know everything. They're completely current on every. They know everything that all the guys
Starting point is 00:33:33 who come in our office every day. You know, no. They're completely current. They've read all of, you know, they've read all of, you know, posts. They've read all of our, like, it's everything. They've read everything. And they've got their apps and they got their ideas.
Starting point is 00:33:44 And like literally their big issue is they're under an embargo, right? Like they just, they can't get their stuff to market. But they could not be more excited about it. And so I think you're seeing lots of signs around the world of sort of a huge amount of latent energy, creativity, economic growth and development. But, you know, hopefully the world will be stable enough over the course of the next couple of decades.
Starting point is 00:34:03 We'll really be able to see that play out. Thank you so much. Great. Thank you, everybody. Great.
