00:00 Hi, and welcome to the a16z Podcast. This episode is all about the state of security. As cyber, physical and national security become one and the same, how does that change how we think about the problem and how we address it, from software to hardware? The conversation was recorded at our Summit event in November 2017 and includes Stina Ehrensvärd, founder and CEO of Yubico; Joel de la Garza, CSO of Box; and Niels Provos, distinguished engineer at Google, and is moderated by Martin Casado, general partner at a16z.

00:31 I worked for the intelligence community, and I used to go to these kinds of think tanks for the government which were about sovereignty-ending events. So you have these different experts in different areas, and you think, what can we do to the US critical infrastructure to create the end of sovereignty? And then you'd have the civil engineer, and you have the electrical engineer, and you have someone that understands hydro, and we'd all sit in a room. What always struck me about this was two things. Number one, hydro security and electrical security, it's just like security, right? It's part of the security thing. And the second thing is, any time you found a vulnerability, for example in the electrical power grid, the people that were responsible for it kind of, you know, "yeah, okay, well, do some incremental fix." But for cybersecurity we had kind of our own world, and then any time, you know, someone found a vulnerability: "we don't understand what we're doing, we're gonna kind of make it all over again." Have we evolved as a discipline enough so we can just stop talking about cybersecurity as this entirely special new thing and we can just talk about security more broadly? Or is cybersecurity really that separate that it kind of deserves its entire discipline?

01:25 So, pretty similarly, at Citigroup around 2005 we generally had the belief that, well, we're a bank, we're a financial intermediary, we run the global economy, people kind of don't want to destroy your business. They may want to steal from you, but the idea of someone coming in to destroy your business and to destroy a key piece of banking infrastructure seemed a little kind of far-fetched at the time. And then we had the al-Qassam Cyber Brigade, the targeted attacks against Saudi Aramco (they turned all their PCs into bricks), and then we saw the Dark Seoul attacks out of North Korea, and it became pretty clear to us that there are actually well-funded nation-state actors out there that just kind of want to destroy things, and that kind of changed the way we think about it. Right, so I think to a large extent there's a really weird thing about information security, in that it's an industry that for the most part shouldn't exist. If you bought a car and your car dealer made you pay an extra 200 bucks to not have your car go up in flames, you'd be able to sue them, and the cybersecurity industry to some extent is filling that gap of the software or the service that you bought is going up in flames. And so I think as business models evolve, as we make this transition to the cloud, as blockchain becomes more widely deployed, security starts to become more of a feature and less of a product, and I think we start thinking less about kind of the specific technical security issues and more broadly about business process and how we define these intermediary relationships.

02:42 Actually, I'd love to get you on that. Niels, why should we even care about security? It doesn't seem to cost anything if you don't have security.

02:51 I was giving this talk a couple weeks ago on the future of computer security research, and I was sort of wondering, have we done much over the last thirty years? And I talked about when a professor at Stanford said, "Niels, the purpose of computer security research, you know, is that there are really, you know, separate things that we have to do, right? We have to, you know, find new vulnerabilities, find defenses for them, and then make sure that industry is aware of it." And if you sort of look at it from that lens, we have done great over the last 20 years. We have found lots of new vulnerabilities, we have found lots of new defenses, but we don't seem to be able to translate them into practice. And if you look, every other week we seem to be reading in the newspaper about another company that has been compromised, and so that really makes me wonder. It's probably not really a technology problem, it's an incentive problem. How do we create a world in which people actually want to have better security?

03:41 You know, so I do believe that security is the most critical thing we need to solve on the planet today, and it will affect every part of a business. Any software on a computer or a phone or a server eventually will be hacked. If you were talking about cars, you can't sell a car today if it's not safe. The first cars that came, they didn't have any seat belts, and people died, and someone said, "we need a seatbelt," then, you know, then there's crush zones and there's... But the three things that happened when that problem in our society, what is it, six years ago, happened: it had to be easy. The three points: it had to be easy, it had to just be there, natively supported in the car, it shouldn't be something that has to be difficult to go and get, and then it has to be an open standard. And eventually the government said, "hey, you need the seatbelt or we'd sue you," and I think that's sort of the same process that this industry is taking. Super easy to use, you don't even have to think about it, just their standards that make it native, and the government is already starting to take some actions with the GDPR and other things.

04:43 I'd love if you describe a little bit about kind of what U2F is and what it means, and then what you think government's role is in this.

04:50 So, to the question: the number one biggest security challenge that we're facing on the internet today is stolen usernames and passwords. Probably 90% of everything you read about is a user credential that is being compromised, and it's either a static password or a weak, you know, two-factor authentication like SMS or an app that is being taken. So if you just say, let's not try to solve every problem on the planet, just 90%, then let's do that. And the first implementation of that is the YubiKey that you plug into your computer and you touch it, and there's all kinds of security-smart things happening behind the scene, but from a user perspective you literally just touch it, or you tap it to your phone, and it made me very...

05:33 We have mandated a hardware second factor for everybody at Google. Since, you know, everybody is using a security key nowadays, we have not had a single successful phishing attack against a Google employee since then.

05:44 So I want to continue to stick on this question, because what I've heard is, I've heard Google, which everybody knows, saying this is a good way to do things, and many people following. I've heard an open standard, which is an industry consortium. But I'm actually curious if government does have a role. Actually, Joel, you used to work for the government. Do you think this is something that the industry is solving, with these two huge innovators like we're seeing, or do you think that there is kind of more of a public role in this?

06:08 Yeah, there's a couple different ways that the government can help and a couple ways that it's historically hurt. Part of my job working as a CSO for an internet property or a bank is that you get to get involved with people that try to hack you, and you get to make decisions about whether or not you're gonna prosecute them, work with law enforcement, how that relationship's going to happen. The criminal justice laws, the laws around computer intrusions in this country, are really profoundly broken. There's not a lot of sophistication or nuance in them; it's essentially treating every kind of computer intrusion like it was armed robbery, and that creates a lot of problems with when you decide to prosecute and how you want to pursue any kind of legal remedies around these issues. So that's one area where historically we've seen businesses get hurt, we've seen individuals get hurt, we've seen some pretty negative things. On the positive side, the adoption of the NIST 800-53 standard by the US government for cloud security, for cloud vendors: basically the US government said, if you want to sell services to us you have to adhere to this baseline security standard. I'm typically of the opinion that compliance and security are the enemies of each other, but this is one instance where I think it's actually really starting to raise the bar. And to the earlier point about automobiles and safety, I think we're gonna get to a point where our consumer electronics will have that kind of security stamp on the back that'll be based on some kind of measurable, meaningful standards. I don't know if it's gonna happen within my lifetime, but hopefully it does at some point.

07:23 Yeah, what do you think? Is it possible for the government to be involved in a way that's a net benefit, or you don't have to project? I mean, how do you view that?

07:30 So we were talking about compliance standards, and frequently what they achieve is compliance. They don't achieve... maybe the standard Joel mentioned, NIST 800-53, you may change that, but there are sort of, you know, some fundamentals that still tend to be true about security, right? One of them is we don't really know how to write secure code, so that means that one of the things that we always must be able to do is patching. And now if you have government regulations, let's say, you know, FIPS 140-2, that essentially create incentives not to patch, you're probably not better off. It does seem that government realizes that maybe the commercial clouds are a place for them as well; they can help with maybe changing the way that we look at regulation and actually create best practices and standards that meaningfully improve security.

08:24 So between Stina and Niels we've got two representatives of, like, hardware roots of trust being used as security in very serious ways. I mean, so YubiKeys, this is a hardware key that you put in and that provides you a root of trust, you know. So Google is actually very famous for the Titan chip, so the servers have, like, a specific chip which is a hardware root of trust, which the security community for a long time has been saying that you need, hardware roots of trust. Now Joel has had deep industry experience on the buyer side, both at a ... where you don't have the same level of control that perhaps Google does ... So, like, how practical is, or how much of a shift do you think the industry needs to go through? Well, A, first, do you think, like, hardware roots of trust are required, and B, is this something that we think can practically be adopted broadly?

09:09 Wow, that's a loaded one. I mean, historically we've had issues. So we've been working with a lot of the commercially available hardware roots of trust, not represented by anyone on the stage, but I won't disclose the vendors, and have generally found that a lot of those hardware solutions have some pretty serious security issues. Key extraction's possible in a number of them; there's a bunch of CVE vulnerabilities that we've reported around some of those products. I think there's two sides to that equation, right? Large, like, defense contractors, heavily regulated industries, will continue to need that hardware root of trust. I think what's more interesting to me is a lot of the stuff that Amazon is doing around KMS and some of the stuff that Google is doing around their virtualized key services. Anything that can make that kind of root of trust, beyond kind of saving secrets locally in a not-safe way, can really help drive kind of security across the organization. But by and large it is very difficult to integrate a lot of these things, and for us, as a relatively small company compared to a Google, it's hard to make those investments in building in hardware and getting custom chips printed. That's a dream.

10:11 So, Stina, you know, you've done some of the fundamental work in making hardware roots of trust generally accessible, and you've spent a lot of time in the field. Like, how open do you find the industry being to that idea, and then their ability to consume this?

10:24 Absolutely not open at all, really. I mean, when I started this company 10 years ago, people said this is not the future. The future is biometrics, and there's big data, geolocation, mobile apps, everything but a hardware USB and NFC key. But eventually, you know, I'm here, so I think the time has worked with us. And I'm not saying that any of the other things that I mentioned is not also the future; it's just, like, there is a clear need for that hardware root of trust in addition to all the other things that we also want. The security has to be monitored and managed at many levels, so we're not solving all the security problems with the hardware key, and it also depends on who you really want to...

11:08 So Google rolled out this Advanced Protection Program, where you are forced to associate a security key with your account. That's the only way that you can get to your account. But that is not something that we can offer to billions of users, but there's something we might go to journalists or dissidents or people who we believe are specifically targeted by more adversaries, and I'd necessarily say, look, you know, for you this may be of a real benefit. And then the question is, how much utility do you lose, is it convenient? And with the NFC YubiKeys, right, you put them at the back of your phone, the phone is then bootstrapped with a secret that it needs, and you go. So I think that has become much easier than it used to be.

11:43 I know, as a GP in a large firm, I'm more and more concerned about security, and so I'm, like, moving off of email and I'm using Signal. What would you recommend as far as, like, a tool chain for, like, the most paranoid of us? Is it, like, the normal thing, and, like, you wait for IT? Is there things that we can do in our behavior?

11:56 I continue to be a big proponent of something like a Chromebook with a security key, right? Essentially it's an endpoint that cannot be compromised even if you try, because the weak point in all of this continues to be the human. I can talk anybody, including myself, into doing something that we should not be, and so with a Chromebook you get the benefit of: you can't install software anymore, right? One of the largest vectors for people being compromised. And then it sort of really depends on your level of paranoia; you may want to go and get the Advanced Protection Program, right, and you may want to use Signal or, you know, some other Open Whisper system. But that's not the recipe for everybody, and it's not general guidance.

12:32 Joel, I mean, are there things that, like, lay end users can do that will meaningfully improve things, or is this really a problem for the CISO or the organization?

12:42 We also do 2FA for all of our services, and whenever an executive goes to a hostile foreign nation we send them with a Chromebook, and then we donate it to a charity in East Palo Alto so that their intelligence agents can watch kids grow and develop. It's kind of a joke we play on people. I would say that, you know, beyond that, where we get our single largest return on investment in terms of security spend is around training and engagement, and just helping get people like yourselves to know that you're targeted, how you're going to be targeted. We've seen a lot of the issues move out of the targeted phishing attacks to the, like, I'm buying you a drink at a bar or I'm talking to you at a conference to solicit private information. It's really just about getting people to understand kind of inside of this, because we are essentially the weakest link in any kind of security model that we build. And it's really about kind of investing, after you've taken care of patching, universal, and then your Chromebooks, educating your users on just being paranoid about what the risk is and how it works. But if you do that you're already better, pretty good, you're doing a great job.

13:38 Yeah, that's 90 percent of it. Given all the things on the table, how do you prioritize? So assume you're being targeted by a nation-state actor with a lot of resources, a lot of skill, and sort of potential catastrophe that you want to avoid. How do you prioritize closing your gaps?

13:57 And for the most part we have not figured that out, right? We do not know how to measure risk, and so, you know, for companies such as Google we just invest a lot of resources and money in security, but for other companies that really becomes a problem. And then it goes back to the what are the incentives. But if security doesn't really cost you anything, you know, if you get breached, why should you invest in it? And then you get companies such as Equifax losing a lot of very sensitive information, and you wonder, did they really get any lasting harm from that? It's not clear.

14:29 With the GDPR in Europe, it will cost a company, if they get breached, four percent of their revenue if they have not taken the security measures needed. But it's surprising... Europe continues to be... Swedish-American, but I do believe that Europe has started with security. Here in America it's being more about convenience and speed, while in Europe, sort of, the convenience and speed is not as important as security.

14:54 Generally I think the hacker's sort of mentality, or the intruder's mentality, whether it's nation-state or whatever the case is gonna be: why pick the lock if the window's open? You can just take care of a lot of these basics; you can really up-level it. If you get to the point where you're worried about, like, the Mossad, you're probably already dead.

15:10 Another thing that remains true is adversaries often go to the place where the bar is lower. Yeah, yeah, right, so you oftentimes don't need to achieve perfect security; so "okay" security is also: we're higher than somebody else, run faster than the bear, right? Yes.

15:27 Alright, so in 10 years, let's say the four of us are back up here in front of this audience. Will the problem be just as bad? Will it be...

15:37 I am a true optimist. I believe that the world is going to be much better in ten years, and going back to the car and the seatbelts: today we have 10 times more cars on the street compared to 60 years ago, and we have actually fewer fatal accidents, and it's because there is built-in security. So security is going to be native in platforms and browsers, with standards.

16:03 In 10 years everybody is going to be on a professionally run cloud that takes...

16:11 What he said. No, I think that, hopefully, my goal is to put myself out of a job, in a positive way, not in a negative way, and that in 10 years it's all about standards, and then it ultimately becomes about risk transfer, right? Some form of insurance. And it's about leveraging standards to mitigate as much of the risk as possible, and then transferring the risk that you can't control through some kind of an insurance policy.

16:28 So the cloud discussion cuts both ways. Some people will be, like, actually, moving to the cloud is less secure because there's a larger attack surface. ... You've been making this argument for quite a while now that the cloud will make you more secure. Why do you think that that is?

16:41 The argument, for me, is you just end up getting economies of scale. There are lots of companies that cannot afford the security that's required these days, and companies such as Google or Microsoft, Amazon will just be able to do that much, much better than you could do yourself. That's not to say that there won't be some companies who will still be better off doing it themselves, because they can invest all the resources, but that's gonna be the minority.

17:04 Thank you very much. Please help me thank the panelists. Thank you.