Podcast
    Threat Intelligence

    Get Cyber Resilient Ep 54 | The intersection of cybersecurity and politics - with Dmitri Alperovitch

    Dmitri Alperovitch joins the GCR podcast this week. Founder and former CTO at CrowdStrike, Executive Chairman of Silverado Policy Accelerator, and a man whose accolades include MIT Technology Review's ‘Top 35 Innovators Under 35’ and Fortune magazine’s ’40 under 40’. 

    CR_podcast_general.png

    In this very special episode, Gar and Dmitri discuss what it’s like to have a front row seat at the intersection of cyber security and politics, the importance of know-your-customer regulations, the rise of ransomware, and the imaginary “new normal” for cyber security.

     

    The Get Cyber Resilient Show Episode #54 Transcript

    Garrett O'Hara: Welcome to the Get Cyber Resilient Podcast. I'm Gar O'Hara, and today I'm joined by Dmitri Alperovitch, the founder and former CTO at CrowdStrike. Currently executive chairman of Silverado Policy Accelerator, and more generally a globally well respected figure in cybersecurity.

    His long list of accolades include MIT Technology Review's Top 35 Innovators Under 35, Fortune Magazine's 40 Under 40 for influential people in business, and Foreign Policy's Top 100 Leading Global Thinkers. In the episode we talk about what it's like to have a front row seat when history is happening at that intersection of cybersecurity and politics, the importance of know your customer, or KYC regulations, ransomware, attribution, the imaginary new normal for cybersecurity, national and international approaches to cybersecurity, and the value of public facing audits.

    It's a packed episode, and given Dmitri's global influence in cybersecurity, we're very grateful to have gotten the time with him. Over to the conversation.

    Welcome to the Get Cyber Resilient Podcast. I'm Gar O'Hara. Today I'm joined by Dmitri Alperovitch, executive chairman at Silverado Policy Accelerator, and, many people who would know as the cofounder and CTO of CrowdStrike. And also a board member for many, many organisations. Good morning Dmitri, how are you doing today?

    Dmitri Alperovitch: Great. Thanks for having me.

    Garrett O'Hara: we always start with a little bit of a bio. And, I guess, you know, many people will obviously know, [laughs], who you are. but it would be lovely to hear, yeah, just from you, kind of your journey, how you got to, to where you are today, with Silverado.

    Dmitri Alperovitch: Absolutely. I- I've been in cybersecurity for 25 plus years, been at small companies, been at huge companies, before starting CrowdStrike. I was at McAfee, which we sold to Intel, and stayed at Intel for a few year, for about a year. And then, got the idea to start CrowdStrike, really, because of one pivotal event, and that was the hack of Google in 2010 from China. actually 29, 2009, and, it was, unveiled in 2010.

    But, that was really the first time where we had seen, in a very public way, nation state going after a private company. It seems crazy now, 11 years later, when we're reading about new stories of that, you know, multiple times a day. But at the time that was something unheard of, and, and there was a lot of, I remember, to this day, confusion about attribution. There were people that were raising questions about it, they were saying, "This is a botnet, this can't be China." you know, "Nation states don't do this sort of thing."

    Uh, these literally were the arguments that some people were making at the time. But, I was involved in that investigation, and ended up naming it Operation Aurora. And I realised that that was a watershed moment, and, that going forward everything was gonna change. When you were dealing with a nation state threat actor, that not only had the incredible resources, from, from the offensive capability perspective, but, could also, use non-cyber capabilities, bribe people, blackmail people to gain access to networks.

    And most importantly, being able to target organisations in a very precise way, and, and really, be like a dog with a bone, not let go until they're able to get in. That presented a completely new threat model that the industry had not yet observed. And that l- ultimately led me, to, co-found CrowdStrike, which, we i- initially tried, to focus on solving that very important problem, figuring that if we could do that. Then everything else would become easy. And, and, it proved out to be, a pretty good idea, you know, 10 years later now.

    Garrett O'Hara: Yeah.

    Dmitri Alperovitch: and, last year, having built, you know, an amazing company, having taken it public, it was the right time for me to step back, the company is doing phenomenally well now. And, to focus, you know, the next phase of my life on giving back. And, part of it is really taking advantage of the fact that I live in Washington D.C., uh that I've always had incredible interest in policy and trying to move the country forward in the right direction and just never had the time to really spend on it, full time. And now I c- I have the luxury to do so.

    And that's what Silverado is all about. It's about figuring out, how do we enable the competitiveness of Am- America and its allies in the 21st century in this, time of renewed great power competition? How do we, ensure that, from a government perspective we're doing the right things to, to encourage innovation, to do the right things for our national security? And we're really working in three specific, pillars. one is cybersecurity, won't be a surprise to anyone that that's still an issue that's near and dear to my heart and is growing only more important, when it comes to national security.

    Uh, but the other two are also very important. second pillar is trade and industrial security. How do we make the right decisions a- as a nation along with our allies to promote, economic prosperity through trade and, and through strategic investments? And then the third area is, what we're calling eco-sec. The intersection between ecological and economic security. During this time of climate change how do we, again, leverage innovation? how do we figure out ways to mitigate, impact of, of climate change and, impact on our, ecology in, in a way that also moves the ball forward and promoting our economic interests?

    So those are the three things we're working on, and the goal really is to engage with policymakers in, in Washington and elsewhere to, make sure that we're doing the right things as a government in moving the ball forward. for your Australian listeners you'll, you'll be, perhaps interested to know that one of the people that we're working with closely, and co-chairs our strategic council is your former prime minister, Malcolm Turnbull.

    Um, again, the allies piece is very, very important to us. There's no way that America can succeed in this renewed, what I certainly believe is, is a new Cold War with China, by doing it alone. We need allies. Australia's a key ally to our country and, we need to find ways to work together, in a way that, that promotes both country's interests and interests of our other friends. And Malcolm has been just a fantastic resource. in helping us think through these issues.

    Garrett O'Hara: And s- you know, [inaudible 00:07:06] Malcolm comes from a sort of technology background. And, you know, as, as somebody who has been involved he's probably a particularly good choice for work in this area.

    One of the things I've heard commentary on out of the US and, and probably globally is the, there's a bit of a disconnect sometimes with the people in politics. You know, they're, they tend to be maybe, older people who weren't digital natives, and they sometimes don't understand the technology or the, the threats at a, a, a, sort of a, a- an intrinsic level. what are your thoughts on that, as, as somebody's who's trying to influence policy? How do you, how do you get through to people who potentially don't actually understand the, the gravity of the situation or the implications of things like cybersecurity?

    Dmitri Alperovitch: You know, I think, things have changed a lot, in the US, at least. I- I'm not as familiar with the Australian political landscape. But in the US we have, many new, people that have, gone into politics, people that are... it's amazing for me to say this, but younger than me.

    Garrett O'Hara: [laughs].

    Dmitri Alperovitch: that are in Congress, that are certainly digital natives. many, many of them have served, in the wars in, in Iraq and Afghanistan, and from the military decided to continue engaging in public service. So they certainly understand those issues.

    Garrett O'Hara: Mm-hmm [affirmative].

    Dmitri Alperovitch: And, e- even people who are older, all they have to do is pick up a newspaper, you know, look at, the television news and hear about cyber issues, hear about hacks like SolarWinds and others who we've been, all watching over the last few months, and understand that this is a big deal. They may not understand all the details behind it or what the right solutions are, and that's where we come in to try to help, bring some contacts and education, but more importantly, policy proposals, that we think can be helpful in, in getting, us to a better place.

    Garrett O'Hara: Absolutely. And, and one of the things you've commented on is this idea of know your customer, which, you know, it exists in financial industry in many different countries, and we're starting to see a push for that in, in technology. And, and for context, the, you know, some of the attacks that happened in SolarWinds, or Holiday Bears, as yourself and, some of the people in the industry are, are calling it, you know, the, the attack was using cloud s- infrastructure in the US, which the US agencies then couldn't really get to because it's on, kind of sovereign soil in, in America.

    How do you see know your customer work for technology companies? And, like, are there gotchas? Are there any things we need to be kind of thinking about?

    Dmitri Alperovitch: Yeah, that's a great question. So, so I think KYC, or know your customer, plays, several key roles in, in helping to mitigate the threat landscape. One, and I think most important one is actually not even specific to cyber but, related to cryptocurrency. when you look at the cyber threats we face today, the number one threat, by a mile, is ransomware. when you look at what's ha- taking place, I almost hate to use this term, obviously in the middle of a pandemic, but we really face an epidemic of ransomware today, worldwide.

    Garrett O'Hara: Mm-hmm [affirmative].

    Dmitri Alperovitch: and the saddest thing is it's the most vulnerable, organisations among- amongst us that are falling prey. Hospitals, school districts, small businesses that are gonna be put out of business by a single ransomware attack. And the situation is getting worse and worse, the, ransom payments that they're demanding are now in the tens of millions of dollars. It's really, a huge problem everywhere.

    And the number one reason whey we're seeing this explosion of ransomware cases has to do with cryptocurrency. If we didn't have cryptocurrency, if we didn't have an anonymous way that these criminal groups could get paid, and, orchestrate these attacks, we would not have this issue. It's not su- su- it's, it's not coincidence that ransomware emerged as a big threat after the invention of Bitcoin. You certainly had isolated cases of ransomware before cryptocurrency, but in those days it, you know, you had to leave a message saying, "Please wire me the money to this bank account."

    As you can imagine, that would be pretty easy to trace for, for law enforcement and, and, and they, and they have. And those individuals would get caught, or those payments would be stopped in transit. So it was just never popular among criminal groups because they couldn't execute it until they had a way to sort of pseudo-anonymously collect payments.

    And KYC for cryptocurrency exchanges, which, was actually proposed b- by the Department of Treasury, in December of last year, and they're now working through the issues of how to implement that, are really key to stemming this, this epidemic and, making it much harder for criminals to get paid. And as a res- as a result, from moving their, incentives to, to keep orchestrating these attacks.

    So that's number one. The second one was really an interesting idea, and, when I first saw it, which, it was released by the White House literally on the last day of the Trump administration, so, most people did not notice it, but, when I saw it, I had not heard of this idea before, and I was like, "Wow, that is really, really innovative."

    So what happened is that during SolarWinds, or Holiday Bear operation as, as I call it, as well as, in the Exchange hacks, a few months ago, but also many other attacks, we have seen adversaries appreciate that if they are gonna, buy, or steal infrastructure in the US from US cloud providers, US hosting providers, it's gonna slow down American response. It's not gonna stop it, but it's gonna be much more difficult for US intelligence community and even US law enforcement to get access to that infrastructure.

    Uh, if it's a foreign intelligence threat, then they have to go through what's called a FISA warrant process, and that has, you know, a number of bureaucratic steps that, that slows down, the process, even if it's a criminal action, they still need to get a warrant. So all those things make it easier for adversaries to move quicker and, and slow down the, the ability of the American government to respond, to share information, get intelligence to what's taken place.

    And the adversaries clearly have taken note of that and, and are leveraging that. So one way to respond to that without sort of further violation of civil liberties, which was certainly, most Americans would, would oppose, is to drive those actors away from foreign, from domestic soil to foreign soil. And, this proposal to require cloud providers to perform know your customer checks on, people trying to register new accounts is very interesting, because it would make it much more difficult for foreign intelligence services to provision accounts from shell companies and the like, and, and use them for those attacks.

    It wouldn't make it impossible, that, they could still find ways to do it, but it would raise the cost substantially, to the point where probably it would not be worth it for them to, to keep doing it. So very interesting idea. As you can imagine, the cloud companies are not thrilled. and we'll see what happens. But, it, it, it was a very innovative way to approach a problem.

    Garrett O'Hara: Definitely. And, you've, you sort of pointed to the idea of collaboration here. I mean it, ransomware, as you say, it's absolutely in pull position, it's at the national conversation in Australia, it's sort of both sides of the political divide are producing papers on, you know, how to tackle it. It's become slightly politicised. Very, very slightly, I would say, 'cause I think everybody recognises how important this is to fix. It's of an a, you know, a, a meaningful impact to our economy.

    What do you kind of see, or what are your thoughts on the, the national versus international approach and the collaboration that we presumably need? But also then, the governments versus private enterprise involvements when it comes to the problem of d- specifically ransomware, but probably broader cybersecurity problems.

    Dmitri Alperovitch: Well, like almost every cybersecurity problem, the solution is not national, it's international. And if we're gonna make a dent in this problem we have to absolutely leverage our partnerships with allies. you know, when I look back at, at some of the more successful operations that the US government has done in the area of botnet takedowns, they- they've been taking botnets down going back to the late 2000s. And, a lot of these operations have not succeeding, because they would a technical operation, try to take down a botnet, and then three months later the criminal groups would, resume the operations, they would retool and reconstitute the botnet.

    Uh, and then a few years later they realised this an- and decided to combine the technical takedowns with law enforcement action, with, ideally, arrests. as they've done on many cases. But, in the absence of that, with actually being able to shut down infrastructure physically, so in one case I know they wanted to... Ukraine, with, working with Ukraine and law enforcement, and we're able to take down key servers that we used, in a particular, botnet, that was peer-to-peer but had ventral command servers that, the adversary had used to [inaudible 00:16:37] botnet, in that particular case to keep control of that peer-to-peer network.

    That was critical to the success of the takedown. So all of these things require cooperation, they require use of numerous authorities beyond just national authorities that these law enforcements agencies have. It also requires work with the private sector. Like CrowdStrike, we had participated in a number of these botnet takedown events, providing our technical experts that could do the actual planning and, and execution of, of the botnet takedown, and allowing the law enforcement people execute, to execute it with their authorities.

    So you have to figure out how to bring industry along for the ride here, and, and, and not just, as bystander or an observer, but really a key player in the planning and execution of these types of things.

    Garrett O'Hara: Absolutely. And, you know, there's a whole conversation, I suppose, about how to respond. One of the things that has kind of sparked in my mind, just based on the, potentially the work that Silverado's doing, you know, we- we've talked about the, essentially the response and takedowns, it's technical, it's law enforcement, generally there's some sort of economic incentives in many countries where there's maybe not opportunities for employments, there's social issues that cause people to go and do things that for us are, you know, they're abhorrent and they're, they're horrible.

    But they're driven because of, you know, lack of money and lack of opportunity. How do you see policy playing into that and maybe more preventive measures at a socioeconomic level to m- potentially, you know, in an ideal world, magic wand stuff, you know, take away some of the incentives and the sort of drivers for people to go and, you know, sit in, set up these, these organisations that are, are doing the attacks? And that's probably less nation state stuff but more that just pure economics and, and criminal organisations.

    Dmitri Alperovitch: Yeah, I'm, I'm not too, too optimistic on that front.

    Garrett O'Hara: Yeah. Yeah.

    Dmitri Alperovitch: Crime has always existed, as long as we've had organised societies it will continue to always exist. We're talking, when we're talking about the types of money that these, criminal groups are making, you know, tens of millions of dollars on a single ransom event, and they can execute of these every day, that traction of that money, that's not a socioeconomic, lure, right? that's not someone in poverty that just wants to survive, that someone that wants to drive a Ferrari, that, that wants-

    Garrett O'Hara: Yeah.

    Dmitri Alperovitch: ... to buy a yacht.

    Garrett O'Hara: Yeah.

    Dmitri Alperovitch: That- That's a different problem all together. there are certainly poor people that are engaged in cyber crime. But when you look at a lot of these [inaudible 00:19:04], a lot of these, transnational criminal organisations, they are not doing this because they are poor, they're doing this because, they know that they can earn tremendous amounts of money.

    And many of them are present in countries that happen to be adversarial to the United States, Russia, China, around North Korea, and they are being supported, and in many cases, helped by, the nation states, in which they reside.

    Garrett O'Hara: Absolutely. And you talked, it's many years ago now, AusCERT's 2013, you know, when it comes to, to this stuff, generally it's the sort of asymmetry that exists in terms of the investment efforts and the return of investment. As you said, it's tens of millions of dollars at this stage. Your talk was nearly a decade ago, like, have you sort of seen anything in that equation shift? And, and if so, what?

    Dmitri Alperovitch: Yeah, I have. I, I, I, I think that we are finally arriving, as an industry, at the right mindset for how we should approach these problems. Like, for many years, for literally decades, we have taken the approach of, we're gonna build the biggest fence we can around the perimeter of our networks and try to stop people from coming in. And that was just never gonna work, it doesn't work in a physical world, it doesn't work in cyber. Capable adversaries will always find a way around them, the- they- they'll, they'll bring a ladder, they will, you know, bribe someone on the inside to let them in, they- they'll find some sort of vulnerability that you don't even know about to try to get in.

    And, the better approach, that people have started to appreciate, after the Google hacks and, and some of the other events I was involved in, is to assume that they're in, right? Assume breached, mentality where you are gonna instead invest most of your effort, not all, but most, into trying to find them within your network, hunting for them, and ejecting them as quickly as possible, right? And, and it all becomes about speed, speed of action, speed of detection, speed of investigation, speed of response.

    And rinse and repeat. that- that's not to say that we shouldn't invest in perimeter solutions, we shouldn't, invest in prevention, but the, investments today are completely out of whack. We spend 90% of our efforts and money trying to prevent things. And only the remaining 10% on trying too, identify the failures in that prevention and respond. This needs to be completely flipped. yes, invest in prevention, 10, 20% of your budgets, and time, and personnel, 80% focused on detection, and response, and, and, doing so rapidly.

    And that's how you win. That- That's what I'm seeing from the best organisations out there that are dealing with these intrusion attempts from sophisticated actors, nation states, and others on a daily basis.

    Garrett O'Hara: And s- you know, those, those attacks that are happening on a daily basis, Holiday, [laughs], Holiday Bear, you know, is a pretty big ex- a big example. Or, SolarWinds, as, as many people would know it. Do you see that as a new normal? I suspect you're somebody who's been involved in things in the background, and what appeared to be maybe a huge indifference type of attack for somebody like you wasn't. but, but maybe I'm wrong there.

    Like, do you see what was happening in December and, and the sort of, what feels like a difference, is that actually a difference? Like, is this a new normal? Like, the, the sophisticated attacks that we're seeing?

    Dmitri Alperovitch: Well, it has been the new normal for years. Of course, we, we just have not been paying close attention to it. but, you know, attacks like NotPetya, the most destructive attack in history, was mostly targeted at Ukraine, so only a few international companies got hit. I work with some of them. And, it was supply chain attack. They came in through compromise of, of a software update for an accounting tax software that they use in Ukraine. There have been many others attacks, Chinese have leverage supply chain for many years. they leveraged security software updates, people may recall CCleaner-

    Garrett O'Hara: Mm-hmm [affirmative].

    Dmitri Alperovitch: ... you know, tool, security tool that, who's update was compromised and used to deliver malicious code. There've been very sophisticated intrusions into Juniper, back almost eight years ago now. I think, where they had modified source code, for Juniper VPNs to enable them to gain access to, to networks. So this is not new. Most people just have not paid close attention to it. the scale, and sophistication of this attack was notable, but, i- it was not unprecedented.

    Garrett O'Hara: Yeah. I think about a, you know, physical attack, we can see it, right? We can, I can visually a, a bomb blowing up a building, or somebody physically attacking somebody else. Like, that's a picture I can paint in my mind. But when it comes to cyber it's ones and zeroes, it- it's slightly abstract. Do you feel like there's some level where that- that's part of the problem? That it sits in the background and people don't fully comprehend the, the scope and the scale of what's actually happening.

    'Cause sometimes it feels like there's full scale cyber war happening in the background. But as citizens we kind of walk around and, you know, we drink our coffees and feel like everything's okay.

    Dmitri Alperovitch: Yeah, I don't think we're in cyber war. I, I don't actually believe in the concept of cyber war. I think there is war in which cyber plays a component but, um-

    Garrett O'Hara: Yeah.

    Dmitri Alperovitch: ... I, I do think that, it, it is difficult to capture people's imaginations on cyber. And sometimes it's interesting to see what captures specific people's imagination, you, you had these big attacks to Holiday Bear, SolarWinds attack, and, the Exchange hacks happened within a very short period of each other. And I recently wrote a piece in, in [Laffer 00:24:49] arguing that one, the Holiday Bear one was actually a traditional espionage campaign that was done in a fairly responsible manner, that they, even though they had access to over 18,000 victims, they voluntarily shut down that access to 99% of those networks. Didn't try to do anything destructive, went primarily after government networks for IT and security companies that they could use to go after government networks.

    Like, the types of things that you would expect from a nation state conducting sophisticated espionage. And then contrast that with the Chinese Exchange hacks where they hit everyone on, on the planet that was running Exchange, that was vulnerable to these attacks, not just compromising their network but left these web shells that were often password, not password protected or, protected with default passwords that could then later on be used by others, like criminal groups, to execute ransomware operations against these victims.

    Completely reckless, very dangerous. And yet the Holiday Bear So- SolarWinds hack captures everyone's attention, we're talking about it, you know, months later-

    Garrett O'Hara: Mm-hmm [affirmative].

    Dmitri Alperovitch: ... Exchange hacks they're starting to sort of, dwindle in our, collective minds. Not really covered much in the press. and in part I think it's because of the targets. In SolarWinds it was sexy targets, it was, security companies like FireEye and others, that were targeted. government agencies, Department of Justice, Department of Treasury, very, very sexy stuff. In exchange the hundreds of thousands of victims, but many of them are small think tanks, school districts, etc. And that's not sexy.

    Garrett O'Hara: What did you think of the FBI's work, sort of proactively going in, removing web shells?

    Dmitri Alperovitch: I loved it.

    Garrett O'Hara: Yeah.

    Dmitri Alperovitch: I thought it was incredibly creative. the people that are sort of wringing their hands of, like, "Oh my God, they could've done something." well, first of all, what they did was very, very simple, technically. It's, literally a [inaudible 00:26:55] get request, to, to a web server, with a delete, file command. there's virtually no way that you could really mess it up. And certainly, what the Chinese did originally in compromising those servers was way more dangerous.

    Uh, and then leaving them open to ransomware actors, is, is, is completely unacceptable. So to wring our hands about, you know, the r- the highly remote, if not completely zero chance that FBI could've messed it up, it strikes me as focusing on, on the wrong issue. but no, I thought it was great. the FBI, has done, things of this nature before. They, they, they, as I mentioned, they used to do, botnet takedowns, installing [inaudible 00:27:44] kill commands to victims that they would sinkhole.

    Uh, but this was taking it a step further and actually sort of remediating, the malware, in this case a web shell, from those systems. Of course, they can only do it in the US, with law enforcement authorities. But, I thought it was, a great step forward. And, and they only do it, did it as a la- as a measure of last resort. They, they tried to notify people that they identified as having these issues, some of those people were able to clean it up.

    And only when they exhausted that, option, they decided to take the next step, get a court order, court order, which, which was very ingenious in a, in a legal sense, because it was actually a search warrant court order that allows them to access, lots of machines, in this particular case, they were not actually searching those machines, they were executing the delete command on them, but in a l- in, in a legal framework, of course, there is no, authority to do that. So they had to use a search warrant authority.

    Garrett O'Hara: Yeah, clever. And, and a good outcome. It's, it, it sort of points to some of the stuff that's happening, I think at a, government level. In Australia we have a National Critical Infrastructure Bill, which is being worked on. And I know Biden's kinda got some stuff, you know, the 100-day plan for protecting the energy infrastructure in the US. how do you see that play out? I mean, it, we- we're... In Australia there's discussions around the, proactive assistance of governments with c- you know, d- agencies and, and entities that fall under the bill.

    So healthcare, some of the universities, you know, those, those kind of... energy obviously. where the government can command and, and sort of proactively, "help" based on, you know, what's perceived as a threat to the, the nation. y- you know the FBI case, good move. How do you see that go forward and the potential for it not to go well? Or do you feel comfortable with t- with that sort of an approach by government?

    Dmitri Alperovitch: I'm comfortable with the FBI did in this particular case. but, you know, I'll tell you in America, we're much more allergic than, than, than you guys to government help. we still remember the famous phrase from Ronald Reagan saying, "There's no, scarier words in the English l- language than hearing that I'm from the government and I'm hear to help."

    Garrett O'Hara: [laughs].

    Dmitri Alperovitch: So, to America that resonates very strong- strongly. Americans, I know, in, in Europe and Australia, the, the view is quite different. but, you know, we've always had this individualism culture where, you know, obviously, given our history of fighting the British to form the country, we- we've always been suspect of the government and potential [inaudible 00:30:19].

    But, you know, more problematically we've had the government demonstrate great incompetence in cyber. not the FBI, but other parts of the government. you know, it's no coincidence that the government was compromised thoroughly in the SolarWinds hack. that, we've seen cases like OPM breach and others that have been devastating, to security. So when industry hears government talk about what industry should be doing to protect their network, this does appear too many to be highly hypocritical, and people living in a glass house and throwing stones.

    So, I do think that when it comes to critical infrastructure, there is a big push back, in industry and, in America at least, to say, "Wait a second, like, demonstrate that you actually have the ability to, to do this well before I'm gonna let you onto my network and have an impact on my business." and, that's where were we have not gotten as far as you guys have on that front.

    Garrett O'Hara: Yeah. It'll be interesting to see, well, yeah, where that lands. Another thing you've, you've talked about is this idea of, third party audits of vendor software. And, you know, that, that idea of kind of publishing the results of pen tests, of, you know, security audits of software. And when I was reading that I was thinking, that's actually a really, it's a, obviously a clever idea. But you get this, potentially the result of, like, trickle down security where a vendor that's gonna go after, you know, federal contracts or government contracts has to be audited, has to publish the pen test results, so it forces good security.

    But then private enterprisers, smaller businesses who are buying that same, certainly, SAS platforms or, or security will benefit from those audits. d- d- d- do you think that's something that will happen? Like, is that a, a, a realistic expectation that we'll see those kind of... And I know it sort of happens already to a certain extent, but where do you, where do you see that going?

    Dmitri Alperovitch: Yeah, so the administration is working, the, the Biden administration on an executive order. that will hopefully come out, in the, in the coming, coming days, maybe weeks. and, and they'll look hard, and they had to, obviously, after, after Holiday Bear, at the supply chain issue.

    Garrett O'Hara: Mm-hmm [affirmative].

    Dmitri Alperovitch: And, e- you know, one of the things that they, they saw is that, you know, if you are selling the- these critical enterprise software to the government, like what SolarWinds was doing and many others, software that runs with administrative privileges on the network, s- software that, perhaps there's a cloud system that, has access to highly sensitive data, maybe software that touches source code, you, you can kind of define what critical may mean.

    That there needs to be higher level standard for that than for a vendor that's, you know, selling M&Ms to, the cafeteria. of some agency. And, the, the traditional approach that the government has always taken was to say, "Well here is, you know, an encyclopaedia worth of regulations that we're gonna need you to, to meet. And, and we're gonna audit you on that." And, and that compliance-centric approach has not gotten us safer, and, has, in fact, made things worse.

    Um, my good friend, Heather Atkins, who runs security for Google where I worked with back during the Aurora days, had a great line back then that is still true today, that compliance is the death of security. Once you turn security from a risk management decision to a checklist of, "Yes, I did this. No, I didn't do that." that's how you, start losing the fight. And with, what I've proposed, and we'll see, see how much of that gets adopted, you focus not on checklist, but you focus on real outcomes.

    Garrett O'Hara: Yep.

    Dmitri Alperovitch: You force testing of security, realistic testing through pen tests, through, maybe, code audits, by certified third party vendors of these critical software providers, on a regular basis, so that you actually know how they can withstand, you know, an infiltration from, from, you know, capable, firm that's gonna emulate real adversary trade graph, for example.

    Um, and then I thought it would be nice to take that a step further, and not just provide that report to the government, but, but force those companies to publish it publicly so that everyone can benefit from taking a look at how well they're doing in response to these attacks. And by the way, part of the, the motivation, of making it public is, is that it will also encourage these companies to fix, their results very quickly.

    Because, you can imagine, let's say, you hire a company to come in and do a code audit of your software, and inevitably they'll find issues. Every pie- piece of software has issues. Well, if you know that in a month you will have to provide that report to the government, or you'll have, to publish it publicly, guess what? You're gonna rush out to fix those issues as quickly as possible, have that vendor retest you, give you a clean bill of health, so that the report shows that you are in good shape.

    So it creates an amazing incentive that, to actually fix the- these problems, not just identify 'em. quickly. And, and the original aspiration for this was, what New York is doing right now in the restaurant business, where they started posting their health inspection reviews out, on the front windows of those restaurants. And magically in, in a matter of months, quality, of food in New York has been up, and, there have been a lot fewer, food poisoning cases, it... I'm sure part of it is due to COVID and people just eating less in restaurants as well.

    But nevertheless, it clearly, that, that type of public shaming has an effect. People stop working with, with organisations that, they know are not doing a good job on food security or on cybersecurity. And, and that can have a great improvement on, on the whole ecosystem.

    Garrett O'Hara: How does that work economically? So one of the things we have in Australia, or used to have, is a thing called IRAP certification for working with federal governments. And one of the, the commentaries or comments about that was that the, the cost of being audited and going through the process was prohibitive for smaller organisations. So larger companies and larger technology providers could, could do it because they had the, the sort of capital and the finance to, to fund it.

    So it kind of got, got them ahead. But does that sort of stratify the providers into governments based on the, the sort of, the financial implications of being audited or pen tested to that standard and then remediate costs as well? And I'm, I'm, I support the idea, I think it's a great idea. But what's the practicalities there in terms of, you know, the c- the co- the ability for smaller organisations to compete for contracts?

    Dmitri Alperovitch: Well, I'll, I'll tell you this, I mean, it's unfortunate, but if you're providing critical software that touches source code or, you know, has administrative privileges on the network, if you can't afford an external pen test, then you probably can't afford to have great security architectures-

    Garrett O'Hara: Mm-hmm [affirmative].

    Dmitri Alperovitch: ... and, and, and be allowed to operate in this space, right? So, you know, we do have standards, and, you know, if you- if you're participating in, in building a nuclear power plant, y- you know, you can't just be a guy with a dog that's gonna come in and say-

    Garrett O'Hara: [laughs].

    Dmitri Alperovitch: ... "Well I wanna bid on this." Right?

    Garrett O'Hara: Yeah.

    Dmitri Alperovitch: There'll be lots of standards that we'll likely ask of you. And maybe it means that a small business won't be able to, to participate. But some things are much more important than enabling anyone, to be a part of, of something when you are talking about, really, this critical enterprise vulnerabilities.

    Garrett O'Hara: And then embroidered in that then, one of things you've, you sort of talked about is the cost of doing security. And, one of the, the things I've, I've had many conversations on this podcast about is the idea that is, as companies, and probably most specifically, startups are trying get to market and get to a point where they, you know, they've, they've sort of h- hi- maybe hit a good momentum, often they can externalise the cost of security. They just go to market, they innovate quickly, but security p- tends to be a little bit of an afterthought, because you can sort of get away with it.

    And there might be some instances. But, you know, it's a PR exercise, that you can hopefully get through. What, what do you s- what, if any, role would you see kind of regulatory, or regulations, or, or legislation playing to kind of level the playing field where it stops being a competitive advantage to not do security? Like, is there any role for policy in, in that?

    Dmitri Alperovitch: Yeah, no, I, I do think that we need to identify beyond just suppliers to the government, but other sectors where we wanna insist on a much higher level of standard security. And the nuclear power industry is one example.

    Garrett O'Hara: Yeah.

    Dmitri Alperovitch: that's pretty obvious. But, but many others as well. air transportation as an example. and, we, when, when there's threat to life, threat to national security, we need to have much higher standards. But again, it's not about a checklist, you know, please meet these, you know, necessary certification requirements.

    Garrett O'Hara: Mm-hmm [affirmative].

    Dmitri Alperovitch: That is much less useful than "Let us come in with a very capable pen test team, red team, that is gonna try their best to get into your network. And let's see if you can identify them. Let's see if you can thwart them, from accomplishing their objectives. And if you can, good for you, I don't care how you did it, what's most important is the outcome. but if not, then there's clearly a problem there that, you need to resolve."

    Garrett O'Hara: You, you, for somebody who's been doing security for quite some time now, and I'd be kind of interested to hear, given that you've been present in part of, you know, those events that you've kind of alluded to even during this conversation, some, some big stuff over the years in the intersection of cyber and politics. I'd be very keen to hear, you’re, like, how, how that's been. You've had a front row seat in, in some f- fairly historic events.

    Um, so that. But also, the transition from Eircode cybersecurity practitioner leader, into really what's becoming a public figure. H- How's that been?

    Dmitri Alperovitch: Well, luckily I'm still pretty involved in the industry, I'm still involved with lots of companies. as a board member, and, working close through the management team to help grow, the company, with some of them very involved in the technical strategy, etc. So, that keeps me grounded and, and, and in touch with what- what- what's going on in the industry. But a lot of my time is now spent on thinking, "Okay, technology. We've got that. You know, the solutions have evolved dramatically, where we really have phenomenal capabilities. How do we now ensure that people are using them in the right way, that the government's providing the right incentives and the right regulations to elevate our overall security?"

    Um, and that's where I see a huge gap. And, that's where I'm trying my best, these days, from a nonprofit, role, to really achieve an effect.

    Garrett O'Hara: What's the, what's the most interesting discussion you've been part over the r- like, what's the most interesting room you've been in the last kind of two decades?

    Dmitri Alperovitch: Oh, interesting room? I mean, I've been in many interesting rooms.

    Garrett O'Hara: Yeah. [laughs].

    Dmitri Alperovitch: some of them I can't even talk about it.

    Garrett O'Hara: Yeah, [laughs]. Yeah.

    Dmitri Alperovitch: But, you know, it, it, obviously the whole, experience over the last few years when we've seen these devastating attacks. You know, the Russian interference in our elections, and [Otpeti 00:42:07] attacks. The attacks on the Olympics in, in South Korea that, many people don't even remember now, from Russia. Also, very, very, impactful. The, the North Korean attack on Sony, where I was the first person to come out with public attribution of that to North Korea back in 2014, and just got eviscerated by many people sort of armchair quarterbacking who had not looked at the data, had not analysed, now and saying, "No, no, no, this is an insider."

    Um, you know, it, it is quite amazing, I've been thinking about this a lot, that in cybersecurity industry we have people that have zero involvement to a case, but yet feel like they're completely qualified, without any data to comment as experts on what actually is going on. And I'm not sure, that happens as much in other areas, of national security.

    Garrett O'Hara: It is, it's, it's always been an interesting one. Because I, I mean, I listen to a lot of security podcasts, and y- you hear that all the time, you know? Everyone's kind of got a, a theory and, it almost becomes like a whodunit, or, you know, it's like an Agatha Christie novel, where people are kind of trying to figure it out, you know, who did it, but without sort of being on the inside track for sure.

    Um, one last question, Dmitri, as we kind of round it out. you're, you, as you said, you're still, very active in the security industry. I'd be very keen to get a sense for you, like, as an investor, as a, you know, person seeing the cybersecurity industry as a whole, what are the areas in the IT landscape these days that are fascinating to you? Today. And maybe what you say as the, the future, or where this is all going.

    Dmitri Alperovitch: I think the biggest trend that we're not, coming to terms with is, as an industry, fast enough, is this whole dev ops, change, and shift in, in software development. we have not fully appreciated that engineers are now in the driver's seats. And most companies are rapidly becoming software companies, right? As Marc Andreessen said a, a number of years ago, "Software is eating the world." I mean, he was absolutely right.

    Um, I've heard it from so many CEOs of Fortune 500 companies that are, you know, manufacturing widgets, or involved in these traditional brick and mortar businesses, and they're telling me, "No, we're not software companies." you know, I think some of them, to, to some of them it's an aspirational goal, [laughs], more than a reality today.

    Garrett O'Hara: Yeah. Yeah.

    Dmitri Alperovitch: But they're all trying to move into that space. And that changes, fundamentally, the role of the CSO, the CSO that, you know, role that's still very new, I think, the first CSO, popped on the scene, you know, just 25 years ago or so. and only recently have they started to get a lot of power inside the organisation to be able to actually present to the board, to be able to actually have a say in, in the architecture of the, of the network.

    Um, y- you know, now they're losing that power, and they're losing that power because the network is disappearing, and COVID has just accelerated that trend, where everyone, you know, can work from home, there's no need for physical infrastructure. You can work in the cloud. but at the same time, the key asset that you're protecting is your software. And who's in charge of that? Not the CSO, it's the engineering leaders that are building, and product leaders that are building that software.

    So, to the extent that the CSO's involved and involved as a strategic advisor, trying to get influence, trying to make sure that the, the right coding practice is in place, that, you know, at this rape, rate of rapid change when you're pushing our releases on an almost daily basis, that the right things are being done, to make sure you don't, you know, push out the secret keys to your cloud infrastructure that will compromise everything. And all these sorts of things that you have to worry about these days.

    And, a lot of the security industry, I think, is still thinking about the traditional of, like, how do I protect this network?

    Garrett O'Hara: Yep.

    Dmitri Alperovitch: And the network is disappearing. so, the, the big security companies that are gonna evolve, over the coming years are gonna be the ones that are gonna figure out how they can market to developers, not market to the CSO. And, and, and provide solutions that actually make the job of the developer easier. and, and enabling them to build software in a secure fashion.

    Garrett O'Hara: Fantastic. With that, we're, we're just about hitting time here. So on that, on the crystal ball, question, we'll leave it there. Dmitri, thank you so much for taking the time out to talk to us. very, very much appreciated.

    Dmitri Alperovitch: Thank you. Take care.

    Garrett O'Hara: And thanks so much to Dmitri for that conversation. And as always, thank you for listening to the Get Cyber Resilient Podcast. Jump into our back catalog of episodes, and like, subscribe, and leave us a review. For now, stay safe, and I look forward to catching you on the next episode.

     

    Haut de la page