Session name: Will security stall the Internet of things?
Up next, security is a big topic so we are going to dive right into it next. It’s going to be ‘Will Security Stall the Internet of Things?’ It is going to be a discussion moderated by Adrian Turner, Founding CEO of Mocana. He is going to be speaking with Steve Bowsher, EVP of In-Q-Tel and Robert Rodriguez, Chairman and Founder of SINET. Please welcome our next panel on the stage.
Adrian Turner 00:34
Thank you. First of all, I would like to introduce the broad context for this panel and hand over to Steve and Robert to introduce themselves. Steve, why don’t you go ahead and let people know a little bit about yourself?
Steve Bowsher 00:53
My name is Steve Bowsher. I am the Managing Partner of In-Q-Tel. We are an independent, not-for-profit 501(c)(3) that gets money from the CIA and other US intelligence agencies to invest in startup companies who have technologies and products of interest to the US intelligence community.
Robert Rodriguez 01:09
Good afternoon. Robert Rodriguez. Thank you Adrian. Retired Secret Service agent, served 22 years, re-booted and became an entrepreneur in 2004. Company is SINET, connects the investors, the builders, the buyers, researchers in the cyber security domain focused on the advancement of innovation. We believe that innovation in the most simplistic form is just having awareness that solutions technology exist to better society.
Adrian Turner 01:36
Thanks. There’s a lot of ground that we could cover with respect to security, but the focus for this discussion is related to government and the role of government, and whether in fact there should be a greater role of government in regulation as the Internet of things and mobility progresses. To frame that, I would like us all to think about where the market’s at in terms of four generations around mobility with the first generation being very device-centric, so you saw a lot of NDM companies emerging in that first generation. Second generation being the layering on of a small set of productivity apps; PM calendar, document sharing. The third generation, which is where we are at right now, is about integrating mobility into business processes and deploying the long tail, the specialized applications in the enterprise. The fourth generation, that’s kicking off concurrently, is integrating machine processes into mobility and mobile applications becoming control points for the internet of things and the things around us. As we do that, as we move to the third and fourth generation, security becomes critical and essential. I want to make a quick distinction between security and privacy. We’re going to talk about security. Security is a state of being free from danger; privacy, on the other hand, is the state of being free from being observed. This is about the technology of protecting systems, what’s done with that data is policy decisions and ties into privacy. As it relates to security, guys, how real are the threats?
Steve Bowsher 03:30
They are certainly real, Adrian, and we as a country and as a business community have seen the threats increase over the last 10 or 15 years and the pattern is the same. Any time a new platform comes out, whether it’s the internet or mobile and now the Internet of things, it opens up new security threats to the information being transmitted over that platform and offense is always ahead of defense. The offensive guys figure out what those vulnerabilities and exposures are first and then defense has to play catch-up. It has to figure out how to come back and patch those or solve those security vulnerabilities after the fact. The good news is, having seen that pattern now a few times, the Internet of things industry is trying to get closer to it right from the beginning. I don’t think anyone expects it to be completely right from the beginning. I am encouraged from conversations I hear that folks who are kind of rolling out the Internet of things technologies are thinking of security from day one. That’s important and that’s our best hope of success.
Robert Rodriguez 04:48
In addition to the attacks and the threats, and reading the paper every day, the ancillary signals are really great market. Money walks, money talks. You look at the M&A market from 2011 to 2012, 72 companies were funded in 2011 and 132 in 2012. Funding volumes went from 760 million to 1.1 billion in a 12-month period. The private equity is now involved in playing in cyber security in terms of investments and investing in small numbers that typically they don’t invest in. The US Cyber Command under General Alexander now has 12 offensive operations. In terms of policy, five and a half, six years ago, there were zero bills on the Hill that had the word cyber security in the legislation, now there’s over 50 plus. If you look at the budgets in the government that’s been decimated due to the sequester and all the things over the last 16 months or so, the one area that’s flat or is plus sub is cyber security in the R&D space, in particular DHS, the S&T side of the house, Science and Technology Directorate. Then the entrepreneurs that have continued to innovate and build to address this market, they see an opportunity. They are also marching to Washington D.C. The beltway was typically not a spot that they would go to sell the market. It was typically a private industry. The job shortage according to Cyber Maryland report from a year ago indicated 340,000 jobs vacant. It’s a difficult challenge to hire very talented people in the cyber security space. Lastly, I think that the vertical and horizontal market opportunity is huge for cyber security. I believe if you are a company and I just example SAP, Oracle, going in to sell products buyers were faster, cheaper, better. And by the way, we’re also trusted, secure, resilient, redundant, safe, robust and will be coming down to the word of trust, trusted operating systems and secure. I also believe that this market will be regulated.
Adrian Turner 07:05
That’s a great point. We see that too. Mocana secures connected devices and about 250 manufacturers around the world use the products today, and we see that too. Higher awareness of the problem earlier in the design decisions around building connected devices and a practice or competence inside of these companies to focus just on cyber. Moving along in the segue into the regulation that you mentioned Robert, what do you think government’s role should be? Where does legislation make sense in the market?
Robert Rodriguez 07:45
The government’s role is to be the leader, the voice, the evangelist of the importance of the issue. If you look at DoD executives and DHS executives writing op-ed pieces in the New York Times over the last couple of years highlighting the importance of this space, but empowering the industry to be the actual operators and executors of PD63, if you will, for example. The presidential directive that President Clinton issued putting the onus on private industry, the owners and operators of our nation’s critical infrastructure to raise the bar in terms of having more secure, trusted resilient systems, but there needs to be some incentives. There needs to be some tax incentives, good housekeeping skills or the incentives to make the companies step up. And if they don’t, again, it’s probably going to be regulated. Follow the path of the history of the automobile when you didn’t have speed limits, you didn’t have stop lights, stop signs, and then you got into safety bumper, safety glass. Just kind of watch that transition of how that market evolved and changed, even to the concrete. The greater the concrete, the cement that the interstates, the quality and the standards that they had, so cars could travel on. Right now, the NIST Security Framework that’s being led by NIST and supported by DHS and the White House is a great opportunity for private industry to engage, to help shape that framework, whatever it is, before it’s regulated. This way, they have a voice, an opportunity, versus ignoring that and then complaining later that they didn’t get to shape that regulation.
Adrian Turner 09:29
Steve, what about from your perspective and what are some of the models for government involvement that you’ve seen work well?
Steve Bowsher 09:34
Essentially, I’m not a huge fan of the term regulation. To me that screams rules and none of us likes rules, that’s why we are out here in Silicon Valley, but what government is good at and what is valuable in these sort of situations is standards. Government can often be the leading catalyst for groups coming together, whether it’s public sector groups or private sector groups, and creating standards through which new technologies, industries and platforms can emerge. The Internet of things, as we know, is a wide open green field opportunity for a lot of companies, a lot of technologies, platforms, and if we don’t come together and figure out what the standards of interoperability or standards of communication, standards of data storage, and the standards of data security, it’s going to be hard to make the promise of all this hyper-computer and that’s where government can help.
Adrian Turner 10:35
I agree with the rules and regulations. Interesting case in point and I am not sure if everyone’s aware, at one point, in the not too distant past, the FDA was involved in the regulatory environment and regulation of medical devices to the point where software updates and purchase were treated as a medical device and had to go through the 90 day certification process. The practical implication of that was machines got unplugged from the wall. There’s a balance between when we are dealing with, not only mission-critical, but life-critical systems, making sure that there isn’t about operability, there is a standard for safety, but also that it doesn’t get in the way of the efficacy of the machines. One of the areas that you touched on, Steve, was public-private sector. The financial services industry does a great job of sharing information around breaches. Do you think there needs to be anything that’s done for other industries to replicate that and how can the industry get involved in doing that in terms of information sharing about breaches?
Steve Bowsher 11:54
It’s a great point and the industry overall understands that sharing information about breaches and other attacks is something that’s good for everybody, but it’s hard to make happen in reality. Part of it is incentives, part of it is censor or a desire for privacy that we all have, but the financial service industry, to your point, has greatly benefited from their stakeholders coming together and sharing threats. From a threat perspective, we are moving to a world in which the threats are no longer the generalized rule attacks, the standard virus that gets distributed around the world and attacks everybody and everything, but are moving more towards the targeted attacks and they are targeting industries, they are targeting companies, they are targeting specific commerce mechanisms. As those threats become targeted, those groups that are the targets of the threats need to become more communicative and to just sharing with each other. Like I said, everyone gets this. It’s hard to figure out the incentives and that’s where, to Robert’s earlier point, government is good sometimes at creating the right incentives for people to come together and do the right things. That is the potential role for government here.
Adrian Turner 13:26
Leading on from that, Robert, you touched on risk. It seems like in the world we are moving to, if there is a breach in the Internet of things, security can manifest in reliability and safety concerns. What are your thoughts on information sharing safe habits for information sharing?
Robert Rodriguez 13:53
A couple of things. Information sharing is a priority to the government. In fact, numerous bills have the words information sharing. To Steve’s point, it’s difficult. It comes down to one word: trust. If the government is going to share information or they want industry to share information, the government has got to give back. It can’t just continue to take the information without giving back on a platform. Right now the CISOs, a lot of them responsible for protecting intellectual property, the data, the brand reputation of the corporations have their own asymmetrical cells where they pick up the phone or they e-mail each other and talk about the attack that they are experiencing, what tools other CISOs are using to mitigate that risk. They have their own little ad-hoc platforms in different cities and they are very small but it’s because they are trusted. It’s hard to scale trust, enterprise-wide or across the nation in terms of when you are sharing your information especially information that could be exposed to society by the media that exposes the vulnerabilities or the weakness of that company that could affect the shareholder value. It’s something that is in play now, how they do it is another thing and how they execute but one thing to remember here is that the government runs on industry’s critical infrastructure 85% to 90%, so by not sharing, they actually hurt themselves. We want to create an environment where it’s a win-win for both the industry and the government.
Adrian Turner 15:34
As we move to the Internet of things as well, I experienced this first-hand inside of one of the consumer electronics companies that I worked for previously, we built one of the first connected devices. When that device went down, there was a network operator involved, there was us involved, we made the box, and there was a third party service provider involved and customers didn’t know who to call, where the accountability for the problem lay. Given that security can potentially or security breaches render devices inoperable, what are your thoughts about how to sort through who is really accountable and responsible? In other industries, there have been instruments like financial instruments to make sure that the incentives between risk and reward are aligned, what’s your thought about how that shapes out?
Steve Bowsher 16:34
It’s still early days and you put your finger on a great problem. I don’t know if we have a great answer or solution for it yet. The Internet of things is going to be a much more complex supply chain and to the act that you described, there are going to be multiple parties who are in that supply chain and the security breach could come from any of their spheres of responsibility. But as an end-user, you are going to be looking for one party to choke and so ultimately, what is going to happen, is in each of those areas, someone is going to emerge as the customer owner. They’re going to take the responsibility with the customer for that and then they are going to have to work that through their own supply chain to syndicate the security risk, if you will. That is going to be new and different, and there is going to have to be some creative thinking put in to figure that out.
Robert Rodriguez 17:39
We definitely can’t separate risk and reward, they have to be part of the same culture, part of the same model. If you look at what happened back in 1998 with the banking collapse, risk and reward were separate. The reward people will run crazy, 100 miles an hour, and just go nuts and the risk people will be stagnant and stymied. The metrics, the insurance, the actuaries that have been around for hundreds of years are now being applied to cyber security but they are immature metrics because it’s very difficult to measure a very dynamic environment such as the Internet and the speed of things that occur with it. If you think about the internet, how old it is, we go back to the first transmission October, 1969 from UCLA to SRI International, we’re babies. We are at the very beginning in a sense of understanding the complexity and the speed of it. It was also built by good people for good reason without security in mind and so now, there are all these gaping holes and vulnerabilities. Try to compare measure where we are today as a society with this global internet that has no zip-code versus the Laws of Sea that were created by the Dutch in 1609 and how many hundreds of years that took to have domestic and international safe harbors and policies. We are just at the beginning in a sense.
Adrian Turner 19:12
And if we get it right, amazing things will happen. We think about the world that we are moving to in the scale, automation has to play a key part. To be able to automate, you have to be able to trust the data that you are building business processes around. Let me pause. I will be happy to take questions from the audience if anybody has a question for myself or the group. Steve and Robert, for the entrepreneurs in the group in the room, how should they be thinking about getting involved with security and perhaps even influencing some of the decisions that are going to be made by regulatory bodies and government?
Steve Bowsher 20:06
We just went through sea change opportunity with mobility coming to the enterprise that has produced a number of valuable companies and really is the [caustic?] example of technology disrupting business processes that allow for entrepreneurs to create valuable companies. The difference I see between mobility and internet of things coming is, mobility was able to sort of overwhelm some of the traditional barriers to grow as an enterprise which is the CIO and the CSO of an enterprise. That’s because, for the first time, the CEO of the company came in with his smartphone or his tablet and he said ‘I am using one of these at home, I love it and I want to get access to my corporate data on one of these things. Go make this happen.’ And he/she didn’t want to hear any objections or any sort of ‘It’s not going to be secure. It’s not going to be managed’, all that sort of stuff. CIOs and the CSOs had to play catch-up in the mobility space and we were able to see the [cotty?] stick growth curve that we, industrialists, love to see. Internet of things, I’m not sure if there is going to be that same sort of external forcing function that causes the CIOs and the CSOs and their traditional challenges around manageability and security to be overwhelmed. As a result, if you are an entrepreneur thinking about starting a company or have started a company and you want to have a very successful career in this area, you have to figure out how to make your product friendly to the stakeholders. If you can do that, you can separate yourself from a lot of other companies in this industry which I don’t think are paying attention to those constituents and that’s going to come back to bite them.
Robert Rodriguez 22:02
To the entrepreneurs, the innovators, and to small and big business, one word that comes to mind is, again, trust. How important is the word trust on your road map? To not only provide the service or product and the things that it does but that it’s going to be robust and secure and trusted, resilient, safe. That and the user friendliness of it. Sometimes gets in the way when you balance security and efficiency because they are different. Maybe there is a balance in there. I also encourage those that are entrepreneurs that are looking at building a company, look at the cyber security market. The M&A market is on fire, the recent IPO of FireEye, acquisitions of Sourcefire by Cisco, and Solera was purchased back in June. It’s an exploding market that according to Goldman Sachs is not going away anytime soon.
Adrian Turner 23:00
Just to finish out, the title of the panel was ‘Will Security Stall the Internet of Things?’ What do you guys think if security is not solved the right way? Can the Internet of things and mobility succeed?
Robert Rodriguez 23:17
If it’s not addressed properly. I hate to use that word again. It could get regulated if it’s not secure enough, and safe enough, and trusted enough, and regulation impedes innovation.
Steve Bowsher 23:33
It’s going to happen no matter what but how we address and embrace security will absolutely have an impact on the rate of growth in the certain areas and industries where it can’t grow into without having security progress story.