Tuesday 5 November 2013

The Internet's Neighborhood Watch

The Neighborhood Watch dates back to July 1, 1700 in Colonial Philadelphia with the passage of the Safe Streets bill. With no police department yet established, citizens took turns as the appointed watchmen to "go round ye town with a small bell in ye night time, to give notice of ye time of night and the weather, and anie disorders or danger."

In many ways, cyberspace today feels like Colonial Philadelphia - fraught with "disorders and dangers" and no police force capable of apprehending the offenders. No wonder then that last February President Obama signed an executive order calling on Americans in the public and private sector to establish the equivalent of a cyber Neighborhood Watch.
"It is the policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties. We can achieve these goals through a partnership with the owners and operators of critical infrastructure to improve cybersecurity information sharing..."
But sharing cyber threat data is shockingly rare, despite the fact that for the last two decades, hackers have steadily organized a vibrant industry around the tools and services needed to launch cyber attacks: credit card credentials, script kiddies, zero day vulnerabilities, bot armies, and other staples of cyberwarfare are sold through web sites and channels similar to those associated with legitimate IT purchases. And yet up until 12 months ago, when a wave of cyber attacks against US banks, government agencies and media sites exposed our economy's soft underbelly, no enterprise would ever voluntarily discuss its security infrastructure, let alone acknowledge a breach or even an attack, lest it worry its constituents.

But in those 4 months from October 2012 to February 2013, everything changed. A steady drumbeat of DDoS attacks rendered our banks offline and, for the first time, account holders demanded that their banks openly address the problem. In a novel gesture of transparency and collaboration, Bank of America actually asked the Feds for help.

The US has responded by organizing industry and government to start collaborating, so that cyber attackers, as they are detected, cannot simply jump from target to target. Twenty-nine federal agencies today share real-time threat data stemming from cyber incidents through an exchange integrated with all the heterogeneous security infrastructure across those agencies. Suspect IP addresses, bad app signatures, malicious domain names, fraudulent host names, and other types of blacklists are now updated in real time to broadly deflect attacks as they are discovered.

Furthermore, this federal "ActiveTrust Exchange" has now been opened up to large commercial enterprises, including financial institutions (like BVP) and some mega Silicon Valley tech companies. The President's vision of a national Neighborhood Watch is now a reality.

Paul Ferguson, VP Threat Intel
The company that developed and operates ActiveTrust is Internet Identity ("IID"), a somewhat obscure company in Tacoma, Washington with deep security DNA. IID is pioneering the idea that security technology should be decoupled from security data - that you can't rely on your vendor of security hardware and software to also provide you with all the intelligence you need to filter bad traffic. Your security gear is only as good as the blacklists it enforces; without up-to-date cyber intel, you can't repel the motivated and highly targeted cyber attack.

IID now sells various services and intelligence feeds, but the primary product is membership in the ActiveTrust exchange. ActiveTrust includes highly sophisticated governance modules to anonymize and regulate what you share (to satisfy the lawyers) and what you ingest (to weed out the George Zimmermans from your Neighborhood Watch).

Based on the success of these recurring revenue services, IID has profitably bootstrapped. But the government's collaboration initiative is so important to the viability of the internet that I'm proud to report that I've reached out to IID and Bessemer has just led their first round of venture capital. The Company is now very well funded to invite many more members to join ActiveTrust, starting with critical infrastructure.

I invite you to contact sales-AT-internetidentity.com to apply for membership in ActiveTrust. Let's work together to "to give notice of ye time of night and the weather, and anie disorders or danger."

Wednesday 9 October 2013

Richard Dawkins and Atheist A Cappella

Richard Dawkins is a frequent visitor to the Bay Area, often stopping at Kepler's to sign books, or speaking at schools (today he taught evolutionary theory to the students at Nueva). In 2009, while he was here for a book tour for Greatest Show on Earth, I hosted a fundraiser for his foundation, for which I organized the first ever atheist a cappella group from among singers I know who tire of crooning about saviors and magical births. Having read Dawkins' book Climbing Mount Improbable, we called ourselves Hereby Chants.

Photo credit: Steve Jurvetson
Well this Sunday the Hereby Chants had the honor of delivering an encore performance for Richard at a private lunch for his foundation's supporters, and here it is...

Saturday 5 October 2013

An Appetite for Wonder: The Making of a Scientist

Tonight I had the honor of introducing Richard Dawkins at a Kepler's Bookstore book-signing for his memoirs An Appetite for Wonder: The Making of a Scientist. Here are my notes from the intro:

Good evening! I’m your neighbor David Cowan, and with Thanksgiving only 6 weeks away, it’s my job tonight to share with you 6 reasons why we are all very fortunate.

First, we are fortunate to have Kepler’s in our community so we can meet our literary and scientific heroes.

Second we are fortunate because tonight we have a visitor, Richard Dawkins, who ranks among the handful of greatest scientists of our generation. From his perch at Oxford, Professor Dawkins has advanced evolutionary biology, and authored several of the best-selling science books ever published, including Extended Phenotype, Selfish Gene, Blind Watchmaker, Unweaving the Rainbow, Devil’s Chaplain, and God Delusion, which has sold millions of copies.

Another book of his, Climbing Mount Improbable, taught me our third good fortune tonight: that after billions of years of chaos, life sprang up on our little planet, our species emerged from a trillion accidents of nature, and the organisms sitting in this room won the lottery of conception. (You may notice that these fortunes are not necessarily presented in any increasing or decreasing order of magnitude.)

And now he’s written his memoirs, An Appetite for Wonder: the Making of a Scientist, and we are quadruply fortunate that after multiple visits here, Kepler’s remains one of Richard’s favorite places to meet his readers.

The first chapter of his memoirs recounts his family history in which Clinton George Augustus Dawkins, consul to Austria and not yet a father in 1830, was fired upon by a cannonball that just barely missed his privates. Naturally, that is good fortune number five for us tonight.

The memoirs go on to document the intellectual development of Earth’s most famous atheist, from humble beginnings on a country farm, and parents who lived sparingly in order to afford the finest education for their children. Reading about the collision of his Anglican indoctrination with natural evidence and common sense evoked strong memories of my own religious upbringing, as I’m sure it would for many of you. He writes:
“I was intensely religious around the time I was confirmed. I priggishly upbraided my mother for not going to church. She took it very well and didn’t tell me, as she should have, to take a running jump.”
But soon Young Richard (or Clinton, which we now know to be his true name) started to question the institutional rituals around him. This is my favorite chapter…
[p. 140] I was especially incensed by the hypocrisy of the General Confession in which we mumbled in chorus that we were miserable offenders. The very fact that the exact words were written down to be repeated the following week, and the week after and for the rest of our lives (and had been so repeated since 1662) sent a clear signal that we had no intention of being anything other than miserable offenders in the future. 
But Richard retained his belief in a Creator God, and as a teenager he did continue to worship.... Elvis Presley, that is. Richard privately impersonated the rock and roll legend, and remembers buying the album I Believe.
[p. 142] I listened with delight – for my hero sang that every time he saw the wonders of the world, his faith was reinforced. My own sentiments exactly!...I sort of half believed that in this unexpected record, Elvis was speaking personally to me, calling me to devote my life to telling people about the Creator God.
Skipping down to our 6th and final good fortune tonight…
I became increasingly aware that Darwinian evolution was a powerfully available alternative to my creator god as an explanation for the beauty and apparent design of life. It was my father who first explained it to me… But eventually a friend – one of the two, neither of them biologists, in whose company I later refused to kneel in chapel – persuaded me of the full force of Darwin’s brilliant idea and I shed my last vestige of theistic credulity, probably at the age of about sixteen. 
Because Richard refused to kneel in chapel, his housemaster Peter Ling summoned his parents for a heart-to-heart talk over tea.
[p 143] Mr. Ling asked my parents to try to persuade me to change my ways. My father said (approximately, by mother’s recollection): ‘It is not our business to control him in that sort of way, that kind of thing is your problem, and I am afraid I must decline your request.’ 
Richard hasn’t kneeled since then. As Oxford University’s very first Professor for Public Understanding of Science, he has become a powerful agent of social change through his discoveries, lectures, and books. He promotes science education and science-based policy through his private foundation, daily tweets and even last week’s appearance on the Daily Show.

So, neighbors, if you feel as fortunate as I do tonight, please join me in giving a warm Kepler’s welcome to our visiting Biologist, Author, Teacher, Social Activist, Tweeter, and Elvis Impersonator, Professor Clinton Richard Dawkins!

Wednesday 28 August 2013

The Coming Wave of Cloud Security Startups

This is a reprint of an article I wrote this week for MIT Technology Review.

Our growing computer security problems will create many new companies.

The threat from cyber-intrusions seems to have exploded in just the last 18 months. Mainstream media now report regularly on massive, targeted data breaches and on the digital skirmishes waged among nation states and cybermilitants.

Unlike other looming technical problems that require innovation to address, cybersecurity never gets solved. The challenges of circuit miniaturization, graphical computing, database management, network routing, server virtualization, and similarly mammoth technical problems eventually wane as we tame their complexity. Cybersecurity is a never-ending Tom and Jerry cartoon. Like antibiotic-resistant bacteria, attackers adapt to our defenses and render them obsolete.

As in most areas of IT and computing, innovation in security springs mostly from startup companies. Larger systems companies like Symantec, Microsoft, and Cisco contribute to the corpus of cybersecurity, but mostly acquire their new technologies from startups. Government agencies with sophisticated cyberskills tend to innovate more on the offensive side. I think that in the coming years we will see many small, creative teams of security engineers successfully discovering, testing, and building out clever new ways to secure cyberspace.

Anyone looking to found or invest in one of those small security companies destined for success should focus on the tsunami of change rocking the IT world known as cloud computing. In a transformation that eclipses even the advent of client–server computing in the 1980s, businesses are choosing to subscribe to services in the cloud over running software on their own physical servers. Incumbents in every category of software are being disrupted by cloud-based upstarts. According to Forrester, the global market for cloud computing will grow more than sixfold this decade, to over a quarter trillion dollars.

Cloud security, as it is known, is today one of the less mature areas of cloud computing, but it has already become clear that it will become a significant chunk of that vast new market. A Gartner report earlier this year predicted that the growth of cloud-based security services would overtake traditional security services in the next three years.

Just like other software products, conventional security appliances are being replaced by cloud-based alternatives that are easier to deploy, cheaper to manage, and always up-to-date. Cloud-based security protections can also be more secure, since the vendor can correlate events and profile attacks across all of its customers’ networks. This collaborative capability will be critical in the coming years as the private sector looks to government agencies like the National Security Agency for protection from cyberattacks.

The cloud also enables new security services based on so-called big data, which could simply not exist as standalone products. Companies like SumoLogic can harvest signals from around the Web for analysis, identifying attacks and attackers that couldn’t be detected using data from a single incident or source.

These new data-centric, cloud-based security products are crucial to solving the challenges of keeping mobile devices secure. Most computers shipped today are mobile devices, and they make juicier targets than PCs because they have location and payment data, microphones, and cameras. But mobile carriers and employers cannot lock down phones and tablets completely because they are personal devices customized with personal apps. Worse, phones and tablets lack the processing power and battery life to run security processes as PCs do.

Cloud approaches to security offer a solution. Software-as-a-service security companies like Zscaler can scan our mobile data traffic using proxies and VPNs, scrubbing it for malware, phishing, data leaks, and bots. In addition we see startups like Blue Cava, Iovation, and mSignia using Big Data to prevent fraud by fingerprinting mobile devices.

Cloud security also involves protecting cloud infrastructure itself. New technologies are needed to secure the client data inside cloud-based services against theft or manipulation during transit or storage. Some security auditors and security companies already sell into this market, but most cloud developers, focused on strong customer growth, have been slow to deploy strong security. Eventually it should become possible for cloud computing customers to encrypt and destroy data using their own encryption keys. Until they do, there is an opportunity for startups such as CipherCloud and Vaultive to sell encryption technology that is used by companies over the top of their cloud services to encrypt the data inside.

Lastly, cloud security also includes protecting against the cloud, which enables creative new classes of attack. For example, Amazon Web Services can be used for brute force attacks on cryptographic protocols, like the one a German hacker used in 2010 to break the NSA’s Secure Hashing Algorithm. Attackers can use botnets and virtual servers to wage distributed denial of service attacks; and bots can bypass captcha defenses by crowdsourcing the answers. Cloud-based attacks demand innovative defenses that will likely come from startups. For example, Prolexic and Defense.net (a company Bessemer has invested in) operate networks of filters that buffer their clients from cloud-based DDoS attacks.

Cloud computing may open up enormous vulnerabilities on the Internet, but it also presents great opportunity for innovative cybersecurity. In the coming decade, few areas of computing will be as attractive to entrepreneurs, technologists, and investors.

Friday 16 August 2013

How Long Will the U.S. Cloud Market be "Snowed In"?

Do recent revelations about US cyber intelligence activities jeopardize our nation’s market leadership in cloud computing? Will enterprises – domestic and foreign alike – now favor foreign vendors, or even avoid the public cloud altogether? A review of the political and technical realities points to trouble for US cloud providers, but only for the short term.
In recent weeks we’ve seen a tangible backlash against the NSA’s PRISM program and those tech companies who cooperate, especially those who “don’t put up a fight.” It is the natural, reflexive reaction to the sudden awareness of a potential intrusion on our privacy, and it includes new scrutiny by individuals and enterprises as to whether they should entrust their data to US cloud vendors, who have already felt some impact on their rates of sales and churn.
As related news reports and editorials come online, they provoke a lot of comments that reflect public sentiment. These comments have expressed concern about the lack of transparency in federal policies and jurisdiction, and even outrage at what many believe to be unconstitutional surveillance.
But in the past week, public comments on news sites have started to incorporate a more balanced look at the situation. There is acknowledgement that US intelligence agencies are doing their jobs when they gather data on potential threats to national security, just as other governments do; that the NSA does not steal IP for economic gain as many other state agencies do, and that despite our deficiencies, the US agencies operate under tighter oversight than foreign agencies. Especially as Congress moves to improve transparency, there is a grudging awareness that US-based clouds may offer the best privacy, relatively.
But is it good enough to be simply less bad? As long as privacy remains a concern, there will be resistance to adoption of any public clouds, and, as the market leaders, US vendors will suffer.
Fortunately, cryptographic technology will ultimately make this issue largely moot for most cloud infrastructure, platforms and applications. To date, cloud vendors have been slow to implement proper cryptographic protocols, since demand has grown so quickly without it. But with the recent focus on privacy, SaaS, PaaS and IaaS providers must get around to implementing what they should have implemented years ago.
Specifically, data in the cloud must be encrypted using keys that are controlled by the customers who own them. So whether you use SalesForce, Box, Google Apps or Workday, you should have the option of encrypting your data both in transit and storage, and although many cloud providers offer encryption today, they typically use one key for everyone, or at best they offer individual keys that are generated and controlled by the vendor.
The recent, notable exception is Amazon, whose CloudHSM service offers AWS customers access to Hardware Security Modules for key protection inside their cloud. It's time for others to follow Amazon's lead, so that customers can comply with their own regulations, data breaches will be far less catastrophic, and intelligence agencies will have to find new ways to snoop.
Until then, interim solutions from a new class of security startup — like CipherCloud, Vaultive, Vormetric, and Navajo (acquired by SalesForce) — enable you to encrypt your data before you send it to the cloud. Unfortunately, cloud providers cannot do much with encrypted data that they cannot decrypt - their applications cannot provide features such as sorting, fuzzy searches, and comparative metrics. CipherCloud and others have had to invent some kludgy workarounds (e.g. adding additional unencrypted index fields) with some but limited success. These solutions will be less compelling when clouds are properly secured.
For IaaS and PaaS vendors, the imperative to hand the keys to the customer is clear, but for SaaS providers, it's trickier, since their apps need to "borrow" the keys. For those customers who cannot tolerate even the smallest risk of exposure to those nation states with formidable cyber capabilities, tradeoffs will have to be made between security and features. There will also be tradeoffs in convenience, since mobile devices will need key management systems or VPNs. The most difficult application to secure would be one that requires sharing among individuals who do not typically have cryptographic keys, which is why Lavabit and Silent Circle just shuttered their secure email services (although I expect Phil Zimmermann will craft a workable solution in time).
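To make the customer-held-key model and the "extra index field" workaround concrete, here is an added example written for this post (not CipherCloud's, Vaultive's or any vendor's code): the customer encrypts an e-mail field under its own AES-GCM key before upload and attaches a keyed hash of the value, so the provider can still answer exact-match queries but can neither read, sort nor fuzzy-search the field. The keys are generated at random as stand-ins for a key held in the customer's own HSM or KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strings"
)

// CustomerKeys stay with the customer (an on-prem HSM or KMS in practice) and
// are never sent to the provider. Constructed at random here for the example.
type CustomerKeys struct {
	DataKey  []byte // AES-256 key for the field itself
	IndexKey []byte // HMAC key for the blind index field
}

// StoredRecord is all the provider holds: ciphertext plus an opaque index field.
type StoredRecord struct {
	Ciphertext []byte // nonce || AES-GCM(email)
	EmailIndex string // keyed hash of the e-mail: the "extra index field" workaround
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable entropy: nothing sensible to do
	}
	return b
}

func NewCustomerKeys() *CustomerKeys {
	return &CustomerKeys{DataKey: randomBytes(32), IndexKey: randomBytes(32)}
}

func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // keys are always 32 bytes in this example
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// BlindIndex is an HMAC over the normalised value. Equal e-mails give equal
// indexes, so the provider can answer exact-match queries, but it learns
// nothing about ordering, so sorting and fuzzy search stay impossible.
func BlindIndex(k *CustomerKeys, email string) string {
	mac := hmac.New(sha256.New, k.IndexKey)
	mac.Write([]byte(strings.ToLower(strings.TrimSpace(email))))
	return hex.EncodeToString(mac.Sum(nil))
}

// Encrypt runs on the customer side before upload; a fresh nonce per record
// means two identical e-mails still produce different ciphertexts.
func Encrypt(k *CustomerKeys, email string) *StoredRecord {
	gcm := mustGCM(k.DataKey)
	nonce := randomBytes(gcm.NonceSize())
	return &StoredRecord{
		Ciphertext: gcm.Seal(nonce, nonce, []byte(email), nil),
		EmailIndex: BlindIndex(k, email),
	}
}

// Decrypt runs on the customer side after the record is fetched back; it
// fails on a wrong key or any tampering with the ciphertext.
func Decrypt(k *CustomerKeys, r *StoredRecord) (string, error) {
	gcm := mustGCM(k.DataKey)
	if len(r.Ciphertext) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := r.Ciphertext[:gcm.NonceSize()], r.Ciphertext[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// ProviderLookup is the only query the provider can serve without the keys:
// exact match on the index field. The provider does learn which records share
// an e-mail, which is the leakage the customer accepts for searchability.
func ProviderLookup(store []*StoredRecord, index string) []*StoredRecord {
	var hits []*StoredRecord
	for _, r := range store {
		if r.EmailIndex == index {
			hits = append(hits, r)
		}
	}
	return hits
}
```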
Cloud computing still promises compelling benefits, and US vendors have competed well on features and services, benefitting from deep and rapid innovation. But it's time now for them to properly defend their data, and market share, by attending to security. We should expect these cryptographic capabilities to generally come to market in 2015; until then, the forecast for the sector remains Partly Cloudy.

Tuesday 11 June 2013

EyePhones Will Replace iPhones

I presented the following prediction as part of a spirited Churchill Club debate with 5 other VCs. It was first published as text in AllThingsD.

Remember MS-DOS commands, and the WordStar keystroke combinations we had to memorize? Then the first Macintosh featured a mouse driven GUI that was game changing because it removed a layer of friction for both the data going in and coming out. When we tried that first model, we knew we could never go back to a C prompt.

And yet the impact of graphical computing was minor compared to how facial computing will change our lives, and how we all relate to The Collective. Think of it as a man-in-the-middle attack on our senses, intercepting all the signals we see and hear, and enhancing them before they reach our brains.

First Generation Mobile Computer
This is not science fiction, and based on prototypes I’ve seen, it’s a good bet that design teams in Google, Apple, Samsung and various military contractors are building eyewear computers that will render smartphones as obsolete as the first generation of mobile computer. I’m not talking about Google Glass, with its cute little screen in the corner. I mean an immersive experience that processes what we see, and then overlays graphical objects onto our field of view: true Terminator Vision. The US military has this capability today, so that troops can see pointers to their platoon members, and markers of known IED locations. So now it’s just a question of making the hardware small, cheap, and available in four adorable colors.

Not only will our favorite apps on eyewear computers be more immediate and engaging, but we’ll experience new computing capabilities so compelling that we find them indispensable. For example, eyewear computers can record our lives, and enable us to summon any relevant conversation or incident from our past. With eyewear computers, we can truly share experiences in real time, transporting ourselves to the perspective of someone on a ski slope, or in a night club, Wimbledon match, or the International Space Station.

Just as Terminator did in the movie, we will air-click on actual things we see to interact with, investigate, or purchase. We’ll integrate facial recognition and CRM for background data on everyone we meet. When we travel abroad, signs will appear to us in English, and when someone is speaking to us, we can simply turn on English subtitles.

A new generation of games will be more immersive and engaging than ever before.

Five years from today, when smartphone sales are in decline, we will ask ourselves: Remember when we used to spend our days looking down at those little screens?

Friday 7 June 2013

Sensationalizing Cyber Surveillance

As we adapt our laws to technology, we struggle to strike a balance between national security and privacy. As we do, we tend to thrash back and forth between extreme policies, from the Computer Fraud and Abuse Act of 1996, criminalizing researchers and hackers, to the Patriot Act of 2001, criminalizing everyone else!

If we begin with first principles, I'd guess that as a society most of us would find the following to be a reasonable starting point for resolving this issue: in light of threats from criminals, terrorists and geopolitical rivals, our government agencies should conduct whatever surveillance they need to, so long as they do not violate our constitutional rights in any way. Chipping away at the Constitution is far more dangerous to us as a precedent than any external enemy. But once we establish that imperative, we want the FBI and NSA to do their jobs as well as they can, with all the tools at their disposal.

Unfortunately, many journalists, bloggers and other pundits prefer to stoke the fires of fear. Conspiracy theories, after all, are a time-proven way to increase clicks, grow one's twitter following, and sell books. Yesterday's report of Verizon's compliance with a court order to provide meta-data on phone calls, and today's allegations that NSA's PRISM program has had free rein on the data stores of the largest internet services, have presented just such a golden opportunity (e.g. BIG BROTHER IS HERE), and now the floodgates are open!

PRISM raises tough questions about the need for transparency in our government agencies, but it is unproductive to be reactionary and polarizing, since these qualities mask the best solutions. And there probably has never been a more prolific source of security and privacy solutions than my friend Bruce Schneier, whom I've backed as an entrepreneur, whose books I've read more than once, and whose words have guided me as an investor. But even Bruce slipped into sensationalism when he posted an article today on The Atlantic titled What We Don't Know About Spying on Citizens: Scarier Than What We Know.

Bruce makes a compelling case that we need better disclosure, but I believe he goes a bit too far in several respects. "The NSA received...everything except the voice content: who called who [sic], where they were, how long the call lasted," writes Bruce. But that seems inaccurate, since the NSA has not received any personally identifiable information of the callers. For that, they need a court order.

"We know [the FBI] can collect a wide array of personal data from the Internet without a warrant," but so can Google and thousands of other internet companies who track everything we do; should the FBI do any less? Bruce asserts that the FBI can use the microphone in our smartphones to bug a room, if they have a warrant; but why shouldn't the FBI use smartphones to effect a warranted bugging?

"We know that the NSA has many domestic-surveillance and data-mining programs with codenames like Trailblazer, Stellar Wind, and Ragtime," Bruce writes, "deliberately using different codenames for similar programs to stymie oversight and conceal what's really going on." But I cannot find any evidence that these codenames -- typical for all government projects -- were invented specifically to stymie oversight.

For a balanced view of the facts and issues, I recommend Joshua Foust's blog post, and I leave you with this conclusion from today's Washington Post editorial:
In the days after the Boston bombings, many asked why the government didn’t connect the dots on the Tsarnaev brothers. Now, many are asking why the government wants so much information about so many Americans. The legitimate values of liberty and safety often compete. But for the public to be able to make a reasonable assessment of whether these programs are worth the security benefits, it needs more explanation.

Monday 3 June 2013

HACK Won't Always Be a Dirty 4-Letter Word

I presented the following prediction as part of a spirited Churchill Club debate with 5 other VCs. It was first published at AllThingsD.

Ever since Hollywood gave us War Games, the fear of cyber apocalypse has gripped America. We’ve outlawed hacking to such an extent that if you’re shut down by a cyber attack, or your data have been stolen, it’s a federal crime to even probe the attacking computers, let alone disable them. Rather than educate and activate our best and brightest hackers, we prosecute and imprison them.

Businesses haven’t complained because they’ve never wanted to fight back. You can’t prosecute the attackers even if you find them, and admitting a breach may spook customers and even invite more attacks. So instead of fighting, we’ve just quietly taken the punches, and wished it all away. But wishing it away is like trying to reduce teen pregnancy by preaching abstinence.

Two years ago I watched a TED audience cheer Ralph Langner for exposing the Stuxnet worm that our government developed to retard Iran’s nuclear weapons program. It was as if the US and Israel had invented malware. Somehow, it was evil for us to use cyberspace to stop the most vitriolic, warmongering fundamentalist on our planet from making nuclear bombs. Because cyber is “unconventional”, we somehow consider it to be just as taboo to use as nuclear and chemical weapons.

Meanwhile, the NY Times reported this morning that, “Hackers Find China is a Land of Opportunity.” Not only has China allegedly hacked Google and Evernote to spy on its citizens, but it has funded massive efforts to steal information valuable to economies and national security. Attacks on our banks, utilities, and defense contractors can be traced back to units in the Chinese military. We even know what building they’re in.

I do not advocate the theft of IP for economic gain, but as cyber war rages on around us, I predict that Americans will come to appreciate that cyber operations can achieve our military and intelligence objectives far better than bullets and bombs. Cyber weapons are faster, more effective, safer, and orders of magnitude cheaper than kinetic weapons. Stuxnet penetrated where missiles cannot.

Indeed, the stigma associated with offensive cyber activity is breaking down, now that cyber attacks have exploded in frequency and scale. The banks are now asking the Feds to join the fight, so DHS, FBI and NSA are trying to figure out how to collaborate, without going to jail themselves for hacking or disclosing classified data.

"America's economic prosperity in the 21st century will depend on cybersecurity… Protecting this infrastructure will be a national security priority."
- President Obama

This sea change presents great opportunities for startups to build a new ecosystem of cyber capabilities that actively defend our nation, and support our military and intelligence objectives. We’ve got the best security experts in the world. New startups are enabling the exchange of threat data, using honeypots to collect counter intelligence on foreign hackers, and deploying Hadoop clusters to track botnets. They even develop exploits around newly discovered vulnerabilities to deliver offensive payloads.

Over the next five years, our nation will embrace the capabilities of American hackers to fight back in cyberspace, securing our economy and our lives. Our Defense Department will need fewer bombers, missiles and destroyers, leading to a Cyber Dividend that will fund healthcare, education and debt reduction.