From Las Vegas, it's theCUBE, covering Qualys Security Conference 2019. Brought to you by Qualys.
Hey, welcome back, everybody. Jeff Frick here with theCUBE. We're in Las Vegas at the Bellagio at the Qualys Security Conference. Pretty amazing, it's been going on for 19 years, we've heard in the keynotes. It's our first time here. We're excited to have our first guest. He was a keynote earlier this morning, the author of nine books, Richard Clarke, national security and cyber risk expert, and the author most recently of The Fifth Domain. Dick, great to see you.
Yeah, great to be with you.
Absolutely, so you've been in this space for a very long time.
I started doing cybersecurity in about 1996 or 1997.
It's the early days, and in preparing for this I've watched some of your other stuff, and one of the things you said early on was before, there was really nothing to buy. How ironic to think about that. First there was a firewall and basic kind of threat protection. Compare and contrast that to walking into RSA, which will be in a couple of months in Moscone, 50,000 people, more vendors than I can count on one hand. Now there's too much stuff to buy. So as you look at kind of this evolution, kind of what's your take, and from the perspective of the CIO and the people responsible for protecting us, how should they work through this morass?
Well, the CIO and the CFO got used to thinking, you know, cybersecurity costs a little bit, because you can only buy, this is 1997, you can only buy antivirus, firewall, and maybe then, in 1997, you could buy an intrusion detection system. Didn't do anything, it just went "beep", but you could buy that too. So we had three things in 1997. And so that resulted in the IT budget having to take a tiny little bit of it and put it aside for security, maybe 2%, 3% of the budget. Well, now if you're only spending 2% or 3% of your IT budget on security, somebody owns your company and it's not you.
And that's 2% of the IT budget, that's not the whole budget.
No, that's the IT budget. What we found in researching the book is that secure companies, companies that, and there are some.
Right.
Companies that don't get hacked, or they get hacked, but the hack gets in, immediately contained, identified, quarantined, the damage is done, but it's easily repaired. Companies that are like that, the resilient companies, are spending 8%, 10%, we found companies at 12% and 17% of their IT budget on security. And to your point, how many devices do you have to buy? You look at the floor at any of these RSA conventions, Black Hat or something, there are 2,000 companies at RSA and they're all selling something, but their marketing message is all the same.
Right, right.
So pity the poor CISO, as she goes around trying to figure out, well, do I want to talk to that company? What does it do? We found that the big banks and the big corporations that are secure have not three anymore, but 75, 80 different discrete cybersecurity products on the network, most of it software.
Right, right.
But if you've got 80 products, it's probably 60 vendors. And so you've got to, for yourself, this is the big challenge for a CISO. She's got to figure out what are the best products, how do they integrate, what are my priorities? And that's a tough task. I understand why a lot of people want to outsource it because it's daunting, especially for the smaller medium-sized business, you've got to outsource it.
Right, right. So the good news is there's a silver lining. So traditionally, and you've talked about this, we talk about it all the time too, is people that have been hacked and know it, and people that have been hacked and just don't know it yet. And the statistics are all over the map, depending where you grab it. It used to be hundreds of days before intrusions were detected.
Kind of the silver lining in your message is with proper investments, with proper kind of diligence and governance, you can be in that group, some of them, they're trying to get it all the time, but you can't actually stop it. You can actually contain it. You can actually minimize the damage.
What we're saying is that there used to be two kinds of companies, those that were hacked and knew it and those that were hacked that didn't know it. Now there's a third kind of company, the company that's stopping the hack successfully. And then not, the average I think was 175 days to figure it out, now it's 175 minutes or less. The attack gets in, does all the five or six stages of what's called the attack kill chain, and gets out very, very quickly. Human beings watching glass, looking at alerts, are not going to detect that and respond in time. It's going to be automated. That's where everybody says they've got AI, but some people really do, and machine learning is absolutely necessary to detect things out of the sea of data, 75 different kinds of devices giving you data, all of them alarming, and trying to figure out what's going on and figure out in time to stop that attack, quarantine it. You've got to move very, very quickly. So you've got to trust machine learning and AI. You've got to let them do some of the work.
It's so funny because people still are peeved when they get a false positive from the credit card company, and it's like, do you realize how many of those things are going through the system before one elevates to the level that you're actually getting an alert?
So the problem has always been reducing the number of false positives and identifying which are the real risks and prioritizing. And humans can't do that anymore.
Right, right, it's just too much data. So let's shift gears a little bit about it in terms of how this has changed, and again, we hear about it over and over, right?
The hacker used to be some malicious kid living in his mom's basement, being mischievous, maybe actually doing some damage or stealing a little money. Now it's government funded. It's state attacks for much more significant threats and much more significant opportunities, targets of opportunity. You've made some interesting comments in some of your prior stuff. What's the role of the government helping businesses? What's the role of business? And then it also begs the question, all these multinational businesses, they don't even necessarily just exist in one place. But now I've got to defend myself against the nation state with arguably unlimited resources that they can assign to this task. How should corporate CISOs be thinking about that, and what is the role, do you think, of the government?
I'd say you're right, 20 years ago we actually used to see the number of cyber attacks go up on a Friday night and a Saturday night because it was boys in their mother's basement who couldn't get a date. And they were down there having fun with the computer. Now it's not individuals who are doing the attacks, it is, as you say, nation states. It's the Russian army, Russian intelligence, the Russian military intelligence, the GRU. The North Korean army is funding its development of nuclear weapons by hacking companies and stealing money all over the world, including central banks in some cases. So yeah, the threat has changed. And obviously a nation state is going to be far more capable of attacking. Military is going to be far more capable of attacking. So CISOs say to me, I'm being attacked by a foreign military. Isn't that the role of the Pentagon, to defend Americans, American companies? And you know, General Keith Alexander, who used to run Cyber Command, talks about if a Russian bomber goes overhead and drops a bomb on your plant, you expect the United States Air Force to intercept that, that Russian bomber. That's why you pay your taxes. Assuming you pay taxes.
What's the difference, General Alexander says, whether that's a Russian bomber attacking your plant or a Russian cyber attack attacking your plant. And he says, therefore, you know, people should assume that the Pentagon will protect them from foreign militaries. That sounds nice. There's a real ring of truth to that, right? But it doesn't work. I mean, how could the Pentagon defend your regional bank? How could the Pentagon defend the telephone company or a retail store? It can't. It can barely defend itself. So, and they're not doing a great job of that either. Defending the federal government. So, do you really want the Pentagon putting sensors on your network, looking at your data? No, you don't. Moreover, they can't. They don't have enough people, they don't have enough skills. At the end of the day, whatever the analogy is about how the Defense Department should defend us from foreign military attack, they can't. And the conclusion, and they shouldn't, by the way, in my view, the conclusion that that gets you to is, you know, defend yourself. And you can right now, if you use the technology that exists. The government has a role, sure. It can provide you warnings, it can provide the community with intelligence, it can fund development and stuff, can train people, but it cannot defend your network. You have to defend your network.
And then you have, you took municipalities, I think it's Atlanta, that's the one that keeps getting hit, you know, there's,
Well, Louisiana, you know, just the other night, Louisiana, the whole state of Louisiana government unplugged from the internet because it was being hit by a ransomware attack. Baltimore's been, the whole city of Baltimore's been down, the whole city of Atlanta, as you said. There's a real problem here. Because people, many of them are paying the ransom. And they pay the ransom, and they get their network back right away. People ask me, can I trust these criminals?
Well, you can trust them to give you your network back because they have a reputation to maintain. Think about that. This whole thing about ransomware depends on their reputation, the bad guys' reputation. If they get a reputation for not giving you your network back when you pay, no one's ever gonna pay. So they do give it back. And sometimes that's a lot quicker and a lot cheaper than saying no and rebuilding your network. But if we give them the money, what are they doing with it? Yeah, they're buying Ferraris to drive on the streets of Moscow. But some of that money is going back into R&D so they can develop more effective attacks.
So it's an interesting take, right? So most people, I think, would say that the cybersecurity war is completely, always going to be kind of cat and mouse, whack-a-mole. You know, the bad guys are always a little step ahead and you're always trying to catch up, just the way kind of the innovation cycle works. You specifically say no, that's not necessarily always true, that there are specific things you can do to not necessarily have an impenetrable wall, but to really minimize the impact and neutralize these threats, like a super white blood cell, if you will. So what are those things that companies should be doing to better increase their chance of, I don't know, blocking, absorbing.
It depends on the size of the company. It depends on the size of the company. But I think whether you're a small and medium business or you're an enterprise, you begin in the same place. And I do this with all of my consulting contracts. I sit down with the leadership of the company, individually, and ask every one of them, what are you worried about? What could happen? What could a bad guy do to you that matters to your company? Because what matters to one company may not matter to another company. And you can't spend your entire budget defending the network, right?
So let's figure out exactly what risk we're worried about and what risk we're just kind of willing to tolerate. And then we can design security around that. And sometimes that security will be outsourced to a managed security provider. A lot of it means getting into the cloud, because if you're in Amazon or Microsoft's cloud, you've got some security automatically built in. They've got thousands of people doing the security of the cloud. And if your server's in your basement, good luck.
So as you look forward now, you finished the book earlier in the year, it gets published in South and that's great. But as you said, it's a fast moving train and this space has developed 10 years from now. It's not only good 10 years from now, that's way too long. But as you look forward to the next couple, two, three years, what are you keeping an eye on that's going to be, again, another sea change of both challenge and opportunity in this space?
We have three technologies we talked about in the book for the three year time horizon, because I can't get beyond three years. More machine learning on the defense, but also more machine learning on the offense. And where does that balance work out, to whose advantage? Secondly, quantum computing, which we don't know how rapidly quantum computing will come onto the market, but we do know it's a risk for some people in that it might break encryption. If the bad guys got their hands on the quantum computer. So that's a worry. But one I think most immediately is 5G. What 5G allows people to do is connect millions of things at high speed to the internet. And a lot of those things that will be connected are not defended right now. And are outside firewalls and don't have endpoint protection and aren't really building the network so they're secure networks. So I worry about 5G empowering the internet of things and doing what we call expanding the attack surface. I worry about that.
Right. Richard, well, thank you for taking a few minutes and congrats on the book. And I'm sure within a couple of years the gears will start turning and you'll put pen to paper and kick another one out for us. Book number 10. All right, he's Richard, I'm Jeff. You're watching theCUBE. We're at the Qualys Security Conference at the Bellagio in Las Vegas. Thanks for watching, we'll see you next time.