 from our studios in the heart of Silicon Valley, Palo Alto, California, this is a CUBE Conversation. Hello everyone, welcome to this special CUBE Power Panel recorded here in Palo Alto, California. We got remote guests from around the internet. We have Evan Anderson, Mark Anderson, Phil Lowhouse, thanks for coming on. Evan is with InventIP, an organization that's with companies and individuals that fight nation-sponsored intellectual property theft and also author of the huge report, Theft Nation, almost 100 pages of really comprehensive analysis on it. Mark Anderson with the Future in Review, CEO of Pattern, Computer and Strategic News Service, Chairman of Future in Review Conference and author of the book, The Pattern Future, Finding the World's Greatest Secrets and Predicting the Future Using Discovery Patterns and Phil Lowhouse, American Enterprise Institute, former intelligent analyst researcher at the American Enterprise Institute, studying competitive strategy and emerging technologies. Guys, thanks for coming on. This topic is industrial IoT, the new battleground. Mark, you cover the Future in Review. This is, security is the battleground. It's not just a siloed space. It's horizontally scalable across every single touchpoint of the internet, individuals, national security companies, global. What's your perspective on this new battleground? Well, thank you. I took some time and watched your last presentation on this, which I thought was excellent. And maybe I'll try to pick up from there. There's a lot of discussion there about the technical aspects of IoT or IOT and some of the weaknesses, you know, firewalls failing and assume that someone's in your network. But I think that there's a deeper aspect to this and the problem I think, John, is that, yes, they are in your network already, but the deeper problem here is, who is it? Is it an individual? Is it a state? And whoever it is, I'm gonna put something out that I think is gonna be worth talking more deeply about. And that is the people who can do the most damage are already in there and are ready to do it. And the question isn't, can they? It's why have they not? And so, literally, I think if you ask world leaders today, are they in the electric grid, yes. Is Russia in ours? Are we in theirs? Yes. If you said, is China in our most important areas of enterprise, absolutely. Is Iran in our banks and so forth, they are. And you actually see states of war going on that are nuisances but are not what you might call cyber-getting. And I really believe that the world leaders are truly afraid, perhaps more afraid of that than of nuclear war. So the amount of death and destruction that could happen if everybody cut loose at the same time is so horrifying. My guess is that there is a human restraint involved in this but that technically it's already game over. Phil, cyber-getting, I love that term because that's part of our theme here is apocalypse now or later. Industrial IoT or IoT or the internet, all these touch points are creating a surface area that for penetrations purposes, any packet can get in. Nation states, malware, you name it, it's all a problem. But this is the new war battleground. This is now digital cyber-getting. Forget the wall on the southern border, physical wall, we're talking about a digital wall. This is, we are major threats going on to our society in the United States and global. There's new rules of engagement and no rules of engagement on how to compete in a digital war. This is something that the government is supposed to protect us for. I mean, if someone drops troops in California, physical people, the government's supposed to stop that. But if it's a digital war, it's packets. And the companies are responsible for all this. This doesn't make any sense to me. Break it down, what's the problem and how do we solve this? Sure, well, the problem is, is that we're actually facing different kinds of threats that were even typically used to facing in the past. So in the past, when we go to war, we may have a problem with a foreign country or a conflict is coming up. We tend to, and by we, I mean in the United States, we tend to think of these things as we're gonna send troops in or we're going to actually have a physical fight or we're gonna have some kind of other decisive culmination of events or end of a conflict. What we're dealing with now is very different. And it's actually something that isn't entirely new, but the adversaries that we're facing now, so let's say China, Russia and Iran, just to kind of throw them into some buckets, they think about war very differently. They think about the information space more broadly and partially because they've been so used to having to kind of be catching up to America in terms of technology, they found other ways to compete with America and ways that we really haven't been focusing on. And that really, I would argue, extends most prominently into the information space. And by the information space, I'm speaking very broadly, I'm talking about not just information in terms of like social media and emails and things like that, but also things like what we're talking about today, like IIOT and these are new threat landscapes and ones where our competitors have a integrated way of approaching the conflict, one in which the state and private sector kind of are molded or fused or at least are compelled to work together. And we have a very different space here in the United States and happy to impact that as we talk about that today, but what we're now facing is not just about technical capabilities, it's about differences in governing systems and differences in governing paradigms. And so it's much bigger than just talking about the technical specifics. Evan, I want you to weigh in on this because one of the things that I feel strongly about and this is pretty obvious from the commentary and experts I talked to is the United States has always been good at defending itself physically, war and being places, but digitally we've been really good at offense but terrible on defense and has been the metaphor. I spoke with former four star general Keith Alexander who ran the NSA and was the first commander of the cyber command who now is the CEO of IronNet. He and I were talking on camera and privately and he's saying, look it, we suck at defense digitally. We're great at offense. We can take someone out on the offense but we're talking about IoT, about monitoring and these are technical challenges and this is network nerds and software engineers have to solve this problem through the prism of defense. This is a new paradigm. This is what we're kind of getting to and Mark you kind of addressed it but this is the challenge. IoT is going to create more points that we have to defend that's we suck now at defending while we're going to get better. This is the paradox. Yeah, I think that's certainly accurate and one of our problems here is that as a society we've always been open and that was how the internet was born and so we have a real paradigm shift now from a world in which the US was leading an open world that was using the internet for, I mean there have been problems with security since day one but originally the internet was an information sharing exercise and we reached a point in human history now where there are enough malicious actors that have the capabilities we didn't want them to have that we need to change that outlook. So looking at things like industrial IoT what you're seeing is not so much that this is the battlefield in specific it's that everything like it is now the battlefield. So in my work specifically we're focused more on economic problems, economic conflicts and strategies. And if you look at the doctrines that have come out of our adversaries in the last decade or really 20 years they very much did what Phil said and they looked at our weaknesses and one of those biggest weaknesses that we've always had is that an open society is also unable necessarily to completely defend itself from those who would seek to exploit that openness. And so we have to figure out as a society and I believe we are but we're running a fine line and we're negotiating this tightrope right now that involves defending the values and the foundational critical aspects of our society require openness while also making sure that all the doors aren't open for adversaries. And so we'll continue to deal with that as a society. Everything is now a battlefield in a much grayer area and IoT certainly isn't helping and that's why we have to work so hard on it. I want to talk about the economic piece on the next talk track around theft and also appropriating that you cover deeply but Mark and Phil this notion of cyber getting meets the fact that we have to be more defensive again, principles of openness are out there. I mean, we have open source or there is a potential path here. Open source software has been, I think, depending on your type fourth generation or fifth depending on how old you are but it's now mainstream enough. Now, are we ever going to get to a formula where we can actually be defense strong at defense as well as just offense with respect to protecting digitally. Phil, you want that? Oh, well, yeah. I mean, I would just say that I'm glad to hear that General Alexander is confident about our offensive capabilities but one of the large things about here too is the NSA that is conducting these offensive capabilities. When we talk about Russia, Iran, China or even a smaller group like let's call let's say like an extremist group or something like that there's an integration between and command and control that we simply don't have here in the States. So for example, the Panasonic the Panasonic and Sony examples or always come to mind is ones where there are attacks that can happen against American companies that then have larger implications that go beyond just those companies. So, and this may not be a case where the NSA is even tracking the threat. There's been some legislation that's come out rather controversial legislation about so-called hacking back initiatives and things like that but I think everybody knows that this is already kind of happening. The real question is going to be how does the public sector and how do private sector work together to create this environment where they're working in synergy rather than across the purposes? Yeah, and this brings up, I've heard this before. You've talked about the fact that open source nation states can actually empower by releasing tools in open source via the dark web or other vehicles to actually not have their quote fingerprints on any attacks. This seems to be a tactic. Or go through criminals, right? Use proxies, things like that. I mean, it's getting even more complicated and Alexander's talked about that as well, right? He's talked about the convergence of crime and nation state actions. So, whereas with nation states, it's already hard to attribute enough if that's being outsourced to either whether it's patriotic hackers or criminal groups, it's even more difficult. I think Keith is a good friend of Oliver is obviously a good guy. His point is a good one. And I'd like to take it a little more extreme state and say, defense is worth doing and probably hopeless. So, as they always say, all takes is one failure. So, we always talk about defense, but really he's right. Offense is easy. You want to go after somebody, we can get them. But if you want to play defense against a trillion points of failure, potential points of failure, there's no chance. One way to say this is, if we ignore individuals for a moment just like in nation states, it's pretty clear that any nation state of size that wants to get into a certain network will get in. And then the question would be, well, once they're in, can they actually do damage? And the answer is probably, yeah, they probably can. Well, why don't they? Why don't they do more damage? So kind of back to the original premise here that there's some restraint going on. And I suspect that Keith's absolutely right because in general, they don't want to get attacked. They don't want to have come back at them what they're about to do to your banks or your grid. And we could do that. We all could do that. So my guess is that there's a little bit of a failure on our part. You have deep discussions about how great our defenses either are or are not. When frankly, the idea of defense is a good idea, a worthwhile idea, but not really achievable. Yeah, it's a great point that comes up a lot where it's like people don't want retaliation. So it's a big critical event that happens. It's noticeable as a counter-strike or equivalent. But there's been discussion of the, I call it the slow bleed where they pushed the line of where that is and like slowly infiltrate and just cause disruption and inconvenience as a tactic. This has become something we're seeing a lot of whether it's misinformation campaigns on fake news to just disrupting operations slowly over time and just kind of, you know, thousand paper cuts, if you will. Your guys' thoughts on that, is that something that you guys see out there that's happening? Well, you saw Iran go after our banks and we were pushing Iran pretty hard on the sanctions. Everybody knows they did that. It wasn't very much fun for anybody, but they didn't, what they didn't do is take down the entire banking system. Not sure they could, but they didn't. So yeah. Yeah, I would just add there that you see this on multiple fronts. You see, this is by design. I mean, if you, I'm sure that Mark is talking about this in his report, but where they talk about this incremental approach that, you know, over time can, this is part of the problem, right? Is that we have a very kind of black or white conception of warfare in this country. And a lot of times even companies are going to think, well, you know, we're at peace. So why would I do something that may actually be construed as something that's warlike or offensive or things like that? But in reality, this is, even though we aren't technically at war, all of these other actors view this as a real conflict. And so we have to get creative about like how we think about this within the paradigm that we have and the legal structures that we have here in this country. Well, there's no doubt in my least my non-expert military opinion, but as someone who is a techie, been on the internet from day one all my life and all those tools you guys as well, I personally think we're at war. 100% is no debate on that. And I think that we have to get better policy and around this and understand it better because it's happening. And one of the obvious areas that we see in the news every day is Huawei and intellectual property theft. This is an economic impact. I mean, let's just look at what's happening in Brexit in the UK. And if that was essentially manipulated, that's the ultimate smart bomb is to just destroy their financial system which ended up happening through that misinformation. So there are economic realizations here, Evan, that not only come from the misinformation campaigns and other attacks, but there's real value with intellectual property. This is the report you put out, your thoughts. There's very much an active conflict going on in the economic sphere. And that's certainly an excellent point. I think one of the most important things that most of the world doesn't quite understand yet, but our adversaries certainly understand is that wars are fought for usually just a few reasons. And there's a lot of different justification that goes on, but often it's for economic benefit. And if you look at human history and if you look at modern history, a lot of wars were fought for some form of economic benefit, often in the form of territory, et cetera. But in the modern age, information can directly and very quite obviously translate into economic benefit. And so when you're bleeding information, you're really bleeding money. And when I say information, again, it's a broad word, but intellectual property, which our definition here at InventIP is quite broad too, is incredibly valuable. And so if you have an adversary that's consistently removing intellectual property from what I would call our information ecosystem and our business ecosystem, we're losing a lot of economic value there. And that's what wars are fought over. And so to pretend that this conflict is inactive and to pretend that the underlying economy and economic strength that is bolstered or created by intellectual property isn't critical, would be silly. And so I think we need to look at those kinds of dynamics and the kind of the Grazlin law of doctrine and the essential doctrine of unrestricted warfare that came out of the People's Republic of China are focused on avoiding kinetic conflict while succeeding at the kinds of conflicts that are more preferable, particularly in an asymmetric environment. And so that's what we're dealing with. Mark and Phil, people waking up to this is the reality. I mean, I'm certainly, people in the know are that I talk to you, but generally speaking across the board, is this a woke moment for tech? This Armageddon now later? It's a woke moment for politicians, not for tech, I think. So they're the old, I'm sure Phil would agree with this, but the old guard, it'd go back to when Keith was running the NSA, but at that time, there was a very clear distinction between military and economic security. And so when you said security, that meant military. And now all the rules have changed, all of the ways that CFIIS works in the United States have changed, the legislation is changing. And now if you want to talk about security, most major nations equate economic security with natural security. And that wasn't true 10 years ago. That's a great point. That's really profound. I totally agree. On the, on the- Yeah, I would just- Phil. I think you're seeing a change in realization in Washington about this. I mean, if you look at the cybersecurity strategy of 2018, it specifically says that we're gonna be moving from a posture of active defense to one of defending forward. And we can get into the discussion about what those words mean. But the way that I usually boil it down is it means going from defending, but maybe a little bit forward to actually going out and making sure that our interests are protected. And the reason why that's important, and we were talking about offense versus defense here, obviously the reason why, from what Mark was saying, if you have, if they're already in the networks and they haven't actually done anything, it's because they're afraid of what that offensive response could be. So it's important that we selectively demonstrate what costs we could impose on different actors for different kinds of actions, especially knowing that they're already inside of our networks. That's a great point. I mean, that's, I think that's again, another profound statement because it's almost like the pin in the grenade. Once they pull it, its damage is done. Again, back to our theme, Armageddon, now or later. How, what's the answer to this guys? I mean, is it, is it to push the policy conversation and the potential consequences higher, get that narrative going? Is it more technical protection in the networks? What's some of the things that are people talking about, thinking about around this? And it's really all of the above. So the tough part about this for any society and for our society is that it's expensive to live in a world with this much insecurity. And so when these kinds of low level conflicts are going on, it costs money and it costs resources. And companies had to deal with that. They spent a long time trying to dodge security costs. And now, particularly with the advent of new law like the GDPR in Europe, it's becoming untenable not to spend that defensive money even as a company, right? But we also are looking at a deep need to change policy. And I think there's been a lot of progress made marketing from the CFIF reforms. There are a lot of different essentially games of whack-a-mole being played all around the world right now, figuring out how to chase these security problems that we let go too long. But there's many, many, many fronts that we need. And whack-a-mole's a great example. Visualization of that, it's horrendous. Not the ideal scenario. But I got to get your point on this because one of the things that comes up all the time in our conversations on theCUBE is, the government's job is to protect our security. So again, if someone came in and invaded my town in Palo Alto, it's not my responsibility to fight for the town, maybe defend my own house. But if I'm a company and I'm being attacked by Russia or China or Iran, isn't it the government's responsibility to protect me as a citizen and the company doing business there? So again, this is the kind of the confusion that people have that Sony's got to defend their hack. I certainly got to put security practices in place. This is a new ground for the government, digitally speaking. When we started this in VIP project out it was about seven years ago. And I was told by a very smart guy in DC that our greatest challenge was going to be American corporations, global corporations. And he was absolutely right. Literally in this fight to protect intellectual property and to protect the welfare even of corporations, our greatest enemies so far have been American corporations. And they lobby hard for China while China is busy stealing from them and stealing from their company and stealing from their country. All that stuff's going on on a daily basis and they're in DC lobbying in favor of China. Don't do anything to make them mad. And they're getting their pockets picked at the same time they're trying to do business in China. They're getting their pockets picked. That's what you're saying. They're going for the quarterly earnings report and that's all. So the problem is their companies themselves are kind of self-inflicted wounds here for them. Yes, yes. Yeah, just to add to that, I mean on this note there have been some businesses that are interest. And this is something that you're seeing a little bit more of. There's been legislation through CIFIUS and things like that. There've been reforms that have discouraged the flow of Chinese money into Silicon Valley. And there's actually been a measurable difference in that because people just don't want to deal with paperwork, they don't want to deal with the reputational risk, et cetera, et cetera. And this is going to really be the key challenge is having policymakers not only that are interested in addressing this issue because not all of them are even convinced it's a problem if you can believe it or not, but having them interested and then having them spun up and having them understand the issue in a way that the legislation can actually be helpful and not get in the way of things that we value such as innovation and entrepreneurialism and things like that. So it's going to take sophisticated policymaking and create aligning incentives so that companies actually want to participate in helping to make America safer. So right about the politicians, Capitol Hill is really not educated. I mean, I tell my kids, and they ask the same question. Just look at Mark Zuckerberg and Sundar Pakai present to the government. They don't even know what an Android phone versus an iPhone is, never mind what the internet and how this global economy works. This has become a makeup problem of the personnel in Capitol Hill. You guys see any movement? I mean, I'm seeing some change over with a new guard, a new generation of younger people coming in, certainly from the military, that's an easy when you see people get this. But a new generation of young millennials was saying, hey, why are we doing this the old way? And actually becoming more informed, not being the lawyer at the lawmaking, it's actually more technically savvy. Is there any movement, any bright hope there? I think there's a little hope in the sense that at a time when Congress has travel keeping the lights on, they seem to have bipartisan agreement on this set of issues that we're talking about. So that's hopeful. We've seen a number of strongly bipartisan issues supported in Congress with the Senate, with the House, all agreeing that this is an issue for us all, that they need to protect the country, they need to protect IP, they need to extend the definition of security. There's no argument there. And that's a very strange thing in today's DC to have no argument between the parties. There's no, there's no error between the GOP and the Democrats as far as I can tell. They seem to all agree on this. And so it is, hopefully. Freedom has its cost. And I think this is a new era of modern freedom and warfare and protection. And all these dynamics are changing, just like cloud 2.0 is changing application developers. Guys, this is a really important topic. Thank you so much for coming on. I appreciate it. I'd love to do a follow up on this again with you guys. Thanks for sharing your insight, some great profound statements to appreciate it. Thank you very much. Thank you. Thanks for having us. It's been a CUBE power panel here from Palo Alto, California with Evan Anderson, Mark Anderson, and Phil Lohaus. Thank you guys for coming on. Power panel, the next battleground in industrial IoT. Security is a big part of it. Thanks for watching. This has been the CUBE.