 from the Hard Rock Hotel in Las Vegas. It's theCUBE, covering Hoshokon 2018, brought to you by Hoshokon. Hello everyone, welcome back to theCUBE's exclusive coverage here live in Las Vegas for the first ever security conference around blockchains called Hoshokon. It's put on by Hoshokon, an industry participant, small but intimate and the smartest people in the industry kind of coming together, trying to solve and understand the future for security as it relates to blockchain. I'm John Furrier, host of theCUBE. Next guest is Neil Kittleson, who's the CEO of Encrypt, formerly the NSA's variety experience with security across the board from early days. Many waves of technology innovation had a panel here talking about securing the blockchain and the nuclear codes, basically implying that if you had to secure it, the nuclear codes. Welcome to theCUBE. Well thanks, thanks John, it's great to talk to you. That's exactly it, right? So the blockchain is meant to really provide high assurance for a lot of really big transactions, right? So the internet evolved over time to hold information, to share information, but it was never meant to conduct transactions. Now we do a lot of e-commerce on it, but it wasn't meant to be unchanging, right? But the blockchain is. And so the idea is, if we lose control of that, if we don't secure it in a way that we can protect our most important digital assets, then it's not good enough for anything. And so that's why I compared it to, you know, what would it take to secure something like the nuclear launch codes on it? Clearly we wouldn't, you know, there's no reason to. But it's a mindset. It shifts your focus on, okay, think that level of impact. Absolutely. Money. Right, because people are putting, you know, it doesn't matter whether you're 16 and you're putting your only $500 in crypto, or whether you're an institutional investor with $500 million in it, right? That's catastrophic if you lose it, right? And yet we don't always treat it that way. We haven't made the systems easy enough to use for the general user, right? You know, so we talk about adoption, right? You know, I mean, let's talk, so if you don't mind, let's talk about adoption, right? That's why we're here is we're trying to figure out what's it going to take to get to the next billion users in crypto? What has to be easy? And we don't make it easy today in a secure enough way. And it has to be baked in from the beginning. It can't be like, okay, I built an app, I built some architecture, I'm doing some blockchain. Oh, by the way, security is really hard because we have to make it so complex for users because it's complex in general. Right, and if we build the app first and we get it deployed to say even 50,000 people and then we go back and say, you know what, we need to build this, it's more expensive, right? It's harder to do, it delays deployment, and it confuses users because now they're changing the way that they're interacting with that application. Let's talk about the adoption in context to architecture. It's one of the things that we've been covering, certainly the CUBE folks know in our audience, cloud computing has changed the architecture of how people deploy IT and technology to DevOps, horizontally scalable. You've had a lot of experience over the years and generations of computing evolving through the trend lines. Here, the architecture is interesting. So if you think about the architecture of security and blockchain in general, the security paradigm has to be compatible with a new architecture. So it's kind of a moving train at multiple levels, right? So what is the preferred architecture? What are some of the blockchain architects and or, if you're going to have token economics, you're going to have to have certain business model and or workflows that ties into the technology enablement. How should people think about an architectural view to make the adoption or user interface or user experience or where the expectation is kind of new? So does it all come together? So I'm challenging people to think about it differently, right? So the blockchain in itself is really pretty secure, right? It creates an immutable ledger, immutable record. Where we're going to get in trouble and where we do get in trouble is when you start to transact with it, right? Where you start to actually use a device, right? Whether it's your own phone or it's a computer, right, you're transacting with it and people don't have the security mechanism that was built in there. You know, and it goes back to what we've talked about for the last 20 years, whether it was with the trust computing group, the global platform, or I think the design standards. So you've got probably in this PC, you've got the, well, I guess it's a Mac. It's a Mac, yes. So in your phone, right? In most computers, you've got the security primitives that you need to use hardware to secure those transactions, but we're not using them. Yeah, we've been waiting for that kind of killer app to use hardware to secure transactions and blockchain might just be that. Let's talk about the hardware because that conversation is coming up a lot here in the hallways. Stodial services, custody, these are kind of the business conversation that converts into technology, which is, okay, hardware is actually a good time to actually implement this. Google's doing a lot of stuff with their two-factor authentication with a hardware component. You hear Stephen Spray get rivets talking about a solution that he has. It is at the time, it's like the perfect storm for just a simple hardware solution. I think it is, and you're right. It has to be simple, right? Hardware solutions can get complex. We can make them too difficult to use, but they don't have to be. Like I said, we have the primitives built into most of these devices. I mean, the billions of devices. Yeah, if you've talked to Stephen, you've heard him talk about the number of devices that are carrying the primitives he needs to use for his hardware. But if we don't make it simple enough, then users won't adopt if they won't use it. Have you used a hardware wallet? I'm sure you probably have, if you have one that most of us have. Right, it's not a simple process today because it requires external pieces, external components. It's not a workflow that we understand. It's not something we've been trained to and grown up with. And it's interesting. I was also talking to Steve off camera. He didn't, because he had the interviews over, but we're talking about the supply chain compromise. And obviously Bloomberg kind of had the story, they had the facts wrong, but we kind of understand that this hack has been out there for a while around modifying and or root kit on the boards. You have a bracat had a live demo on stage in 2015 where they actually showed malware that could not be removed from boot memory. So I mean, this is not new, right? But the supply chain has always been, and you've been in the government, you've got to know where all the components are. So the old days, hey, outsource it, manufacture it in China, build it the cheapest way possible. Commodity, DRAM went down this path years and years ago and Japan dominated that and it was low commodity, low margin, or high commodity, low margin. And then Pentium comes out. So you're starting to see that hardware supply chain changing. What's different now? What do people got to do to make sure that the hardware is better? What's your opinion on that? Well, I don't know if it needs to be better, but what we need to know is where the hardware came from. We need to know that the hardware is what we expected it to be. That's a really unique question. We all buy hardware all the time and you just expected if it came from Vendor X that it's what you expected. And let's talk about something even simpler. Let's not talk about maliciousness. Most computers you buy are built to order today, right? You order all the different components. When you get that at home, you don't check to make sure you got the actual RAM that you asked for. You know what's on this? You have no idea. None of us do that, right? And likely the vendor doesn't really have a great record to know that absolutely they put in there what you specifically wanted. Now they intend to, right? But there's a lot of room in that for changes to be made that aren't expected. Like I said, for good or bad, for malicious or non-malicious intent. So what that means is that we really need to get used to saying, you know what? I got this new piece of hardware that I'm going to conduct transactions with that are really critical to my financial survival, my personal privacy. And we can't trust them until we know we should be able to trust them. So that's where hardware comes into play. What are some of the trends you're seeing in the hallway conversations you had here in your talk? Obviously people grab you after and talk to you in the hallways. What are some of the hallway conversations that you've been having here at OSHOCon? You know, the most common question has been how do you convince people that security is important? I mean, which is a really, really basic question. And you know, right now I just point them to news after news article, you know, to say, you know, you've got the hardware reported attacks. You know, you've got the privacy attacks with a lot of social media and internet companies. If somebody today doesn't believe that security is important, I don't know if you'll ever convince them. So that becomes a question of how do you get them to adopt it? And you know, getting your family members to adopt two-factor authentication when it's not as easy as not adopting it is sometimes a hard push. One of the things I worry about just kind of just because I'm paranoid sometimes is that, you know, what is going on with my kids? I got four kids, 16 to 23. You know, I got a Wi-Fi in my house. I got a password on it, but I'm sure it's been hacked. They're downloading music, movies. I don't know what they're doing. They're gaming. I mean, their service area in my house is pretty much who knows what's going on. I don't even know what's going on in my network. This is kind of just in my mind, a little paranoid, but that's what average people think about these days is like, okay, I got my own home network. I got these things going on. I'm out in the wild. Is it a device-centric security model that we're moving to? Do you see it where, you know, hey, my phone, you know, I know when I leave my phone at home and it takes me three seconds to realize I got to turn the car around. So, yeah, I don't leave my wallet at the restaurant when I'm done with my meal. So these are kind of a device-centric philosophy. Is that a better direction, you think? So I don't know that you can yes and no, right? For the personal devices, but now, you know, if you go to most networks, right, with IoT, you may have 40 or 50 devices on your network. You know, things that don't move, you know, you may have a light bulb that's got a key to it, right? It's really about making sure that you own it and that you own the keys. I mean, that's what security all comes down to, right? It's key ownership. So when you take a look at how you do that, we need systems in place that help us understand where those keys are, what they're doing, and how we cut them off if we need to. That's awesome. Well, I wanted to get into what your company's doing, but I also want to talk about the trip I had in the Middle East, General Keith Alexander was with us on, with Amazon all across the new region. I know you worked with him at the NSA. And, you know, one of the things he's doing in his new startup is crowdsourcing. We're hearing some of that in here as well where people are using crowdsourcing as a way to have a security mechanism. Is that something that you think is viable? Do you think that this crowdsourcing idea is going to be helpful or it's just a small piece of the puzzle? I think it's a small piece of the puzzle. I think it's the opposite end of the spectrum than a device-centered hardware component. I think it takes both pieces. It's a matter of making sure you know what you have and that you use only what you trust and that you're able to connect to the network in a way that you're comfortable. And then that crowdsource piece comes in to make sure that you're monitoring kind of all those transactions. So you're a big believer, I'm assuming, based on the conversation that hardware and software combination is going to be the preferred user interface for... It has to be. I think we've proven that over the last 20 years. Cell phones are a great example of that. Although we do get some spoofing today and that's been a big talk of this conference, it's not as prevalent as it was in 1994. I mean, I like the idea, too, of we want to know what's in my computer. I'd love to go look at a blockchain ledger and say, here's what's in my Mac. That's a good use case of blockchain. But what if you didn't even have to go look at it? What if every time you booted it up, it checked it against a record that was on the blockchain that said, this is what your Mac should look like. And it said, you know what? You can go ahead and connect to the internet. Go ahead and conduct that transaction. That's a great act. Go ahead and... That's a great use case. I saw it encrypt your company. What are you guys doing? What's the main focus of your opportunity that you're pursuing? So we formed it in May of this year to focus on blockchain security. When I left the agency, I realized there was this really big gap in the conversation people were having around it. I think it's a transformational technology. Is it a skills gap, technology gap, all the above? What are you seeing? It's both, right? You've got computer science graduates come out without a good understanding of hardware security. It's not being taught in most curriculums. It's a general understanding of how to apply the hardware against it. It's a general misunderstanding of what you can trust, right? You know, we've got a generation now that have grown up with iPhones in their hands. They just assume it's okay to use. It's just saying you mentioned the computer science programs. I mean, I grew up in my degree in computer science in the 80s, so we had to learn computer architecture as a double E class actually. And you know, gates and all that, you know, the hardcore components stuff, as well as coding systems, systems kind of programming model. Now it's a little bit different and more diverse. Certainly there's a lot of, you know, new opportunities within computer science. So it's broadened, certainly. In the skill gap, that's what comes up a lot. We hear, obviously, more cybersecurity jobs are open than ever before. Automation is a term that's been come known in the cloud business where, you know, you start to see that now. Security Ho Show's got this automation component that they're adding in for tooling. Is the tooling, and for developers who are actually building stuff, out there, is it early innings? How would you put the progress of some of the tooling? That's reliable. I mean, this is, you know, you still got people trying to build products and companies. They need help. What's the status in your mind of the ecosystem around platforms and tooling and open source? So over the last 10 years, there's been a great push to create better tools. A lot of it was done in the open source. A lot of it was done around Linux because it would work. Windows, honestly, Microsoft has done a great job in getting secure boot implemented on every PC they supply. You know, Apple does a great job with their boot security, but they're not making available, and mobile is probably the worst example, right? The TEE, the trusted execution environment, which is the secure space in a mobile phone, isn't open for most developers to access, right? So, you know, that hardware component isn't there. It's not available, so. Yeah, I know. I always get these updates when I go to China. Hey, Apple has an update for you. Would you like to download it? Like, hmm, is this really Apple? Right. I mean, no, turn off my iPhone, right? I mean, this is kind of the interception of the fraudulent, some of the malicious things that are going on, and that still is a concern, but I think generally speaking, you got entrepreneurs here, and I noticed at this conference in some of the earlier investor conferences we've been to, there's a ton of alpha entrepreneur activity. Real smart people trying to build durable technology and solutions. This is the main focus, so it's kind of like, and the capital markets, as we know, is pretty much in the toilet right now, but, you know, it's still growth. And so we're trying to unpack that. What's your opinion on entrepreneurship? Because every trough is always an uptick, and we'll probably see some growth in those companies that survive and thrive will probably be the leaders. Right. What are you seeing? What's your opinion of the landscape of ventures out there? So, the crypto market's been really interesting. It's all been focused on consumer and crypto. There's, and even on the floor today, there's a big push into the enterprise market for blockchain deployments. Simba's a company that's got a great tool set here today to help big enterprises understand how to deploy smart contracts into a blockchain and the enterprise. To me, the exciting part is the use cases outside of cryptocurrency and tokens that blockchain brings to the marketplace. I think that's where we'll see the next wave of entrepreneurship come into play. Andrea's side on stage had a comment. It's like, hey, you know, one of the Q&A sessions. Substitute, I think your best proposal is substitute database with blockchain. If it reads the same, it's probably not revolutionary. Absolutely. Him teasing out essentially that the, you know, the old guard being replaced with the new guard, same models to new faces. You know, taking over the industries that not really changing them, so to speak. And security kind of hints to the same way where if you're going to have a distributed and decentralized architecture with IoT, with all these things connected with digital assets and digital devices, security's going to be thought differently. What's your current take on how to tackle that world? I mean, is there a certain approach you found? So, I'm not sure I'm going to answer your actual question, but there's this really interesting debate. Like you said, Andrea said, you know, if you can replace database with blockchain, it's probably not the right fit. And a lot of early crypto adopters have made that argument. Jimmy Song says that publicly all the time, right? There's no place for blockchain in the enterprise essentially, right? And you can talk about ways, but the blockchain offers something to an enterprise that doesn't require the distribution. It offers the ability to create immutability, right? The inability to change that record, which we don't have in most cases today, in a fairly simple and easy to deploy way. And it offers smart contracts. So if we go back to the use case we talked about where every time a machine boots up and it creates a record of that machine and writes it, we've never had that capability. We've tried, when I was at the agency we built a system that sort of did that, but it didn't have the same sort of underlying strength of mechanism. It will allow us to trust it forensically almost. You know, I interviewed Jimmy Song at the consensus event and I don't necessarily agree with him on that point because I think there's use cases in the enterprise that actually make blockchain very viable. And it's almost like the cloud world. You'd have public and private hybrid coming. I mean, so that's kind of my take on it because it's interesting. IBM has been advertising heavily and others are looking at supply chain. There's low hanging fruit opportunities. Let me talk about the computer supply chain. So supply chain is a chain. It's a value chain and value chains now are changing. So you can track it in a way that's efficient. Why wouldn't that be a use case? So that's kind of my opinion. Do you agree with that? Absolutely. I mean, I think the distributed nature for crypto makes a lot of sense, but the blockchain in a non-distributed manner and the permission to blockchain makes a lot of sense for a lot of different use cases in big organizations. I agree. I've talked to different people that have just tried to replace databases with blockchain because it sounded cool. Yeah. Raising money or want to get some attention, get some momentum. I want to ask you a question in your new venture and Crips because you talked to a lot of folks out there. Certainly your historic and pedigree is amazing and security and you've seen a lot of things, I'm sure. What have you learned? What's your observation? What's the learnings that you can take away and share from your conversations? Is there any patterns that you're seeing emerging that could help people either navigate, understand, orientate towards something that they might want to use? What have you learned? So I think the biggest thing I've learned is that this community is the most diverse community I've ever worked with in technology. You've got people from all walks of life and it's absolutely amazing. I mean, just walking around the show here, walking around consensus, I mean, it just drives diversity like you've never seen before in tech conferences. And that diversity has driven a thirst for knowledge so that people are completely open to discussions about security that they've never had before in other realms. So when I talk to them about hardware-based security, they get excited and want to learn more. And honestly, in the PC community over the last 15 years, I got a little pushback on that, right? They say, well, we've heard about that, we don't want to, right? It works the way it is. People here realize they're building something brand new and it's time to build it right and that they really want this to succeed for their own reasons, right? Whether it's a corporate enterprise or whether it's almost a crypto-anarchist, right? They've all got the same sorts of goals. And there's a cultural thing too. I think the Bitcoin money aspect of it, pretty much anyone on the age of 30 that I kind of take a straw poll on, it's like, oh, this is going to change the world. Like, can you describe it? No, no, but it's great. Right. I actually heard that in the hallway earlier. I'm having a phone describing somebody that never heard of Bitcoin, how it's going to revolution. Well, Neil, thanks for coming on. I want to ask you a final question. Five years, where are we in your mind? Shoot the arrow forward. What's happening in five years? How does these dots connect in the next couple of years? In your opinion. So I think that if we're able to lay in the groundwork today to make user accessibility to the blockchain easy enough and secure enough, I think you'll see that it grows in ways that we really can't imagine, right? You know, I can't predict the crypto markets, but I think you'll see people starting to use tokens in different ways. I think there's some incredible use cases for tokenization, for rewards programs, things like that. I think enterprises in the next five years are going to start to figure out what use cases make sense. I think they're going to see great efficiency. I think they'll see, you know, much greater scalability and ease of use. Use cases really are going to be driving all this. Absolutely. Well, I want to find a question since it's just popped in my head. I want to get this out there. One trend I've been hearing here at this conference and seeing it kind of boil in into this community is the conversation, not just about cryptography and security, cyber security on a global scale has now come in because of the hacks, because of the nation states, because of the geopolitical landscape. You know, cyber security is a big conversation now. It is. Not always, probably in the wheelhouse, a lot of these guys, but a lot of these guys are also kind of adjacent involved with cyber security. Your view of the impact, the cyber security pressure is going to have on the industry, this industry. So I think that you're hearing the conversation because suddenly security became really, really important to people personally, right? In the past, if you lost money with your bank account, it was refunded to you. Now if somebody steals your private key, you're out whatever money was attached to that private key. So it's very personal. So people have started to think about all the different things that they need to do to really protect those keys. I mean, it's almost an organic conversation that we've been trying to drive for 40 years in the space. Yeah, and one of the things I worry about is the whole regulatory aspect of this, because it can be a driver or an enabler and a driver, or it could be dampening innovation. That's always something to watch out for. I think there's a Senate discussion today about it. I think there's some great work going on in that space, both at senior levels in Congress, as well as the regulatory commissions. But it's going to take a lot of education. There's a lot of fear around this space. Well, Neil, thanks for coming on. I'm looking forward to having more conversations with you. Great to have you on theCUBE and sharing your insight. Give a quick plug for Encrypt. What are you guys doing? What's the update? What's the status of the company? How do people get a hold of you? Why should they call you? What's the update? Well, so like I said, we formed in May. We've grown faster than we would have expected to because there's a thirst for the sorts of things that we're doing. We're always happy to talk to any enterprise or a consumer about the use cases around the products that they have, how they'd fit into the blockchain environment, and how to do it securely, properly. So, Encrypt.com, N-K-R-Y-P-T. And you're in Maryland. We're in Maryland. We're in the DC area, so hey, cool, great. Absolutely. Well, thanks for coming on. Appreciate it. Live from Ho Show Con, this theCUBE's coverage of the first security conference. John Furrier, you're watching theCUBE. Stay with us for more coverage. We'll be right after this short break.