Live from New York City, it's theCUBE. Covering CyberConnect 2017. Brought to you by Centrify and the Institute for Critical Infrastructure Technologies. In government industries together for the first time, a unique kind of collaboration, unlike normal events like Black Hat or RSA that are mostly about hacks and really geeky sessions. There's a great place for that. But again, this is the first of its kind and it's presented by Centrify. It's CUBE, it's an exclusive partner here. I'm John Furrier, co-founder of SiliconANGLE, my co-founder Dave Vellante here. Dave, I mean, Centrify really taking an industry proactive role, not having their own event. Instead, using their money to fund an industry event. This is the trend in digital media, presented by Centrify, not sponsored by or their event. We've seen this in the big data space before where events are sponsored for the community. You know, cyber security, really a big topic. You know, General Keith Alexander, retired general was on the stage as the keynote, really talking about the crisis in the United States and around the world, around cyber security, cyber war, whole new reality. This is the thrust of the event. Well, they say content is king. Well, context is kind of the empire and the context here is the world is changing and the seriousness of that change is significant. General Alexander, many people may not know, General Keith former, retired general, Keith Alexander. He was the first head of chief of cyber security at US appointed by Obama. John, he was appointed director of the NSA in 2005. Now, you guys remember, I'm sure Stuxnet was right around 2004, 2005 when it was developed and it bridged the Bush to the Obama administration. So he had all the inside baseball. He didn't talk about Stuxnet, but that was- He did share some nice war stories. Yeah, but that was the first and most significant the way they got into Natanz and he was at the center of all that and he did share some war stories.
He talked about Snowden. He talked about collaboration with the FBI. He talked about saving lives and basically said, hey, I stood in front of the ACLU. They basically undressed him, right? And then came back and said, hey, this is one of the most ethical agencies and law-abiding agencies I've ever seen. So he read that note from the head of the ACLU who was very proud of that. Yeah, and Stuxnet is in the news, as obviously just yesterday was reported, actually the day before November 1st, November 2nd, that Stuxnet was highly underestimated. In fact, the digital certificates that were spoofed have been hanging around and it's been a malware has been out there. Again, this is an indictment of the problem that we have, which is we got to get the security. Now the things that the general talked about I want to get your reaction to because certainly I honed in on a couple of key things. Foundational tech for common defense. So he talked a lot about the Constitution and the role of government. I did a tweet on that, but what is the role of the government? That's the common defense of the United States. Citizens and business, one. Not just protect the Department of Defense. At the same time, he did kind of put a plug in that we need the civil liberties and privacy to be addressed. But this is the biggest crisis we have and it's a problem that can only be solved by working together. And if you look at Dave, the trends that we're following on theCUBE and SiliconANGLE and Wikibon, the common thread is community. If you look at blockchain and what's going on in that disruptive, decentralized world, the role of the community is critical. If you look at what's going on in security, it's the role of the community. If you look at open source, the biggest success story of our multiple generations and now impacting the younger generation in the computer science industry and computer industry, open source software, community.
You're starting to see the role of communities where knowing your neighbor, knowing who's involved with things is really critical and he can't highlight it any more than this conference that Centrify is presenting with these gurus because they're all saying the same thing. You got to share the data. The community's got to work together. So common defense, maintaining civil liberties and maintaining privacy at the same time, solving the biggest crisis of our time. Well, the other big thing that John, you actually made this prediction to me a couple weeks ago was that government and industry are going to start working together. It has to happen. General Alexander basically said that, is it the government's role, job, to protect commercial industry? And it was an emphatic yes and pulled out his fake version of the Constitution and said yes and he got in front of Panetta and in front of the US Senate and made the case for that and I think there's no question about it that industries control critical infrastructure and industries aren't in a good position to protect that critical infrastructure. They need help from the government and the government has some of the most advanced technologies in the world. And the other thing we've been hearing from the executive at Aetna is maintaining intelligence on the data and sharing is critical to resolve the problem. But his point was that most people spend time on an attack vector that's usually wrong. He said quote, you're better off having people be idle than chasing down an attack vector that's wrong. So his point is report that to the agencies quickly to one reverse engineer the problem. Most likely you're going to get better intel on the attack on the vector, then you can start working effectively. So he says a lot of problems that are being solved by unconventional means. Well, General Alexander said that when he was head of Cyber Command, his number one challenge was visibility on the attacks.
They could only respond to those attacks. So my question to you, John, is how will data, big data, machine learning, AI, whatever you want to call it, how will that affect our ability as an industry to proactively identify threats and thwart them as opposed to just being a response mechanism? I think it's going to be critical. I think if you look at the AI and machine learning, AI is basically machine learning on steroids. That's really kind of what it is now, but it hopefully will evolve into bigger things. It's really going through the massive amounts of data. One of the points that the general Alexander talked about was the speed and velocity of how things are changing and that most IT departments can't even keep up with that right now. Never mind security. So machine learning will allow things to happen that are different analysis faster, rather than relying on data lakes and all kinds of old modeling, just not fast enough, so speed. The other thing too is that as you start looking at security, this decentralized approach, most attacks are coming in on state sponsored but democratized attacks, meaning you can use open source and public domain software to provide attacks. This is what he's been talking about. So the number one thing is the data. Sharing the data, being part of a community approach where companies can work in sectors because there's a lot of trend data coming out that most attackers will come out and or state sponsored attacks will target specific things. First of all, the one problem that can be solved immediately, there's no way any of the United States military and or energy grid should be attached to the internet and you can mask out all foreign attacks just by saying only people in the US should be accessing. That's one network conventional thing you do, but getting the data out there is critical.
But working in sectors, most attacks happen like on the financial services, industry, so if you're sitting there and trying to solve the problem and keep it on the down low, you're going to get fired anyway. The business is probably going to get hurt. Report it early with your peers in the community, share some data, anonymize that data, don't make it privacy breaching, but get it out there. Number one thing. Well here's the problem, is $80 billion is spent a year on security and a vast majority is still spent on perimeter security and we heard today that the number one problem is things like credential stuffing and password, poor user behavior and our response to that is education. Jim Routh talked about that's a conventional response. We need unconventional responses. I mean the bottom line is there's no silver bullet to security. You talked about critical infrastructure should not be connected to the internet, but even then when you have an air gap and go back to Stuxnet, Natanz had an air gap and Mossad got through the air gap. There's always a way to get through somehow. So there's no one silver bullet. It's a portfolio of approaches and practices and education and unconventional processes that you have to apply. And as we talked about- Well I mean there's no silver bullet but there are solutions and I think that's what he's saying. He gave a general Alexander gave specific examples when he was in charge of the NSA command center was terrorist attacks being thwarted. Those are actual secure problems on the terrorism front that were solved. There was a silver bullet for that. It was called technology. So as you generalize it Dave, I can hear you saying because IT guys want a silver bullet. I want to buy a product that solves my security problem. So here's the problem I have with that is I used to read Art Coviello's memo every year. It was like he tried to do like the and he still does.
But I look back every year I said do we feel safer and more secure than we were last year and every year the answer is no. So we, despite all the technology and we've talked about this on theCUBE with Pat Gelsinger, security is essentially a do-over. We do need unconventional new ways of attacking the problem. No debate. Well I'm just highlighting the point. I mean if you look at it from an IT perspective the old conventional wisdom was I want to buy a product. Hey vendor, sell me your security product. What general's kind of pointing out is he's kind of pointing out and connecting the dots is like hey what they learned in the NSA was it's an ongoing iterative thing that's happening in real time. It's not an IT solution anymore. It's a more of a holistic problem. Meaning if you don't understand the problem space you can't attack it. So when they talked about the terrorist attack they had a phone record. They had to give it to the FBI. The FBI had to get into it. They discovered the guy in basically 24 hours and then it took a week to kind of vet the information. You know luckily they caught it and saved a subway attack in New York City in 2008 that would have been devastating. Okay still they were successful but weeks. So machine learning and to your point is only going to accelerate those benefits. And again the real counterpoint that's general pointed out is civil liberties and privacy. Well Tom. I mean what do you want? You want subway attacks? Or you want to have your email and your email be clean? Or you want to have people read your email and no subway attacks? I mean come on. Well you and I have talked about this on theCUBE and over the number of years and talking about Snowden and General Alexander brought it up.
Basically he told the story and he was pretty emphatic as to his job was to protect not only the citizens in the United States but the infrastructure and basically saying we couldn't have done it without the laws that allowed us to analyze the metadata. I mean I think in my opinion what I think is going to happen is we're going to have a completely re-imagined situation on government. If you look at the trends with GovCloud what's going on with AWS, Amazon Web Services in the federal area is an acceleration of massive agility and change happening. You're going to see a re-imagined of credentials. Re-imagining of culture around hiring and firing people out of the right people. I always say there should be a Navy SEALs for cyber, a West Point for cyber. So I think you're going to start to see a cultural shift from a new generation of leaders and a new generation of citizens in the U.S. that are going to look at citizenship differently. So for instance, Centrify which is putting on this event has an identity solution. That's an easy solution. Take it out of IT's problem. No one should be patching 1200 different IT systems in the government. Screw it. It's like a driver's license. Here's your credential. So there's new ways to think about it. Radical ways, progressive ways, whatever you want to call it. I think those are going to be coming so fast. Blockchain is a solution. Well I was going to ask you about that. So four out of five breaches are password related from credential stuffing or just bad password behavior. Everybody uses the same password because they can remember it across all these sites. So four out of five of the breaches can be traced back to poor password behavior. So will things like blockchain or single sign-on, really the answer, that's the wrong question. When will and how will things like blockchain come to front and center to solve that problem? I don't know Dave.
I mean all I know is in today's Wall Street Journal and Andy Kessler writes a story that if you want to predict the future it's all about dodgeball. You got to get in the game and get hit by a few balls to know what's kind of going on around you. So you got to fail first. Everyone has an opinion. Nobody actually knows the answer. This has been a premise in the tech business. In my opinion, my opinion is to reimagine things. You got to look at it differently. So if you look at like Jim Routh, the CSO at Aetna said, you know, he said, look, we're going to solve these problems in a way. And he said, I'm not even a computer science major. I'm a history major and I'm running Aetna's security practice. And his point was, as a history major, civilizations crumble when trust crumbles. Okay, so trust is a huge issue. So trust on the government, trust on the systems, trust with email. So he's looking at it and saying, hey, I want systems that don't erode trust because the civilization of the world will just disintegrate. So trust is a big factor. These are the new things that the best minds have to solve. I think the other thing that really important topic that came up is public policy. And there was a discussion on sort of the, you know, hacktivists versus state sponsored terrorism. And so the payload or the signature of a hacktivist malware is dramatically different than that of a state sponsored, you know, initiative. State sponsored initiatives are much more sophisticated and much more dangerous. And so Robert Gates, when he was on theCUBE, brought this up and he said, listen, we have the best technology in the world, the best security in the world. And we apply that largely for defense. And he said, we could go on the offensive. He said, the problem is so can everyone else. And we have as a nation a lot more to lose.
So when we talk about Stuxnet earlier, Stuxnet basically was your tax dollars at work, getting into the hands eventually to the bad guys who then used that to come back and say, okay, we can attack critical infrastructure, U.S., so you better be careful. It's bigger than that though, Dave. That's one, that's old point, which is a good point. But Stuxnet was the beginning of a movement that state sponsored actors were doing. In the old days, a state sponsored actor in Iran case came from a state sponsor. They revealed their hands and their hacks a little too early and we could counter that. But if you look at the specific attacks over the past 15 years, if a state sponsored attack on the U.S. was happening, it was there, they had to show their hand. That's different now with WikiLeaks and a public domain, states can still remain anonymous and saying, it wasn't us and point to these organizations by democratizing hacker tools. So whether it's Stuxnet or something else, you're seeing state sponsored actors, and I won't, you know, China, Russia, whoever they are, they can actually enable other people that hate the U.S. to attack us. Their signature's not even on it. So by democratizing the hacker tools increases the number of people that could attack the U.S., and so the state sponsors aren't even doing it. Well, so Jim Routh talked about WannaCry and NotPetya, which were generally believed to be ransomware. And he said, no, they weren't ransomware. They only collected about 140,000 from that in U.S. dollars. They were really about state sponsored political acts. I don't know, sending warnings. We're going to ask him about that when he comes on theCUBE. All right, we've got a big day here at New York City here for CyberConnect 2017 and it's the inaugural event presented by Centrify. All the top leaders in the industry and government are here.
Solving the problem, the crisis of our generation, cyber attacks, security, both government and industry coming together. This is theCUBE. We'll be back with more live coverage after this short break.