 Live from Washington, D.C., it's theCUBE. Covering AWS Public Sector Summit. Brought to you by Amazon Web Services. Welcome back everyone to theCUBE's live coverage of the AWS Public Sector Summit here in our nation's capital. I'm your host, Rebecca Knight, co-hosting alongside John Furrier. We are joined by Jamil Jaffer. He is the VP of Strategy and Partnerships at IronNet. Thanks so much for coming on theCUBE. Thanks for having me, Rebecca. I know you've been watching us for a long time. So here you are, soon to be a CUBE alum. I have always wanted to be in the CUBE. It's like being in the octagon, but for computer. I'm pumped about it. I love it, okay. Why don't you start by telling our viewers a little bit about IronNet and about what you do there. Sure, so IronNet was started about four and a half years ago, five years ago by General Keith Alexander, the former director of the NSA and founding commander of US Cyber Command. And essentially what we do is we do network traffic analytics and collective defense. Now, I think a lot of people know what network traffic analytics are. You're looking for behavioral anomalies and network traffic trying to identify the bad from the good, getting past all the false positives, all the big data. What's really cool about what we do is collective defense. This idea that one company standing alone can't defend itself, it's got to work with multiple companies, got to work across industry sectors, potentially even with the governments and potentially across allied governments, really defend one another. And the way that works, the way we think about that, is we share all the anomalies we see across multiple companies to identify threat trends and correlations amongst that data so you can find things before they happen to you. And so the really cool idea here is that something may not happen to you but it may happen to your colleague, you find out about it, you're defended against it. So it takes a real commitment by our partners, our companies that we work with to do this, but increasingly they're realizing the threat is so large, they have no choice but to work together and we provide that platform that allows that to happen. And the premise is that sharing the data gives more observational space to have insights into that offense. That's right. It's as though, it's almost like you think about an air traffic control picture or a radar picture, right? The idea being that if you want to know what's happening in the airspace, you've got to see all of it in real time at sort of machine speed and that allows you to get ahead of the threats rather than sort of being reactive and talking about instant response, we're talking about getting ahead of the problems before they happen so you can stop them and prevent the damage ahead of time. So you're an expert, you're lucky to have, you talk about what you've been doing before this, obviously a lot of experience in security, talk about some of the things you've done in the past. So I have to admit to being a recovering lawyer but you have to forgive me because I did grow up with computers. I had a Tandy TRSAD color computer when I first started, 4K of onboard RAM. We upgraded to 16K. It was the talk of the rainbow computer club. What do you do with 16K of RAM? I mean, it was basic programming language, stored on cassette tapes. I mean, I remember you said to punch a hole in the other side of a five and a quarter floppy disk to make it double-sided. Right, right. Glory days. Yeah, I paid my way through college running a network cable but I'm a recovering lawyer and so in my job in the government, I worked at the House Intelligence Committee, the Senate Foreign Relations Committee and then the Bush administration on the comprehensive national cybersecurity initiative, both the Justice Department and the White House. You've seen the arc, you've seen the trajectory. The progress we're making now seems to me slower than it should be. Obviously a lot of inertia, as Annie Jastly said today, about a lot of these public sector government agencies and whatnot, but a real focus has been on it. We've been seeing activity. Where are we in the state of the union around the modernization of cyber and awareness to what's happening? How critical are people taking this threat seriously? Well, I think a variety of things to say on that front. First, the government itself needs a modernized assistance. We've seen that talked about in the Obama administration. We've seen President Trump put out an executive order on modernization of federal infrastructure. The need to move to the cloud. The need to move to shared services make them more defensible, more resilient long-term. That's the right move. We've seen efforts of the Department of Defense and elsewhere. They aren't going as fast as they need to. More needs to happen on that front. IT modernization can really be accelerated by shifting to the cloud. And that's part of why one of the things that Ironett's done really aggressively is make a move into the cloud space, putting all of our back end in the cloud and AWS. And also, ability capability to do surveillance and monitoring. I mean network threat detection, not surveillance of the old kind, but network threat detection in the cloud, in cloud-enabled instances too. And so both are important, right? Classic data centers, but also in modern cloud infrastructure. You know, one of the things people want to know about is what your enemy looks like. And now at the democratization with open source and democratization of tools, the enemies could be hiding through obscure groups. The states, the bad actors and the state actors can actually run covert activities through other groups. This is kind of a dynamic that creates confusion. No, in fact, it's their actual, it's their mode of operating, right? It's exactly what they do. They use proxies, right? So you'll see the Russians operating, looking like a criminal hacker group operating out of Eastern Europe. Part because a lot of them are Russian criminal gangs are in actuality. You see a lot of patriotic hackers, right? I would tell most people, if you see a patriotic hacker, you know, there's probably a government behind that whole operation. And so the question becomes, how do you confront that threat, right? A lot of people say deterrence doesn't work in cyberspace. I don't believe that. I think deterrence can and does work in cyberspace. We just don't practice it. We don't talk about our capabilities. We don't talk about our red lines. We don't talk about what'll happen if you cross our red lines. And when we do establish red lines and they're crossed, we don't really enforce them. So it's no surprise that our enemies or our adversaries, our hiddenness in cyberspace or testing our boundaries, it's because we haven't really given them a sense of what's where those lines are and what we're going to do if they cross them. Are we making any progress on doing anything here? What's the state of the market there? Well, you know, the government has appeared, appears to have gotten more aggressive, right? We've seen efforts in Congress to give the Department of Defense and the U.S. intelligence community more authorities. We've had seen the stand-up as the U.S. cyber command. And we've seen more of a public discussion of these issues, right? So that's happening. Now, is it working? That's a harder question to know. But the real hard question is, what do you do on private sector defense? Because our tradition has been in this country that if it's a nation-state threat, the government defends you against it. We don't expect Target or Walmart or Amazon to have service to air missiles on the roof of your buildings to defend against Russian bear bombers. We said the government to do that. But in cyberspace, the idea's flipped on its head. We expect Amazon and every company in America from a mom-and-pop shop all the way up to the big players to defend themselves against script kiddies, criminal hacker gangs, and nation-states. And ransomware has been taking down cities, Baltimore recently, multiple times, hit that well many times. That's right, that's right. Talk about where the U.S. compares. I mean, here, as you said, the U.S., we are starting to have these conversations. There's more of an awareness of these cyber threats, but modernization has been slow. It does not quite have the momentum. How do we rate with other countries? Well, I think in a lot of ways, we have the best capabilities. When it comes to identifying threats, identifying the adversary, the enemy, and taking action to respond. If we're not the top one, we're in the top two or three. And the question, though, becomes one of, how do you work with industry to help industry become that good? Now, our industry is at the top of that game also. But when you're talking about a nation-state which has virtually unlimited resources, virtually unlimited manpower to throw out a problem, it's not realistic to expect a single company to defend itself. And at the same time, we as a nation are prepared to say, oh, the Department of Defense should be sitting on the boundaries of the U.S. Senate as if you could identify them even, right? And we don't want that. And so the question then becomes, how does the government empower the private sector to do better defense for itself? What can the government do working with industry? And how can industry work with one another to defend each other? We've really got to do collective defense not because it makes sense, which it does, but because there is no other option if you're going to confront nation-state or nation-state-enabled actors. And that's another threat. We've seen the leakage of nation-state capabilities out to a lot broader audience now. That's a problem, even though that may be sort of, you know, 2013, Calder wants its hack back. Those things still work, right? What we saw in Baltimore was stuff that has been known for a long time. Microsoft has released patches long ago for that and yet still vulnerable. And the evolution of just cyber, central command, cyber command seems to be going slow at least from my opinion. Maybe I'm not in the know, but what is the imperative? I mean, you know, there's a lot of problems to solve. How does the public sector, how does the government solve these problems? Is cloud the answer? What are some of the things that people at the top mind's discussing? Well, I think cloud is clearly one part of the solution, right? There's no question that when you move to a cloud infrastructure, you have a sort of a more bounded perimeter, right? And that provides the ability to also rapidly update. You can update systems in real time and in sort of, and mass, you know, there's no going around bringing your floppy disk and loading software. And it sounds like a, you know, that's sort of a joke about an older era, but you look at what happened with Nopetcha and you read this great Wired article about what happened with Nopetcha and you look at Maersk. And the way that Maersk brought his systems back up was they had a domain controller in Africa that had gone down due to a power surge where they were able to recover the physical hard drive and re-image all their worldwide domain controllers off that one hard drive. You think about a major company that runs, you know, you know, huge percent of the world's ports, right? And this is how they recovered, right? So we really are in that sort of take your disk and you know, go to computers in a cloud infrastructure. You think about how you can do that in real time or rapidly refresh, rapidly install patches. And so there's a lot of that. That's a huge part of it. It's not a complete solution, but it's an important part. Yeah, one of the things we talk about a lot of tech guys is that this debates around complexity versus simplicity. So if you store your data in one spot, it's easy to audit better for governance and compliance, but yet easier for hackers to penetrate from an IQ standpoint, the more complex it is, distributed harder. But what's the trade off there? How are people thinking about that? That kind of direction. No, it's a great question, right? There's a lot of benefits to diversity of systems. There's a lot of benefit to spreading out your sort of your crown jewels the heart of your enterprise. At the same time, there's real resilience in putting in one place, having it well defended, particularly when it's a shared responsibility and you have part of it for the defense, but the provider too, I mean, Amazon and all the other cloud providers, Microsoft and Google, all have it in their own self-interest and really defended their cloud really well because whether or not you call it shared responsibility, it's your stock price of matters if you get hit, right? And so you have every incentive, you Amazon and all the other cloud players have an incentive to do the right thing and do it really well. And so this shared responsibility can work to both sides' benefits. That being said, there's an ongoing debate. A lot of folks want to do their stuff on-prem and a lot of ways, a lot of us are old school, right? And when you touch it, you feel it, you know it's there and we're working through that conversation with folks. I think that at the end of the day, you know, there are the real efficiency gains and the power of having super computing power at your fingertips for analytics, for consumer purposes and the like. I really think there's no way to avoid moving to a cloud infrastructure in the long run. I know you said you're a recovering lawyer but you are the founding director of the National Security Institute at the Antonin Scalia School of Law. How are you thinking about educating the next generation of lawyers who could indeed become policymakers or at least work on these committees to think about these threats that we don't even know about yet? That's a great question. So one of the things we're doing is we're about to, we're working through the process with the state commission on establishing a new LLM in Cyber Intelligence and National Security Law. That'll be a great opportunity for lawyers to actually get an advanced degree in these issues. But we're also educating non-lawyers. One of the interesting things is, you know, one of the challenges DC has is we make a lot of tech policy, a lot of it not great because it's not informed by technologists and so we've got a great partnership with the Hewlett Foundation where we're bringing technologists from around the country, you know, mid-career folks, anywhere from the age of 24 to 38, we'll bring them to DC and we're educating them on how to talk to policymakers. These are technologists, these are coders, data scientists, all the like. And it's a real opportunity for them to be able to be influential in the process of making laws and know how to involve themselves and talk that speak because, you know, DC speak is a certain thing, right? And it's not typically consistent with tech speak and so we're trying to sort of bridge that gap and the Hewlett Foundation has been a great partner in that effort. On that point about this collaboration, Silicon Valley's been taking a lot of heat lately, obviously in Zuckerberg and Facebook and the news again today, more issues around, you know, irresponsibility, but you know, they were growing a rocket ship. I mean, that company's only 15 years old, roughly. So the impact's been significant, but tech has moved so fast, tech companies usually would hire policy folks in DC that speak the language, educate, a little bit different playbook, but now it's a forcing function between two worlds colliding. You got Washington DC, I call DC, the Silicon Valley, cultures have to blend now. What are some of the top minds thinking about this? What are some of the discussions happening? What's the top conversations? Well, look, I mean, you've seen it in the press. I mean, it's no surprise you're hearing this talk about breaking up big tech companies. I mean, it's astounding, you know, we used to live in a world in which, you know, being successful was the American way, right? And now it seems like at least, you know, without any evidence of antitrust concerns that we're talking about, break up companies that have been otherwise hugely successful, wildly innovative. It's sort of interesting to hear that conversation. It's not just one party, it's you're hearing this in a bipartisan fashion. And so it's a concern and I think what it reveals to tech companies is, man, we haven't been paying a lot of attention to these guys in DC, they can cause us real trouble. We need to get over there and start talking to these folks and educate them on what we do. And the imperative to them is to do the right thing, because I mean, the United States interest breaking up, say Facebook and Google and Apple and Amazon might look good on paper, but China's not breaking up Alibaba anytime soon, so- To the contrary, they're giving them low interest loans and helping Huawei excel, I mean crazy. Yeah, and they have no R&D by the way, so that's been- Right, because they sold all of IP. So the US invest in R&D, that is easily moving out through theft, that's one issue. You have digital troops on our shores from foreign nations, some will argue, I would say yes. Inside the border. Inside the border, inside the interior, access to the power grids, our critical infrastructure. This is happening now. So is the government now aware of the bigger picture around what we have as capabilities and criticalities that we're needed now for digital military? What is that conversation like? Well, I think they're having this conversation. I think the government knows it's a problem. They know that actually in a lot of ways a partnership with tech is better than an adversarial relation. That doesn't change the fact that for some reason, in the last three, four years, we really have seen what some people are calling a tech lash, right? A backlash against technology. It kind of strikes me as odd because of course the modern economy that we're so benefited from is literally built on the back of the innovations coming out of the Silicon Valley, out of the West Coast, and out of the DC metro area where a lot of these tech companies are developing some of the most innovative new ideas out there, frankly, helping government innovate. And so, you know, Amazon's a key part of that effort, right, here in the public sector. And so, you know, I'm hoping that educational will help. I know that the sort of arrival of tech companies here to really have that conversation in an open and sensible way. I hope we'll sort of walk back some of this. But, you know, I worry that for too long, the tech and the policymakers have ignored one another and now they're starting to intersect, as you say, and it has the possibility of going wrong fast, and I'm hoping that doesn't happen. You know, one of the things that Rebecca and I were talking about is this talent gap between public sector and private sector. You know, these agencies aren't going to go public anytime soon, maybe they should get equity deals and get in a financial incentive, you know? They shrink down the cost, increase the value. But as you get this collaboration between the two parties, the cloud is attracting smart people because it gives you an accelerant to value. So, people can see some entry points to land some value out of the gate versus giving up and abandoning it through red tape or other processes. So, you're starting to see smart people get attracted to cloud as a tool for making change. How is that working because, and how is that going to work out? Because this could be coming to the partnership side of it. People might not want to work for the government but could work with the government. This is a dynamic that we see is real. What's your thoughts? I think that's exactly right. Having these cloud infrastructures gives the ability to one leverage huge amounts of computing power but also leverage insights and knowledge from the private sector in ways that you never could have imagined. So, I really do think the cloud is the opportunity to bring real benefits from public, private sector innovation into the public sector very rapidly, right? And so, broad cloud adoption, that's part of why John Alexander, my boss, and I've been talking a lot about the need for broad cloud adoption. It's not just innovation in technology, it's benefits to the warfighter, right? I mean, these are real tangible benefits, pushing data in real time, the warfighter, you know, John Alexander had one of the biggest innovations in modern warfighting where he was able to take symbols and tell us down from weeks and months, down to minutes and seconds, that enabled our warfighters in Iraq and Afghanistan to really take the fight to the enemy. The cloud brings that power scaled up, you know, to a huge degree, right? By power, by orders of magnitude. And so, you know, the government recognizes this and yet today we don't see them yet moving rapidly that direction. So, I think the EO was a good move, a good first step in that direction. Now we're going to see it implemented by the various agencies down below. We'll keep in touch. Great to have you on. I know we're wrapping up the day here, breaking down. We're going to pull the plug literally. We'll keep in touch and we'll keep progress on you. Jamil, you are now a CUBE alum. I love it. Thanks for having me. So, congrats, you joined the club. I love it. I'm Rebecca Knight for John Furrier. You have been watching the CUBE's live coverage of the AWS Public Sector Summit.