And now I get to start us by introducing Nate Fick. Nate Fick, sorry. The depressing thing about introducing Nate Fick as someone who runs a think tank and has written a book or two is that Nate did everything by 30 that I did by 50. Just a little, you know, going over his CV. He is awesome. He ran the Center for a New American Security as CEO. He wrote a book about his experiences in Afghanistan. He led Marine Corps infantry and reconnaissance units in Afghanistan and Iraq. His book, called One Bullet Away, was a New York Times bestseller, a Washington Post best book of the year, and one of the Military Times' best military books of the decade. That was not enough. So he is now running Endgame, and you'll hear more about that. And he's an operating partner at Bessemer Venture Partners. So when I was the Dean of the Woodrow Wilson School, I used to tell people you ought to try to work in the public sector, the private sector, and the civic sector. Nate Fick has done all three, and all by a very young age. So please welcome Nate Fick.

Thank you all very much. Good morning. And Anne-Marie, thanks for the kind introduction. I appreciate it. I want to thank Ian Wallace also for the invitation to be here. And I do confess that even five years later, I still feel a little uncomfortable standing in front of a New America sign, given my previous employment. But I think the team that New America has assembled is incredible. The work they do is phenomenal. This gathering, the third of its kind, is one not to be missed in this community. And so I'm thrilled to be here. Ian assigned me the topic of what's next. And all I could think about was one of my favorite papers we published when I was at CNAS, a piece by Richard Danzig, former Navy Secretary, called The Perils of Prediction. Richard's a very smart guy. And his thesis was that our innate human desire to predict the future is outweighed only by our inability to do it.
And so with that in mind, I'm going to offer up 10 observations, 10 propositions about the state of the cybersecurity community and how I think the community is responding, is likely to respond, or needs to respond. And I've grouped them as follows. Three about attacks and attackers, three about defenders and targets and risk management, three about government, and one about the overall culture of this community. First, though, just a very quick plea in this policy-focused audience for recognition that the cybersecurity challenge really is different from almost any other national security challenge, in that most of the actors, most of the infrastructure, and most of the impact are, in fact, in the private sector. Government is a part of the problem. Government is a part of the solution. But government's not the whole show, and it's not even the biggest piece of the show. So it requires, I think, many in this community to recalibrate our perspective a little bit. I run an endpoint security software company. I'm an operating partner at a West Coast venture capital firm, but I used to run a national security think tank. I was a Marine, and I'm on two boards now, one a university board and one a public company audit committee, where I'm looking at cybersecurity from the other side of the table as a buyer of technology, as an evaluator of CISOs. And I'm drawing on all of those experiences, and I think that illustrates a point about this field: that it is intrinsically interdisciplinary and that it cuts across so many lines, unlike many others. So, all right. Preface aside, 10 propositions about this community. Number one, the security community is failing if the key success metric is that our collective thinking and action actually result in better security. $50 billion spent last year on security products and services, and yet at least 75% of large enterprises are breached. And adversary dwell times, that is, the time from breach to detection, average about 100 days.
Public company CEOs fired, D&O insurance policies invoked, government records pilfered, key operational details from our intelligence agencies revealed, the US election perhaps impacted. There are many reasons for this, from structural asymmetry to government policy to product problems to industry culture shortcomings, and I'll talk through a few of them here, but right at the outset, my simple overarching proposition is that the security community is in a state of systemic failure: we are not stopping the attackers. My second observation is that cybersecurity is characterized by structural asymmetry between attackers and defenders. A dollar of offense beats a dollar of defense almost every time. Too often we talk about attacks as if they're acts of God, like weather systems, but attackers are people, and those people have an advantage over the defenders for several important reasons. Whereas the defenders need to be right always, the attackers need to be right only once. Whereas the defenders must operate within the constraints of law, policy, and regulation, the attackers have no such constraints. Attribution's very difficult, and sowing doubt about the origins of an attack does weaken deterrence. And when I say attribution, I mean both technical attribution, the challenge of forensically unraveling an attack bounced through obfuscated servers across multiple continents, but also intentional attribution. Was an attacker traced back with fidelity to a particular building in, say, China, acting on the orders of the central government, with the tacit okay of some more devolved power like a military unit, or as a rogue individual? And finally, as we joke at Endgame, it's always been more fun to be a pirate than it is to join the Coast Guard. Does a really talented computer kid wanna go be a hacker, or does he wanna work as a sysadmin deep in the bowels of an insurance company? Globally, the attackers too often have a recruiting advantage.
My third proposition is that the barriers to entry to developing high-end cyber capability are low and falling. And so we can expect the proliferation of sophisticated attack capabilities to continue. Take, for example, the recent wave of fileless attacks. Fileless attacks are designed to evade anti-virus and next-gen anti-virus products by enabling an attacker to take malicious actions on a computer without introducing any new files. Stuxnet, more than seven years ago, was a fileless attack. And that genie is now out of the bottle. The technique has been disseminated from the nation-state to criminal groups, to hacktivists, and so on. Sophisticated cyber weapons and attack techniques developed at the nation-state level will continue to go mainstream. It's a very different kind of non-proliferation challenge, where national borders, satellite reconnaissance, and inspection teams aren't so relevant. So the community's failing, offense is structurally dominant, and sophisticated offensive capability is ever cheaper and easier to obtain. It sounds pretty bleak. So let's shift from the attackers to the defenders for a few moments. The system's dynamic, and there's more than one side to any fight. So my fourth proposition is that the underlying cyber risk profile for organizations of all kinds, both federal and commercial, will continue to grow, driven by greater exposure from device proliferation, including the Internet of Things, mobility, automation and AI, and infrastructure as a service. 8.4 billion connected things will be in use worldwide at the end of this year, up 31% from last year, and the number's gonna reach 20 billion by 2020.
The underlying risk profile will grow, driven by higher probabilities from the proliferation of advanced hacking capabilities, as criminals increasingly have at their disposal capabilities once found only at the nation-state level, as I said; driven by more severe consequences from the rising value of intellectual and digital assets, magnified by social media and the 24-7 news cycle; and likely driven by greater regulatory and reputational risk from higher customer, regulatory, and public expectations around privacy and data protection. And the point here is that one might draw a doomsday conclusion from the first three propositions and say, okay, the cyber threat in the digital economy is sort of like the earthquake threat in the San Francisco economy. We'll take precautions like building better buildings, we'll transfer some risk by insuring against it, but basically we'll just put it out of our minds and get on with our lives. That doesn't work here. Big earthquakes come infrequently, and even if we know the big one could hit at any time, significant cyber breaches are an increasingly regular part of operating in the digital world. Customers and citizens won't ignore them. So my fifth proposition is really a corollary to number four, and it's that, because of these underlying macro trends, these structural trends, cyber risk really is a core enterprise risk. If you believe that every company is increasingly a technology company, and I think that's an increasingly accurate and widely held view, then cyber risk is simply a core enterprise risk, and it's existential. So it can't be delegated to a staff communications officer, it can't be delegated to a compliance-focused IT leader, it can't be delegated to a backward-looking audit committee. Companies need to incorporate it into their overall enterprise risk management framework, and they need to take a value-based approach to security rather than a risk-averse approach to security.
The risk-averse approach will result in a decision to buy one of everything or try some of everything, while a value-based approach quantifies risk and recognizes that you can do three things with it. You can accept risk, you can transfer risk via a mechanism like insurance, or you can mitigate it by people, process, and technology. This is gonna be a big shift for CEOs and boards over the coming several years. Call it the healthy normalization of cyber risk, as we mature into dealing with it as we deal with other enterprise risks. So let's also talk about mitigation. As I said, you can accept risk, transfer it, or mitigate it, and I spend most of my time in the security products world, the mitigation world, and I've seen firsthand that a long period of overfunding and hype has resulted in a highly fragmented, overcrowded, and largely undifferentiated landscape of smallish vendors. About 1,500 of them in the US right now. The average Fortune 500 chief information security officer has more than 50 security vendor relationships, and at a philosophical level, complexity is the enemy of security. This state of affairs isn't gonna last, because it doesn't serve customers well. At a business level, it results in overlapping expenditures and high frictional costs, and at a technology level, it results in poor integrations, which favor the attacker. I see two large trends developing in response to this fragmentation. First, platform consolidation, and second, more consumption of security as a managed service. So that's my fifth proposition. The platform vendors who own the real estate in the network and on the endpoint will win by layering in differentiated capability atop their existing platforms, and more and more customers will say, forget it, security isn't my business, I just want a trusted advisor to do this for me. There are lots of examples of this happening as we speak.
TPG buying a controlling stake in McAfee and pulling it out of Intel as a standalone company, Sophos buying Invincea, a multitude of new managed service providers gaining market share, and big service providers like Accenture buying, for example, Endgame's services business, which we spun out from our software business a few weeks ago, and trust me, there are gonna be more. So to recap, among the defenders, both customers and vendors, underlying cyber risk and cyber dependency are only growing. We have an existing framework in ERM, enterprise risk management, with which to make informed and business-driven decisions about cyber risk, and the industry, propelled by customer dissatisfaction with the status quo, is in the early stages of a period of meaningful consolidation. So then what about government? I started with industry because it's the most important piece, in my opinion, of the cybersecurity ecosystem. It's the largest, it's the most dynamic, it's where the greatest portion of the talent resides or spends most of its time. But government's obviously essential too, and so I'm gonna focus Propositions 7, 8, and 9 on the government. My seventh proposition is that we're suffering from a fundamental deterrence failure in the cyber domain, because our adversaries don't actually believe that the United States will respond to a cyber attack as it will respond to a kinetic attack, that is, by marshaling every ounce of our diplomatic, informational, economic, and military power in accordance with well-defined declaratory and escalatory policies. Because they don't believe that, the cyber domain is still the Wild West. Recall our strange history here. For years, our geopolitical competitors stole American defense industrial IP, and yet the first time a president really stood up publicly and vowed retaliation after a cyber attack was following North Korea's penetration of an entertainment studio. We're getting there.
The Obama administration's application of sanctions on Russia after the election, mass late last year, was the right kind of response, but it was too little and it was too late. Peter Singer of New America is excellent on this topic, and his testimony in front of the House Armed Services Committee a week ago is well worth reading, if you haven't read it. I see a lot of heads nodding. In short, too many conversations between government and industry focus on information sharing, talent exchanges, and public-private partnerships. All good things, but what we really need from government is that it do what it alone can do: make sure deterrence works and, my eighth proposition, organize itself the right way. So number eight, any good organizational leader knows that one of his or her key tasks is to put the right people in the right roles with the right resources and then get out of their way. This isn't how the government approaches cybersecurity. Instead, we suffer from a structural misalignment of capabilities, authorities, and need. So much capability sits in the intelligence community and DOD, while the domestic authorities are in DHS and law enforcement, and much of the unmet and growing need is at the state and local level. I commend New America for its work in this area. Very important, I think, and understudied. We're likely to see more attention to cybersecurity, more policymaking, and more spending at the state and local level. And we'll hear later from Terry McAuliffe, who's been a strong advocate for this as chair of the National Governors Association. I'm not an expert on the capabilities-authorities mismatch by any means, but in general, from my seat in the industry, I favor bolstering domestic defensive capabilities over extending international authorities into the domestic realm. We've watched those errors play out before in this community, and the damage was significant.
It's important for government to get these things right, in part because of my ninth proposition. The odds that companies will take matters into their own hands by hacking back go up so long as those with the mandate to keep order fail to do so. Hacking back is illegal, but laws change. And there's a draft bill on the table right now to do just that. Hacking back is also stupid. The equivalent, as my old Marine comrades would say, of bringing a knife to a gunfight. The best analogy I've seen is that hacking back is like getting bitten by a rattlesnake, and instead of seeking medical care and buying some tougher boots, deciding to bite the snake back to teach it a lesson. I don't care if you're a Wall Street bank spending a quarter billion dollars on security. The PLA and the FSB are spending more. And if you pick a fight with them or if you escalate against them, they will win. They have escalation dominance. We live in a society where the government has a monopoly on the legitimate use of force and we should keep it that way. So the government, in my view, in addition to focusing on collaboration with the private security sector, needs to do a couple of things that only it can do. Ensure deterrence works and ensure that capabilities and authorities continue evolving as rapidly as this issue is evolving. If the government fails to do these things, fails to be seen as a credible and effective guarantor of basic stability in the cyber domain, then we run the increased risk of others taking matters into their own hands and that's an outcome to avoid. My 10th and final proposition focuses on the security community itself. Security is bedeviled by a dark arts culture that's both self-serving and wrong. Security is no more a dark art than finance or real estate or tax policy or animal husbandry. 
It's a matter of technology and policy, business, laws, norms, and to wrap itself in a cape of black magic is nothing more than self-importance and a vain attempt at job security. It's bad for customers, but more importantly, it's bad for the talent base in the community itself. I'll appropriate a concept here and say that the arc of great talent bends toward diversity, and we can't expect to solve our structural failure to think differently, to stay ahead of a diverse and dynamic universe of attackers, if we surround ourselves with the same kinds of people. We need diversity of all kinds if we're gonna think and act differently, and we need to have an industry and community culture that recognizes that and embraces it as a strategic imperative. There are shining lights everywhere, and New America's Humans of Cybersecurity blog is a good one. We work hard to live this at Endgame. It's one of our core values as a team and a company, and I know the same is true here. I implore each of you to please take this on in your company or agency. Kill the dark arts culture. Diverse teams are better teams, and we need our best team on the field in cybersecurity, which leads to a final summary observation. The sky is not falling. FUD, fear, uncertainty and doubt, should not dominate, and I actually believe, despite several bleak propositions here, that the forces of order will prevail. I am not congenitally an optimist, so this is more empirical, so I'll run through it. I think that the arrayed talents of entrepreneurs, investors, engineers, data scientists, academics, policy makers, military officers, journalists and others in and focused on this field will carry the day. The data and the trends do seem to back that up. Average adversary dwell times have dropped from 160 days to 100 days over about two years. Products are getting better and easier to use. The market for cyber insurance is becoming more mature and liquid. Corporate boards and management teams are waking up.
Interdisciplinary conferences like this one are happening more frequently, and our government's showing the early stirrings of extending deterrence into the digital world. These things need to happen. We all have a shared interest in maintaining a basic level of trust in our digital world, for commerce, for communication, for entertainment, for so many aspects of human flourishing. That the stakes are so high is what makes this work so rewarding and so fun, and what makes gatherings like this one so important. So thank you.