 Live from Boston, Massachusetts, it's theCUBE. Covering AWS Reinforce 2019. Brought to you by Amazon Web Services and its ecosystem partners. Hello, welcome back, everyone. It's theCUBE live coverage here in Boston, Massachusetts for AWS Reinforce, Amazon Web Services. First inaugural conference around security. It's not a summit, it's a branded event, big time ecosystem developing. We have returning here, CUBE alumni, Bill Jeffert, VP of strategy and partnerships at IronNet, cyber security company. Welcome back. Thanks. Working with General Keith Alexander who was on a week and a half ago at the Public Sector Summit. Good to see you. Good to see you, thanks for having me back. Really appreciate it. So I want to get into some of the Iran cyber command because we had General Keith Alexander. He was the original commander of that division. So important discussions that have around that. But I want to get your take on the event. You guys are building a business in the middle of cyber. You're involved in the public sector. This is commercial, private partnership, public relationships coming together. Your models are sharing. So bringing public and private together is important. No, it's exactly right. And it's really great to be here with AWS. We're a really close partner of AWS. We work with them. Our entire back end today runs on AWS. It's a really neat opportunity to get into the ecosystem, meet some of the folks that are working, that we might work with, that we might partner up with to deliver a great product, right? And you're seeing a lot of people move to cloud, right? And so some of the big announcements that are happening here today, we're looking to partner up with AWS and be a first time provider for some of the key new product developments that AWS is launching in their own platform here today. So that's a really neat thing for us to be partnered up with this awesome organization. I'm doing great work. What's some of the focus areas around reinforce that you're partnering with Amazon? Can you share some specifics? Yeah, so I don't know whether they announced one of these capabilities whether they're doing the announcement yesterday or today, so I forget which one. So I'll leave that one specific piece out, but the main thing is they're announcing a couple of new technology plays. We are a launch partner with them on those technology plays. So we're going to be able to do what we were only once able to do on-prem. We're going to be able to do in the cloud with AWS in the cloud formation. So that we'll be able to deliver the same kind of value that we deliver to on-prem customers inside their own cloud environments and their hybrid environments. So it's a C change for us as a company, a C change for AWS delivering that new capability to their customers and really being able to defend a cloud network the way you would in on-prem network, game changer. Describe that value if you would a little bit more. Well, so you know, one of the key things about an on-prem network you can do is you can look at all the flows coming past you. You can look at all the data, look at it in real time and develop behavioral analytics over it. That's what we're doing with our on-prem customers today. In the cloud we've historically looked to logs, right? And now with this new AWS capability we're going to be able to integrate that and do a lot more the way we would in a normal sort of on-prem environment. So you're really able to deliver that real capability at scale. And lagging has always killed the predictive analytics or visibility into what you could do and it's too late. Exactly right. You guys solve that with this. What are some of the challenges that you see in cloud security that are different than on-premise? Because that's the CISO conversation we've been having. It's like I know on-premise, I've been doing it on-premises for a while. What's the difference between the challenges, sets of challenges and the opportunities that they provide? Well, the opportunities are really neat, right? Because you've got that, even though you have a shared responsibility model, which is a little different than you traditionally have it when it's on-premise, all yours, essentially you own that responsibility and it is what it is. In the cloud, it's shared responsibility between the cloud provider and the data holder, right? But what's really cool about the cloud is you can deliver some really interesting things at scale. You can do patch updates simultaneously. All your back-end, all your client systems, even if depending on how you're provisioning your cloud services, you can deliver that update in real time. You don't have to worry about I've got to go to individual systems and update them and some are updated, some are patched, some aren't, right? Your servers are patched simultaneously. You take them down, you bring them back up and they're ready to go, right? That's a real unique capability that for a CISO, you're delivering this thing at scale. It's awesome. Now, some of the challenges, right? It's a new environment, it's something you haven't dealt with before. A lot of times you have to deal with a hybrid environment. You have both an on-prem instantiation and a cloud instantiation. Those have to talk to one another, right? And you might think about, well, how do I secure those connections, right? Now, how do I think about spending money over here when I've got to also do some spend up here in the cloud and that's going to be a hard thing for CISOs to figure out too. And so there are some challenges, but the great thing is you've got a whole ecosystem of providers. We're one of them here at the AWS ecosystem. There are a lot here today and you've got AWS as a partner itself who wants to make sure that their systems are secure but so are yours because if you have a problem in their cloud, that's a challenge for them to market this to other people. Do you want to talk about your story? Because when we interviewed you a couple weeks ago and you made a comment, I'm a recovering lawyer, kind of, yeah, we all laugh. But you really started out in law. Right. How did you end up here? Well, the truth is, I grew up sort of a technology here myself. My first computer was a Trash80, a TRS80 colored computer, Radio Shack, 4K of RAM on board, right? Only a true TRS80 owner was called Trash80. I know what you're saying there. It was a beautiful system, right? I mean, we stored programs on cassette tapes, right? And when we upgraded from 4K to 16K, we were at the talk of the Rainbow Computer Club in Santa Monica, California. Game changer. It was a game changer for 16K. What are you going to do with 16K of onboard RAM? I mean, this is, you know, this is what are you going to do? And so, you know, I went from that and I... You're getting in trouble with something. You got to go to law school. I was like, because you're in there, right? I mean, come on, see it out. Look, I mean, you know, so my dad, though, was a chemist, right? And so he loved computers, he loved science, but he also had an unrequited political bonus body. He grew up in East Africa, in Tanzania. It was always thought that he might be a minister in government. The socialists came to power. They had to leave at the end of the day and he came to the United States and ended up doing chemistry, which was his course of studies. But he still loved politics. So he raised me on NPR. So when I went to college, I studied political science, but I paid my way through college at UCLA doing computer support. The Life Sciences Department, the Athletics Department, and I ran 10-base TKB on climbing through the ceilings and pulled network cable, do punch-down blocks, a little bit of fiber-splicing. So, you know, I was still a nerd, right? You were writing software on the side, too. Well, we won't talk about that. I will admit to one major error and that was when the web first came out and we had links. I don't know if you guys remember that, it was a tech space browser, right? That's right, of course. And I remember looking to say, this is terrible. Who would use HGP and all these slashes and stuff? I'm going back to Gopher. Gopher's awesome. Well, turns out I was totally wrong about that one. And once I got on Mosaic and Netscape after that, it was all hands on deck for that stuff. And then you got a great career, been involved a lot in the confluence of policy, got politics and tech, which is actually a perfect skill set for the challenges we're dealing with. So I got to ask you, what are some of the most important conversations that should be on the table right now? Because there's been a lot of conversations that have been going on around, from this technology AI has been around for many decades, this has been a policy problem, this has been a societal problem. But now there's a real focus, an acute focus on a lot of key things. What are some of the most important things that you think should be on the table for techies, for policy makers, for business people, for lawmakers? Well, one, I think we've got to figure out how to get real technology knowledge into the hands of policy makers, right? You see, you watch the Facebook here is on Capitol Hill. I mean, it was- A joke. Yeah, it was concerning, right? I mean, anybody with a technology background should be concerned about what they saw there. And it's not the lawmakers fault. I mean, we've got to empower them with that. And so what we got to do is we got to take technologists, figure out how to get them to talk policy and get them up on the hill and in the administration talking to folks, right? And one of the big outcomes that I think has to come out of that conversation is what do we do about national level cyber security, right? Because we assume today that it's the role of the private sector to provide cyber security for their own companies. But in no other circumstance do we expect that when it's a nation state attacker? We don't expect Target or Walmart or any other company, JP Morgan, to have surfaced air missiles on the roofs of their warehouses or their buildings to defend against Russian bare bombers. Why? That's the job of the government. But when it comes to cyberspace, we expect private companies to defend against everything from a script kitty in his basement to the criminal hacker in Eastern Europe to the nation state where there's Russia, China, Iran, or North Korea. And these nation states have virtually unlimited resources. Digital armies. Yeah, digital armies. R&D, technology, and it's powerful. Exactly. It's like a nuclear weaponry kind of impact for digital. Exactly. And how can we expect private sector to come to defend themselves? It's not a fair fight. And so the government has to have some role. The question is what role? How do we do that consistent with our values and our principles, right? And how do we ensure that the internet remains free and open while still ensuring that the private sector is not hampered in doing its job out there? I love this topic. It's tough. It's a lot, sometimes, of future warfare. And that's really what we're talking about. You know, go back to Stuxnet, which opened Pandora's box. The 2016 election hack where you had the Russians trying to control the meme, control the narrative. As you pointed out that one video we did control the belief system. You control population without firing a shot. 2020's going to be really interesting. And now you see the US retaliate to Iran. In cyberspace, allegedly. I was saying that we had a conversation with Robert Gates a couple years ago, and I asked him, I said, should we be more, taking more of an offensive posture? And he said, well, we have more to lose than the other guys. The glasshouse problem. What are your thoughts on that? Well look, certainly we rely intimately, inherently on the cyber infrastructure that sort of is at the core of our economy and at the core of the world economy increasingly today. That being said, because it's so important to us, all the more reason why we can't let attacks go unresponded to, right? And so, if you're being attacked in cyberspace, you have to respond at some level because if you don't, you'll just keep getting punched. It's like the kid on the playground, right? If the bully keeps punching him and nobody does anything, not the school administration, not the kid himself, well then the bully's going to keep doing what he's doing. And so it's not surprising that we're being tested by Iran, by North Korea, by Russia, by China, and they're getting more and more aggressive because when we don't punch back, that's what's going to happen. We don't have to punch back in cyberspace, right? A common sort of fetish about cyberspace. It's a response. The issue is you got to respond to the bully, in this case, your example on the playground. Exactly. Well, talk about the Iran thing. So, if I can, so the response could be, hey, we could do this, let them know you could do this, and then say, you're a move. Well, and this is the key is that it's not just responding, right? So Bob Gates sort of told you, well, we can't really talk about what we're doing. And even in the latest series of alleged responses to Iran, the reason we keep saying alleged is the U.S. has not publicly acknowledged it, but the word has gotten out, right? Well, of course, it's not particularly effective in deterrence if you do something but nobody knows you did it, right? You got to let it out that you did it, and frankly, you got to own it and say, hey, look, that guy punched me, I punched you back in the teeth, so you better not come after me, right? We don't do that, in part because these capabilities grew up in the intelligence community at NSA and the like, and so we're very sensitive about them. But the truth is you don't have to talk about your highest end capabilities. You can talk about your capabilities, you can say, here are my red lines, and if you cross them, I'm going to punch you back. If you do that then, by the way, you've got to punch back. You can't let red lines be crossed and then not respond. And then you've got to talk about some level of capabilities. It can't all be secret, it can't all be classified. Where are we in this debate? I mean, first of all, you were referring to the Thursday online attack against the intelligence, Iranian intelligence community for the tanker and the drone strike that they got against the drone takedown from one of our surveillance drones. But where are we in this debate of having this conversation where the government should protect and serve its people? And that's the role, because if a army rolled in, fiscal army dropped on the shores of Manhattan, I don't think Citibank would be sending their people out to fight, right? So like, this is really happening. Where are we on this? Like, is it just sitting there on the table? What's happening? Well, what's amazing about it? Who's behind this? Who's getting it going? And that's the key. What's been amazing about this, it's been happening since 2012, 2011, right? We know about the Las Vegas Sands attack, right? By Iran, we know about North Korea's efforts. We know about all these things that are going on here in the United States against private sector companies, not against the government. And there's largely been no response. Now, we've seen Congress get more active. Congress just last year passed legislation that gave Cyber Command the authority on the President's Secretary of Defense's orders to take action against Russia, Iran, North Korea and China if certain cyber activities happen. That's a good thing, right? They've been out being given the clear authority, right? And it appears the President's willing to make some steps in that direction. So that's a positive step. Now, on the back end, though, you got to talk about, well, what do we got to do to harden ourselves? If that's going to happen, right? And the government isn't ready to defend the nation, even though the Constitution talks about providing for the common defense. And we know that the Department of Defense for a long time since Secretary Panetta has said that it is our mission to defend the nation, right? But we know they're not fully doing that. How do they empower private sector defense? And one of the keys of that has got to be, look, if you're the intelligence community, you're the U.S. government, you're collecting tremendous amounts of data about what you're seeing in foreign space, about what the enemy is doing, what they're preparing for. You have got to share that in real time at machine speed with industry. And if you're not doing that, and you're still counting on industry to be the first line defense, well, then you're not empowering that defense. And if you're not empowering that defense, how do you expect them to defend themselves against these nation-state threats? That's a real crisis. So a much tighter public-private relationship is what you're calling for. Absolutely, absolutely. And that doesn't have to be the government standing on the front lines of the U.S. Internet, as though you could even determine the boundaries of the U.S. Internet, right? Nobody wants NSA or cybercrime out there doing that. But what you do want is if you're going to put the private sector in the line of first defense, you've got to empower that defense. And if you're not doing that, then the government isn't doing its job. And so the government's been talking about this for a long time. I worked on that first piece of information sharing legislation with the house chairman, intelligence chairman, Mike Rogers, and Doug Troopersberger from Maryland, right? Congressman from both sides of the aisle, working together to get information and legislation done. That got done in 2015, but that's just a first step. The government's got to be willing to share classified information at scale and speed, and we're still not seeing that yet. How do people get involved? I mean, like, I'm not a political person. I'm a moderate, I'm in the middle. But how do people get involved? How does the technology industry, not the policy budgets and the talk that goes on at the top of the tech companies, how do tech workers or people who love tech and our patriots and or want freedom, get involved? What's the best approach? Well, that's a great question. I think part of it is learning how to talk policy. How do I get in front of policy makers, right? And I run a think tank on the side at the National Security Institute at George Mason University's Antonin Scalia Law School. We have a program funded by the Hewlett Foundation, where we're bringing in technologists, about 25 of them actually, our next, our second event in this series is going to be in Chicago this weekend. We're training these technologists. These are data scientists, engineers, and the like to talk policy, right? These are people who said we want to be involved. We just don't know how to get involved. And so we're training them up. That's a small program. There's a great program called Tech Congress, also funded by the Hewlett Foundation, that places technologists in policy positions in Congress. That's really cool. So there's a lot of work going on, but those are small things, right? We need to do this at scale. And so, you know, what I would say is that their technologists out there want to get involved, reach out to us, let us know. We'll work with our partners to help you get information and data about what's going on and get your voice heard. There are a lot of organizations too that want to get technologists involved. That's another opportunity too to get in the mix. So it's a story that we want to help tell and be involved in. Dave and I feel passionate about this. Obviously it's a data problem, so there's some real tech goodness in there. Absolutely. I mean, people like to solve hard problems. I mean, we got a couple big ones. And these are them. You got it. We've got some big hard problems to solve. So for all the people out there who are DevOps, Cloud people, who like to work on solving hard problems, we got a lot of them. Let's do it. So what's going on with Iron Nick? Give us the update, quick plug for the company. Yeah. Keith Alexander, founder, great guy, great guest to have him on theCUBE. Yeah. What's going on, give us a quick plug. Thanks so much. So you know, we've done two rounds of funding, about 110 million all in, so we're excited, we're excited to have partners like Kleiner Perkins, ForgePoint, C5, all supporting us. And now it's all about, we just got a new co-CEO in, Bill Welch from Zscaler and Duo. So he grew Zscaler to a billion dollar valuation. He came into Duo. They obviously had a great exit also. We got him, we got Sean Foster in from industry also. So Bill and Sean came together. We're now making this business move more rapidly. We're moving to the mid-market. We're moving to a cloud platform more aggressively. And so exciting times at IronNet. We're coming to big and small companies near you. We've got the capability. We're bringing advanced persistent defense to bear on some of these hard problems. Network threat analytics and collective defense. That's the key to our operation. We're excited to be doing it. I call NSA as a service, but that's probably not politically correct. But this is theCUBE, so. Well, look, if you want to do defense at scale, right? If you want to do that, you know, NSA knows how to do that. Keith Alexander was at the forefront of that when he was in the government. Well, you guys are certainly on the cutting edge, riding that wave of cognitive societal change, technology impact for good, for defense, for, you know, just betterment. Not just, you know, making a quick buck. Well, you know, look, it's a good business model, by the way, to be in that business. I mean, it's on our business cards and John Xander means it. Our business cards say the mission continues and he really means that, right? We're out in the private sector. We're looking to help companies do the right thing and protect the nation, right? You know, by protecting themselves better. Well, our mission is to turn the lights on, get those voices out there. Awesome. Thanks for coming on and sharing your insights. CUBE coverage here. Day one of two days of coverage. AWS Reinforced here in Boston. Stay with us for more day one after this short break.