 Hello everyone, welcome to a special CUBE conversation here in the CUBE studio in Palo Alto, California. I'm John Furrier, the co-founder of SiliconANGLE Media and also the co-host of theCUBE. We're here with Junay Vizlan, who's the president and CTO of a company called Vitter. Also supports the public sector and the defense community. Teases a class on cyber intelligence and cyber warfare. Junay, thank you for coming in. Well, thanks for having me, it's great to be here. Okay, I'll see, you know, we've been doing a lot of coverage of cyber in context to, one, the global landscape, obviously. In our area of enterprise and emerging tech, you see the enterprises are all shaking in their boots, but you now have new tools like IoT, which increases the service area of attacks. You're seeing AI being weaponized for bad actors, but in general, it's just really a mess right now and security is changing. So I'd like to get your thoughts on it and also talk about some of the implications around the cyber warfare that's going on. Certainly the elections on everyone's mind, you see fake news, but really it's a complete new generational shift that's happening with all the good stuff going on, blockchain and everything else and AI, he's also bad actors. You know, fake news is not just fake content, there's an underlying infrastructure, critical infrastructure involved. Yeah, you're 100% right. And I think what you have hinted on is something that is only now people are getting awareness of that is as America becomes a more connected society, we become more vulnerable to cyber attacks. For the past few years, really cyber attacks were driven by people looking to make 20 bucks or whatever, but now you really have state actors moving into the cyber attack business and actually subsidizing attackers with free information and hoping to make them more lethal attackers against the United States. And this really is completely new territory. When we think about cyber threats, almost all of the existing models don't capture the risks involved here and it affects every American, everybody should be worried about what's going on. And certainly the landscape has changed in security and tech with the cloud computing, but more importantly we have Trump in the office and it's always the brouhaha over just that and itself, but in concert to that, you're seeing the Russians, we're seeing them involved in the election, you're seeing China putting blocks and everything and changing how the rules are getting, it's a whole global economy. So I got to ask you the question that's on everyone's mind is cyber war is real, we do not have a West Point Navy SEALs for cyber yet, I know there's some stuff at Berkeley that's pretty interesting to me, that Michael Grimes at Morgan Stanley is involved in amongst other folks as well, where a new generation of attacks is happening in the US of A right now. Could you comment and share your thoughts and reaction to what's happening now that's different in the US from a cyber attack standpoint and why the government is trying to move quickly, why companies are moving quickly, what's different now, why is the attacks so rampant, what's changed? I think the biggest difference we have now is what I would call direct state sponsorship of cyber attack tools. Great example of that is the vault seven disclosure on WikiLeaks. Typically, when you've had intelligence agencies steal one thing from another country, they would keep it a secret and basically use those vulnerabilities during a time of attack or different operation. In this case we saw something completely different. We think the Russians might have stolen it, but we don't know, but whoever stole it immediately puts it back into the public domain and why do they do that? They want those vulnerabilities to be known by as many attackers as possible who then in turn will attack the United States at across not only public sector organizations but as private. And one of the interesting outcomes you've seen is the malware attacks or the cyber attacks we saw this year were much more lethal than ever before. If you look at the WannaCry attack and then the NotPety attack. NotPety attacks started with the Russians attacking the Ukraine, but because of the way they did the attack, they basically created malware that moved by itself. Within three days, computers in China that were 20 companies away from the original target were losing their data. And this level of lethality we've never seen and it is a direct result of these state actors moving into the cyber warfare domain, creating weapons that basically spread through the internet at very high velocity. And the reason this is so concerning for the United States is we are a truly connected society. All American companies have supply chain partners. All American companies have people working in Asia. So we can't undo this. And what we've got to do very quickly is develop countermeasures against this. Otherwise the impacts will just get worse and worse. It's the old days, if I get this right, hey, I attack you, I get to seek a back door to the US and spy on spy kind of thing, right? So now you're saying is there's a forced multiplier out there with the crowd. So they're essentially democratizing the tools, not we used to call it kiddie scripts. Now they're not kiddie scripts anymore. They're real weapons of cyber weaponry that's open to people who want to attack or motivated to attack the US. Is that going to, am I getting that right? That's right. I mean, if you look at what happened in WannaCry, you had people looking for $200 payout, but they were using tools that could have easily wiped out a country. Now the reason this works for America's enemies, as it were, or adversaries is in the short run, they get to test out weapons. In the long run, they're really learning about how these attacks propagated and make no mistake. If there's a political event and it's in their interest to be able to shut down US computers, it's just something I think we need to worry about and be very conscious of, specifically these new type of attack vectors. Now to put my fear-mongering hat on, because as a computer scientist myself, back on the day, I can only imagine how interesting this is to attack the United States. What is the government doing? What's the conversations that you're hearing? What are some of the things going on in the industry around, okay, we're seeing something so sophisticated, so orchestrated at many levels. State actors democratizing the tools for the bad guys, if you will, but we've seen fraud and cyber theft be highly mafia-driven or sophisticated. Groups of organized under the black market companies. Forms, I mean, really well-funded, well-staffed. I mean, so the HBO hack just a couple weeks ago, I mean, shaking them down with ransomware. Again, there's many, many different things. This has got to scare the cyber security forces of the United States, what are they doing? So I think, one thing I think Americans should feel happy about is, within the defense and intelligence community, this has become one of the top priorities. So they are implementing a huge set of resources and programs to mitigate this. Unfortunately, you know, they will, they need to take care of themselves first. I think it's still up to enterprises to secure their own systems against these new types of attacks. I mean, I think we can certainly get direction from the US government. And they've already begun outreach programs. For example, the FBI actually has a cyber security branch and they actually assign officers to American companies who are targets. And typically that's actually, I think started last year, but they'll actually come meet you ahead of the attack and introduce themselves. So that's actually pretty good. And that's a fantastic program. I know some of the people there. But you still have to become aware. You still have to look at the big risks in your company and figure out how to protect them. That is something that no law enforcement person can help you at, because that has to be proactive. Everyone who watches my Silicon Valley podcast knows that I've been very much talk a lot about Trump. And no one knows if I voted for him or not. Actually didn't vote for him, but that's a different point. We've been critical of Trump, but also at the same time, you know, the whole wall thing is kind of funny in itself, me building walls ridiculous. But let's take that to the firewall problem. Let's talk about tech. The old days, you have a firewall, right? The United States really has no firewall because the perimeters or the borders, if you will, are not clear. So in the industry, they call it perimeter list. There's no more mode, there's no more front doors. There's a lot of access points into networks and companies. This is changing the security paradigm, not only at the government level, but the companies who are creating value, but also losing money on these attacks. So what is the security paradigm today? Is it people putting their head in the sand? Are there new approaches? Is it a do over? Is there a reset? Security is the number one thing. What are companies and governments doing? So I think, well, first of all, there's a lot of thinking going on, but I think there's two things that need to happen. I think one, we certainly need new policies and laws. I think just on the legal side, whether if you look at the most recent Equifax breach, we need to update laws on people holding assets that they need to become liable. We also need more policies that people need to lock down national critical infrastructure like power systems. And then the third thing is the technical aspect. I'd bring it. We actually, in the United States, actually do have technologies that are countermeasures to all of these attacks, and we need to bring those online. And I think as daunting as it looks like protecting the country, actually it's a solvable problem. For example, there's been a lot of press that, foreign governments are scanning U.S. power infrastructure. And from my perspective as a humble networking person, I've always wondered why do we allow basically connectivity from outside the United States to power plants which are inside the United States? I mean, you could easily filter those at the peering points. And I know some people might say that's controversial. Are we going to spy on it? And porch too, like porch of New Orleans. I always thought of the CTO there. I'd be saying maritime's accessing the core network. Yeah, so from my perspective as a technical, I'm not a politician. That's good, thank God. We need more of you out there. Yeah, and I've worked on this problem a little bit. I would certainly block inbound flows from outside the United States to critical infrastructure. There is no value or reason, logical reason, you would give of why someone from an external country should be allowed to scan a US asset. And that is technically quite simple for us to do. It is something that I and others have talked about, publicly and privately. I think that's a very simple step we could do. Another very simple step we could do across the board is basically authenticated access. That is, if you are accessing a US government website, you need to sign in and there will be an MFA step up. And I think this makes- What's the MFA step up? Well, like some kind of secondary. So say you're accessing the IRS portal and you want to just check on something that you're going to sign in and we're going to send a message to your phone to make sure you are you. I know a lot of people will feel, hey, this is an invasion of privacy, but I'll tell you what's an invasion of privacy. Someone's stealing 140 million IDs or your backgrounds and having everything. Which just happened for MFA multi-factor authentication. So I think again- Now let's say hack your cell phone, which the Bitcoin guys have already done. But it's easy for hackers to hack one system. It's hard for hackers to hack multiple systems. So I think at the national security level, there are a number of simple things we can do that are actually not expensive that I think we as a society have to really think about doing because having governments which are very anti-American, destabilizing us by taking all of our data out doesn't really help anyone. So that's the biggest law. And there's no risk for the destabilizing America enemies out there. What's the disincentive they're going to get put in jail? There's no real enforcement. I mean, cyber is a great leverage. So one of the things that I think most people don't understand is the international laws on cyber attacks just don't exist anymore. They have a long way to catch up. Let me give a counter example, which is drugs. There are already multilateral agreements on chasing drug traffickers as they go from country to country. And there's a number of institutions that monitor that and enforce that. That actually works quite well. We also have new groups focusing on human trafficking. You know, it's slowly happening. But in the area of cyber, we haven't even started a legal framework on what would constitute a cyber attack. And sadly, one of the reasons it's not happening is America's enemies don't want it to happen. But this is where I think as a nation, first you have to take care of yourself. And then on a multilateral perspective, the US should start pushing a cybersecurity framework worldwide so that if you start getting emails from that friendly prince who's actually a friend of mine about putting in some, we can actually go back to that country and say, hey, we don't want to send you any more money anymore. Yeah, yeah, exactly. Everyone's going to make $18 million. They get their username, password, social security number. All right, final question on the segment around the cybersecurity piece. What's the action going forward? I'll say it's early days and hardcore days right now. It's really the underbelly of the internet globally is attacking. We see that the government is, doesn't have a legal framework yet in place. They need to do that. But there's a lot of momentum around creating a Navy SEALs and the version of land, air and sea or multidisciplinary combat efforts out there. This has been conversation certainly in some of our networks that we talk about. What's the young generation? I mean, you've got a lot of gamers out there that would love to be part of a new game, if you will, called cyber defense. What's going on? I mean, is there any vision around how to train young people? Is there an armed forces concept? Is there something like this happening? What's the next step? What do we need to do as a government? So you've actually touched on a very difficult issue because if you think about security in the United States, it's really been driven by a compliance model, which is here's these set of things to memorize and this is what you do to become secure. And all of our cybersecurity training courses are based on models. If there's one thing we've learned about cyber attackers is these people are creative and do something new every time and go around the model. So I think one of the most difficult things is actually to develop training courses that almost don't have any boundaries because the attackers don't confine themselves to a set of attack vectors, yet we in our training do, we say, well, this is what you need to do. And time and time again, people just do something that's completely different. So that's one thing we have to understand. The other thing we have to understand, which is related to that, is that all of US's cybersecurity plans are public in conferences. All of our universities are open. So we actually have, there's been- The playbook is out there. We actually, so one of the things that does happen is if you go to any large security conference, you see a lot of people from the countries that are attacking us showing up everywhere, actually going to the same university, going to universities and learning the course. So I think there's two things. One, we really need to think deeper about just how attacks are being done, which are unbounded. And two, which is going to be a little bit more difficult, we have to rethink how we share information on a worldwide basis of our solutions. And so probably not the easy answer you wanted, but I think- Well, it's complex and it requires unstructured thinking that's not tied up. I mean, it's like the classic, the frog in boiling water dies and you put a frog in boiling water and it jumps out. We are in this false sense of security with these rules thinking we're secure and we're bitten, people are killing us with this security. Yeah, and like I say, it's even worse when we figure out a solution. The first thing we do is we tell everybody, including our enemies, giving them a lot of chance to figure out how to attack us. So I think we do have some hard challenges. So don't telegraph, don't be so open. Be somewhat secretive in a way. It's actually helpful. I think sadly, I think we've come to the very unfortunate position now where I think we need to, especially in the area of cyber, rethink our strategies because as an open society, we just love telling everybody what we do. And- Well, so the final question, final, final question is just for the end, again, in this segment. So cyber security is real or not real? I mean, how real is this? Can you just share some color for the folks watching who might say, hey, you know, I think it's all smoke and mirrors. I don't believe the New York Times, I don't believe this. I'm Trump saying this and is this real problem and how big is it? I think it is real. I think we have this calendar year, 2017. We have moved from the classic kind of like cyber attack, you know, like someone's being fished to really the beginning of a cyber warfare. And unlike kinetic warfare where somebody blows something up, this is a new face that's long and drawn out. And I think one of the things that makes us very vulnerable as a society is we are an open society. We are interlinked with every other global economy. And I think we have to think about this seriously because unfortunately there's a lot of people who don't want to see America succeed. They're just like that, even though we're nice people. But so it's pretty important. It requires some harmony and requires some data sharing. Junay is the long president and CTO of Vidder talking about the cybersecurity, cyber warfare dynamic that's happening. It's real, it's dangerous, and our country and other countries need to get their act together. Certainly I think a digital West Point, a digital Navy SEALs needs to happen. And I think there's a great opportunity for us to kind of do some good here and keep an open society while maintaining security. Junay, thanks for sharing your thoughts. I'm John Furrier with theCUBE here at Palo Alto. Thanks for watching.