Power Panel: Is IIOT the New Battleground? CUBE Conversation, August 2019


(energetic music)

>>Announcer: From our studios in the heart of Silicon Valley; Palo Alto, California. This is a CUBE Conversation.

>>Hi everyone, welcome to this special CUBE Power Panel recorded here in Palo Alto, California. We’ve got remote guests from around the Internet. We have Evan Anderson, Mark Anderson, Phil Lohaus. Thanks for comin’ on. Evan is with INVNT/IP, an organization with companies and individuals that fight nation-sponsored intellectual property theft and also author of the huge report Theft Nation. Almost 100 pages of really comprehensive analysis on it. Mark Anderson with the Future in Review, CEO of Pattern Computer and Strategic News Service, Chairman of Future in Review Conference, and author of the book “The Pattern Future: Find the World’s Greatest Secrets and Predicting the Future Using Discovery Patterns,” and Phil Lohaus, American Enterprise Institute. Former intelligence analyst, researcher at the American Enterprise Institute, studying competitive strategy and emerging technologies. Guys, thanks for coming on. This topic is, is industrial IoT the new battleground? Mark, you cover the Future Review. Security is the battleground. It’s not just a silo’d space. It’s horizontally scalable across every single touch point of the Internet, individuals, national security, companies, global, what’s your perspective on this new battleground?

>>Well, thank you, I
took some time and watched your last presentation on this, which I thought was excellent. And maybe I’ll try to pick up from there. There’s a lot of discussion there about the technical aspects of IoT, or IIoT, and some of the weaknesses, you know firewalls failing, assuming that someone’s in your network. But I think that there’s a deeper aspect to this. And the problem I think, John, is that yes, they are in your network already, but the deeper problem here is, who is it? Is it an individual? Is it a state? And whoever it is, I’m going to put something out that I think is going to be worth talking more deeply about, and that is, if people who can do the most damage are already in there, and are ready to do it, the question isn’t “Can they?” It’s “Why have they not?” And so literally, I think if you ask world leaders today, are they in the electric grid? Yes. Is Russia in ours, are we in theirs? Yes. If you said, is China in our most important areas of enterprise? Absolutely. Is Iran in our banks and so forth? They are. And you actually see states of war going on, that are nuisances, but are not what you might call Cybergeddon. And I really believe that the world leaders are truly afraid. Perhaps more afraid of that than of nuclear war. So the amount of death and destruction that could happen if everybody cut loose at the same time, is so horrifying, my guess is that there’s a human restraint involved in this, but that technically, it’s already game over.

>>Phil, Cybergeddon, I love that term, because that’s a part of our theme here, is apocalypse now or later? Industrial IoT, or IIoT, or the Internet, all these touch points are creating a service area that for penetration’s purposes, any hacker can get in. Nation-states, malware, you name it. It’s all problem. But this is the new war battleground. This is now digital Cybergeddon. Forget the wall on the southern border. We’re talking about a digital wall. We have major threats going on to our society in the United States, and global. This is new, rules of engagement, or no rules of engagement on how to compete in a digital war. This is something that the government’s supposed to protect us for. I mean, if someone drops troops in California, physical people, the government’s supposed to stop that. But if it’s a digital war, it’s packets. And the companies are responsible for all this. This doesn’t make any sense to me. Break it down, what’s the problem? And how do we solve this?

>>Sure, well the problem is that we’re actually facing different kinds of threats than we were typically
used to facing in the past. So in the past when we go to war, we may have a problem with a foreign country, or a conflict is coming up. We tend to, and by we I mean the United States, we tend to think of these things as we’re going to send troops in, or we’re going to actually have a physical fight, or we’re going to have some other kind of decisive culmination of events, end of a conflict. What we’re dealing with now is very different. And it’s actually something that isn’t entirely new. But the adversaries that we’re facing now, so let’s say China, Russia, and Iran, just to kind of throw them into some buckets, they think about war very differently. They think about the information space more broadly, and partially because they’ve been so used to having to kind of be catching up to America in terms of technology, they found other ways to compete with America, and ways that we really haven’t been focusing on. And that really, I would argue, extends most prominently to the information space. And by the information space I’m speaking very broadly. I’m talking about, not just information in terms of social media, and emails, and things like that, but also things like what we’re talking about today, like IIoT. And these are new threat landscapes, and ones where our competitors have an integrated way of approaching the conflict, one in which the state and private sectors kind of are molded or fused or at least are compelled to work together and we have a very different space here in the United States. And I’m happy to unpack that as we talk about that today, but what we’re now facing, is not just about technical capabilities, it’s about differences in governing systems, differences in governing paradigms. And so it’s much bigger than just talking about the technical specifics.

>>Evan, I want you to
weigh in on this because one of the things that I feel strongly about, and this is pretty obvious from the commentary, and experts I talk to is, the United States has always been good at defending itself physically, you know war, in being places. Digitally, we’ve been really good at offense, but terrible on defense, has been the metaphor. I spoke with former four-star General Keith Alexander, who ran the NSA and was first commander of the cyber command, who is now the CEO of IronNet. He and I were talking on-camera and privately and he’s saying, “Look it. We suck at defense digitally. We’re great at offense, we can take someone out on the offense.” But we’re talking about IoT, about monitoring. These are technical challenges. This is network nerds, and software engineers have to solve this problem with the prism of defense. This is a new paradigm. This is what we’re kind of getting to. And Mark, you kind of addressed it. But this is the challenge. IoT is going to create more points that we have to defend that we suck now at defending, how are we going to get better. This is the paradox.

>>Yeah, I think that’s
certainly accurate. And one of our problems here is that as a society we’ve always been open. And that was how the Internet was born. And so we have a real paradigm shift now from a world in which the U.S. was leading an open world, that was using the Internet for, I mean there have been problems with security since day one, but originally the Internet was an information-sharing exercise. And we reached a point in human history now where there are enough malicious hackers that have the capabilities we didn’t want them to have, but we need to change that outlook. So, looking at things like Industrial IoT, what you’re seeing is not so much that this is the battlefield in specific, it’s that everything like it is now the battlefield. So in my work specifically we’re focused more on economic problems. Economic conflicts and strategies. And if you look at the doctrines that have come out of our adversaries in the last decade, or really 20 years, they very much did what Phil said, and they looked at our weaknesses, and one of those biggest weaknesses that we’ve always had is that an open society is also unable necessarily to completely defend itself from those who would seek to exploit that openness. And so we have to figure out as a society, and I believe we are. We’re running a fine line, we’re negotiating this tightrope right now that involves defending the values and the foundational critical aspects of our society that require openness, while also making sure that all the doors aren’t open for adversaries. And so we’ll continue to deal with that as a society. Everything is now a battlefield and a much grayer area, and IoT certainly isn’t helping. And that’s why we have to work so hard on it.

>>I want to talk about the economic piece on the next talk track of rounds. Theft, and intellectual
property that you cover deeply. But Mark and Phil, this notion of Cybergeddon meets the fact that we have to be more defensive. Again, principles of openness are out there. I mean, we have open source. There is a potential path here. Open source software has been, I think, depending on who you talk to, fourth generation, or fifth, depending on how old you are, but it’s now mainstream enough now. Are we ever going to get to a formula where we can actually be strong in defense as well as just offense with respect to protecting digitally?

>>Phil, do you want that?

>>Well, yeah, I would just say that I’m glad to hear that General Alexander is confident about our offensive capabilities. But one of the… To NSA that is conducting these offensive capabilities. When we talk about Russia, Iran, China, or even a smaller group, like let’s say an extremist group or something like that, there’s an integration between commanding control, that we simply don’t have here in the States. For example, the Panasonic and Sony examples always come to mind, as ones where there are attacks that can happen against American companies that then have larger implications that go beyond just those companies. So and this may not be a case where the NSA is even tracking the threat. There’s been some legislation that’s come out, rather controversial legislation about so-called hacking back initiatives and things like that. But I think everybody knows that this is already kind of happening. The real question is going to be, how does the public sector, and how does the private sector work together to create this environment where they’re working in synergy, rather than across purposes?

>>Yeah, and this brings
up, I’ve heard this before. I’ve heard people talk about the fact that open source nation states can actually empower by releasing tools in open source via the Dark Web or other vehicles, to not actually have, quote, their fingerprints, on any attacks. This seems to be a tactic.

>>Or go through criminals, right? Use proxies, things like that. It’s getting even more complicated and Alexander’s talked about that as well, right? He’s talked about the convergence of crime and nation-state actions. So whereas with nation-states it’s already hard-attributed enough, if that’s being outsourced to either whether it’s patriotic hackers or criminal groups, it’s even more difficult. I think you know, Keith is a good friend of all of ours, obviously, good guy. His point is a good one. I’d like to take it a little more extreme state and say, defense is worth doing and probably hopeless. (everyone laughs) So, as they always say, all it takes is one failure. So, we always talk about defense, but really, he’s right. Offense is easy. You want to go after somebody? We can get them. But if you want to play defense against a trillion potential points of failure, there’s no chance. One way to say this is, if we ignore individuals for a moment and just look at nation-states, it’s pretty clear that any nation-state of size, that wants to get into a certain network, will get in. And then the question will be, Well, once they’re in, can they actually do damage? And the answer is probably yeah, they probably can. Well, why don’t they? Why don’t they do more damage? We’re kind of back to the original premise here, that there’s some restraint going on. And I suspect that Keith’s absolutely right because in general, they don’t want to get attacked. They don’t want to have to come back at them what they’re about to do to your banks or your rig, and we could do that. We all could do that. So my guess is, there’s a little bit of failure on our part to have deep discussions about how great our defenses either are, or are not, when frankly the idea of defense is a good idea, worthwhile idea, but not really achievable.

>>Yeah, that’s a great point. That comes up a lot where it’s like, people don’t want retaliation, so it’s a big, critical
event that happens, that’s noticeable as a counterstrike or equivalent. But there’s been discussion of the, I call it “the slow bleed” where they push the line of where that is, like slowly infiltrate, and just cause disruption and inconvenience, as a tactic. This has become something we’re seeing a lot of. Whether it’s misinformation campaigns on fake news, to just disrupting operations slowly over time, and just kind of, 1,000 paper cuts, if you will. Your guys’ thoughts on that? Is that something you guys see out there that’s happening?

>>Well, you saw Iran go after our banks. And we were pushing Iran pretty hard on the sanctions. Everybody knows they did that. It wasn’t very much fun for anybody. But what they didn’t do is take down the entire banking system. Not sure they could, but they didn’t.

>>Yeah, I would just add there that you see this on multiple fronts. You see this is by design. I’m sure that Mark is talking about this in his report but… they talk about this incremental approach that over time, this is part of the problem, right? Is that we have a very kind of black or white conception of warfare in this country. And a lot of times, even companies are going to think, well you know, we’re at peace, so why would I do something that may actually be construed as something that’s warlike or offensive or things like that? But in reality, even though we aren’t technically at war, all of these other actors view this as a real conflict. And so we have to get creative about how we think about this within the paradigm that we have and the legal strictures that we have here in this country.

>>Well there’s no doubt
at least in my non-expert military opinion, but as someone who is a techie, been on the Internet from day one, all my life, and all those tools, you guys as well, I personally think we’re at war. 100%, there’s no debate on that. And I think that we have to get better policy around this and understand it better. Because it’s happening. And one of the obvious areas that we see in the news every day, is one way and intellectual property theft. This is an economic impact. I mean just look at what’s happening in Brexit in the U.K. If that was essentially manipulated, that’s the ultimate smart bomb, is to just destroy their financial system, which ended up happening through that misinformation. So there are economic realizations here, having that not only come from the misinformation campaigns and other attacks, but there’s real value with intellectual property. This is the report you put out. Your thoughts?

>>There’s very much an
active conflict going on in the economic sphere, and that’s certainly an excellent point. I think one of the most important things that most of the world doesn’t quite understand yet, but our adversaries certainly understand, is that wars are fought for usually, just a few reasons. And there’s a lot of different justification that goes on. But often it’s for economic benefit. And if you look at human history, and you look at modern history, a lot of wars are fought for some form of economic benefit, often in the form of territory, et cetera, but in the modern age, information can directly and very quite obviously translate into economic benefit. And so when you’re bleeding information, you’re really bleeding money. And when I say information, again, it’s a broad word, but intellectual property, which our definition, here at INVNT/IP is quite broad too, is incredibly valuable. And so if you have an adversary that’s consistently removing intellectual property from what I would call our information ecosystem, and our business ecosystem, we’re losing a lot of economic value there, and that’s what wars are fought over. And so to pretend that this conflict is inactive, and to pretend that the underlying economy and economic strength that is bolstered or created by intellectual property isn’t critical would be silly. And so I think we need to look at those kinds of dynamics and the kind of Gerasimov Doctrine, and the essential doctrine of unrestricted warfare that came out of the People’s Republic of China are focused on avoiding kinetic conflict while succeeding at the kinds of conflict that are more preferable, particularly in an asymmetric environment. So that’s what we’re dealing with.

>>Mark and Phil, people waking up to this reality are certainly. People in the know are that I talk to, but generally speaking across the board, is this a woke moment for tech? This Armageddon now or later?

>>Woke moment for politicians not for tech, I think. I’m sure Phil would agree with this, but the old guard, go back to when Keith was running the NSA. But at that time, there was a very clear distinction between military and economic security. And so when you said security, that meant military. And now all the rules have changed. All the ways CFIUS works in the United States have changed. The legislation is changing, and now if you want to talk about security, most major nations equate economic security with national security. And that wasn’t true 10 years ago.

>>That’s a great point. That’s really profound, I totally agree. Phil.

>>I think you’re seeing a change in realization in Washington about this. I mean, if you look at the cybersecurity strategy of 2018, it specifically says that we’re going to be moving from a posture of active defense to one of defending forward. And we can get into the discussion about what those words mean, but the way I usually boil down is it means, going from defending, but maybe a little bit forward, to actually going out and making sure that our interests are protected. And the reason why that’s important, and we’re talking about offense versus defense here, obviously the reason why, from what Mark was saying, if they’re already in the networks, and they haven’t actually done anything, it’s because they’re afraid of what that offensive response could be. So it’s important that we selectively demonstrate what costs we could impose on different actors for different kinds of actions, especially knowing that they’re already operating inside of our network.

>>That’s a great point. I mean, I think that’s again another profound statement because it’s almost like the pin in the grenade. Once they pull it, the damage is done. Again, back to our theme, Armageddon, now or later? What’s the answer to this, guys? Is it the push to policy conversation and the potential consequences higher? Get that narrative going. Is it more technical protection in the networks? What’s some of the things that people are talking about and thinking about around this?

>>And it’s really all of the above. So the tough part about burning
society and for our society is that it’s expensive to live in a world with this much insecurity. And so when these kind of low-level conflicts are going on, it costs money and it costs resources. And companies had to deal with that. They spent a long time trying to dodge security costs, and now particularly with the advent of new law like the GDPR in Europe, it’s becoming untenable not to spend that defensive money, even as a company, right? But we also are looking at a deepening to change policy. And I think there’s been a lot of progress made. Mark mentioned the CFIUS reforms. There are a lot of different essentially games of Whack-A-Mole being played all around the world right now figuring out how to chase these security problems that we let go too long, but there’s many, many, many fronts that we need to–

>>Whack-A-Mole’s a great example. The visualization of that is just horrendous. You know, not the ideal scenario. But I got to get your point on this, because one of the things that comes up all the time in our conversations in theCUBE is, the government’s job is to protect our securities. So again, if someone came in, and invaded my town in Palo Alto, it’s not my responsibility to fight for the town. Maybe defend my own house. But if I’m a company being attacked by Russia, or China or Iran, isn’t it the government’s responsibility to protect me as a citizen and the company doing business there? So again, this is kind of the confusion that people have. If somebody’s going to defend their hack, I certainly got to put security practices in place. This is new ground for the government, digitally speaking.

>>When we started this INVNT/IP project, it was about seven years ago. And I was told by a very smart guy in D.C. that our greatest
challenge was going to be American corporations, global corporations. And he was absolutely right. Literally in this fight to protect intellectual property, and to protect the welfare even of corporations, our greatest enemies so far have been American corporations. And they lobby hard for China, while China is busy stealing from them, and stealing from their company, and stealing from their country. All that stuff’s going on, on a daily basis and they’re in D.C. lobbying in favor of China. Don’t do anything to make them mad.

>>They’re getting their pockets picked at the same time. And they’re trying to do business in China. They’re getting their pockets picked. That’s what you’re saying.

>>They’re going for the quarterly earnings report and that’s all.

>>So the problem is–

>>Yeah so–

>>The companies themselves are kind of self-inflicted wounds here for them.

>>Yes.

>>Yeah, just to add
to that, on this note, there have been some… Business to settle interest. And this is something you’re seeing a little bit more of. There’s been legislation through CFIUS and things like that. There have been reforms that discourage the flow of Chinese money in the Silicon Valley. And there’s actually a measurable difference in that. Because people just don’t want to deal with the paperwork. They don’t want to deal with the reputational risk, et cetera, et cetera. And this is really going to be the key challenge, is having policy makers not only that are interested in addressing this issue, because not all of them are even convinced it’s a problem, if you can believe it or not, but having them interested and then having them understand the issue in a way that the legislation can actually be helpful and not get in the way of things that we value, such as innovation and entrepreneurialism and things like that. So it’s going to take sophisticated policy-making and providing incentives so that companies actually want to participate and helping to make America safer.

>>You’re so right about the politicians. Capitol Hill’s really not educated. I mean I tell my kids, and
they ask the same questions, just look at Mark Zuckerberg and Sundar Pichai present to the government. They don’t even know what an Android phone versus an iPhone is, never mind what the Internet, and how this global economy works. This has become a makeup problem of the personnel in Capitol Hill. You guys see any movement? I’m seeing some change with a new guard, a new generation of younger people coming in. Certainly from the military, that’s an easy when you see people get this. But a new generation of young millennials who are saying, “Hey, why are we doing this the old way?” and actually becoming more informed. Not being the lawyer at law-making. It’s actually more technically savvy. Is there any movement, any bright hope there?

>>I think there’s a little hope in the sense that at a time when Congress has trouble keeping the lights on, they seem to have bipartisan agreement on this set of issues that we’re talking about. So, that’s hopeful. You know, we’ve seen a number of strongly bipartisan issues supported in Congress, with the Senate, with the House, all agreeing that this is an issue for us all, that they need to protect the country. They need to protect IP. They need to extend the definition of security. There’s no argument there. And that’s a very strange thing in today’s D.C. to have no argument between the parties. There’s no error between the GOP and the Democrats as far as I can tell. They seem to all agree on this, and so it is hopeful.

>>Freedom has its costs and
I think this is a new era of modern freedom and warfare and protection and all these dynamics are changing, just like Cloud 2.0 is changing application developers. Guys, this is a really important topic. Thank you so much for coming on, appreciate it. Love to do a follow-up on this again with you guys. Thanks for sharing your insight. Some great, profound statements there, appreciate it. Thank you very much.

>>Thank you.

>>Thanks for having us.

>>It’s been a CUBE Power Panel here from Palo Alto, California with Evan Anderson, Mark Anderson, and Phil Lohaus. Thank you guys for coming on. Power Panel: The Next Battleground in Industrial IoT. Security is a big part of it. Thanks for watching, this has been theCUBE.

(energetic music)

Danny Hutson
