The recent massive security breach at the Office of Personnel Management highlights both the increasingly intrusive nature of cyber threats and the growing risk they represent, not only to national security but to the industry as well. So why aren’t Silicon Valley and Washington working together more closely to tackle the problem … especially considering how some of today’s smartest cyber security entrepreneurs had prior careers in government?
Entrepreneurs at three of our portfolio companies at Kleiner Perkins Caufield & Byers can rightly be considered experts on this question. Besides being great technologists, Nathaniel Fick, Jay Kaplan and Oren Falkowitz each have a stint of government service on their resumes.
Since October is National Cyber Security Awareness Month, and the U.S. Senate just passed its Cybersecurity Information Sharing Bill, it seemed a good time to sit down and ask some questions about this crucial topic.
Ted Schlein, General Partner, Kleiner Perkins Caufield & Byers: How would you describe the state of cooperation on cyber security between the U.S. government and the technology world — either tech in general, or Silicon Valley in particular?
Nathaniel Fick, CEO, Endgame: On “critical infrastructure,” government cooperation with private enterprise is generally pretty good. But the relationship with Silicon Valley is different, in part because of the Valley’s focus on consumer applications, which are often less than critical for security. There are cultural issues, too. Where Silicon Valley is risk-acceptant, Washington is risk-averse — though perhaps that’s understandable in a world where bad strategy loses wars, not market share. And while the Valley is fast, Washington is slow — and not always because it was designed that way in the Constitution.
Jay Kaplan, founder, Synack: The Silicon Valley-D.C. connection seems on the surface to be strong, but in fact, there is a long way to go before we see anything productive resulting from it. Too many events — like visits from Washington officials to the Valley — are often “for show,” and don’t result in any actual work getting done.
Oren Falkowitz, CEO, Area 1: There are some high-profile tensions, especially related to the Snowden revelations and the recent encryption debate. But overall, the state of cooperation is positive and robust. For instance, DJ Patil has gone from LinkedIn to the country’s first chief data scientist, and is doing amazing work, making a real impact. And Secretary of Defense Ash Carter has strong ties to the Valley. Further federal funding for scientific research and activities like DARPA’s “Grand Challenges” have been key drivers in this region’s business development and our nation’s success.
Schlein: Some people say that greater cooperation between Washington and Silicon Valley sounds like a nice idea, but wouldn’t really accomplish anything. What do you think?
Fick: Actually, I think greater cooperation is a key to solving the problem. Marines like to joke that while there are very few silver bullet solutions to hard problems, there are plenty of thousand-lead-bullet solutions. Cyber security is a classic thousand-lead-bullet problem — always evolving, with living, breathing human adversaries constantly changing their methods of attack. To cope with that, you need close cooperation and coordination in your defenses, with people bringing to the fight everything they have. Both Washington and Silicon Valley have important contributions they can make; Washington, with its resources and legal authorities, and Silicon Valley, with its innovation and expertise.
Kaplan: Absolutely. The majority of highly innovative cyber security companies are based in Silicon Valley. Couple that with the fact that Valley companies have the best tech talent on the planet, and you have an immediate advantage compared to the adversary. Cyber security is very much a skills game; those who employ the best talent will ultimately win.
Falkowitz: Cooperation is key to preventing cyber attacks. An especially useful form of cooperation involves information sharing, not just on specific threats, but also involving trends in cyber criminal activities and motivations.
Schlein: What needs to change before we can have a more secure computer infrastructure in America?
Fick: For the Valley: I love ride-sharing apps and photo-sharing sites, but it would be exciting to see more investors and entrepreneurs focus on big problems that matter to the security and welfare of the world. Cyber security is one of them. For Washington: Get past the misguided notion that only big companies can solve big problems. It’s common sense with a new product to buy a little, try it out, and then either scale it up or turn it off. But government doesn’t think this way, and certainly doesn’t buy this way. That needs to change.
Kaplan: The government needs a presence in the Valley. Not just a few individuals, but an official security-related entity. This office needs to take cultural cues from innovative companies, and pay market salaries. It should interface regularly with innovative companies, and establish rapid paths to government adoption of useful technologies. And it could serve as an additional source of funding to companies with the potential to make a difference.
Falkowitz: We need to make actionable information accessible at the time it matters, which would result in the early detection and prevention of cyber campaigns. Right now, we too often find out about threats only when it is too late to do something about them.
Schlein: How would you increase cooperation between the government and the tech sector?
Fick: The government should get over the paranoia that leads to overclassification of information. It should also get serious about legal indemnification for companies that exchange security-related information sharing. And we should all remember that many other parts of the country besides the Beltway and the Valley have great cyber talent pools — places like San Antonio and the Space Coast of Florida.
Kaplan: Instead of always trying to reinvent the wheel, the government should embrace the innovation that is occurring everywhere in corporate America. And when they’re not leveraging existing technology out of the private sector, government should be leaning on top tech companies to help produce new capabilities that can appeal to a broader audience. And data sharing is imperative. The government has capabilities to detect threats and help America bolster its security posture.
Falkowitz: Cooperation is built upon trust, transparency and shared experiences. And so to overcome the schism of culture and ideology between the government and corporations, we need more people to serve, work, exchange and integrate themselves into each other’s cultures. And this increased cooperation between the government and corporate America should not be confined to cyber security.
Schlein: Is there one thing that really annoys you about how the Valley deals with security issues?
Fick: The Valley is filled with people who are awesome competitors when it comes to their businesses, but then they somehow lose that edge when they’re talking about competition at the level of nation-states. Make no mistake: The U.S. government and American companies are competing in the cyber domain against adversaries who want to beat us. Addressing the security of our critical infrastructure in a serious way requires that we turn the map around and understand the world from the perspective of our adversaries, and that we automate the hunt to identify, contain and eliminate them from enterprise networks where they are currently causing an enormous amount of damage and loss. I wish more people in the Valley seemed to get that.
Kaplan: Good security hygiene and quality engineering are not mutually exclusive, yet continue to be treated as two completely separate challenges. This isn’t an issue isolated to Silicon Valley, yet the Valley is in a unique position to pioneer a new way of thinking about security and instill that thought leadership in the broader public and private sectors. We need to start baking security into our software from the ground up, starting with the brightest engineers in the world who reside here. The problem is improving, but not fast enough.
Falkowitz: Silicon Valley is an amazing ecosystem for building a technology company. But security issues have an enormous human component to them that demands a different type of practitioner’s experience beyond pure tech. I’d encourage more young engineers to pursue opportunities to work and learn through a unique and rewarding experience in D.C. There are no stock options, but they’ll get unique expertise that will last a lifetime.
Ted Schlein joined Kleiner Perkins Caufield & Byers in 1996, and focuses on early-stage technology companies in the enterprise software and infrastructure markets, including ventures within the networking and consumer security arenas. He was the founding CEO of Fortify Software, a pioneer in the software security market and now an HP company. Before joining KPCB, he served as vice president, Enterprise Solutions, at Symantec. Schlein is the former chairman of the National Venture Capital Association (NVCA), a national alliance advocating the role of venture investing in job creation, technology innovation and economic development. He is also the former president of the Western Association of Venture Capitalists, and the founder of the Department of Defense-sponsored DeVenCI program.
This article originally appeared on Recode.net.