>> Announcer: From Las Vegas, it's theCUBE. Covering Qualys Security Conference 2019, brought to you by Qualys. >> Hey welcome back everybody, Jeff Frick here with theCUBE, we're in Las Vegas at the Bellagio, at the Qualys Security Conference, pretty amazing, it's been going on for 19 years, we heard in the keynote. It's our first time here, and we're excited to have our first guest, he was a keynote earlier this morning, the author of nine books, Richard Clarke, National Security and Cyber Risk expert, and author most recently of "The Fifth Domain." Dick, great to see you. >> Great to be with you. >> Absolutely. So you've been in this space for a very long time. >> I started doing cybersecurity in about 1996 or 1997. >> So early days. And preparing for this, I've watched some of your other stuff, and one of the things you said early on was before there was really nothing to buy. How ironic to think about that, that first there was a firewall, and basic kind of threat protection. Compare and contrast that to walking into RSA, which will be in a couple of months in Moscone, 50,000 people, more vendors than I can count on one hand, now there's too much stuff to buy. Do you look at this evolution? What's your take? And from a perspective of the CIO and the people responsible for protecting us, how should they work through this morass? >> Well, the CIO and the CFO, got used to thinking cyber security costs a little bit, 'cause you can only buy, this is 1997, you can only buy antivirus, firewall, and maybe, in 1997, you could buy an intrusion detection system. Didn't do anything, it just went "beep," but you could buy that too. So you had three things in 1997. And so that resulted in the IT budget having to take a tiny little bit of it, and put it aside for security, maybe 2%, 3% of the budget. Well, now, if you're only spending 2 or 3% of your IT budget on security, somebody owns your company, and it's not you (laughs). >> And that's 2 or 3% of the IT budget, that's not the whole budget. >> No, that's the IT budget. What we found in researching the book, is that secure companies, and there are some, there's companies that don't get hacked, or they get hacked, but the hack gets in, immediately contained, identified, quarantined. The damage is done, but it's easily repaired. Companies that are like that, the resilient companies, are spending 8%, 10%, we found companies at 12 and 17%, of their IT budget on security, and to your point, how many devices do you have to buy? You look at the floor at any of these RSA Conventions, Black Hat, or something, now there are 2000 companies at RSA, and they're all selling something, but their marketing message is all the same. So pity the poor CSO as she goes around trying to figure out, "Well, do I want to talk to that company? "What does it do?" We found that the big banks, and the big corporations, that are secure, have not three, anymore, but 75, 80, different, discreet cybersecurity products on their network, most of it software, some of it hardware. But if you've got 80 products, that's probably 60 vendors, and so you got to, for yourself, there's the big challenge, for a CSO, she's got to figure out, "What are the best products? "How do they integrate? "What are my priorities?" And, that's a tough task, I understand why a lot of the people want to outsource it, because it's daunting, especially for the small and medium-size business, you got to outsource it. >> Right, right. So the good news is, there's a silver lining. So traditionally, and you've talked about this, we talk about it all the time too, there's people that have been hacked and know it, and people that have been hacked and just don't know it yet, and the statistics are all over the map, anywhere you grab it, it used to be hundreds of days before intrusions were detected. Kind of the silver lining in your message is, with proper investments, with proper diligence and governance, you can be in that group, some they're trying to get in all the time, but you can actually stop it, you can actually contain it, you can actually minimize the damage. >> What we're saying is, used to be two kinds of companies, those that are hacked and knew it, and those that are hacked that don't, that didn't know it. Now there's a third kind of company. The company that's stopping the hack successfully, and the average, I think, is a 175 days to figure it out, now it's 175 minutes, or less. The attack gets in, there's all the five or six stages, of what's called "the attack killchain," and gets out very, very quickly. Human beings watching glass, looking at alerts, are not going to detect that and respond in time, it's got to be automated. Everybody says they got AI, but some people really do (laughs), and machine learning is absolutely necessary, to detect things out of the sea of data, 75 different kinds of devices giving you data, all of them alarming, and trying to figure out what's going on, and figure out in time, to stop that attack, quarantine it, you got to move very, very quickly, so you've got to trust machine learning and AI, you got to let them do some of the work. >> It's so funny 'cause people still are peeved when they get a false positive from their credit card company, and it's like (laughs), do you realize how many of those things are going through the system before one elevates to the level that you are actually getting an alert? >> So the problem has always been reducing the number of false positives, and identifying which are the real risks, and prioritizing, and humans can't do that anymore. >> Right, right, there's just too much data. So let's shift gears a little bit about in terms of how this has changed, and again, we hear about it over and over, right, the hacker used to be some malicious kid living in his mom's basement, being mischievous, maybe, actually doing some damage, or stealing a little money. Now it's government-funded, it's state attacks, for much more significant threats, and much more significant opportunities, targets of opportunity. You've made some interesting comments in some of your prior stuff, what's the role of the government? What's the role of the government helping businesses? What's the role of business? And then it also begs the question, all these multinational business, they don't even necessarily just exist in one place, but now, I've got to defend myself against a nation state, with, arguably, unlimited resources, that they can assign to this task. How should corporate CIOs be thinking about that, and what is the role, do you think, of the government? >> Let's say you're right. 20 years ago we actually used to see the number of cyber attacks go up on a Friday night and a Saturday night, because it was boys in their mother's basement who couldn't get a date, you know, and they were down there having fun with the computer. Now, it's not individuals who are doing the attacks. It is, as you say, nation states. It's the Russian Army, Russian Intelligence, Russian Military Intelligence, the GRU. The North Korean Army is funding its development of nuclear weapons by hacking companies and stealing money, all over the world, including central banks, in some cases. So, yeah, the threat has changed, and obviously, a nation state is going to be far more capable of attacking, military is going to be far more capable of attacking, so, CISOs say to me, "I'm being attacked by a foreign military, "isn't that the role of the Pentagon "to defend Americans, American companies?" And General Keith Alexander, who used to run Cyber Command, talks about, if a Russian bomber goes overhead, and drops a bomb on your plant, you expect the United States Air Force to intercept that Russian bomber, that's why you pay your taxes, assuming you pay taxes. What's the difference? General Alexander says, whether that's a Russian bomber attacking your plant, or a Russian cyber attack, attacking your plant, and he says, therefore, people should assume the Pentagon will protect them from foreign militaries. That sounds nice. There's a real ring of truth to that, right? But it doesn't work. I mean, how could the Pentagon defend your regional bank? How could the Pentagon defend the telephone company, or a retail store? It can't. It can barely defend itself, and they're not doing a great job of that either, defending the federal government. So, do you really want the Pentagon putting sensors on your network? Looking at your data? No, you don't. Moreover, they can't. They don't have enough people, they don't have enough skills. At the end of the day, whatever the analogy is about how the Defense Department should defend us from foreign military attack, they can't. And they shouldn't, by the way, in my view. The conclusion that that gets you to, is you got to defend yourself, and you can, right now, if you use the technology that exists. The government has a role, sure. It can provide you warnings, it can provide the community with intelligence, it can fund development and stuff, can train people, but it cannot defend your network, you have to defend your network. >> And you have municipalities, I think it's Atlanta, is the one that keeps getting hit, there's-- >> Well Louisiana, just the other night, the whole state of Louisiana government unplugged from the internet, because it was being hit by a ransomware attack. The whole city of Baltimore's been down, the whole city of Atlanta, as you said. There's a real problem here, because people, many of them are paying the ransom, and they pay the ransom, and they get their network back right away. People ask me, "Can I trust these criminals?" Well you can trust them to give you your network back, because they have a reputation to maintain. Think about that. This whole thing about ransomware depends on their reputation, the bad guys' reputation. If they get a reputation for not giving you your network back when you pay, no one's ever going to pay, so they do give it back, and sometimes that's a lot quicker, and a lot cheaper, than saying no and rebuilding your network. But if we give them the money, what are they doing with it? Yeah, they're buying Ferraris to drive round the streets of Moscow, but some of that money is going back into R&D, so they can develop more effective attacks. >> So it's an interesting take, right, so most people, I think, would say that the cybersecurity war is completely always going to be kind of cat and mouse, whack-a-mole, that the bad guys are always a little step ahead, and you're always trying to catch up, just the way the innovation cycle works. You specifically say no, that's not necessarily always true, that there are specific things you can do to, not necessarily have an impenetrable wall, but to really minimize the impact and neutralize these threats, like a super white blood cell, if you will. So what are those things that companies should be doing, to better increase their probability, their chance, of, I don't know, blocking-- >> Depends on the size of the company. >> Absorbing. >> Depends on the size of the company. But I think whether you're a small-to-medium business, or you're an enterprise, you begin in the same place. And I do this with all of my consulting contracts, I sit down with the leadership of the company individually, and I ask every one of them, "What are you worried about? "What could happen? "What could a bad guy do to you "that matters to your company?" 'Cause what matters to one company may not matter to another company. And you can't spend your entire budget defending the network, so let's figure out exactly what risk we're worried about, and what risk we're just kind of willing to tolerate. And then, we can design security around that, and sometimes that security will be outsourced, to a managed security provider. A lot of it means getting into the cloud, because if you're in Amazon or Microsoft's cloud, you've got some security automatically built in, they've got thousands of people doing the security of the cloud, and if your server's in your basement, good luck. (laughs) >> So, as you look forward, now you said you finished the book earlier in the year, it gets published, and it's out, and that's great, but as you said, it's a fast-moving train, and the spaces develops. 10 years from now, we don't want to look at 10 years from now, it's way too long. But as you look forward the next couple, two, three years, what are you keeping an eye on, that's going to be, again, another sea change of both challenge and opportunity in this space? >> The three technologies we talk about in the book, for the three-year time horizon, 'cause I can't get beyond three years, more machine learning on the defense, but also more machine learning on the offense, and where does that balance work out? To whose advantage? Secondly, quantum computing, which, we don't know how rapidly quantum computing will come onto the market, but we do know it's a risk for some people, in that it might break encryption, if the bad guys get their hands on the quantum computer, so that's a worry. But one I think most immediately, is 5G. What 5G allows people to do, is connect millions of things, at high speed, to the internet. And a lot of those things that will be connected are not defended right now, and are outside firewalls, and don't have end-point protection, and aren't really built into networks on a secure network. So I worry about 5G empowering the Internet of Things, and doing what we call expanding the attack surface, I worry about that. >> Right, Richard, well thank you for taking a few minutes, and congrats on the book, and I'm sure within a couple of years the gears will start turning and you'll put pen to paper and kick another one out for us. >> Number 10. >> All right. He's Richard, I'm Jeff, you're watching theCUBE, we're at the Qualys Security Conference at the Bellagio in Las Vegas, thanks for watching, we'll see you next time. (upbeat music)

>> Announcer: From New York, it's The Cube! Covering Blockchain Week. Now here's John Furrier. >> Hello, and I'm John Furrier with The Cube. We're back here on the ground for coverage of Consensus 2018, part of Blockchain Week New York, and we've got some amazing action going on here. We got Omar Bham, who's with Crypt0, C-R-Y-P-zero. Also got a great podcast. Great to see you. Crypt0 News, you're doing a lot of great social. Love the hat, love the swag. >> Thank you so much. >> Lookin' good. >> Thank you so much. Yeah, this is a swag actually, a follower of mine actually sent me, so I get these random boxes of just shirts, but I love 'em because my entire closet is crypto shirts, and now Goodwill, because I donate all these crypto shirts. (laughs) >> That's awesome. >> Yeah, thanks. >> Well, great to have you on. >> A pleasure. >> You're a celebrity, media celebrity, but you're really an example of a rising new kind of stakeholder in the ecosystem and the community. You're producing content. You're producing with the community. It's a co-development model. You're building a network. >> Yeah, it's... >> Not audience, they're already there, but you've got a network. >> Yeah, it's that thing where you want to find that niche. >> You know? >> John: Yeah. >> And it's just we've been blessed, some of us, to find this space pretty early on and develop that presence before others perhaps could. It's just a blessing. >> So what's your take on all this place? I got to ask you, what's your thoughts? Massive crowd. What's the analysis? >> You know, I was here last year, and we were expecting, I think it was 2750 last year, this year 4000. Turns out to be 8000 people, and a big trending Twitter post today was do you think that you're getting work done? This is my Amin Gunsir. He's one of the big blockchain, he looks at the code very deeply in different blockchains. And so he said, do you feel like you're getting work done with that many people, or do you feel like you're not? And more people were actually getting work done. I think it was, like, 62% to 38%, the vote. (John chuckles) So even with the amount of people here, people are close, tight, and still getting work, you know, (mumbles). >> Well, one other thing, and this brings up a good point. I mean, when you're face to face at a physical event, you have engagement on a whole nother level. It's not digital. Not digital face to face. >> Yeah. >> And I was down in the cafeteria for the little cafe. It's supposed to be public, open, for when you buy your lunch. >> Yeah. >> It was like a conference room. I couldn't sit down. People having meetings. There is so much business being done, relationships being built. So this community really is kind of getting work done. >> Yeah. >> And a lot of it's relationship-based. >> Sure. Yes, absolutely. And, you know, it's a lot of it to do with old relationships blossoming into new relationships. It's that I trust somebody who I already trust. So a lot of these guys have been coming to conferences together for years. >> John: Right. >> And you get introduced to somebody, and then it just works that way. And that kind of a beautiful... >> John: Yeah. >> It's like a mesh network. It's not just coming here and trying to, you know, like, necessarily shill. It's like, oh, here's my friend who I trust. >> John: Yeah. >> We went to school together. And naturally automatically, maybe it's a human thing, we just connect to that person a little bit easier. >> Talk about the work you do. And you got a YouTube channel, you got a podcast, you do some Facebook. >> Yeah. >> What's the format of the show? What's your style? What are you looking for? What kind of content are you producing? Obviously it's very engaging, it's very popular. >> Yeah. >> What's your style? >> Well, originally my style was a belief that the economy was going to collapse, so I was a big investor in stocks, I was trading, and I was trying to save my 401(k). Believe it or not, this was a while back. And I was thinking, how do I grow my capital and preserve it? I was worried that we were going to have another collapse, like 2008 was the beginning of it. So I thought about the future, the singularity, and this one point where we look at Moore's law where computing prices get cut in half for chips every year and a half, was the original road map. Prices cut in half. And basically how do we connect that old world collapsing, perhaps, (John chuckles) into this new infrastructure? And cryptocurrency came at that point, where I had already had some bitcoin, and then Ethereum was coming out, and I realized Ethereum could very well provide that base protocol for the next internet of things, so... >> And the developer community uptake has been phenomenal for Ethereum. >> Yeah, it's incredible, yeah. >> So let's do a little show right now. Omar, what's going on? How's it going? (Omar laughs) What's the content like? What's the coolest thing you're seeing here? Share some stories from the show. What have you seen? >> Let me see. I did interviews with some huge people. So it's so cool just to run into, like, the creator of Lightcoin's right there giving out stickers for his cryptomagical friends. Creator of Monero talking about how he lost all his crypto in a boating accident to me yesterday. (John laughs) Talking to some big trader dudes. Hearing about some stuff I can't even talk about, like, because I promised, and we did a verbal NDA, and I honor those. But, I don't know, it's, everywhere you look, there's something to learn, and you'll be amazed. >> It's got everything into it. I mean, I love this wave, right, because one, technically it's some magical shit happening. >> Sure. >> And it's happening big time. Starting out is growing fast. Business side, radical disruption to business models. Community has been open source, kind of an extension to open source communities. So, and then you've got a glam factor, money. >> Um-hum. >> (laughs) Right, so, I mean, money, I mean... Well, what is it missing? >> You know, I had a friend actually tell me that he got kidnapped, he got kidnapped, tied up, and held at gunpoint for three hours for all his crypto, so he lost all his crypto. So mostly the people who are, like, way up there don't do all that flaunting and showy stuff. You look at the big developers aren't rolling up in the Lambos and Ferraris. Generally you want to be pretty humble and modest about what your earnings are. And so I think it's, maybe it's a sign of, like, that Floyd Mayweather phenomenon, let me show it off. >> John: Yeah. >> Yeah, let's flaunt it. But mostly, like, I think it's that, you know, when you work for somebody, you wear a suit. When you work for yourself, no offense. (laughs) >> Yeah. >> I think you look great. You go the jeans on. >> I'm not wearing a tie, so... >> Exactly. And then when you work for yourself, you can show up in pajamas. >> Yeah. >> So... >> Well, I got to agree with you that I love the mojo, and I think one of the things that's notable in this industry is the pioneers, the guys who are making the money on the front end, they're developers, too. >> Um-hum. >> They're not just, you know, guys rolling the financial Wall Street kind of thing. They're making money and they're paying it forward, right? There's a huge pay it forward culture here. >> Yes, absolutely. >> And I think that is, I think, the differentiator that no one sees, is that that ethos is self-governing. >> Um-hum. >> Yeah, I think there'll be a mainstream adoption pretty quickly. >> Um-hum. >> But still right now it's tight-knit. >> Um-hum. >> It's very cool, and it's a pay it forward culture. >> This is mainstream to me, man. Two years, seeing this space just blossom. But we're getting there. I think it's the early adopter phase. >> John: Yeah. >> Maybe a little bit of early adopter, early majority in the United States. It depends where you are in the world. In LA, everyone has at least heard of bitcoin... >> John: Yeah. >> ...or has some bitcoin where I live. It wasn't the case before when I was living in Miami and (mumbles). >> Well, Omar, I'm a big fan of your work. We showed you the clip or two. >> Oh, I'm a fan of yours. >> We're going to get that to you. >> I love what you're doing. Thank you so much for sharing it to me. >> Yeah. >> I have to have you on my own show, for sure. >> Yeah, what's the URLs? Give a plug, what's the URLs, YouTube channel, coordinates, how do people get in touch with you? >> You can go to youtube.com slash C-R-Y-P-T-zero, so it's basically crypto, but without a zero. You can go to Twitter, so you can follow me on... >> Without an O. >> Yeah? >> It's crypto without an O, or with an O? >> Not the letter O, just the letter, the number zero. >> The number zero, okay. >> So C-R-Y-P-T-zero. Then you go to Crypt0's News. Same way, I'm always Crypt0 with a zero at the end instead of a letter. So Crypt0's News, Instagram, Twitter. We're on SteamIt, Crypt0 everywhere. >> Well, let's do some code development together. You're now a Cube alumni. >> Yeah. >> Welcome to The Cube. >> Thank you so much for having me. We just met... >> Yeah, yeah. >> ...but I'm really excited to have met you. Super personality, man. >> Love the new producers. We love co-developing. We do it out in the open. We're in the open right now. We're on the floor here at Consensus 2018 bringing you all the coverage. Going to do 10 more interviews tomorrow. I did eight interviews last night. We interview anything that moves that's high-quality. Omar, thanks for coming on. It's The Cube. I'm John Furrier. Thanks for watching. >> Thanks, John. >> Announcer: Live from the campus of MIT in Cambridge, Massachusetts, it's The Cube! Covering the MIT Chief Data Officer and the Information Quality Symposium. Now here's your host Stu Miniman.