Season 3, Episode 1 - "Should Fortune 100s trust the cloud?" with Richard A Clarke, CEO @ Good Harbor

Episode summary: On the season 3 premiere of Network Disrupted, we are joined by cybersecurity expert Richard A. Clarke. Richard served under three US Presidents in various senior national security positions; he was the first Special Advisor to the President for Cyberspace and was the national crisis manager on 9/11.

Today, Richard takes us on a cybersecurity journey, unpacking how we can be thinking about ransomware and what cloud adoption means for your security strategy. With Richard's brilliant expertise and insight, you're sure to walk away with ideas to improve your cybersecurity strategy.

Let me know what you thought of today's discussion! You can tweet me at @netwkdisrupted + @awertkin, leave a review on Spotify or Apple Podcasts, or email me at andrew@networkdisrupted.com.
Overview of episode
00:48 MIN
Understanding ransomware attacks and how to begin protecting yourself by looking at your insurance policy, and adopting best practices to minimize impact when ransomware attacks succeed
06:57 MIN
Cybersecurity is essential, so what can governments do to protect it as a utility of the internet?
02:18 MIN
Richard talks about asking companies about their IT budget and being able to predict if they have been hacked
02:42 MIN
How governments deal with ransomware attacks, and retaliation as a political tool
03:34 MIN
Considerations for moving your security to the cloud
04:26 MIN
Pro-tips and considerations for a multi cloud strategy
05:05 MIN
The phenomenon of warnings and First Occurrence Syndrome: seeing failure to be able to anticipate it
04:56 MIN
How can you know if your strategy is the right one?
07:50 MIN
SolarWinds case study
07:11 MIN

Andrew Wertkin: Hey, it's Andrew and welcome back to season three of Network Disrupted, where I, along with some very smart guests, help fellow technology leaders trade notes on navigating disruption in our space. This season, I've set a goal of exploring the issue of enterprise cloud adoption from as many angles as I can. And it really feels great to be back. Joining us today is none other than Richard A. Clarke, an internationally known security expert and author who served in the White House under three US presidents as America's first cyber czar and its first counterterrorism czar. Richard was the national crisis manager on 9/11 and is now a sought-after consultant on corporate security risk in cybersecurity. In this episode, you'll hear us touch on cybersecurity as we dive deep into the topics of ransomware, what cloud adoption means for your security posture, and Dick's very actionable advice on all that for both medium and massive enterprises. And as a special treat, I'll be giving away two copies of one of his books. If you follow this show's LinkedIn or Twitter accounts, all you have to do is comment your favorite part of the episode on the most recent post you see. My producer will add your name to the proverbial drawing hat. And finally, my producer is asking you, if you haven't yet, to please leave a review on Spotify, Apple Podcasts, or wherever you listen to this. The feedback's always helpful and you'll be helping more people like you discover the show.

Speaker 2: Maybe you can give me a sense of the complexity.

Speaker 3: We love the pilot proof of concept approach.

Speaker 4: It influences everything. It influences the human experience.

Speaker 5: There were several failures along the way.

Speaker 6: We want to be early adopter customer.

Speaker 7: You are handling sensitive information.

Speaker 8: Network Disrupted.

Andrew Wertkin: So, Dick, thank you again for joining us, I'm thrilled to have the opportunity to have this conversation with you. I always learn when I talk to you and looking forward to it. So, obviously right now, there's a great deal of concern around ransomware for enterprises, for governments given everything that's been publicized and is happening recently, obviously going on for much longer than that. And a lot of fear and not necessarily clarity on how one should assess the risks and how any enterprise should start trying to protect themselves from ransomware. Where does a company start?

Richard A. Clarke: Well, I think the first thing a company needs to look at is its insurance policy, because insurance is driving a lot of this. We've seen cases where criminal gangs hack into a company and look for its insurance policy. And once they know how much money they can get from ransomware, then they do the ransomware and demand that amount of money. And there have been dialogues back and forth with the criminals where the criminals have said, "Oh, come on, don't tell me you can't afford that. I'm reading your insurance policy. I know you can afford that." And the insurance companies are routinely telling their clients to pay rather than to try to rebuild the system. And the reason for that is it's better for the insurance companies. Most of the insurance policies allow you to choose whether you're going to pay up or you're going to rebuild. If you choose to rebuild, they have to pay for that. And that's 10 times as expensive, usually eight to 10 times as expensive as paying the ransom. So, the insurance companies are actually kind of a force for not good here because they're urging people to pay. Now that ransomware has become the other pandemic, the insurance companies are hurting because they are paying so much. And so, they're increasing their rates when policies need to be re-upped. In some cases they're excluding ransomware from the policies. So, I think the first thing a company needs to do is know what your policy is and know what it covers and know when it expires and have a conversation with them. I think the second thing they need to do is to realize no matter how hard you try, you might get hit with this. And therefore, how could you have the option of restoring your essential services? One way is to have a backup made routinely and stored completely offline-

Andrew Wertkin: Right.

Richard A. Clarke: ...and to have it for at least, have several backups going back at least two months. And the reason for this is the ransomware guys, the criminals now, wait until their software is backed up.

Andrew Wertkin: Ah, yeah.

Richard A. Clarke: So that when you bring down the backup and mount it, there it goes again. So you want to have an old, a reasonably old backup and we recommend two months because they're not that patient. They usually only wait by the month and it doesn't have to be one backup. You can have golden discs for key pieces of software that you use and you need to have a restoration plan. You have an incident response plan. It's detailed. I know BlueCat does.

Andrew Wertkin: Right.

Richard A. Clarke: You need to have an incident response plan specifically for ransomware that's fairly detailed. That is assuming you're willing to try to restore services. You also might want to have what we call a stealth network. Let's assume everything is encrypted. Your VoIP phones, your iPhones, printers, the whole nine yards. Well, you can't crisis manage without any communications devices. So, you want to have a kit somewhere of phones, smartphones that nobody knows about. So, they can't access them. You want to probably have a stealthy website somewhere that you can activate when you need to. Maybe a whole stealthy network, doesn't have to be the whole mirror image. Some minimal essential things so that you can get back up and running. And so that you can, using DNS, change over to another website somewhere. I'll tell you a quick horror story if we have time here and it involves the Canadian company BlackBerry when the North Koreans hit Sony Pictures with wiperware.

Andrew Wertkin: Right.

Richard A. Clarke: And not ransomware, but wiperware, they didn't encrypt. They just wiped all the software off. So, all of the electronic devices were just bricks. They didn't work. So I arrived there at the Hollywood lot and they were there in chaos. And I was sitting in the conference room with all these people, yelling at each other. They couldn't communicate with Tokyo. They couldn't communicate with New York. Finally, a guy walked in with a box of BlackBerries and he said, "I found the BlackBerries. We never turned them off. We still have BlackBerries that work." And so they could communicate. But then these 20 senior executives of Sony Pictures Entertainment were fighting over who would get the 10 BlackBerries.

Andrew Wertkin: Right.

Richard A. Clarke: That's where this idea comes from, have a backup. Have a backup communications plan.

Andrew Wertkin: Oh, for sure. Yeah. It's almost like an emergency management, crisis management system in the city or something. "If all communications should fail, how are we going to communicate?" and-

Richard A. Clarke: That's why you have the satellite phones, right?

Andrew Wertkin: Right, right.

Richard A. Clarke: So, the other thing, obviously you should do in terms of minimizing the hurt of one of these attacks is microsegmentation of the network.

Andrew Wertkin: Yeah.

Richard A. Clarke: And that's only as good as your identity access management around that. And that's going to be multifactor and probably more than two-factor to prevent the ransomware from spreading. Most of the time, the ransomware gets in by phishing, not always, most of the time. And so you really want to ramp up your anti-phishing efforts, which means largely education.

Andrew Wertkin: Yeah.

Richard A. Clarke: Getting one of these companies like KnowBe4, or there are several of them that send out test emails all the time to see if people in the company will fall for a phishing attempt, and they get penalized if they do that more than three or four times and they get rewarded if they are always good and catch them. So, microsegment the network, educate people about phishing, have a clean communication system, look at your insurance policies, back things up offline and back them up for a long period of time.

Andrew Wertkin: Yeah.

Richard A. Clarke: That's what the company can do. What the governments can do is outlaw paying. And every time I say this, and I've said it a lot, the governments are saying, "It's illegal to pay." People immediately say, "But you can't stop a hospital from paying because the hospital has to get back up." And I agree, a hospital has to get back up. And hospitals have unfortunately been hit with ransomware.

Andrew Wertkin: Yeah, absolutely.

Richard A. Clarke: But I think the answer here is a combination of things where the government has the right to waive penalties under some circumstances if people pay, and the governments can work with the private sector to have flyaway teams to go in and help. If a hospital can't afford to have a good incident response team come in and help, a hospital is a community service, the government ought to have on standby teams, both from the government itself and from private companies like [inaudible], that can rush in and help a hospital or some other critical infrastructure.

Andrew Wertkin: Right. And perhaps even help them ahead of time with assessments in general, given that they're critical infrastructure should be prepared.

Richard A. Clarke: Yeah. But in a way, ransomware is Darwinian. It identifies the people in the herd who are going to lag behind, right?

Andrew Wertkin: Right.

Richard A. Clarke: And be eaten by the tiger. It's a great way of identifying companies and institutions that haven't done a good job on cybersecurity.

Andrew Wertkin: Right.

Richard A. Clarke: We had a big city here, Baltimore, where the city government was hit by ransomware. And the mayor said, "Well, hell, we're straining as it is to pay for schools and healthcare and police, you can't expect us to pay for cybersecurity." Well, yeah, actually I can. I can't imagine that same mayor saying, "Well, you can't expect us to pay for electricity."

Andrew Wertkin: Right.

Richard A. Clarke: "You can't expect us to pay for the water." Yeah. Well, cybersecurity is like electricity and water and telephone service. It's an essential these days for any modern institution, government or private sector; you have to have cybersecurity and you have to pay a certain price for it. And in the book that Rob Knake and I did, The Fifth Domain, we asked companies, "How much do you spend as a percentage of your IT budget? How much do you spend on cybersecurity?" And if the companies said 3%, 4%, 5%, then we knew the answer to the next question, which is, "Have you been hacked?" And the answer was always yes. If the company said, "Oh, we spend 12%, 15% of the IT budget on security," then we knew the answer would be, "No, we haven't been hacked in years."

Andrew Wertkin: Right.

Richard A. Clarke: And there're a lot of CIOs out there and a lot of the CFOs who are just fighting that. It just comes down to, if you don't pay now for security, you pay later for cleaning it up. And when you have to clean it up, it's going to cost you 10 times as much.

Andrew Wertkin: Yeah. My concern always is, or one of my concerns is, it's easy to spend 10% to 12%; that doesn't necessarily mean you're spending it wisely or you're utilizing the things you've bought appropriately, and so, I think companies can run into the situation where they're buying a lot of different things to solve for different whatever known issues, or somebody knows somebody on the board and says, "You need to buy this," or whatever the case might be. But at the end of the day they aren't necessarily in a better posture than they would've been if they were spending 3%.

Richard A. Clarke: No, that's right. It's the necessary, but not sufficient condition.

Andrew Wertkin: Right.

Richard A. Clarke: Is to say you're willing to budget that amount of money, but then you're right. You got to get someone to figure out what is the risk I'm designing against. And you've got to have somebody willing to integrate all of that stuff for you. Very often, that's too hard for a company. And that's where the managed security providers come in.

Andrew Wertkin: Yeah.

Richard A. Clarke: And if you're a small or medium-sized company, I think you ought to be using a security service to take away at least some of the burden on the IT security team, maybe all of it.

Andrew Wertkin: Right. No. And you're not going to be able to necessarily hire the appropriate professionals, but certainly not at the scale you would be as an enterprise or large enterprise, if you're a smaller company, and I see that working really well, but like everything else, there are really good managed service security providers and others that... A lot of, it's this weird thing, right? So ransomware is real, it's painful. A lot of people being hit with it. It's also making a lot of cybersecurity companies a lot of revenue because they're selling a lot of solutions to protect against it. I used to always joke around, if they can just fix email [crosstalk].

Richard A. Clarke: It's gotten the attention of the boards in a lot of the companies. It's also gotten the attention of the president of the United States, and I've been following presidents' actions on cybersecurity since the 1990s. I think I got the president, in this case Bill Clinton, to hold the first crisis meeting on a cyber incident.

Andrew Wertkin: Right.

Richard A. Clarke: But this is the first time in the last few months where a president picked up the phone and called another world leader, and Biden called Putin and said, "Knock it off."

Andrew Wertkin: Yeah.

Richard A. Clarke: "I know this evil group, criminal group is in Russia. We know exactly where it is. We know exactly who they are and so do you. So, either you go stop them from doing ransomware in my country, or we will violate your sovereignty, we will violate your cyberspace and we'll deal with them."

Andrew Wertkin: Right.

Richard A. Clarke: Well, that message, I think, resonated in Russia because that group seems to, for the moment, have gone away. Now, I stress for the moment; I expect they will be back with another name and with software that's slightly different. But even though they seem to have gone away, ransomware hasn't. Other people are doing it. And it continues to be a problem. I like the idea, however, of the president getting involved and trying to organize a community of like-minded nations around something and saying to scofflaw governments like the Russians, "Here's the standard. Either you do this, or there will be a price to pay, and not just a price that we're going to impose on you, but this group of like-minded nations..." If you can get the United States, Canada, Germany, Australia, Japan, the United Kingdom behind something, and you then go to the scofflaws and say, "Do this or stop doing this or else," and you have some specific or else in mind, I think that can work. And we've never really tried it with cybersecurity, believe it or not. There's been a lot of talk about doing that, but we haven't done it yet.

Andrew Wertkin: Well, there's this ongoing debate whether we should be considering those sorts of attacks on the same line as we would a more traditional armed forces type attack; they're attacking our sovereignty in both circumstances, just through different tools.

Richard A. Clarke: Right. And I think the Pentagon actually addressed this issue fairly well back in the Obama administration, and they issued a written policy that said, "We will consider a cyber attack an attack on the United States. And we will respond as though it were not a cyber attack, taking into account the level of damage done. So if you break into the city of Baltimore, to continue to pick on Baltimore, and do something to their internet, okay, fine, we'll respond appropriately and proportionately. If you take down the Eastern power grid in Canada and the United States, we may respond a bit more."

Andrew Wertkin: Yeah. Right.

Richard A. Clarke: And that policy also was finally adopted by NATO, which said that, "Cyber attack is an attack and we will consider response not based on the means that you use, but on the damage that you did."

Andrew Wertkin: Right.

Richard A. Clarke: So, the other thing, coming back to what companies are to think about in terms of ransomware, in terms of security in general, is moving some security burden off to a managed security provider, and there are lots of good ones. Can we name names?

Andrew Wertkin: Yeah. Go for it.

Richard A. Clarke: I think in Canada, eSentire, great company. In the United States, ReliaQuest, Expel, Arctic Wolf, all great providers. So, you have some choices. In addition to moving some of the security burden off onto people like that, I think you also have to move it into the cloud because depending upon how you do your cloud configuration, which cloud you're in, which clouds, plural, I should say, because I always commend multi-cloud, you can get some of the security done by the cloud provider. I think AWS and Microsoft are sort of competing to say we provide good security. Well, I love that. I love that kind of competition.

Andrew Wertkin: Yeah. No, that's good. And outside of just cloud, Microsoft in general is pushing very hard, even on endpoint security and elsewhere, on not being the consumer low-cost solution, but being the solution for enterprises. They're investing heavily in security.

Richard A. Clarke: They are, which is a... If you're old enough, like, been in this business as long as you and I have, you know that's a complete turnaround over the last 20 years.

Andrew Wertkin: Yeah. Yeah.

Richard A. Clarke: Because they really didn't care at all about security. A quick war story there: the Microsoft product, Windows, was so bad back in the 1990s and the early 2000s that the banks, the major Wall Street banks, got together, organized a group and went out to Redmond and met with, I think it was Bill Gates. So, it was probably in the late nineties, and said, "If you don't clean up Windows, we're all moving to Linux. And if you don't believe that, you might want to look into what the US government has done. It's just issued a secure version of Linux."

Andrew Wertkin: Right.

Richard A. Clarke: And I was at the White House at the time, my phone started ringing, like, "Did you authorize them to do a secure version of Linux?" Like, "Yeah."

Andrew Wertkin: Yeah. Yeah. It has been a turnaround obviously and I remember that story. I didn't know the meeting happened at Microsoft, but I certainly remember the early adoption of secured Linux from the US government standpoint, or reading about it. But yeah. And just back to the cloud perspective, I think it's great that they're innovating, competing there, and I think that's because it's also a core buying criterion. And the cloud gives a great deal of opportunity to do things correctly because in many cases it's greenfield as well as you're moving stuff there. So, you're not thinking through this probably wrong security architecture of your corporation today, and by probably wrong, I mean you only know so much and you've a bunch of stuff on the network, discovering and great, but you've got massive complexity versus, "I'm going to go start deploying stuff into cloud and so now here's some greenfield," and that's microsegmented by default in most cases. It's forget about portion protocols. You can go to a higher level and start defining identity and identity access, why something should speak to something, and so you can do it right. You can also make a complete mess out of it and do stuff that's absolutely insecure. So, I think the strategy's different, the complexity's different, but this idea that it's greenfield I think is fantastic. And the security services that the cloud vendors are competing on create revenue for them, which is also fantastic, right?

Richard A. Clarke: Right, absolutely.

Andrew Wertkin: It's shared value. The better they do, the more I'll pay you and the more we'll both succeed.

Richard A. Clarke: But let's remind listeners that what we're not saying, we're not saying if you go to the cloud, AWS or Microsoft will take care of all of your security for you.

Andrew Wertkin: Right.

Richard A. Clarke: That's not true. They will give you a base, a baseline. So, if you push some of the security work off on them, some of the security work off on a managed security provider that works on cloud accounts, then you've got still some work to do yourself.

Andrew Wertkin: Absolutely.

Richard A. Clarke: And you have to have tools that work in the cloud, and the tools that you had on-prem are not necessarily going to work in the cloud. Does your DLP work in the cloud? Maybe, maybe not. Does your vulnerability scanner work in the cloud? And what alarm is going to go off if you have an unsecured S3 bucket somewhere? You need to have a different expertise and different set of questions and a different set of products for the cloud. But if I ever had a customer, a client say to me, "Well, [inaudible] what should I do? Should I move or not? And if so, which one?" My answer would be A, be a hybrid. If you can still have some stuff on-prem somewhere for some functions, do, and have the ability to run that up, expand that if you have to.

Andrew Wertkin: Sure.

Richard A. Clarke: And two, be multi-cloud, because I understand that AWS has never come down for a prolonged period of time or Microsoft's cloud, Azure, has never come down for a prolonged period of time, but there's a first for everything in security, right?

Andrew Wertkin: Yeah.

Richard A. Clarke: And having the ability to have at least two clouds running and be able to shift load if you have to, I think is important. It also allows you to negotiate a better deal.

Andrew Wertkin: And also, and this is again what I'm trying to express, it's like it's good for everything. So you talked about reliability, a cloud can go down. It might be because of security, might just be because of reliability in general, but ultimately when you're pushing especially new applications to cloud, one of your goals is global scale, and deploying multi-cloud, deploying across multiple regions, all of this is probably part of how you wanted to deploy or you should be thinking about deploying the application anyway. So-

Richard A. Clarke: And you may have to because of GDPR and other privacy rules, you may have to have multiple clouds.

Andrew Wertkin: Yeah. Again, that now increases complexity and cost as well. So it's one of those trade-offs; to your point on cost before, to negotiate a better rate, great. But if you're an SMB, then that multi-cloud, you need to weigh against the skill sets you need to best utilize those clouds, so. And yes, there's plenty of products out there that will make that more agnostic, but then you lose some of the capabilities of the cloud and it's an ongoing debate, but frankly from the customers I know well, from our broad customers, I can't think of a single one that has a single cloud strategy. They all, for a variety of different reasons, have multi-cloud strategies.

Richard A. Clarke: Well, I think the Fortune 100 all do, absolutely.

Andrew Wertkin: Yeah.

Richard A. Clarke: Yeah.

Andrew Wertkin: Yeah. And the whole idea of hybrid cloud along with data center are great. And again, from a security side as well, but even there, there's a lot of naive moves to cloud early on. "Okay. I own all this hardware, it's working fine, but I'm going to move it all to the cloud because I think it's going to reduce cost, but I'm not going to rearchitect it to take advantage of the cloud, and so I ended up paying way more than I was paying on-premises and surprised why my bill is so large," and so I think there's a strategy there as well.

Richard A. Clarke: There is, and I generally don't have high regard for the big consulting firms that come in and help you with migration and all of that, but if you're a medium or large enterprise and you're beginning fresh to migrate into the cloud, you probably ought to get a consulting service to come in and help you think about that because it's not straightforward.

Andrew Wertkin: Right.

Richard A. Clarke: As you said, depending on how you architect it, you can save money. Or if you just want to move your old design network into the cloud, you're going to probably spend a huge amount of money.

Andrew Wertkin: And you can say the same thing about securing the cloud, and in both cases, I would say, whatever consulting company you hire, if your goal is to hire somebody who comes in, we used to call it the Kinko's process, like go search and replace the last customer you worked with with the new customer name and just Xerox the stuff.

Richard A. Clarke: Well, they do it and sometimes they forget to change the name.

Andrew Wertkin: Yeah. Yeah. But in that approach, which is, "Okay, assume I'm naive, tell me what to do," the outcome probably will not be optimized in the sort of thoughtful, methodical, maybe upfront, how should we be thinking about this? What are the options? There's always context. We talk about this a lot with software development. Like there's no... Everybody can run to Scrum, but if you're going to go run to some formulaic process that is supposed to work in every possible case, then don't be surprised when it's not working well for you because you're not every possible case. You've got a specific context. This is what you're doing. And I think whenever a consulting engagement starts with a, "We're just going to listen to this company and do what they do," then, yeah, that's not going to bode well.

Richard A. Clarke: But it's too hard for most companies to do it, to design it with their own staff.

Andrew Wertkin: 100%. So I just mean, you need to augment that with expertise. The problem with cloud in cases is companies don't have the wisdom internally. The stuff is too new. They don't have people who have worked, failed, seen failure modes, understand why those failure modes exist and have strategies around those failure modes. And I strongly believe if you haven't seen things fail, if you don't understand how things can fail, whether it's process, practice or technology, then you don't have the wisdom you need to do that on your own.

Richard A. Clarke: Well, boy, is that correct? I think you should say that again, because that is just, I know it sounds simple, but it's a profound understanding. People who haven't seen failure can't anticipate it.

Andrew Wertkin: Right.

Richard A. Clarke: You mentioned I wrote several books. One of them was not on cybersecurity. It was on this phenomenon of warnings. And we did, I think, 14 case studies, seven of things that have happened in the past and seven of things that might happen in the future. And the question we asked was, "Why in every case was there an expert who predicted the disaster precisely and was ignored, and the disaster came, even though there was warning?" And we found all sorts of reasons, but the overwhelming reason in most cases was that that specific kind of disaster had never happened before. And so, because we were trying to make the book sound social-sciencey, we called it first occurrence syndrome-

Andrew Wertkin: Right.

Richard A. Clarke: ...that when you're the decider and somebody comes in with their hair on fire and says, "This awful thing is going to happen and I'm the expert on this. I'm not a crazy person. I'm an established expert and I'm data-driven. Here's the empirical evidence. This terrible thing is going to happen." Well, no matter how good you are at doing that, very often, the decider will say, "Okay, thank you very much. Have a nice day. I'm [crosstalk]." Or they'll give them lip service. "Oh yeah. We'll do something. We'll do this little thing and see what happens." And then of course the whole thing crumbles around their heads. And it's very interesting because Hillary Clinton, in her book about why she didn't get elected, a book called What Happened, I think, picked up on my book and she said, "I think Dick Clarke was onto it. This first occurrence syndrome." Yeah, we knew the Russians were messing around in the US election and they were doing all sorts of things on social media and with cyber attacks on the Democratic Party. But nothing like that had ever happened at scale that had a-

Andrew Wertkin: That was a material impact.

Richard A. Clarke: ...Yeah, a material impact. And therefore, I think we kind of just didn't think that could happen. So, it's very important to have gone through disasters. And if you haven't done it yourself, which no one wants, to at least have studied the phenomenon so that you can think dirty. In our consulting gigs, we frequently go into companies and say, "Can we have five people from five different departments around the company," lock them in the room with us. "And can you, the CEO, come in and say, 'We trust these consultants. You can tell them whatever you want. They will not identify the source of information if you give them information. They're not going to say Joe in accounting told me this, so talk to them.'" And then they close the CEO out and we close the door and we say, "Okay guys and girls, what could we do to really screw up this company? Come on. You've thought about it."

Andrew Wertkin: Yeah. Yeah.

Richard A. Clarke: "You've thought about it. Someday it occurred to you, wow, if I did that, that would really..." So, the dirty thinking sessions can be really productive.

Andrew Wertkin: Yeah. I'm sure. Once you've created that sort of safe, trusted space, but yeah, obviously people are thinking through that stuff. The counter, the other thing we've learned through this process over the last few years though, is how easily a significant, a large percentage of the population is happy to believe something happened that didn't happen and just not look at data at all. It's become easier to convince, not necessarily an expert, in some cases, experts, but certainly a meaningful block of voters let's say that something that didn't happen, happened than it is to convince them that something happened actually, or that might happen. And I think obviously we've learned that in a very, very painful way over the last few years and continue to learn it.

Richard A. Clarke: And there've always been conspiracy theories, and there's always been a fairly large chunk of the populace who wants to believe them. I used to joke before social media existed. I used to joke that 27% of the American people in any poll believed anything you wanted to say.

Andrew Wertkin: Right.

Richard A. Clarke: 27% of the American people believed flying saucers had taken people away, alien abductions. 27% of the American people believe that we never landed on the moon. It was always 27%, 28% of the American people believed absolute nonsense. And so, it's not surprising that when social media comes along, they're able to manipulate, Russians and other people are able to manipulate that block of people. That's a big percentage.

Andrew Wertkin: It is. But back on the cyber side, I think especially as it relates to cloud, I always... I don't actually hear the debates anymore frankly, that you would hear like when we first, when my company first started deploying stuff on cloud, there was this, "Oh my God, these sorts of companies will never, ever, ever, ever trust the cloud." Well, now they all trust cloud.

Richard A. Clarke: I remember this.

Andrew Wertkin: Yeah.

Richard A. Clarke: I remember that. Yeah.

Andrew Wertkin: They trust cloud for a variety of different reasons. And also understand that to remain competitive and to continue to build the sort of technology they need to meet their strategies, they need to use that sort of technology. And so, nobody debates if the cloud is a thing anymore.

Richard A. Clarke: But it's interesting that they did. And I remember the period you're talking about where I would get calls from CIOs and others, because they would think before they called me that I would say, "No, don't go to the cloud. It's not secure."

Andrew Wertkin: Right.

Richard A. Clarke: And so, they would call me and say, "My boss wants us to go to the cloud. That wouldn't be secure. Would it?" And I'd say, "Well, actually it could be more secure."

Andrew Wertkin: Right. Right.

Richard A. Clarke: "It depends."

Andrew Wertkin: Yeah. No, it totally depends. And just back to what we were talking about before, so now how do I assess that and how do I make sure my strategy is right and I'm using it correctly? And obviously there's people, process, practices available to help with that process, but it's critical. The US government has different standards and frameworks, along with the UK and the EU as well; there's plenty of guidelines out there to help assess your security posture in some of these areas that can be used as starting points. But I think we see a lot of companies just struggling in the boundary between what we've done on premises forever and what we're doing in the cloud, and really trying to understand how do I take my requirements and build the right architectures in the right areas in order to meet the requirements? The requirements don't change. I'm protecting against a specific threat. I'm protecting against ransomware, whatever it might be. But the solution's going to be different in cloud than it was on premises. You can't necessarily hammer the same solution into both nor should you expect you can. So, it's this sort of distinction that I talk a lot about between architectures exist to meet business requirements and then there's design and engineering in order to fulfill the architectures. And often, the requirements are the same, the architectures might be filled separately in different domains, but you can't think of it as just trying to extend what you were doing on premises to the cloud. And so what we see often is this conflict between the two areas where oftentimes even though the... I don't know. Let's say it's a firewall, next-gen firewall expert on-premise or team. Okay. So we're not going to just take virtual firewalls and throw them in the cloud, we have a different strategy there.
That doesn't mean that the knowledge and capability of those people shouldn't be part of the conversation of how we're going to secure things up in the cloud because they bring just a wealth of expertise. Back to what we're talking about before, they've seen stuff fail. They understand failure modes, they understand packet captures. They understand what data looks normal, what data doesn't look normal. They come with a ton of experience. We see failure modes of just this being done in isolation, I guess.

Richard A. Clarke: Yeah. And they know, if you've experienced failures before, they know what questions to ask because they proceed from a "what could go wrong" perspective, and all too often, this is the difference between CIOs and CISOs. CIOs ask, "What can I get done and how can it save money and how can it create efficiency and reliability?" CISOs ask, "What could go wrong?" And that's really where they put their thought. And they really try hard to imagine all the different vectors and all the different combinations of things that could result in a real risk. I think people don't take seriously enough the idea of a cyber risk register. When I go in on a consulting gig, one of the first things I ask is, "Can I see your cyber risk register?" And Andrew, I got to tell you, half the time they don't have one. And then my work is really cut out for me. But if you have a cyber risk register, it has to be constantly updated because threats are changing and technology is changing and you have to review, "You've got something here on the risk register you're going to get to in two years. Well, you've got to move that up because the world has just changed."

Andrew Wertkin: Yeah.

Richard A. Clarke: And the beauty of a cyber risk register is it also allows you to say, "Look, I understand this is a multi-year solution. And I have a two-year plan or a three-year plan," because you can't solve all the security problems, no matter how much money you spend in the year.

Andrew Wertkin: No, for sure. But those are the dimensions, right? If that cyber risk registry doesn't have the dimension of the likelihood of this risk coming to fruition like this actually happening and also doesn't have a dimension of the pain it would create, then it's sort of meaningless, right? And those things can change. The likelihood of this happening has now changed, the pain is still low. Well, then great. Keep it on the roadmap. The pain high, then you better change your priorities. Right?

Richard A. Clarke: Let me quibble with you because-

Andrew Wertkin: Okay.

Richard A. Clarke: ...you just outlined the approach of risk management which is likelihood times damage.

Andrew Wertkin: Right.

Richard A. Clarke: I don't like that approach. I know that's the established canonical approach. I don't think you can really judge likelihood.

Andrew Wertkin: Right.

Richard A. Clarke: I think if something can happen, it probably eventually will, even though it's very unlikely. My entire history of crisis management in the government and out revolved around things that were entirely unlikely, but were happening. If they were likely, then I probably didn't have to deal with them. Somebody else would. I always got stuck with the ones that would like... This is so unlike... [crosstalk].

Andrew Wertkin: Super good point. Right, right. Right. The things you need to be concerned about are the things that you think are unlikely to happen.

Richard A. Clarke: Yeah. Because if you think about just your history textbook that you were taught in high school or something, it's a list of dates where events occurred that had never occurred before and were unlikely. That's why they made historical interest. So, I take a different approach. I say, "Tell me what can happen, or tell me what you think you have blocked from happening. So, let's start with, what do you think you have blocked from happening? Okay. Now, what would have to change? Or what would a bad guy have to do to get around the thing that you put in place, the security measure you put in place? How do I get around that? Don't just tell me, 'Oh, I have a security measure,' and check that risk off. 'I've solved that risk because I've done this.'" Constantly think about how do I defeat that security measure? Because if you take that approach, then likelihoods go up. So, my combination is, "What's the cost to you if it happens, and how could somebody who really wanted to make it happen and was smart, how could somebody make it happen?"

Andrew Wertkin: Understood. And somebody can always make it happen.

Richard A. Clarke: Yeah. And CIOs and some CISOs, but mainly it's CIOs, just don't want to think that way. They want to think of, "I've solved the problem, moving on." They never want to say, "I'm an attacker. I'm going to put my mind into the attacker mode and I'm going to spend some real brain cells, some real cycles here, figuring out how to defeat what I've got in place."

Andrew Wertkin: Right.

Richard A. Clarke: That's the CISO's job.

Andrew Wertkin: Yeah. Look, and you multiply all of that by how quickly things change now, which is dramatic from a good and bad side. The pace of change of innovation right now is unbelievable. And the barriers to entry for good and bad are removed. Everybody has access to all of the compute and network they need to build whatever they want [crosstalk].

Richard A. Clarke: And the bad guys are adopting attack techniques that used to only be available to governments.

Andrew Wertkin: Yeah.

Richard A. Clarke: Now, that's in part because those techniques have been around for a while and people have noticed them. It's in part because the bad guys are frequently government people moonlighting.

Andrew Wertkin: Right.

Richard A. Clarke: Of course selling off the bad guy techniques.

Andrew Wertkin: Yeah. One of our large customers once told me the truth, which is that they live with the assumption that they're not only obviously constantly being attacked, but that there are things that they don't know already happening inside of their network.

Richard A. Clarke: Yeah. If you don't think that, you're not sufficiently paranoid.

Andrew Wertkin: Right. And so, a huge part of their goal is to just reduce the time to detection. And they assume if it's like nation state, that might be six months to a year optimally. That would be great.

Richard A. Clarke: Now, if you look at the SolarWinds case, I think we got lucky in discovering it at nine months.

Andrew Wertkin: Right. But again, you're just starting with that assumption that it's going to happen or it's already happened, I guess, in many cases.

Richard A. Clarke: Yeah, because SolarWinds is a good case study to persuade people about that. So, for nine months, hundreds of large companies and government agencies, departments were compromised, even though they were spending a lot of money.

Andrew Wertkin: Yep.

Richard A. Clarke: Had every security device imaginable. And nonetheless, they were being successfully hacked during that period and they didn't know it because they had so taken over the network that they were turning off security systems. They were erasing logs. What's fascinating, however, is there were some security products they couldn't turn off and they knew it. There were just some security products that they hadn't gotten around to hacking. And when they found themselves on a network that had one of those products, they gave up and went away.

Andrew Wertkin: Yeah. Yeah. They hid.

Richard A. Clarke: Yeah.

Andrew Wertkin: Yeah.

Richard A. Clarke: So they just said, "Look, we can't deal with this network. We've got enough other networks that we're in, we'll go deal with those."

Andrew Wertkin: Right. And there's risk to them if they were detected on those networks, because then [crosstalk].

Richard A. Clarke: Then the whole thing is.

Andrew Wertkin: Exactly.

Richard A. Clarke: Yeah. So they can't be detected on one network. Yeah. That's exactly right. They can't be detected on one network because then perhaps everyone will find out. And so they lost opportunities because some networks had security products that they couldn't defeat. And I look at that list of security products that they couldn't defeat. It's kind of random. It's not necessarily what you would've concluded. And I think it's because frankly, they only have so many people and they can only do so much research. And they went after most of the security products that they knew about and figured out ways to defeat them, but they didn't get to all of them.

Andrew Wertkin: Yeah, no. It was interesting obviously, look, in the DNS market, when I look at those sorts of attacks, things where at the end of the day there's domain indicators and part of the indicators of compromise are domain indicators, that DNS is being used either for command and control or simply just to access something outside of the network. At some point, we push hard on the idea that we should limit, that's a known thing. It's not a user-driven device. It's an infrastructure service that normally does these things. So, can you segment everything else from that? It queried something from a DNS perspective it had never queried before. They did a nice job of picking old domain names that they recycled, so these weren't brand new domains. They picked things that were... Like you look at it and you're like, "Oh, that sounds legit. It wasn't bobsbaitshop.com," and if bobsbait.shop is out there and it's a real domain, apologies. But they picked, I think it was avsvmcloud.com or something. Something that doesn't necessarily look bad, doesn't look domain-generated. It doesn't... "Oh, this thing, it's an infrastructure monitoring." It might be and yet [crosstalk].

Richard A. Clarke: The fact that they chose those old domain identities that hadn't been used anymore and they took them over, that was such a smart move.

Andrew Wertkin: 100%. It was understanding how they could be defeated, right? And so, pick something that's been there before and pick something that doesn't look odd, it's not going to catch somebody's eye. It's not going to catch a simple algorithm that's looking for perplexity or complexity of the domain name-

Richard A. Clarke: Or domains that were established last week.

Andrew Wertkin: Yeah. Or domains that were established last week and let's use it. And so, but the one thing for sure is that that software hadn't looked up that domain. That server had not looked up that domain before. It was new to that server. And in those cases, I think it's always better to confine what something can do than try to predict if what it's doing is good or bad, right? We try to come up with strategies that align more to that, difficult to do given the behavior of different things. But I think much like when I buy a product that I'm implementing, it will tell me what ports and what firewalls need to be open so that it can speak to A, B or C, at some point, I think in those contexts, DNS needs to be somewhat, "Okay, here's my product and here's what DNS domains it's going to query." And companies should not allow it to query anything else than those. Again, you couldn't do it with a user-driven device, but certainly for a backend server where that's predictable, then reduce the threat opportunity.

Richard A. Clarke: Yeah. Well, the Russians in the case of SolarWinds used domains in Canada and the United States because they knew we would be looking for domains in Russia or Eastern Europe, but not everybody's that smart.

Andrew Wertkin: Right.

Richard A. Clarke: And so, there are huge blocks of IP addresses that you can just block because your company doesn't do business in Africa.

Andrew Wertkin: No, for sure. Look, there's also TLDs from a DNS standpoint. Like you don't do business with people that use the dot accountants TLD or dot... There's a bunch of them like that, right? And I'm not saying the dot accountants does this, but there are domain registrars for some of these TLDs that monetize bad behavior and they facilitate it because they make money doing that. But the point is, if more than 90% of the active domains on a TLD are malware or spam-related, like it's garbage, it's too risky to go to anything that uses that domain and-

Richard A. Clarke: And you can just shut it off-

Andrew Wertkin: Shut it off, yeah. Block it all. Yeah.

Richard A. Clarke: ...You can shut off countries, TLDs. Admittedly, there are ways for the attacker to get around that and in the case of SolarWinds, they did, but-

Andrew Wertkin: Yeah. 100%, but there's some unfortunately named country code TLDs out there. Like I think Cameroon is .cm. Do you know how many typos there are out there? And we see it all the time when somebody's going to their bank.com and forgets the O in com-

Richard A. Clarke: Yep.

Andrew Wertkin: ...And guess who owns a bunch of those domains? People are smart. I'm going to wrap it up here. It was a pleasure speaking to you, Dick and I really enjoyed that.

Richard A. Clarke: Enjoyed it. All right. Talk to you later.

Andrew Wertkin: Thanks.

Richard A. Clarke: Bye.

Andrew Wertkin: Bye-bye.
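The DNS controls Andrew describes in the conversation above (a vendor-declared query allowlist for backend servers, a first-seen check for servers whose dependencies are stable, and a TLD blocklist applied to every host) as an added Python example; this is not code from the podcast or from either speaker's company, and every host name, domain, role and policy value in it is constructed.

```python
from collections import defaultdict

# Constructed sample DNS query log as (client host, queried name); every host and domain is hypothetical.
SAMPLE_LOG = [
    ("monitor01", "updates.vendor.example"),
    ("monitor01", "license.vendor.example"),
    ("monitor01", "telemetry.infra-cloud.example"),  # plausible-looking, but undeclared
    ("db02", "ntp.corp.example"),
    ("db02", "ntp.corp.example"),
    ("db02", "cdn.never-seen-before.example"),       # first time db02 resolves this domain
    ("laptop-42", "mybank.cm"),                      # .com typo landing on a blocked ccTLD
    ("laptop-42", "news.example"),
]
# Host roles: servers have predictable DNS behaviour, user devices do not (assumed).
ROLES = {"monitor01": "server", "db02": "server", "laptop-42": "user"}
# Domains a vendor documents its backend agent needs, per server (assumed values).
ALLOWLIST = {"monitor01": {"updates.vendor.example", "license.vendor.example"}}
# Registrable domains each undeclared server resolved during a learning period (constructed).
BASELINE = {"db02": {"corp.example"}}
# TLDs this organisation has decided it never needs to reach (constructed policy).
BLOCKED_TLDS = {"cm"}


def registrable(qname: str) -> str:
    """Naive registrable domain (last two labels); a production tool would
    consult the public suffix list instead."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(client, qname, roles, allowlist, blocked_tlds, seen):
    """Verdict for one query. 'seen' is per-server history and is updated in place."""
    name = qname.lower().rstrip(".")
    if name.rsplit(".", 1)[-1] in blocked_tlds:
        return "blocked_tld"      # policy applies to every host, user devices included
    if roles.get(client) != "server":
        return "ok"               # user-driven device: behaviour is not predictable
    if client in allowlist:
        # The vendor declared what this server talks to; anything else is out of policy.
        return "ok" if name in allowlist[client] else "not_allowlisted"
    dom = registrable(name)
    if dom in seen[client]:
        return "ok"
    seen[client].add(dom)
    return "first_seen"           # a stable server resolving a domain it never has before


def analyze(log, roles=ROLES, allowlist=ALLOWLIST, baseline=BASELINE,
            blocked_tlds=BLOCKED_TLDS):
    """Run a query log through classify() and return every non-'ok' finding."""
    seen = defaultdict(set, {host: set(doms) for host, doms in baseline.items()})
    findings = []
    for client, qname in log:
        verdict = classify(client, qname, roles, allowlist, blocked_tlds, seen)
        if verdict != "ok":
            findings.append((client, qname, verdict))
    return findings


if __name__ == "__main__":
    for client, qname, verdict in analyze(SAMPLE_LOG):
        print(f"{client:10} {qname:35} {verdict}")
```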


Today's Host

Andrew Wertkin | Chief Strategy Officer, BlueCat

Today's Guest

Richard A. Clarke