# Stanford CS153 Frontier Systems | The Road Ahead: Resilience Required

https://www.youtube.com/watch?v=g50FHC-PzK8

[00:09] I have two kinds of themes that I want to touch on that I hope, at the end of this session, get a little bit in your brain.
[00:19] I have been working in technology since the 1990s, when I got out of school.
[00:26] I moved here to Northern California in 1995.
[00:29] And when I got to San Francisco in 1995, I was working for the US Department of Justice.
[00:34] And it was funny, Mike had asked me, "How did you get into doing technology for the government?" And it was because I asked the Department of Justice if they would give me a direct internet connection to my desk in 1995, and they said absolutely not. We can't let our network touch the internet.
[00:55] So I just kept asking and eventually they let me have a separate computer to use on the internet.
[00:59] And then I was the only person in the office who had a computer that was connected to the internet and I became the gatekeeper to everything.
[01:09] But let me tell you a little bit about, let's see, how do we...
[01:18] Here's my background.
[01:20] So, I spent my first eight years with the Department of Justice.
[01:22] And then in 2002 I went to eBay.
[01:25] Back then, eBay was kind of like the hottest company in Silicon Valley.
[01:30] And it was a really fun place to work for a few years.
[01:31] Right after I got there, we acquired PayPal.
[01:34] And so I spent a bunch of time for eBay and PayPal building out both the legal side and the safety and security side of those companies.
[01:47] And then in 2008, I went to Facebook, when it was smaller than MySpace.
[01:49] It was here in downtown Palo Alto.
[01:52] We were scattered in a bunch of little, I don't know, I was in an old law firm office where I was working with a group of other people.
[02:06] And it took us years to get to having a campus.
[02:08] And so I was at Facebook until we became basically the company you know now, after we'd integrated Instagram, WhatsApp, Oculus and all that.
[02:17] And then I went to Uber and became their first head of security.
[02:21] So at Facebook I inherited three engineers and built it up to a large group.
[02:26] Then I went to Uber, inherited three engineers and built it up to hundreds.
[02:30] And then in 2018 I went to Cloudflare, inherited three engineers and built it up again.
[02:34] So today that's a lot of what I do.
[02:36] I work with startups that need to scale security and technology really fast.
[02:40] So I have my own company and we work with three or four startups at a time, helping them scale.
[02:45] I also advise cybersecurity startups and some non-security companies on security best practices.
[02:53] I'm a venture partner at Costanoa Ventures and I am the CEO of a nonprofit helping kids in Ukraine.
[03:02] So that's kind of my background in a nutshell, but I'm going to take you through in particular something that I had to go through when I was at Uber.
[03:11] If you look at my roles and my career, there's one theme, which is I've been at the intersection of where government and tech companies meet.
[03:24] And I've spent a lot of time, like when I was that federal prosecutor here in Northern California, I would go around all the tech companies and I would say, "Tell me about your cyber crime."
[03:33] I want to prosecute it.
[03:34] And they would all say, "We don't have any."
[03:41] There was no incentive.
[03:42] If you're a company and you're having bad things happen to you, why would you tell anybody about it?
[03:47] Is it good for your brand?
[03:48] Is it good for your business?
[03:50] Not at all.
[03:50] So the companies would always say to me, "Oh yeah, we have this."
[03:51] And so they would tell me about all these other issues they had.
[03:56] I ended up prosecuting a guy who'd gone to Stanford.
[03:58] He had a law degree and MBA joint degree from Stanford, and he ran all of business development for Cisco, and he felt that the CEO of Cisco didn't appreciate him enough, apparently.
[04:16] So he stole 40 million as they acquired companies.
[04:19] He created his own subsidiary called Cisco Systems Inc. Bahamas, and when they would divide up the stock portfolio, he would put about half of it in actual Cisco and half for himself.
[04:32] And then eventually we figured it out, and so I prosecuted him, and I was like, that's not exactly cyber crime.
[04:39] But you know, it was interesting.
[04:42] And then I had to build trust with the companies, and then they would actually start telling us about the real issues when they understood they could trust us to actually just go prosecute and not do big negative PR against the companies.
[04:54] Then I switched over and was on the company side.
[04:56] And at eBay, our number one problem was trust.
[05:01] Like if you remember, maybe you don't remember before PayPal, but the business model of eBay when I joined was identify an item, win the auction, put money in an envelope, mail it to the seller, and hope they send you the goods.
[05:18] That was literally the eBay business model.
[05:21] When I joined the company, a small percentage of transactions were going through this little startup called PayPal.
[05:26] And we had our own competitor to PayPal, and then eventually digital payments caught up, and now we are able to use credit cards and things like that and have assurances on our transactions.
[05:39] But I went to 46 of the 50 states for eBay to talk to regulators and try to get them to work with us and to enable this platform.
[05:49] I trained law enforcement in like a dozen different countries on how they could prosecute somebody for doing bad things on eBay.
[05:55] So, we were like trying to pull law enforcement and government to pay attention to what happened on the internet in the early days.
[06:03] By the time I got to Facebook, it was still the same thing.
[06:06] But there was a little bit more tension.
[06:08] There was a whole situation with that guy Eric Snowden, and you know, he left the NSA and he revealed all these documents that made it look like Silicon Valley was sharing everyone's data behind the scenes with the NSA.
[06:27] That wasn't the actual full story.
[06:28] I ended up in the middle of all that, basically as the face of Facebook interacting with the NSA, because I had managed our relationship with them all along.
[06:40] And so that was the backdrop when I got to Uber in 2015.
[06:45] And Uber was kind of like the beginning of that mobile explosion.
[06:54] If we think about the transition and how technology has become such a bigger part of our lives in the last 20 years, phase one was regular internet.
[07:03] Oh, we can do e-commerce.
[07:07] Wow, this is amazing.
[07:09] And then part two was that mobile explosion.
[07:12] Uber couldn't exist until there was an iPhone.
[07:13] And it's led to this next generation, an explosion of technology companies really taking over the world.
[07:25] And when this happens, when technology becomes the most important thing, all of a sudden the government folks really start to care about technology.
[07:31] And that's what's happened in the last decade.
[07:35] We've seen a lot more initiative going back to around the time of the first Obama administration, 2008 to 2012; they really started trying to figure out how do we get closer to Silicon Valley.
[07:45] President Obama came and visited us at Facebook.
[07:52] So did George W. Bush and Al Gore.
[07:56] And so you started seeing a lot more of that interaction.
[08:03] So I was at Uber, everything seemed to be going okay and then one day I got this text or email.
[08:11] It was from Eric Newcomer who's a reporter at Bloomberg and he messaged me because he wanted to know about me getting fired from Uber.
[08:19] I had no idea what he was talking about.
[08:22] I was on vacation with my family up by Lake Tahoe.
[08:24] It was Thanksgiving week.
[08:26] I'd taken the week off.
[08:26] After getting that, this was the headline I saw.
[08:34] He wrote, published an hour later: I paid hackers to delete stolen data on 57 million people, according to the news.
[08:45] And it just blew up across the planet.
[08:47] My phone started going crazy with people texting me, trying to call me.
[08:53] And right in the middle of that, my phone stopped working because my phone had been issued by Uber and my team had put software on that.
[09:01] And then my team used that software to break my phone and my computer because the company had decided to fire me.
[09:11] So I was all of a sudden the most famous person in cyber security for the wrong reason, about a decade ago, and that hurt a lot.
[09:26] I'm still involved in litigation related to that.
[09:29] But I went into hibernation for about two months, grew a beard, didn't want to show my face, and then in early 2018, I decided I got to get off my butt and get back going in life.
[09:41] And so I went out and tried to apply for some jobs.
[09:45] And that was when I got hired.
[09:48] Well, the funny thing was, after going through this, the first three companies to contact me about working for them and running security were Huawei, WeWork, and ByteDance.
[10:07] I am dead serious.
[10:10] They would love to have me despite all this.
[10:14] Instead I chose to go work at a small startup called Cloudflare.
[10:17] And Matthew Prince, I think, maybe speaks to this class.
[10:23] Matthew did his due diligence.
[10:26] He talked to Travis, who had been my CEO and manager at Uber, and a lot of other people, and decided he would take a chance on me.
[10:32] So I went and worked at Cloudflare starting in spring of 2018.
[10:40] And then 2018 was the midterm elections and 2016 was when President Trump was elected for the first time and then there was the midterm elections.
[10:51] Cloudflare got so much negative heat because I got doxed, and this group of organizations I'd never heard of went after me.
[11:00] Please don't go to that URL, because you'll see the entire doxing of me, because Google refused to take it down even though I submitted a takedown request.
[11:13] But I guess if you go there, you'll see I have six brothers and sisters.
[11:16] You can see all of their addresses.
[11:18] You can see my family's information.
[11:20] There's a whole timeline.
[11:22] There's all kinds of information about my mom, who worked for the CIA, and lots of other stuff that I didn't even know about myself.
[11:32] And so just me, because of what I'd gone through before, I ended up inflicting this on Cloudflare.
[11:40] And the thing I'll say about Cloudflare is that it is a company that really cares about transparency.
[11:47] When I joined the company I had my first security incident, and I had been through a lot of other security incidents where we don't get to control the communication about the security incident on the security team.
[12:03] It's a cross functional thing.
[12:04] You're supposed to work with you know the communications team and the legal team.
[12:07] Legal says what can go out.
[12:10] Communication team polishes it up.
[12:12] The CEO has to sign off.
[12:13] That's the way communications work in companies, right?
[12:16] So, at Cloudflare, I had my first security incident.
[12:18] I call Matthew, our CEO.
[12:21] It's a Friday night, because security incidents only happen on Fridays.
[12:27] So that your team has to work all weekend.
[12:30] It's a science.
[12:30] It's been proven.
[12:33] And so on that Friday night, I call Matthew and I say, "We have a security incident."
[12:39] And he said, "Who's writing the blog post?"
[12:42] And I always remember that.
[12:44] And I'm like, "What do you mean who's writing the blog post?"
[12:47] We're bleeding here.
[12:47] I need to make sure we stop bleeding and make sure that our customers are safe.
[12:51] And he's like, "Who's writing the blog post?"
[12:53] I was like, "I'll figure that out later."
[12:56] And so I hang up.
[12:57] Five minutes later, who pops onto the Zoom but our CTO.
[13:00] I'm like, "John, why are you on this?"
[13:02] He's like, "I'm writing the blog post."
[13:04] Like, our CEO had made our CTO just join my incident response working room just to write down and document everything so we could be transparent.
[13:14] A year later, we had our first big real outage as a company.
[13:17] I was over in London, and it was our local team in London that pushed a rule to our WAF that basically took down half the internet.
[13:29] And fortunately, most of the United States was asleep because of the timing of it.
[13:34] But John and I called every large customer that we had.
[13:39] We put out a detailed blog report.
[13:42] We had literally disrupted the entire internet.
[13:45] And a day later, if you went online and you looked at how Cloudflare was being discussed, they were praising us for transparency.
[13:54] Instead of getting slammed for breaking the internet, we were getting praised for being transparent.
[13:58] And I think there's this constant tension between transparency and not, around technology, what the good and bad of it is, and I think we need to bias more and more, the way Cloudflare has, towards this transparency.
[14:13] So after that, it's now 2020, and the FBI issues this press statement saying that they have arrested me.
[14:28] My eldest daughter was moving into her dorm at UT Austin at the time, and she calls me because a friend of hers had heard on NPR that I had been arrested.
[14:37] And so she is freaking out and she calls me.
[14:41] I'm sitting at my desk here in Palo Alto.
[14:44] I live by Midtown in Palo Alto.
[14:46] I was sitting at my desk on a Zoom for Cloudflare.
[14:50] I hadn't been arrested.
[14:54] So we have to add one thing to this.
[14:56] I hadn't been arrested, but what I had been was charged with a crime.
[15:05] So I've never been arrested, but I did get charged.
[15:07] I got charged with obstruction of justice and misprision of a felony.
[15:14] Without going into all the details, what it basically means was I was being personally held responsible for the company's failure to be transparent with the government in 2017 or 2016, when that security incident happened.
[15:25] So I want to take you through the security incident a little bit.
[15:33] I'm going to skip the legal stuff.
[15:36] I went to trial against the government in September of 2022.
[15:41] One of my daughters drew this picture because you're not allowed to take cameras in federal courts.
[15:44] So this was during the trial.
[15:46] The person on the stand there was a lawyer from Uber.
[15:52] Coincidentally, when my daughter drew this picture, this is the head of privacy and regulatory for legal, and she testified, "It's my team's job to tell the government about security incidents, and my team owns responsibility, and I personally knew about that security incident, and yes, we did not tell the government agency that was investigating us about the security incident."
[16:18] So, she said all that, but I was the one who was the defendant sitting in the courtroom wearing a mask because it was COVID times.
[16:22] The jury never actually saw my face through the whole trial.
[16:26] They only saw a guy in a suit with a mask on.
[16:28] So what was the case actually about?
[16:35] I really believe in this concept of responsible disclosure and trying to get the hacker community to work well with corporations.
[16:41] So in 2007, when I was at PayPal, we published a responsible disclosure policy.
[16:47] It was the first time a company published one.
[16:49] If you do security research, you know what these policies are.
[16:54] Or if you don't, you've probably never heard of them.
[16:57] But what we did, what we said in 2007 at PayPal was, "If you find a vulnerability, please tell us about it."
[17:03] We promise we won't sue you.
[17:05] We promise we won't tell law enforcement about you.
[17:07] We want to have an open dialogue.
[17:10] So, we did that in 2007 at PayPal and other companies started to follow suit.
[17:13] I went to Facebook in 2008 and we published a responsible disclosure policy there.
[17:18] Right after I got there, because it was something that I cared about.
[17:25] Then a couple of years later, there was this movement in the hacker community that was like, "Wait, that was nice that you said you won't prosecute us, but why don't you actually pay us money, because we're finding vulnerabilities. We're making you safer."
[17:43] And I remember the first time I got that email from a hacker and it said, "Pay us money and we'll tell you about the vulnerability in your systems."
[17:52] And if you own the system and you own security for that system and you get that message, you get kind of mad.
[17:57] And I used to be a prosecutor.
[17:58] So I get double mad.
[18:02] And I start thinking, how can I use the law against you, right?
[18:06] And then my team's like, "Joe, shut up."
[18:08] Like, we should be paying these people, and I came around to that.
[18:14] And so I think it was 2010 or 2011 at Facebook, we launched the third ever bug bounty program.
[18:19] Like bug bounty programs are a thing everywhere now.
[18:21] Google last year paid out I don't know how many millions of dollars in bug bounties, and they just announced a new program where you can get $250,000 for a single vulnerability.
[18:36] And so the world has been evolving to this place where we recognize that our goal should be the best possible security and that we should cultivate these relationships.
[18:44] So when I got to Uber in 2015, we published the responsible disclosure policy.
[18:49] And I should add that when I went from Facebook to Uber, about 40 of my team came with me.
[18:56] And so I went not by myself, but over the course of a few months, a lot of my team came, so much so that the general counsel from Meta sent me that warning letter that you sometimes get.
[19:09] And then we published a bug bounty program.
[19:16] And we had it running in private for like a year before we launched it publicly in the spring of 2016.
[19:23] And in the fall of 2016, this is the email I got.
[19:28] I found a major vulnerability.
[19:29] I was able to dump database and other things.
[19:32] And I did what I always do when I get this email, because I've gotten a lot of this email over the years.
[19:37] I forwarded it to the product security team that manages the bug bounty.
[19:41] A member of our security team emailed and said, "Hey, we use HackerOne for our bug bounty program, but we're also happy to work with you even if you do it otherwise."
[19:52] This is an email from Rob Fletcher, who's now a startup founder somewhere.
[19:58] But he led the interaction with this person, who wanted to be anonymous, and they showed us that they had actually found a vulnerability in the way our AWS was configured, related to some old databases that my team didn't even know existed because they had been deprecated before we got there.
[20:17] We treated it like a security incident.
[20:20] We documented everything.
[20:23] We had a centralized tracker, and all my team's notes are still there from it.
[20:26] Because I was going to trial over this.
[20:28] These are all slides from the trial actually, from my lawyer's closing argument, showing here are all the people in the company who knew.
[20:34] I went to the CEO. He signed off on us paying the bug bounty, because we paid $100,000 to these researchers. It was all approved.
[20:42] Legal was in the loop, three lawyers were in the loop. Communications, our two lawyers, the communications team, all in the loop.
[20:49] And we actually had written formal policies and documentation, and it said legal is responsible for doing the investigation, reporting it, etc.
[21:00] And we ran the whole thing by legal and they said, "We don't think we have to disclose it."
[21:05] The communications team had already prepared documents for if they were going to disclose it. They put those aside.
[21:10] I said to my team, "These people are still anonymous. Can we find out who they are and actually go interview them and make sure that they have deleted the data?"
[21:22] So, my team did an investigation. I'm not going to go through all the details here, but long story short, we were able to figure out who they were and where they were.
[21:34] It turns out at the exact same time that we were doing this investigation, the FBI was also doing the same investigation, because these two guys, a 19-year-old down in Florida and a 20-year-old up by Toronto, who had met in a gaming community, had found vulnerabilities in a few companies of the same type.
[21:52] And so they reached out to a few companies. I think they reached out to five companies and said, "We found vulnerabilities." We worked with them, paid them, fixed the vulnerabilities.
[22:03] Another one of the companies, which was LinkedIn, decided to contact the FBI. The FBI then tried to find them. We didn't know any of this was going on at the time.
[22:14] The FBI couldn't find them. My team was able to, and my team and I still get involved in working with the government on situations like that, because we're really good at that stuff.
[22:28] And so we were able to find these guys, and I had a retired CIA intelligence officer who's specially trained in interrogation, a top trainer; he trains other people from the CIA on how to do interrogation. So, I sent him down to interview Brandon.
[22:49] Well, actually Matt from my team sent this email. We basically figured out who Brandon was, where he was living down in Florida.
[22:59] And we sent him an email and said, "You got to be really careful in these situations. You'll be viewed as an extortionist. We don't think you're an extortionist. We think that you should be paid."
[23:08] And by the way, he didn't know we knew his name was Brandon when we sent him this email. So, this was kind of like we send you the email, and we send it to his real email address instead of his Proton Mail.
[23:20] So, you imagine you're Brandon, you wake up that day and there's an email saying, "Hi, Brandon. This is Matt from Uber. And one of my team members is right around the corner. Can you guys meet today?"
[23:36] That happened. And then my team member, the trained CIA interrogator, went in, and he prepared for me, I think it was like a six-page psychological profile of the guy, and documented and validated that the data was deleted, that our customers were protected.
[23:51] So this is a situation where, at the end of the day, legal had signed off on the communication side and my team had done the work where I felt comfortable our customers were protected, and we closed the chapter on the case, until 2020 when I got charged with the crime.
[24:16] I didn't know until much later that apparently, you know, people were agitating behind the scenes from Uber and others to get the government to go dig into this.
[24:23] So, I go to trial. We come through the trial. My lawyers at the end of the evidence, at the end of the government's case, they said, "Joe, we don't even need to put on a defense. We totally won."
[24:33] I was like, "Okay, sounds good, but like, let's just call a couple witnesses to fill in these little gaps." We did. So, we barely put on a defense.
[24:42] And then the jury goes out and they deliberate for a few days, and I'm just like, "Guys, if it was such an easy slam dunk victory for us, what's going on?"
[24:53] And then this question comes out: with regard to this hacking statute, does Uber have the right to extend authorization after the access?
[25:06] So under 18 USC 1030, this is basically the computer hacking statute. It says, "If I access your computer without your permission, I violated the law." And then there's various levels of significance beyond that point.
[25:20] And so the legal question was, when Brandon and the other guy accessed Uber's AWS, could we after the fact give them permission, or was it automatically a crime the second that they accessed our computer? And do we have the ability to unwind it?
[25:38] All the advice I'd ever gotten, and we discussed this a million times before with lawyers, is they would say, "Oh, it's like the old trespass statutes. You know, if somebody steps into your front yard and you can be like, 'Oh, hey, come on in.'" That kind of effectively by law means it's no longer a trespass.
[25:54] And so that was the advice that the bug bounty platforms and our lawyers had always told us. But then when the jury asked this question, the judge was not so sure.
[26:05] And the government was arguing at that time, no, Uber couldn't give permission. So the jury basically got this instruction: Uber cannot give permission.
[26:17] So effectively, it just basically gutted our whole defense. And so I could be held accountable for criminal obstruction, supporting the bad guys, even if I had gotten legal approval and didn't think that we did anything wrong.
[26:37] So, we lose the trial. It's now October of 2022.
[26:44] I went through that period in 2018 where I had to climb back on my feet. And in 2022, it was a lot harder because I had just lost a trial.
[26:52] So I called all these different nonprofits, because I was sitting around at home open again, and I called all the different nonprofits who always wanted to work with me, and they were like, "Yeah, we can't be associated with you this time."
[27:03] And so I had been helping Ukraine through my role at Cloudflare, and I realized that the only people who were willing to work with me in the fall of 2022 were the Ukrainians, because they had nothing to lose and they didn't care about my case.
[27:20] So I joined a nonprofit called Ukraine Friends and became their CEO. I started a program called Digital Wings.
[27:31] I realized that at every tech company, we have these piles of laptop computers that are sitting behind the help desk because, you know, we hire a bunch of people. Half of them don't last two years, but we're not going to give those computers to the next new employee. So, the piles of computers get bigger and bigger.
[27:46] On my first trip to Ukraine, a friend of mine was the CISO of Robinhood at the time. He gave me 20 of their cleaned-up used computers, and so I brought them in my carry-on.
[27:57] You know when you get to the airport and they're like, "Do you have any lithium-ion batteries?" I'm like, "Yeah, I got 20." They didn't know what to do. They just let me on the plane.
[28:10] And since I'd already been convicted of a crime, I was like, "Anyway..." I'm just kidding. I actually really take the shipping seriously.
[28:22] I've shipped thousands of computers to Ukraine at this point, and I've learned everything about safe shipping of lithium-ion batteries and the like, and it's really important you take those things seriously, because there have actually been fires and things on planes.
[28:37] But public service announcement aside, I got to Ukraine with a bunch of laptop computers and I realized what a need there was.
[28:45] So, my nonprofit, we bring computers to kids who've lost a parent in the war.
[28:51] My last trip to Ukraine was two weeks ago. I was there two weeks ago for the week. TD Bank had donated over a thousand computers, and so I was there to kind of oversee the distribution of those.
[29:04] And we work directly with military units so that some of the soldiers in the unit can give the laptops to the kids of their fallen brothers. You know, the people who survive feel almost a sense of responsibility for the families of those who didn't survive, and so we like to work with them to help them.
[29:23] And you know what the people in Ukraine have been going through. It's incredible, their resilience. I come back inspired every time I go. I've been six times in the last three years, and I wish I could go more frequently.
[29:37] So I'm doing this work in Ukraine, and I'm waiting, and my sentencing keeps getting postponed. I had the most amazing thing happen.
[29:49] I'm in like this funk. No one will hire me. I'm volunteering in Ukraine, seeing sad stuff, and I'm waiting for my sentencing hearing. And the government says, "We're going to argue that you should get three years in federal prison."
[30:03] I guess I'd still be in federal prison if they had gotten that.
[30:10] There's a process that you go through, though, before you get sentenced. In the federal system, there's a probation office, and they prepare a pre-sentence report where they kind of review your whole life. And so it's like a 75-page document of everything about me so that the judge can make an informed decision.
[30:32] And by the time the probation office got through documenting that Joe's been a volunteer for the federal government 17 different times since he left the government, doing all these different things, and involved in these different nonprofits and helping people in Ukraine, etc., the probation office came in with a recommendation to the judge: you should just give Joe probation and let him go live his life.
[30:54] And the prosecutors, when they heard that, they dropped down, and instead they argued that I should get 18 months.
[31:00] But so during that process I had the most amazing thing happen, which was I got these emails, and attached to each email would be a letter to the judge.
[31:11] I got over 200 separate letters to the judge sent to me by people who'd worked with me through my career, by people who were upset about my case. One letter was signed by 60 people in the cybersecurity community, another by 50, another by 40.
[31:29] It was like this mass uprising of support, because they felt that the case was unfair, or even if they didn't know anything about the legal stuff, they wanted me to be out and doing what I do.
[31:39] And so I had a sentencing hearing on May 4th, 2023. So literally three years and a week ago.
[31:50] And the judge said it wasn't a cover-up. That was the best thing I ever could have heard.
[31:59] The judge then went on to, you know, basically yell at the prosecutor in some sense, saying, "Why, if you're charging a company, why wouldn't you charge the CEO? The CEO was in the loop. The CEO supported all the decisions. If we're going to hold corporations accountable, let's start at the top."
[32:17] He also yelled at the prosecutor, like there was no financial incentive for Joe to do this. Why do you think he would do this? Do
[32:27] you think he needed to protect himself
[32:28] for his career? Stuff like that. He just
[32:30] said, "I've never seen a case like this
[32:32] in my life." And then he sentenced me to
[32:34] three years of probation and a small
[32:36] fine and sent me on my way. So I
[32:39] actually finished my probation a week
[32:41] ago. I got a letter saying I'm off
[32:43] probation. Um,
[32:47] thank you.
[32:50] I still get secondary inspection every
[32:52] time I come to the country. But, uh,
[32:56] my daughters really enjoyed it. The
[32:57] first time they're like, "Dad, this is
[32:59] so cool." Uh, but yeah, so I I landed on
[33:03] my feet. I started my security
[33:04] consulting business. I still do the
[33:06] nonprofit stuff. I've been working with
[33:07] some VCs. Costanoa made me a venture
[33:09] partner. I've been advising a bunch of C
[33:11] startups. Uh, this slide's actually
[33:14] outdated because well, four of four of
[33:17] these companies have recently gotten
[33:19] acquired and so I no longer advise them.
[33:21] Um, but I was happy they got acquired.
[33:25] Um, I get to go do keynotes. I I got I
[33:27] get paid to speak all over the world. I
[33:30] this year I keynote at a big AI
[33:32] conference in January in uh Tokyo. This
[33:36] was a very a keynote in Australia. Um,
[33:40] and so I get invited and and paid to go
[33:43] do these things that I love to do and
[33:44] talk about uh things like this case and
[33:48] and and I just want to like spend like
[33:49] five more minutes on like the cyber
[33:52] security and the world of cyber security
[33:54] has changed so much since I got
[33:55] involved. When when that Uber case
[33:58] happened in 2016, it was like the worst
[34:00] case scenario. Data had left the
[34:02] building. Like in cyber security, that's
[34:04] all we cared about for the longest time.
[34:06] And then something new happened around
[34:08] 2018 and 19 which is ransomware. So now
[34:11] in 2025 2026 cyber security is still we
[34:15] care about data leaving the building but
[34:17] we also have to care about operational
[34:19] resilience. Does anybody know what
[34:21] happened to Jaguar Land Rover last year?
[34:25] They got hit with probably one of the
[34:26] biggest cyber attacks. It was a
[34:28] ransomware attack and last I I think it
[34:31] happened last August. They literally had
[34:33] to shut down all of production for all
[34:35] of Jaguar Land Rover for three months.
[34:39] The UK government had to do a bailout of
[34:41] over a billion dollars. A bunch of their
[34:44] supply chain companies. So, you know, a
[34:47] Jaguar is not just all the parts made by
[34:49] Jaguar. They're made by hundreds of
[34:50] little companies. When Jaguar couldn't
[34:52] pay pay them for three months, a lot of
[34:54] those companies went out of business. So
[34:56] like the impact of a cyber attack cost
[34:59] the UK economy literally billions of
[35:02] dollars, billions of pounds and anybody
[35:05] who owned a Jaguar Land Rover during
[35:07] those months couldn't even take their
[35:08] car into a mechanic shop.
[35:11] So that happened. Uh cyber security
[35:15] became about operational resilience and
[35:17] then also you know what's going on with
[35:20] AI. Uh I I just got back from spending
[35:23] the last three days in meetings in
[35:24] Washington DC uh because I do some
[35:27] volunteer support uh for a couple of
[35:29] government agencies now and um you be
[35:33] like it's weird I'm under I'm I'm on
[35:35] probation and under investigation by one
[35:36] part of the government but I usually am
[35:38] helping a different at the same time. I
[35:40] I have had these conversations where
[35:42] it'd be like in the morning I'm with the
[35:43] FBI talking about something and in the
[35:45] afternoon I'm with the FBI talking about
[35:47] them putting me in jail. It's been it's
[35:49] been pretty surreal. Um but so I was
[35:52] there earlier this week and the amount
[35:54] of pressure the government is feeling
[35:55] right now about AI. You know,
[35:59] I I work with some companies that have
[36:01] access to Mythos, the the cyber model
[36:04] from or the cyber used model from
[36:06] Anthropic. That's so powerful. And it it
[36:08] it is it is as powerful as everybody
[36:11] says. Like we're finding things uh that
[36:14] are amazing uh and scary. And so the
[36:17] government knows that and really needs
[36:19] cyber security to step up in the next
[36:21] six months because those ma that type of
[36:24] model that's being held close right now
[36:26] is going to be publicly available in six
[36:28] months even if it comes from the open
[36:29] source guys. So that's the future we're
[36:32] facing. All of a sudden every CEO really
[36:35] cares about cyber security. I get a call
[36:38] a day Joe this CEO needs a head of
[36:40] security right now. They need somebody
[36:43] who's like has the experience you have
[36:45] where you could you're comfortable
[36:47] reporting to a CEO, sitting in the exec
[36:48] room, co-running a company. That's the
[36:51] kind of people we need in cyber security
[36:53] right now. And I I don't even have
[36:54] enough people to to refer. At the same
[36:57] time, governments are tightening up on
[36:59] the regulatory side. A lot of other
[37:00] countries are thinking about doing
[37:02] enforcement actions like the ones
[37:03] against me.
[37:05] So, it's this weird situation where a
[37:08] lot of my peers call me like I hear from
[37:10] every CISO in every bad situation and I
[37:14] also hear from, you know, like they call
[37:16] me when they're like, "Joe, my we just
[37:18] had a ransomware and the CEO is forcing
[37:20] me to sign something to go to all our
[37:21] customers saying that everything's fine
[37:23] and I know everything's not fine. What
[37:25] do I do?" Like, I get questions like
[37:27] that every week from people in the role.
[37:30] And then the other question they get is
[37:32] like, I'm being asked to take the top
[37:33] seat. Do I even want it? Uh because it's
[37:37] really scary to be a cyber security
[37:38] leader in this environment right now.
[37:42] And the thing I'll say is I've been
[37:44] through a lot and one of the things I've
[37:47] realized is that you have to have
[37:48] resilience. And I don't care if you're
[37:50] going into cyber security or what other
[37:53] jobs you all decide to go into, you're
[37:55] going to get punched in the face
[37:57] sometimes. And you got to think about
[38:00] how am I going to handle getting punched
[38:02] in the face. Like you when a boxer goes
[38:06] into the ring, they know they're going
[38:07] to get punched in the face and they
[38:09] think they still have a plan. I think
[38:11] leadership in 2026 and beyond is about
[38:15] that resilience. I these four people
[38:18] like ever since I went through my thing
[38:20] and I've had people say like, "Oh,
[38:22] you're a model of resilience." I started
[38:23] looking. There are a lot of really good
[38:25] models. Like these four people all got
[38:28] punched in the face when they thought
[38:29] they were at the peak of their career
[38:30] and they thought they were at an amazing
[38:32] place and then they end up going 10
[38:33] times higher in their career and you can
[38:36] find so many people like that. And so
[38:38] the thing I would talk you know I do a
[38:41] lot of work with organizational leaders
[38:43] and I you know I I did like a 4-hour how
[38:46] do I prepare for I have like a literally
[38:48] a 4-hour program on how do you as an
[38:51] executive prepare yourself your team and
[38:52] your company to deal with crisis before
[38:54] it happens. I'm not going to go into all
[38:56] that stuff with you, but I want you to
[38:58] think about and remember
[39:01] that we don't write into the job
[39:05] description resilience and crisis
[39:09] management. But if you're working in
[39:12] technology in 2026,
[39:14] we're so highly visible, there's so much
[39:17] pressure on us, we have to be ready to
[39:20] get punched in the face. And that means
[39:24] thinking about what are the key elements
[39:27] for success in a crisis. I think the
[39:29] number one element for success in a
[39:31] crisis is actually how well you
[39:32] communicate. Like I I brought up how
[39:34] Cloudflare has handled crisis over the
[39:36] years. They always are on the side of
[39:38] transparency and it always builds trust.
[39:42] Uh companies that choose like say Uber
[39:45] in 2016 not to be transparent, it leads
[39:48] to this boiling negativity over time.
[39:51] So my last thought for you is this.
[39:56] Run towards those opportunities. Run
[39:57] towards those stressful situations
[40:00] because the more you go through them,
[40:01] the better you'll handle them.
[40:04] I get invited to work at companies, the
[40:07] coolest companies on the planet, because
[40:09] they have confidence that I have wisdom
[40:11] from having gone through the bad things.
[40:14] If you try and steer your career to
[40:16] never go through bad things, you'll
[40:18] never get the wisdom and experience you
[40:20] need to really succeed.
[40:22] >> So the question is, how did you rebuild
[40:24] your your reputation, which is clearly,
[40:26] you know, world world known?
[40:28] >> Yeah, I um
[40:31] it was interesting. So I I I consider
[40:34] like I consider I lost the trial in the
[40:36] fall of 2022, but I won the sentencing
[40:38] in the spring of 2023. And it was really
[40:41] um my wife who's here in the front row
[40:44] who's a Stanford grad, she came along
[40:46] today. Um she was there with me through
[40:49] it all and having having strong support
[40:52] at home number one. Um was really
[40:56] important. But then I had a lot of
[40:57] support from the community. I got I
[40:59] mentioned those letters. Uh I joke that
[41:02] it was like uh I got to sit through my
[41:05] own Irish wake. You know, the idea that
[41:08] like um I got to hear all these people
[41:11] say good things about me while I was
[41:13] still alive. And I I bring it up a lot
[41:16] with leaders because what you don't
[41:18] realize when you're a leader is how much
[41:20] the little things you do or don't do
[41:23] um your team picks up on. Like I had
[41:27] people write in these letters to the
[41:29] judge talking about things that I I
[41:31] didn't remember at all. It's like I
[41:32] didn't remember. I had lunch with that
[41:34] guy in my team's kid who was thinking
[41:36] about cyber security, but apparently I
[41:38] did. You know, I didn't remember like
[41:39] there were just lots of examples like
[41:41] that. And so, um, so after I won the
[41:44] trial, I reached out to a couple of
[41:47] people. I decided I should I couldn't
[41:49] talk for seven years. My lawyers
[41:50] wouldn't let me talk. So, I was just all
[41:52] negative for seven years. And so after
[41:54] it was over, I reached out and um I
[41:58] reached out to the guy who runs the
[41:59] DEF CON conference uh who started it in
[42:02] Vegas back whatever 30 years ago and
[42:04] he'd started Black Hat as well. So
[42:06] they're two of the most well-known cyber
[42:07] security conferences and I said I'd love
[42:09] to get a chance to tell my side of the
[42:11] story and I um and he he contacted me
[42:15] back a week later and he said at Black
[42:17] Hat we have a CISO summit so like all
[42:20] the security leaders from the biggest
[42:21] companies will be there. Uh you can do
[42:23] an off-the-record talk there if you'll do
[42:25] an on-the-record talk at DEF CON.
[42:28] And so those were the first two times I
[42:30] was talking about my case. It's funny my
[42:33] dad emailed me the other day cuz he
[42:34] found the DEF CON talk and watched it uh
[42:38] three years later and um and he emailed
[42:41] me about it and I was just reflecting on
[42:44] I was so nervous. I was so nervous
[42:47] because a friend of mine I went who
[42:49] lives here in Palo Alto. He'd been on
[42:50] the early Facebook team with me. I went
[42:52] walking with him and he'd said, "What
[42:55] are you going to do if you get booed?"
[42:58] And so I mentally going into the
[43:00] speaking was worried that I was going to
[43:02] get booed. Uh but I just did it. I got
[43:05] up and went and did it. It was the same
[43:07] thing as like in January of 2018, the
[43:09] first time I went to a security
[43:10] conference after getting fired on Global
[43:13] News. I felt very sheepish and awkward
[43:16] and uncomfortable, but I got through it.
[43:20] When I spoke at Black Hat at that CISO
[43:22] summit, I got ended up getting a
[43:24] standing ovation from like my peers, the
[43:28] best security leaders in the world. And
[43:30] so that just gave me the confidence and
[43:32] courage to to go forward. Uh I started
[43:35] my own consulting business and then I
[43:37] had success doing it. It was mostly what
[43:41] I've learned is that I was mostly able
[43:42] like large companies can't be associated
[43:44] with a felon. Um although I do work with
[43:47] some large companies but they prefer
[43:49] that we keep it under NDA. Um
[43:53] and so I started embracing working with
[43:55] startups even more because startups
[43:56] don't care. They just want to have the
[43:58] best security they can get from somebody
[43:59] who understands them. So I just I just
[44:02] been building it ever since.
[44:04] >> Good. Next question.
[44:06] >> So the question is what are the security
[44:08] issues around vibe coding and what
[44:09] should we be thinking about?
[44:11] >> Yeah. I actually joined the board of an
[44:14] appsec company uh last fall and and
[44:17] with at over at the VC we've been
[44:18] looking a lot at how application
[44:20] security is evolving and I've been
[44:22] thinking about and the uh the companies
[44:25] that I advise and work with are
[44:27] obviously in different stages of of um
[44:30] embracing it. Financial services is
[44:32] really slow on embracing it, but some of
[44:34] the other companies I work with are
[44:36] really deep in uh like a large
[44:38] percentage of their code is being
[44:39] generated through um these tools. Uh the
[44:43] the first challenge is just the sheer
[44:45] volume of code being generated uh has
[44:47] gone through the roof. Uh like one small
[44:51] southeast bank that uh we work with uh
[44:55] they went from like 250,000 lines of
[44:57] code a month to like 1.25 to five
[44:59] million lines of code a month in in like
[45:02] a two-month period after get uh so
[45:04] challenge number one is the sheer
[45:06] velocity of uh of code. Challenge number
[45:09] two is that uh one of the other
[45:12] companies I work with here in the Bay
[45:13] Area they're um their CISO called me and
[45:16] he was like we just had our the first
[45:18] marketing person merge into production
[45:21] and there was a vulnerability and we
[45:23] tried to kick it back to marketing and
[45:24] they don't know how to fix the
[45:25] vulnerability. So like you know whereas
[45:28] an a software engineer would actually
[45:30] like okay here you know security could
[45:33] send them a proposed fix and then they
[45:34] would typ the typical appsec model is
[45:36] the security sends a proposed fix and
[45:38] then the the engineer actually looks at
[45:40] it and thinks about the bigger context
[45:42] but it's somebody from marketing you
[45:44] can't really do that. Um so that's the
[45:47] second challenge. Um the third challenge
[45:49] is um it's not just a vibe coding but
[45:52] like Claude Cowork for example is I mean
[45:54] which is really Claude Code with a
[45:56] wrapper um Cowork uh it's getting
[46:00] non-technical employees to be even more
[46:02] ambitious with connecting externally and
[46:05] the way that they'll solve problems is
[46:06] if they don't have the API key they'll
[46:08] go out and try and you know literally
[46:11] they'll go try and set up their own
[46:13] remote external server so and create
[46:15] their own API key and you're like
[46:17] there's no way an engineer would do
[46:18] this. So we're seeing all kinds of crazy
[46:20] things. There is no one silver bullet
[46:23] solution. I'd say companies are walk are
[46:25] coming at it from two different
[46:26] directions. Some companies are doing
[46:28] YOLO and then trying to clean up. But a
[46:31] lot of companies and smart companies in
[46:33] particular are are starting out with
[46:35] pilots and constraining to just software
[46:37] engineers who who know better and then
[46:39] are slowly adding um different groups. I
[46:42] really believe that we can't solve um
[46:47] we can't solve the headaches the
[46:48] security headaches of agents inside our
[46:50] environment just by putting guard rails
[46:52] on them because it's not you can't say
[46:55] okay you can have access you can have
[46:57] write access to my email for purpose A
[46:59] but not purpose B. It's like we just
[47:01] can't do that. And so we have to have um
[47:04] kind of like anomaly detection around. I
[47:07] think of it like um agents inside
[47:10] companies are like toddlers in inside a
[47:12] house. They're running around. They can
[47:14] run, but every so often they're going
[47:15] to, you know, if you ever seen a parent
[47:17] of todd toddlers, they're kind of
[47:18] running next to them. It's like real
[47:19] time runtime. Um and that's what I think
[47:22] we'll have to get to in in um agentic
[47:26] solutions. It's like we'll put some
[47:27] guardrails, but it's not that they have
[47:29] access, it's what they do with the
[47:30] access that we have to pay attention to.
[47:33] >> Interesting. So, so the question is what
[47:35] would you have done differently if you
[47:37] were back leading security at Uber?
[47:40] >> Yeah. So, from a technical operational
[47:42] side, my team, my team, I was so happy
[47:45] that we actually got to get to the trial
[47:47] so that the world could see what my team
[47:48] did technically. Um, I think everything
[47:51] we did I would do the same. I wish we
[47:54] had more documentation. I'm actually an
[47:56] adviser to a company now called BreachRx
[47:58] which uh creates a platform that
[48:01] forces legal and um communications to
[48:04] work more directly with security and I
[48:07] started working with them uh before they
[48:09] even got their seed investment because I
[48:11] really believe that it is about how you
[48:14] get the different teams inside the
[48:15] company to work together on
[48:16] transparency.
[48:18] um like in the middle of a security
[48:20] incident, the security leader doesn't
[48:21] have the credibility around
[48:23] communication or legal issues to say we
[48:26] should be public about this. You have to
[48:28] work through that stuff ahead of time.
[48:30] So, operationally, I wouldn't change
[48:31] anything. We should be paying those
[48:33] researchers. Um we should be uh fixing
[48:37] things. We should be working with legal.
[48:39] Um I think I spend much more time now
[48:44] educating the other executives at the
[48:46] companies I work with. Not just the
[48:48] security team. Like there's when you
[48:50] become a leader of a company, you don't
[48:53] actually work on your team anymore. You
[48:55] work on the leadership team of the
[48:56] company. When I mentor a security
[48:58] executive, I always start out with a
[49:00] question that's actually a trick
[49:02] question. The first time I'm meeting
[49:04] with someone new, I say, "Tell me about
[49:05] your team." And they immediately start
[49:07] talking about, "I got this team that
[49:08] does detection. I have this team that
[49:10] does application security. I have this."
[49:11] I'm like,
[49:12] >> "No, no, I mean your team." They're
[49:14] like, "What do you mean?" I'm like the
[49:15] other executives at the company.
[49:18] >> When I was at Facebook, I had an exec
[49:20] coach and she told me that I should be
[49:21] spending 50% of my team with the other
[49:23] executives instead of with the security
[49:26] team. And I actually think for a
[49:28] security leader, it needs to be even
[49:30] more because our world is dark and scary
[49:32] and confusing. It's not very measurable
[49:35] by metrics and you only hear the bad
[49:37] stories. And so it's our job as security
[49:39] leaders to get out and really build
[49:42] trust with the other executives at the
[49:43] company. So that in the crisis moment
[49:45] they'll trust us more.
[49:47] >> Yeah.
[49:47] >> The question is around quantum
[49:49] cryptography.
[49:50] >> I'll tell you that uh this comes up all
[49:52] the time like I was in Florida last week
[49:55] for a closed-door group of like 20
[49:57] security executives including from a
[49:59] bunch of the large um
[50:02] ga uh gas and energy world oil gas
[50:05] energy world. And we had a whole session
[50:08] talking about like what are we doing
[50:11] about the quantum risk and opportunity.
[50:13] For the most part companies are not
[50:16] doing a lot right now. I think the
[50:18] reality is that we could you know if we
[50:20] look at how the pace of AI uh has like
[50:22] sped up from predictions
[50:25] uh quantum seems like it could be here
[50:27] by 2030. And so arguably we should be
[50:31] doing stuff but for the most part when
[50:34] you think about uh where cryptography
[50:36] exists in our environments I think that
[50:39] um most of the work that needs to be
[50:41] done needs to be done at the Googles the
[50:43] AWS
[50:45] um like the biggest risk probably to
[50:48] most of us right now is that
[50:51] um
[50:53] agencies of governments have vacuumed up
[50:56] a lot of historical communication data
[50:59] that has been encrypted by non-quantum
[51:01] resistant uh encryption. And so if
[51:05] you're part of a terrorist group 5 years
[51:08] ago, you might have some trouble in 5
[51:10] years. Uh that kind of stuff. Um like
[51:14] the quant uh most of our environments
[51:17] that are the main infrastructure
[51:19] companies supporting them are going to
[51:20] be quantum resistant. Um,
[51:24] and also if you flip it around, it's a
[51:29] little bit like the Mythos situation.
[51:31] Once we get quantum, it's not like going
[51:33] to be like all of a sudden every data
[51:35] center is a quantum data center. Quantum
[51:36] machines require extreme cold and all
[51:39] this other stuff. So, it's going to be
[51:40] like a few people have quantum before
[51:43] everybody has quantum. And then there's
[51:45] going to be a period of time
[51:47] >> uh and so hopefully it'll be the good
[51:48] guys get quantum before the bad guys.
[51:51] And then they can do kind of what
[51:52] Anthropic and OpenAI have been doing
[51:54] with their new cyber models.
[51:55] >> Actually, just I have a question on
[51:57] those models like with the Mythos like
[51:59] what is your opinion on how those tools
[52:01] should be released early and and kind of
[52:04] like what what's the right kind of
[52:06] process there do you think?
[52:07] >> I I have seen it's funny the cyber
[52:10] security community is very critical
[52:12] self-critical and and loves to jump all
[52:15] over each other. So like the first I I
[52:17] think on a mainstream level, Anthropic
[52:19] did an amazing job from a brand
[52:21] standpoint around you know they're
[52:23] coming out of this fight with the deal
[52:24] Department of War and then all of a
[52:26] sudden they're just like being noble and
[52:28] helping the world around cyber security.
[52:30] They nailed that
[52:32] >> um from like communication standpoint
[52:34] and then there was this little backlash
[52:35] in the security community of like
[52:38] >> I don't have access to the model. I
[52:40] don't believe it kind of thing and uh
[52:42] this is all hype and why haven't we seen
[52:44] a bunch of CVEs submitted and documenting
[52:46] it.
[52:47] >> Um what I can tell you like I said uh
[52:50] one of the companies I work with uh was
[52:51] given access on day one and it's just
[52:55] been um incredibly valuable for them. Um
[52:58] when you get um but when you get when
[53:01] companies and organizations get access
[53:02] to these models it's not like they can
[53:04] just snap their fingers point the model
[53:05] at their infrastructure. You have to
[53:07] have built the harness and kind of like
[53:09] the uh the technology around the models.
[53:11] So I think every company should be
[53:13] building those harnesses right now so
[53:15] that and and honestly you could take
[53:17] some of the other existing public models
[53:19] if you have the right harnesses you can
[53:20] find a lot of the same things if you're
[53:22] intentional about it. So
[53:25] um I don't think I I'm not critical of
[53:29] Anthropic in the way they've done it. I
[53:31] will say that um they went public with
[53:33] the names of like eight companies
[53:37] >> and I think that there was some
[53:38] intentionality about that because they
[53:41] imagine you're in their shoes. If you
[53:43] decide to give the access to one gas
[53:46] company but not another
[53:48] >> or one bank but not another, you're it's
[53:51] almost like you're picking winners and
[53:53] losers.
[53:54] >> And so they have to be very careful.
[53:56] They gave access to more than they said
[53:59] they gave access to. Like I know of
[54:01] organizations that have access I know
[54:03] multiple organizations that have access
[54:05] that are not on any of the lists that
[54:07] have been public.
[54:08] >> So do I. Yeah.
[54:09] >> So um so it's interesting they they're
[54:12] doing a very public part but they're
[54:14] doing some behind the scenes and then we
[54:16] do hear like some European leaders
[54:17] complaining we don't have access stuff
[54:19] like that but some of their peers in
[54:21] Europe actually do have access. And
[54:24] >> it's it's one of those things where
[54:26] maybe transparency would be better.
[54:28] Maybe this and now I think the the the
[54:31] government is really uh this
[54:33] administration is now thinking a lot
[54:35] harder about how should we get involved
[54:38] in these? Do we want
[54:39] >> like what if next time it's not
[54:41] Anthropic, it's somebody else. Um and
[54:44] they're not as intentional about the
[54:45] roll out. Um so
[54:47] >> Out of curiosity, where do you sit on
[54:49] that regulatory
[54:50] kind of uh topic?
[54:53] >> Yeah, I've I mean I've I've spent 20
[54:56] years being the face of companies like
[54:58] I've testified before Congress multiple
[54:59] times on these topics of like should we
[55:01] come regulate PayPal or Facebook because
[55:04] of um
[55:06] >> I think we need to have smart
[55:07] regulation. I'm not anti-regulation.
[55:09] Like a lot a lot of Silicon Valley
[55:11] companies and a lot of the companies I
[55:12] work with in general like the whole
[55:15] public policy team's job is to prevent
[55:17] any regulation at all because stupid
[55:20] regulation definitely gets in the way of
[55:23] innovation. Um, at a certain scale
[55:25] though, we need to have regulation to
[55:27] protect people cuz it's not in the best
[55:29] interest of companies that are just pure
[55:31] existing for money uh to take care of
[55:34] everybody who has access to their
[55:35] product.
[55:36] >> And and a lot of products get used in a
[55:38] lot of ways that the companies don't
[55:40] anticipate. Uh like when I was at
[55:43] Facebook, I worked with a lot of um
[55:46] dissident groups in Africa in you know
[55:49] countries that had governments that were
[55:50] very oppressive and the only way they
[55:53] were able to stay in touch with each
[55:54] other was through Facebook and yet uh
[55:57] and they were using the product in ways
[55:58] that I never imagined that they would
[56:00] use it and it wasn't built for and it
[56:02] was putting them at risk and then they
[56:04] were like can you build some other
[56:05] features for us to reduce our risk but
[56:07] there's no economic incentive for us to
[56:09] do that as a company. Uh so you see
[56:12] these weird situations all the time
[56:13] where um governments can make like
[56:17] social media for kids.
[56:18] >> Yeah.
[56:19] >> My daughter who's 23 now is like dad you
[56:22] should have regulated us way more. Um
[56:25] and so like there's no easy answer on it
[56:28] because a lot of the time government
[56:31] shows up and they don't even know how to
[56:33] turn on a computer and you're like how
[56:35] could I let these people regulate me?
[56:38] Uh, I mean the good news is, you know,
[56:39] like we have a lot of smart business
[56:42] people going ever since the second Obama
[56:45] administration when they had that um
[56:47] they really started promoting getting
[56:49] people from the private sector into DC.
[56:52] This administration's doing it too. Like
[56:54] we we were talking about Emil Michael
[56:56] who's the person at the Department of
[56:57] War who's negotiating with Anthropic.
[57:01] There's no person I would rather have
[57:03] representing the Department of War in a
[57:05] negotiation with Anthropic than Emil.
[57:07] >> I agree.
[57:08] >> Yeah.
[57:08] >> Right.
[57:08] >> Yeah.
[57:09] >> Because he's like I worked with him here
[57:12] in Silicon Valley. He understands this
[57:14] world and he understands that world.
[57:16] >> Yeah.
[57:17] >> And and we need to have people in those
[57:19] roles like him.
[57:20] >> We're going to have actually Emil for
[57:22] office hours later in June just as a as
[57:24] a future speaker. Next question.
[57:28] I think it yes it is very difficult for
[57:30] any company to put full security around
[57:33] everything they're doing. Um I I work
[57:36] with a lot of um startups and the number
[57:39] one thing they're worried about is theft
[57:41] of intellectual property. Uh it's that's
[57:43] a big difference between the the
[57:45] companies I work with and a lot of other
[57:46] organizations. A lot of the world thinks
[57:49] about security. Intellectual property
[57:50] theft is a huge risk uh for a lot of
[57:54] different reasons in Silicon Valley
[57:56] companies. And so um you know can we
[58:00] fully vet every employee that we hire?
[58:02] We cannot like we can't do the level of
[58:04] background check. We can't know if you
[58:06] have relatives back home in another
[58:08] country who are being held hostage by
[58:10] the government. I've I've had situations
[58:12] at companies I've worked at and with
[58:14] where we have known that the employee
[58:17] would was put under pressure when they
[58:19] went home and it was like hey you know
[58:21] your your parents have a nice retirement
[58:23] right now but you know we have this
[58:25] luxury suite in Siberia um that if you
[58:29] don't start showing some patriotism like
[58:32] that pressure happens all the time. I've
[58:34] had like um I've had employees uh
[58:38] arrested by governments overseas uh and
[58:41] held in expectation that the company
[58:44] would cooperate. Uh to the point you
[58:46] said about saying that he was worried
[58:47] his hand is cut off. There have been
[58:49] executives at cyber at crypto companies
[58:51] whose hands have been cut off. There are
[58:53] lots of these like well you think about
[58:56] like if you could get access to the the
[58:58] vault of of like one of those crypto
[59:00] banks. Uh, and a lot of times like the
[59:02] main keys are literally like two
[59:04] people's fingerprints have to be
[59:05] involved to be able to unlock it. Um,
[59:07] and so they'll collect the fingerprints.
[59:10] Um, yeah. So I like I built executive
[59:12] protection programs in the physical
[59:13] security side and I've seen a huge ramp
[59:16] up in executives needing to be worried
[59:18] about that. I mean, we heard the story
[59:19] of what happened to Sam Altman recently.
[59:22] I um there are lots of stories like that
[59:24] that don't get as much attention. I
[59:27] could there I you know you could go back
[59:29] 20 years ago one of the co-founders of
[59:31] Adobe was kidnapped here in Silicon
[59:33] Valley and held hostage um like in the
[59:38] East Bay and the FBI went and rescued
[59:41] him like nobody I know that story
[59:43] because I was around then but most of
[59:45] the world like we've been dealing with
[59:46] this type of stuff for a while and it's
[59:49] real because our companies are the most
[59:51] powerful companies in the world in 2026
[59:53] and and the technology is scary. So
[59:55] okay, that's the first part. We can't uh
[59:58] we can't do perfect security and there
[01:00:00] is a risk. I do still think that we
[01:00:02] should be moderating the release
[01:00:06] in the spirit of doing the best we can
[01:00:07] to manage the risk of the release and I
[01:00:10] think that's what Anthropic and OpenAI
[01:00:11] have been doing. Um could we critique
[01:00:15] them? Is there could they do better? the
[01:00:17] more transparent they are about the
[01:00:18] releases, hopefully over time we'll
[01:00:21] figure out what are the like it would be
[01:00:23] nice if we could say here are the five
[01:00:25] best practices for rolling out the
[01:00:27] release of a model and like we we we
[01:00:30] will prevent these organizations and
[01:00:32] they will have signed the right
[01:00:33] agreements and stuff like that. Uh I
[01:00:35] think we're walking but not running in
[01:00:37] that direction and we'll get better and
[01:00:38] better at it over time. Um and
[01:00:41] governments are going to get more and
[01:00:42] more involved because they need to. Um
[01:00:45] what are the other question?
[01:00:46] >> Open source
[01:00:47] >> and then open source I okay on on the
[01:00:50] open source point I don't think we I
[01:00:53] don't think there's I don't think anyone
[01:00:55] knows what the ideal or real world of
[01:00:58] what models are going to be the best
[01:00:59] models three years from now are like I
[01:01:02] don't know if LLMs
[01:01:04] are going to be the center of our
[01:01:05] universe like they feel they are right
[01:01:07] now. Where do world models fit in? Where
[01:01:09] do small language models fit in? Where
[01:01:11] where are vertical models? It's like
[01:01:13] there's so many different things going
[01:01:14] on in so many different startups around
[01:01:16] models. Um like are we going to get to a
[01:01:20] place where the models stop, you know,
[01:01:21] these large language models stop making
[01:01:24] leaps every few months? Are the leaps
[01:01:26] going to get a lot slower? Are the open
[01:01:27] source ones going to catch up? Um the
[01:01:30] economics don't make sense to keep going
[01:01:33] forever on these large language models.
[01:01:34] So I I feel like it's going to be a
[01:01:37] couple of years before we um even know
[01:01:41] what like the steady state is enough to
[01:01:43] debate it.
[01:01:44] >> So So the questions around ShinyHunters
[01:01:47] and the canvas and ransomware.
[01:01:49] >> Yeah. So uh it's interesting ransomware
[01:01:52] um
[01:01:54] like let's look at what's the history of
[01:01:56] ransomware. Ransomware actually started
[01:01:59] uh through state sponsored attacks. It
[01:02:02] wasn't for money. It was for political
[01:02:04] reasons. If you go back, the the the
[01:02:06] biggest early ransomware situations were
[01:02:08] not ransomware. They were destructive
[01:02:11] cyber attacks. Saudi Aramco was taken
[01:02:14] out by Iran. Uh the Sands Casino was
[01:02:17] taken out by Iran. Uh North Korea took
[01:02:20] out Sony. Uh that was actually my team
[01:02:22] at Facebook that uh showed that it was
[01:02:25] North Korea that had taken down uh Sony
[01:02:27] in 2012 or 13. And then uh we shared
[01:02:31] that with the FBI. Um and there were um
[01:02:36] and so it evolved uh from those attacks
[01:02:39] into private sector attacks. And right
[01:02:44] now there's literally so much uh
[01:02:46] infrastructure built around the business
[01:02:48] of ransomware. Like a lot of companies
[01:02:50] hire a ransomware negotiator to have
[01:02:52] them on retainer just in case they get
[01:02:54] ransomware.
[01:02:55] I like the idea that there was actually
[01:02:57] a business profession of like I
[01:02:58] negotiate ransomware solutions. Um it's
[01:03:01] a thing in 2026. Um and it's a best
[01:03:05] practice to have one of them on speed
[01:03:06] dial. Um
[01:03:08] >> I think that it's uh we're in the bad
[01:03:10] state because government didn't do
[01:03:12] enough to react and understand the
[01:03:14] implications now that governments like
[01:03:15] the UK government are doing all these
[01:03:17] bailouts. Now that it's hit companies
[01:03:19] like healthcare companies in the United
[01:03:20] States. If you like the first time cyber
[01:03:23] security really impacted American
[01:03:25] citizens was the Colonial Pipeline one.
[01:03:28] A whole bunch of the northeast of the
[01:03:29] United States. People were lining up and
[01:03:31] filling up their cars with gas and they
[01:03:33] block long lines because of a cyber
[01:03:35] ransomware attack. The government is
[01:03:37] finally in the last couple years
[01:03:39] realizing we got to get involved. We
[01:03:41] can't allow these like organized groups
[01:03:43] whether in Eastern Europe or in Asia or
[01:03:45] in the United States itself. Uh
[01:03:48] governments have to get involved. So law
[01:03:50] enforcement is starting to do a lot of
[01:03:52] takedowns and now some other branches of
[01:03:55] government are thinking about how can we
[01:03:57] go after those gangs. So how do we go
[01:03:59] after them before the attack rather than
[01:04:01] after? Like if you think about the FBI's
[01:04:03] role in cyber, they don't prevent cyber
[01:04:06] crime. They try and do arrests after the
[01:04:08] fact. And so we need more government
[01:04:10] involvement on the prevention side. It's
[01:04:12] just been hampered by the fact that, you
[01:04:14] know, when our government goes to meet
[01:04:15] with the leaders of the governments in
[01:04:17] these countries, we're often negotiating
[01:04:19] more about like the war in Ukraine or,
[01:04:21] you know, or Taiwan and the cyber stuff
[01:04:24] is not getting to the top. But because
[01:04:26] the economic because the CEOs are now so
[01:04:28] worried about ransomware, our government
[01:04:30] is starting to become more proactive and
[01:04:33] there are starting to be a lot more like
[01:04:35] if you pay attention the White House uh
[01:04:38] cyber in the last year he's talked about
[01:04:40] allowing companies and organizations to
[01:04:42] go on the offensive. Uh and that is
[01:04:45] really a scary thing but also an
[01:04:47] interesting thing because it's like
[01:04:50] >> like what's your plan when you get
[01:04:51] punched? you want to be able to punch
[01:04:52] back. And some people say, you know, the
[01:04:54] best way to win a fight is to punch
[01:04:56] first.
[01:04:56] >> Uh that was a quote from one of my CEOs.
[01:04:58] I won't tell you which one. Um but like
[01:05:02] you you um you've got to uh be more
[01:05:06] proactive than just waiting until the
[01:05:07] ransomware starts to happen to you.
[01:05:09] >> Great. Thank you so much. Uh
[01:05:12] it's fantastic.
