When Spies Meet Startups with Admiral Mike Rogers and Nadav Zafrir

Get this all right hi hi everyone good Afternoon I hope lunch was good Um I'm really excited about this panel Um you know Mike you've spent a very Written note you're ready notes Um we've got a very long Um Career inside of you spent two decades In the Navy you spent five years at the NSA you've certainly it's been almost Four decades I used to have two presidents uh you Oversaw the NSA during you know a period Of heightened tensions between the US And some of the other nations in the World Um you're now a private citizen you are Working for teammates founded by nadav Zafria who is sat next to you hello Who used to run Israel's version of the NSA I'm delighted to have you both here So you know it's been a year since you Retired from the NSA you began working For teammates startup studio and a VC Firm for those who don't know although You should You must have had a lot of options post Government why did you choose teammate So for me I number one I was interested Just as I was in the military it's Probably What attracted me in the first Place I was interested in a mission that I cared about I wasn't interested in Doing something it was just about money

I was interested in doing something that I thought could generate better outcomes And so cyber security was an area it Wasn't just what I did in the government It's something I believed in and I Wanted to be involved in things that I Thought Could improve cyber security in the Private sector and on a global basis not Just here in the United States Um I love the people I love the model and The chance to work with nadav we did not Serve our respective jobs he the leader Of a unit 8200 the NSA equivalent in Israel me the director of NSA the unit 8200 equivalent if you will in the U.S We didn't overlap but I had known him by Reputation and because it's a small World out there in this area and I just Thought man I'd love to work with him so What was the driving force behind you Know working for teammate was it the Startups was it the relationship that You had It's number one the model it's the idea That teammates an organization that Wants to focus on hard cyber security Challenges that if we can solve them Will make a significant difference so That was number one number two I liked The fact that because this is something I used to say in government I would say Look it is great to develop technology

But if we can't actually apply this in a Meaningful way we're spending a lot of Money for no purpose it's about how do We get to outcomes and the outcome isn't Just the development of the technology It's the application of this and I like The fact that the teammate model was all About hey we create companies to Actually help this technology this Approach that we create we then actually Build a structure to actually implement It and execute it I like that idea so You did get a little bit of flack from Some NSA colleagues for joining us Tensibly a foreign firm you know well What do you say to that that criticism Compliant with the law in fact so Anything you do with the form I actually Had to get permission ahead of time so I Went to the government said hey look you Know this is an option for me want to Make sure there's no issues so always Get it reviewed Um secondly my comment would be so let Me understand this you have a problem With me working with one of our closest Allies in the world that's not the world I live in my attitude is if we can't Think more globally if we can't work With Partners we cannot solve problems If you think the answer is Well America is in cyber security well The United States is going to do it all By itself that has not been my

Experience I find that to be a very Narrow Viewpoint and for those who don't Know obviously the relationship between The US and Israel in terms of Intelligence sharing and collaboration Is very close Um so how did you to me if you didn't Have any overlap come back all that uses How did you team meet Well you know the Admiral is a Good-looking gentleman and uh You know we we uh again just like uh Just like Mike said uh we we knew each Other by reputation so uh uh my uh Successors worked very closely with Mike And had just the most wonderful things To say about him Um and so when I heard that Mike was uh Retiring I thought you know in terms of really Thinking big thoughts in terms of really Understanding the fundamental fragility Of the world that we live in Um this is a team sport and what Teammate does is brings together Perspectives right so perspectives could Be the retail perspective from Walmart Aviation from Airbus insurance from Unicory Etc Um but that's not enough you need Industry perspective you need public Perspective you need the attacker's Perspective you need the government's Perspective because if you want to

Unders you don't solve big problems you First of all have to understand these Problems and there's really no one Better than Mike to be sort of a Lighthouse to understand not just what The how why we're fragile today but why Are we going to be a little bit more Fragile two years from now so tell me a Little bit more about about this and What Mike brings to the table and to the Company let's not talk about Mike There's more interesting things out There no I know but I'm interested you Know what what does what does matching Bring to the table with experience and So on You know it's uh uh first of all it's The it's the experience it's the Leadership it's the uh um I'll give you An example we were we were in Tel Aviv a Couple of months ago yeah Um talking to uh csos from about a Hundred of the leading Enterprise uh Around the world about 50 from the US uh Um the rest coming from Latin America Europe Asia and uh what might talk to Them about is you know what does it look Like when you're in a real crisis You know what does it take if you're a CSO uh um to understand the problem to Overcome it to explain it to your Seniors what is a decision-making Process that comes with that uh that's The kind of experience that in the past

Leaders at Enterprise did not have or Did not didn't have to uh to get exposed To but you think about what's happening Today some of the most Important infrastructures that make us As a civilizations are not in the hands Of government like they were in the 20th Century they're the in the hands of Private Industry all the way from the The data the utilities and you know data Doesn't understand geography so trying To so thinking about where a company is Founded is not the question that you Should ask yourself the question that You should ask yourself is do they Understand the challenge do they have The right Scruples do they have do they Share a common ethical infrastructure And if the answer is yes please work With them so you have seven companies in Teammate right now is that right right And so tell me a little bit more about These these you know the comment is that That you have the challenges they're Trying to solve Sure so you know I'll tell you about a Couple right so Um let's start with the physical world That surrounds us right uh um you know Let's all face it if the lights go out Right now Um and we find out uh in a couple of Hours or in a couple of weeks that That's happened because of some kind of

Cyber uh Distortion to the to the local Utility nobody in this room is going to Be extremely surprised right because What's happening is that we're getting Convergence between the physical world And the virtual world and we're getting Convergence between Two different environments that honestly Were never meant to be converged in this Case the internet Um and Legacy environments in the real Physical worlds and utilities Um and so for example that's one thing That we're very concerned about Uh and one of the companies that we Started which is Clarity has the ability To visualize into a very very detailed Manner every black box in every physical Infrastructure so that now you can Connect it to the rest of the world to The iot to the internet but you can do It safely securely optimize everything These are the kind this is one thing That we're very very uh working very Closely in fact Galena one of our Founders is in a crowd Here and they started a tremendous Company that is now literally deployed Around uh you know every continent in The world every industry in the world Making it safer more secure but also Able to be able to modernize it connect It to the rest of the world So one of the things you have the iot

Industrial Control Systems uh companies Focus on privacy Um I'm only you know privacy is is a big Thing these days end-to-end encryption Is is on the rise it's almost ubiquitous As on most messaging apps um With your experience at the NSA how Difficult is the na says is the nsa's Job with the rise of end-to-end Encryption I mean it certainly makes from a Technical perspective it certainly makes Access potentially more challenging You know for us as a foreign Intelligence organization operating when We're doing our mission outside the United States there's things that we can Do where you can think beyond the Encryption you can think a little bit More broadly when you're thinking about Penetration and how you access So that uh you know gives us some Options I thought the bigger challenge Was more wasn't for us and our mission So much But for our law enforcement teammates When I was in the government You know after the local sheriff if You're a State Trooper if you're the FBI And you don't know the technical means To access devices or information that May contain insights criminal activity Exploitation of Youth drugs kidnapping

Application of violence you know how do We as a society and this is something That all of us should be concerned about This shouldn't be the government Unilaterally deciding it you don't want An Intel person or a law enforcement Person deciding this I would also argue No disrespect to the audience but I Don't want the technology I don't want The Tech Community citing this Unilaterally my view is we need to have A conversation as a society About what are we comfortable with with Respect to privacy and securing the Rights of the individual and their the Data associated with them As well as the broader also an Imperative how do we ensure the security And safety of our citizens yeah Right now there seems to be a deadlock Between the tech companies in Silicon Valley and law enforcement and the Intelligence agencies and and the US Government especially when it comes to Encryption and privacy you know there is This deadlock you know is there any way To break that deadline would it require Legislation well my attitude always was Be leery of directing something from the Government not that government doesn't Have an important role but I think just Historically in general we don't always Get that right When I was in government the argument I

Tried to make was can't we do some very Simple coordination between the private Sector and the government and take a Look at what's in the range of the Options because I thought there were two Questions number one is what can we do What's in the realm of the possible And the more important conversation Though was well what should we do Because those aren't always synonymous And one is a very technical kind of Focused discussion the other is much More about ethics morality legal Framework what are we comfortable with What's going to reflect our culture Our Heritage our structure as a nation and The things we value those have all got To be part of this it just can't be well In the name of security we should be Able to access anything anywhere at any Time unilaterally I don't buy that I Mean and I was an Intel professional for 37 years I I didn't buy that yeah Um so teammate is is obviously doing Very well right now you've got um you Know for the security startups in the Audience Where should they be focusing their Energies you know what are the biggest Opportunities Yeah so you know I I think we're we're Moving from protecting the existing Infrastructure to trying to think about Uh on what the what's the world going to

Look like in a few years and so if you Think about privacy for example right uh I think there are three layers that we Should think about if we are going to Make good things happen because when you We speak about cyber we're usually Focused on the really terrible things That may happen uh we don't put enough Emphasis on the really good things that May not happen because uh regulation is Not moving fast enough because Culturally we're not moving fast enough Fast enough because we're finding Ourselves in really bad dilemmas and Conundrums between using the data and Infringing privacy so you know one of The things that we're working on right Now on the technology level Um is introducing New Concept in Mathematics that will enable us to do Both right that is to encrypt data but Still use computation unencrypted data So there's a very smart lady on that uh Her name is Shafi goldwasser she got the Touring prize uh for this uh for the Theory around multi-party computation That literally allows you to take data Encrypt it and run computation on Encrypted data so apropos Government and private for the first Time in the UK we've introduced this as A practical software which allows law Enforcement to shorten the times it Takes to do investigations for serious

Crime anti-money laundering Etc Encrypting their queries so there's no Privacy issues querying the data Lakes Of Banks and other financial services Without actually seeing their data Dramatically shortening the time that it Takes to actually find uh these people Without any privacy issues and so It's always the layers right there's a Cultural layer as Mike said what do we Think about this as a society then there Is the regulator level and I think the Regulator has to move from being Prescriptive to being descriptive Because by the time you prescribe Something as a regulator You know it's always based on best Practices the problem with cyber and and Is that it's moving so fast that by the Time something becomes the best tracks It's obsolete so you have to be you have To be descriptive not prescriptive and Then the layer of the technology is Where we want to come in and bring Fundamental changes Um so Duality which is doing homomorphic Encryption led by uh Professor Shafi Goldwasser and other professors is one Example but there are others we're also Doing uh uh using multi-partial Computation to access blockchain without Using uh uh a key at all uh the company Is called Curve The idea is

Here's how we're protecting the stuff That's already out there here is how we Enable the future uh with using Fundamentally change fundamentally uh Transcending technologies that allow us Not to be in this dilemma uh all the Time can I make one comment sure one Thing I would say to any startup Please think about security as a core Aspect of whatever it is that you are Developing or producing so whether or Not you're a Securities dancer right Right because one of the things that Always a mate look we both ran Organizations in defending their Respective Nations Penetrated networks for living and you Can always tell systems in which Security is a bolt-on that was added After it was written And there are always access potential Access points I I one thing I try to say Organizations is look you can't view Cyber security as an afterthought you Need just as you are always asking Yourself so what's the user interface What's the user experience going to be Like I would argue you also be saying to Yourself so even as I'm optimizing that User experience even as I'm focused on It being the achieving the most Effective efficient way of executing Whatever it is I'm trying to generate Can't you also say to yourself and how

Do I do that within the most reasonable And responsible security framework that I can develop but that part of the Equation is often missing early in the Cycle when it comes to development of Organizations and capabilities you Mentioned you know obviously the NSA Does a lot of an offensive security Works essentially you know hacking into You Know The Enemy Um and now you're working on you know With startups focus on privacy security And defensive measures Um how do you reconcile the two you kind Of go from one you know career to almost It seems like the polar opposite well Remember when I was a director of NSA And the commander of cyber command I not Only worked the offensive side but I Worked the defensive side so the Commander cyber come in for example Responsible for the defense of all DOD Networks data weapon systems and Platforms from cyber perspective also Tasked with applying DOD Department of Defense capability to support critical Infrastructure in the private sector Against cyber activity from non-us Entities so there was always I've done Every bit as much defensive stuff if not More NSA we develop all the encryption For the mathematical algorithms to the Actual production and distribution to Include the football for the president

Etc every missile silo every B-52 with Nuclear weapons so I've worked the been Part of teams that worked the encryption Piece so I was very fortunate my Previous life I've been able to look at This from a kind of tactical day-to-day Execution how do you defend how do you How do you penetrate I've been able to Be part of broader policy discussions About okay so how do we translate this To policy outcomes I was very fortunate And got to spend a lot of time in the Private sector between you know up in New York as well as here in the valley So how can we partner together better so I always try to remind people look I got At the offensive pieces the sexy stuff Secondly one of the things for me that Was a red line was I will not Participate in any private sector Offensive activity that to me should be Retained under the control of the Nation-state obviously there's this Notion of hacking back as well which is Private commercial issue recently so now The challenge with hacking that Challenge part of hacking back is so First it's how you define it I have seen Some people describe this from what I Would consider pretty escalatory Offensive Acts to fairly benign hey look I'm just trying to make sure I can force Stall what they're doing and there's a Wide spectrum there in general

Um and I I can remember saying this in The White House situation room with the Leadership many times Um as an individual who was part of Teams that were tasked with securing and Defending you know the analogy I used to Use with them was look I know sometimes You look at me as the hey you're leading The teams that are helping I wasn't the Only one and the dod wasn't the only Organization but hey you're part of this Broader government effort to secure Cyber What about hackbacks and my comment Would be look I already feel on most Days like it's the wild west and myself And the team I'm a part of We're the Sheriff on the street I said the last Thing in my opinion that you want is More people running on the street with Guns that this isn't the answer I was Also concerned about so how comfortable Are we with precision and attribution Because if you don't get the attribution Right you get massive second and third Order effects from a liability Perspective I'm not a lawyer but one of The conversations I've had with general Counsels of large Companies to small companies is so if You go down the hackback road and you Incur second and third order effects What's the legal liability for you Um and most lawyers will look at you and

Go well that it potentially is pretty Significant just in general to me my Attitude is I certainly would not go Offensive so while I have you two on Stage I mean you both have seen all Kinds of hacks and and activity over the Years Um what do you two do to to keep safe And secure Let the job hey you go first and I'll Give you an opinion you know Under It's I think there's a generational uh Gap so my generation you know we grew up Where Everything was private and you decide What you want to publicize right what do You want to publish and we're almost In a situation today where it's the Opposite you know everything is public But you can still choose what you want To keep private and I think this Generation uh um you know Millennials And Beyond I think there's going to be a Backlash back to privacy and I think the World in which we traded our data and Privacy for convenience That party is about to end I think the Music is Subsiding I don't think that's going to Be the future I think in the future We'll see a backlash back to privacy I Think people value their privacy I think It's a it's a fundamental right that we

Have Um and in that sense I think the key Word is Trust So you know we came from a world where We knew each other we grew up together We had coffee we talked so we got trust And then the world got connected and so We said ah we trust but we need to trust But verify and then the world became Hyper connected and we said ah now we Are going for zero trust and zero trust Sounds very appealing but it's also very Costly and so I think uh where we should Go is beyond trust Beyond trust meaning The stakes have to be at a position Where we're able to collaborate without The high price of zero trust and that's This kind of stuff that we're trying to Do with homomorphic version of The Duality with NPC with curve uh going Forward creating that infrastructure That takes us Beyond Trust Admiral you we only have a minute left On the clock you know you spend five Years at the NSA during a pretty you Know Money Changes interesting time Interesting times let's say let's say Um you oversaw the NSA during the Aftermath of the Slowdown disclosures There were multiple leaks there was the Uh the exposure of the nsa's prized Hacking tools by The Show by the shadow Brokers

What is your biggest regret I'll be honest I have very few if any I Feel more Pride than anything else I got To work with incredibly motivated men And women doing something that mattered Within a legal framework that will be Fully supported and in so doing we Created increased security for the Citizens and our friends and allies and Do you think NSA is loved every day of That and I would do it all again in a Heartbeat and do you think NSA is ready To continue with its mission for the Next five years ten years given the Issues that we're facing with encryption And privacy and so on today yeah I mean There's oh look there's always been Challenges hell I can remember In the late 90s when we were going from Radio frequency based Communications to The world of the network and I can Remember at the time was the executive Assistant to the senior kind of signals Intelligence officer in the Navy and he Was having a discussion with the Director of NSA and the director was Telling them oh man things are terrible You know we're going to lose access We're not going to be able to do some Things we used to do and my attitude is Look you look at these motivated men and Women you look at their focus you look At their commitment you look at the Level of support that this nation that

Citizens the money the legal framework That we've created to try to make sure We strike a balance and that we're Mindful that we are operating as Intelligence Professionals in a Democracy This isn't the authoritarian states of My counterparts in Beijing or Moscow Where I would look at what they would do And I'd go and we not only couldn't do That I would never do that that would Never work within this legal framework And the fundamental idea of the rights Of the individual hey we couldn't Operate I wouldn't operate like that Um bottom line is I'm I always tend to Be a positive individual look motivated Men and women can take heart problems And they'll do well and there are such Motivated men and women on those teams That and I say it it's cyber command I Was very fortunate to be a part of it I Was very fortunate to get to work with Teammates like 8200 in Tel Aviv and in Other places around the world to try to Address problems that you know if we Didn't solve them or if we didn't Improve our ability we were going to see Men and women die you don't ever forget That in the job that's all the time we Have thank you thanks for the time thank You thank you thanks you guys Thank you so much gentlemen appreciate It