Over the last ten years, Dmitri Alperovitch had a front-row seat to some of the biggest cybersecurity incidents and investigations, including the 2014 Sony Pictures hack attributed to North Korea and the 2015 and 2016 data breach involving the Democratic National Committee, which was carried out by Russian government hackers.
It was a little surprising, then, when Alperovitch left his position last year as chief technology officer of CrowdStrike—a company he co-founded in 2011 that now has a market capitalization of more than $42 billion—to launch a type of organization that normally sits on the sidelines: a think tank.
“I’ve been involved in lots of think tanks over the years and was always frustrated that they’re amazing people with great ideas, they just never go anywhere,” Alperovitch told The Record in an interview this week. But his new venture, which was officially unveiled in the last month, is all about getting things done.
Although Alperovitch has some big ideas for the government—like reorganizing the Cybersecurity and Infrastructure Security Agency to play the role of federal CISO, and tracking large cryptocurrency payments to disrupt ransomware actors—he’s planning to focus on areas that are ripe for action. For example, mandatory breach reporting isn’t on the top of his list, “but the window is open. Let’s try to get something done,” he said. The conversation below has been lightly edited for clarity:
The Record: What can you tell us about your newly-unveiled nonprofit?
Dmitri Alperovitch: Our policy accelerator’s goal is to promote American and broader Western competitiveness and prosperity as we’re entering this new era of great power competition—the rise of China—which is presenting tremendous challenges to us on the military and economic fronts. And we specifically picked three areas that we want to accelerate policy: cybersecurity, which is obviously my area of expertise, and also trade industrial security and what we’re calling ECOSOC, which is the intersection of environmental, ecological, and economic security.
We have experts, including our executive director and co-chair who are experts in those areas. And when you think about all three of those pillars, they all are in some ways related. You may think of them as different, but in the context of our challenges with China, challenges with great powers like Russia, we continuously face against all three of those. The concept behind Silverado was that you have a lot of people both within the Beltway here in D.C., as well as many outside of D.C. who have really interesting, innovative ideas of how to address each of those challenges. But they rarely have an opportunity to actually get those ideas implemented. On occasion, depending on their level, they may be called to testify, they may write a report or participate in some commission, but almost never do those things actually go anywhere, because what you need in D.C. more than anything else is two things: One, sustaining power behind a particular idea, but also an appreciation for the so-called Overton window, which is when a certain political idea can actually move forward. Every cycle you have certain things that become a priority for one side or the other in the political sphere or in the case of many of our issues right now, both. Both parties at the moment realize that China is a strategic competitor, we need a solution to China. So both on cyber as a result of SolarWinds and the Exchange hacks, there is tremendous momentum to get something passed.
And in legislation, the administration is working on a whole slew of executive orders on trade and environment. Obviously, there’s a lot of momentum there as well. So you want to appreciate when there’s an opportunity to do something and work with policymakers to actually hopefully make sure that whatever that something is, that it’s actually beneficial to the country. And as a nonprofit that doesn’t have a commercial stake, that is all about focusing on how do we really improve American competitiveness, we’re finding amazing reception on both sides of the aisle, both in Congress and administration, for people just trying to tap into our capabilities, trying to tap into our connections, to get educated on these issues and to think through what actually needs to be done. So even though we launched less than a month ago, we already had fantastic engagements and fantastic success on those issues and trying to help shape what the next policy looks like.
In many ways, what we’re doing, if there is sort of one phrase I can use to describe it, it’s a venture capital approach for policy ideas. So we are looking for the best ideas out there, not just our own, but more importantly, tapping into experts all over the country and working with them to hone those ideas, to think about the way you can actually get them done. And it’s one thing to have a high-level idea of “government should do X.” Well, the details matter. Who in the government? With what authority? Is this legislation? Is this an executive order? Does someone else need to be involved? Who would stand in the way of that? How do you get around those objections? All those details that actually need to happen to get policy moving. Someone has to do it, and very rarely is it going to be the ideas person doing that. So that’s what we’re here to do.
TR: What have been the biggest differences and similarities between starting a nonprofit like Silverado and a business like CrowdStrike?
DA: Obviously, this is not a commercial venture. We’re not raising funds from venture capitalists. So in that sense, it’s different. But you still are trying to recruit the best talent. You’re trying to get people with the best ideas. I’ve always believed that the way to succeed in any endeavor, whether it’s building a company, building a nonprofit, or building anything, really, is you’ve got to go after the best talent. So we’ve been able to really assemble an amazing team both internally within Silverado, but also our strategic counsel as co-chaired by General Petraeus, former director of CIA, former head of Central Command, and Prime Minister of Australia Malcolm Turnbull. Again the allied component is really important to us. How do we think about this not just as a U.S. problem, but as something that we can work together with allies? So hence Malcolm and a great team of folks really from both Republican and Democratic sides that are experts in their individual areas, national security experts, trade experts, obviously some cyber experts as well, and environmental experts.
So that’s always been the tenor from which I start, regardless of which one should I go about doing. And then in some ways, I do think of Silverado as CrowdStrike 2.0. When I started CrowdStrike, I was really passionate about solving the problem of the nation state threat. That was when we saw the emergence of Chinese espionage, Russia was doing some stuff, and later Iran and North Korea would become a threat. Over 10 years ago, I was at McAfee unveiling some of these early groundbreaking reports—Shady RAT, Operation Aurora Against Google, Night Dragon. And it was amazing to me that no one in security was really focused on this issue of how do we identify these groups, how do we attribute them? Now, you’ve got companies like Recorded Future, FireEye and others that are doing that also. But at the time you had no one who wanted to talk about what was going on publicly. And I wanted to create a company that would try to tackle this problem from a technology perspective, from an intelligence perspective, in terms of unveiling operations by these nation states. And I think we were largely successful at a minimum of changing the conversation and pushing the government to be more open, where now you’ve got indictments coming out on various threat actors on an almost daily basis—an amazing sea change.
I’ve always thought that a really important component of actually fully solving the problem has to involve the government, and has to involve policy. Obviously, I couldn’t do that within the constraints of a commercial venture. I always wanted someday to have the opportunity to do that from a nonprofit angle. I’ve been involved in lots of think tanks over the years and was always frustrated that they’re amazing people with great ideas, they just never go anywhere. And when I started sort of analyzing why that may be, a lot of it is structural. A lot of it is people not actually wanting to get into the nitty gritty policy details, some because they don’t want to lose their nonprofit status, others because of who their funders are. And as a result, you have reports coming out left and right from think tanks in this town that are almost never read. And to the extent that they’re read, they’re put on the shelf and are collecting dust and not actually used as a way to move those ideas forward.
So we wanted to do something where we’re actually helping policymakers, both executive branch and legislative branch, push those ideas forward or at least take their initiatives and help shape them in a way that is most helpful to America.
TR: When you talk about challenges that other think tanks may face, like potentially losing their nonprofit status by getting too involved in politics, is that something you’re going to have to be careful about?
DA: It’s not even politics, because we’re working on a bipartisan basis. Everything we do, we try to find bipartisan consensus, which is still very important because it’s still a very divided country, a very divided Congress, 50-50 in the Senate. What they don’t want to do is be seen as too involved in legislative language and other things like that. I understand why organizationally they have a hard time doing that.
But it’s critical, right? You’re not going to get anywhere with high-level ideas. If you ever want to get something done, whether it’s policy or something else, you’ve got to roll up your sleeves and get into the details. And that’s what very, very few folks are doing. I don’t want to say no one, I know there are some organizations that do that in different areas, but we need more of that.
TR: Is there a story behind the name Silverado?
DA: Yeah, there is! It’s named after the Silverado Trail in Napa, which is one of my favorite places and is going to be actually a place where, post pandemic, we will have our annual event. I think few people would refuse an invitation to Napa, so that was part of the concept. But the other big part is I’ve always found that wine helps to lubricate conversations and bring people together more than anything else. And the way you grow wine is in many ways similar to the way you grow policy ideas. You cultivate them, you protect them and help them grow and ultimately produce an amazing fruit that goes into great wine. So we’re in some ways trying to model that at a conceptual level. But also wine is a key part of all our events. We have had a number of private events, so far obviously virtual. We shipped everyone wine and did a great wine tasting before the conversation. And we always found that that really opens people up and helps generate fantastic discussions.
TR: Can you talk more about the venture component of Silverado—what kinds of ideas are you hoping to fund? What kind of founders are you looking for?
DA: It really is across the board. And we’re considering doing an ideas competition where people can submit ideas to us and we can judge which ones are best and move those into the acceleration process. But it’s really anyone from the think tank world that is already working on some of those high-level ideas. We want to work with them to get to the details of how do you actually get this done. You are almost never going to get one omnibus bill passed that is going to just change everything. So you think about it in an incremental fashion, how do you create the right incentives to bring Republicans on board, to have Democrats care about this issue.
So we’re doing that, working with people in industry, working with people in academia. No one has a monopoly on ideas. We are shameless about working with anyone that has great ideas and helping to move those ideas forward. And the only thing that’s sort of a prerequisite for us is we don’t want to tilt at windmills. There may be great ideas out there that just have zero political momentum. And carrying that boulder uphill is just not going to work.
We need to look at things that are within that window of when something can get done. And within that window, sometimes we find ourselves having to work really, really fast because some bill is going to pass or an executive order can be issued within weeks. And if you want to provide input into that and make sure that it does very helpful things, you know, you can’t wait a year.
TR: Can you give an example of something that might be a good idea but just doesn’t have any legs?
DA: There’s all kinds of ideas right now on whether we should have a [National Transportation Safety Board] for cyber. There might be some merit to the idea. I just don’t see any political wherewithal right now to tackle creating a new government bureaucracy at a time when it’s already so high, at a time when dealing with liability issues for breaches is super high priority for folks like the Chamber of Commerce and others. And the challenge with NTSB is that NTSB arrives in the physical world on a scene when lots of people are dead usually, and no one sort of questions the need to investigate. In cyber things are never that stark, thankfully. And every breach involves sensitive information from companies that they may want to keep quiet, confidential. So working through those issues is just a massive landmine when you start thinking about how do you actually get it done. Maybe a great idea, but I just don’t see it moving along anytime soon, so that just doesn’t seem like something that is worth pursuing to us, at least at the moment.
But there are other things that are moving forward. I think with SolarWinds in particular, there is a huge push in Congress on both sides of the aisle around mandatory breach reporting. You have 50 states that have their own breach reporting requirements, and companies want to have one standard—not 50 different standards. Democrats and Republicans seem really, really interested in getting federal law that preempts it, particularly when everyone realizes now that if Kevin Mandia hadn’t done the courageous thing and come forward with his information, which his lawyers told him he didn’t have to do, we may not even know now that attack occurred [editor’s note: FireEye CEO Kevin Mandia published details about a breach impacting his company, which would later be understood to affect hundreds of other businesses and government agencies].
I’ve heard directly from senators saying this is really important. Well, yes, it is very important. But you need to think about the right way to do that. The problem with existing legislation, the 50 states and GDPR is it’s all focused on personally identifiable information. SolarWinds involved virtually no PII. So that doesn’t seem like the only standard that should be considered. And in some ways, focusing on what was taken is actually less important than focusing on how it was done. Understanding the tradecraft that was used, understanding that it was SolarWinds and other vendors who were compromised as part of the supply chain attack—that seems more relevant than the exact company that was targeted, to be honest with you. So how do you incentivize and mandate sharing of that information? Those are the types of things we’re trying to work through.
TR: I feel like every year policymakers talk about the need for a national data breach notification law. What makes you think that it’s going to be any different?
DA: I’ve never seen as much of a push behind this idea as I’m seeing right now, post SolarWinds. I’ve had people in power tell me that this is going to be one of the top priorities. It doesn’t mean it’s going to be done, but at least there’s a big opportunity. Administration really cares about it. Senate, House, they all care about it. They want to see a win. They want to be seen as doing something post SolarWinds.
For me, it’s important to figure out how do you channel that energy and make sure that it’s something actually impactful and not just another bill that gets passed that does nothing. And just to be clear, I think that mandatory breach reporting is important, but I don’t think it solves every problem. So would it be on my top list of things to do? Probably not. But the window is open. Let’s try to get something done.
TR: What ideas are on the top of your list? Even moonshots that might never make it into policy.
DA: I just testified about this on the Hill in front of the House Homeland Security Committee. I think you need to break this up into a few different areas. First and foremost, this has been a big frustration of mine, which is that the government is spending all this time thinking about how we can protect the private sector. At the same time, they have worse security in the government than virtually anywhere in the private sector. They’re literally living in a glass house, throwing stones, and the first responsibility of the government is actually to protect itself. The things that we’re paying taxpayer money for them to do, they’re actually completely not doing. So I think there needs to be a reorganization.
I think we have CISA as a cyber security agency in many ways, but a cyber security agency in name only, because right now it’s a guidance agency. It’s able to advise, it’s able to, in some cases, order agencies to do things at the margin. But it has no operational role. We need to change that. We need to make CISA the CISO of the federal government where it will actually protect most of the civilian agencies out there in the same way that we’re starting to give that role to Cyber Command on the DoD side. CISA needs to be the civilian counterpart. And we’ve made some progress—I was involved with a push with the Solarium Commission in last year’s defense authorization bill to give CISA authorities to hunt on federal networks even without permission of the federal agency. It’s a huge effort to get that done, it’s super important, but that’s only step one. How do we get into the model where CISA’s offering a variety of different cybersecurity services, where it can become a managed service provider for government agencies? And by the way, it’s not that CISA doesn’t have amazing capabilities right now. It has a lot of work to do to mature. But if you don’t give them a mission, if you don’t focus them, they’re never going to get there.
The people that are arguing that while CISA is incapable, NSA is much better—they’re right. But if we don’t give them a chance, they will never be capable. And turning over security operations to NSA is fraught with other political nonstarter problems. So that’s step number one. Step number two is ransomware. I actually think the world has changed since ten years ago when I was worried first and foremost about nation state threats. I’m still very worried about nation state threat. But the number one threat I think to our nation right now is ransomware, particularly impacting the driver of our economy, which is small businesses who are completely incapable of defending themselves against this. And there’s only one reason why ransomware works—it’s cryptocurrency. It’s no accident that ransomware really emerged as a major threat after the emergence of Bitcoin, because if you don’t have an anonymous way to pay a ransom, it just won’t work. As a criminal you can’t give your bank account information to the victim saying, please, wire me the money. Well, attribution is going to be very, very easy in that particular situation.
The Treasury Department is actually working towards this so-called KYC, know-your-customer, requirements for large cryptocurrency transfers. So in the same way that if you transfer more than $10,000 through the traditional banking system, boy, you’re going to find out that the bank wants to know the recipient and a bunch of information about you to abide by global anti money laundering and know-your-customer regulations. There’s no reason why we should not have the same requirements in cryptocurrency. I understand people are saying, well, I want the government to stay out of it. I want to pay anonymously. Yeah, but there’s broader issues at hand. And when criminals that are literally stealing billions of dollars in ransoms are using the system to undermine our economy, your desire for privacy in financial transactions, which is not a constitutional right, does not trump that.
TR: Wouldn’t that kind of rule only apply to exchanges that are based in the U.S., not ones operating in countries like Russia or China?
DA: Not necessarily, because the U.S. government has the power of sanctions and any exchange that doesn’t abide by those standards can be literally removed from the global financial system and would go out of business the next day.
TR: So reorganizing CISA’s role in the federal government and disrupting ransomware at its core—Is there anything else on the wish list?
DA: The third one is more of a framework. I’m a huge believer in metrics. The way we start getting the boards of directors and executives and companies understanding cyber is not by telling the nitty gritty technical details of attacks or how technologies work, but giving them a way to understand how well you’re doing as a company, as a government agency, in a very numeric and analytical fashion. I serve on a bunch of boards, and when I get a presentation from a head of sales for a company, I don’t need to know the details of their sales strategy, go to market strategy, the people that they have to know. Whether they made their numbers or not for that quarter, it’s pretty black and white. If the target was a hundred million and you’re below that, it’s pretty stark—we need something like that in cyber for boards.
There’s been a big push in the last few years to say we need cyber experts on boards, and as a board member at a bunch of companies I think that’s nonsense because as important as cyber is, it’s maybe one percent of the conversation that takes place in the board—the rest is business strategy, company strategy, etc. So if you’re bringing a cyber expert onto the board that doesn’t participate in 99% of the discussion or is not able to contribute value to that, you’re not doing the company any good. So it’s really important that we take the people that we have on the board and give them a way to understand how well you’re doing.
To me, it’s always been about speed. The only way you win in cyber is by being faster than the adversary. So a number of years ago, I proposed this set of metrics where you measure your time to detect an incident, time to investigate, and time to remediate it. There could be other speed-based metrics like time to patch, for example, that you can add on to that. But the point is, if you start tracking those every quarter, start reporting to the board, the board can now look at this and say how are we doing compared to our peers? And even more importantly, how are we doing compared to last quarter? If it took you 15 days to identify and remediate a breach this quarter, but next quarter it’s 25 and a quarter after that it’s 50… You don’t need to be a cyber expert to know things are going in the wrong direction. It allows you to demand accountability and potentially replace the people in charge, give them more money, whatever the right answers may be. Ultimately, it’s not the job of the board member to figure out the solution. It’s the job of the board member to hold people accountable who are responsible for coming up with a solution. And that’s where we need to get to.