Cybersecurity investor Ted Schlein: ‘I think the whole landscape needs to be completely rethought’
As someone who has been in the cybersecurity business for three decades, it might come as a surprise that Ted Schlein wants to tear up a lot of it.
Schlein, a 25-year veteran of the venture capital giant Kleiner Perkins, thinks both the government and private sector need to embrace radical change to stay competitive in cybersecurity. Companies are too dependent on outdated technologies and practices, like passwords and signature-based detection tools, Schlein says. Organizations and developers must adopt new technologies if they’re going to defend against new threats like deepfakes and SolarWinds-style attacks.
Schlein, who joined Kleiner Perkins in 1996 after helping build Symantec into a cybersecurity behemoth, has also been a long-time advocate for reorganizing the federal government’s approach to cybersecurity. Recent incidents have illustrated how urgent the problem has become, he said.
“The way the U.S. government is organized makes it very difficult to defend the country, its corporations, and its citizens from cyberattacks…,” Schlein said. “We have designed a bureaucratic, decentralized infrastructure because it’s sort of what we do. It’s our core competency. And we applied it against cyber, which takes place in milliseconds. That won’t work!”
The Record spoke with Schlein recently about the state of cybersecurity entrepreneurship, why investors must have a “responsibility quotient,” and what changes he wants to see the Biden administration take on cybersecurity. The conversation below has been lightly edited for clarity.
The Record: What emerging technologies are you most bullish on? What kinds of companies do you think are most ripe to change the cybersecurity landscape?
Ted Schlein: I’ll start at a high level and then drill down to actually answer your question. I think the whole landscape needs to be completely rethought. I’ve been in the cyber world now for about 35 years, so I’ve kind of seen everything. I’ve seen it grow up from nothing to to where we are today. And I would argue a lot of what we’ve done in the cyber world has been incremental: We’re going to tighten the access to ports a little bit better. We’re going to look at IP packets with a different kind of eye on it.
We have to rethink things that we took for granted if we’re going to protect ourselves going forward. This might sound like old news now, but we still live in a signature-based world—we still look for bad signatures, and I think we all realize that it just doesn’t work. When it comes to network protection now and into the future, it’s definitely going to be about data analytics and who applies the best behavioral models, A.I., and machine learning to traffic flows and network flows and event flows. It’s not going to be making a better SIEM [security information and event management tools]. It’s not going to be making a better IDS [intrusion detection system] or a better firewall. It just has to be remade.
The concept of the software development lifecycle—I fortified software like 100 years ago when it was a brand new concept, and the thinking was: “We’re engineers, what do we care about security right now?” It’s kind of seeped into how we develop. People have to have an eye towards security as they’re building things. I think it’s got to be embedded in everything that we do. A really good engineer now is one who is a really good engineer who also builds safe code. You can’t separate those two things. I’ve always fundamentally believed that security is an engineering problem, not an operational problem. And as an industry, we’ve continued to build stuff and throw it all over the wall and tell operations how to figure out how to secure it—that won’t scale anymore
So making sure that security is built into software development from day one is important, and then we also have to go after core things that we’ve always taken for granted. Think for a second about how idiotic the concept of passwords are. What are most of the breaches today? Credentials. The bad guys don’t have to do that much work. You don’t have to always come up with something as sophisticated as the SolarWinds breach and plan it out for months and months. I’m just going to steal your username and password and then I’ll get in and do what I want. We’ve got to get rid of static attack vectors.
I think as cybersecurity practitioners, we have to challenge ourselves to invert how we think about what we do and be receptive to new technologies and new ways to architect and build software and protect our networks unlike any way that we’ve done it before. Otherwise it’s just too hard to keep up with the bad guys. They’re so well funded now and they have a lot of time on their hands. If it’s a nation state you’re battling… [throws hands up] good luck! You’ve got to constantly change the rules of the game, and I think now’s the time to do that. So to answer your question, it’s those technologies that are challenging the norm that are the most interesting to me.
TR: What’s going to motivate that change? At what point will people stop thinking incrementally and start rethinking the whole problem?
TS: You know, we are an industry, a country, a people that seems to react to really bad things. That’s what makes us change. I think the SolarWinds breach kind of wakes you up, the Microsoft Exchange breaches are waking people up. They’re pretty serious. When you’re talking about tens of thousands of different companies potentially being breached and what that means and what damages take place, that tends to get people’s attention.
Think for a second about how idiotic the concept of passwords are.”
I used to say a long time ago—I think I probably borrowed this from my friend Kevin Mandia—that there’s only two kinds of entities in the world, companies that have been breached and know it and companies that have been breached and don’t know it. And this is just waking everyone up that it’s actually true. It’s not just a throwaway phrase. As cyber practitioners, we’ve always been tasked with prevention. We’re going to prevent a breach from happening. Well, as I said earlier, if it’s a nation state that wants in, guess what? They’re probably coming in. If it’s a well-funded set of criminals, there’s a good chance that they’re going to get in.
So again, we have to rethink this. It’s really not about prevention. It’s about detection, containment, and remediation. How fast can you do that to limit damages, and what technologies are going to be necessary to make that happen? I’m talking about milliseconds. If you think about how long a breach sits inside a network before it’s detected, it used to be something like 140 days. Maybe we’ve cut it in half. Whoopie! They’re only in my place for a couple of months. There’s a lot of innovation and work that needs to go into bringing that number down.
TR: What do you think will replace passwords?
TS: There’s now a bunch of new passwordless systems popping up that allow you to authenticate with no passwords. It’s got to be multifactor authentication, it can’t use static credentials. What do I mean by static? Once I know it, I can use it.
I think you can register devices. I think you could register ways to contact those devices. I think you could use the cameras on your phone to scan QR codes and then send a message via some secure message tunnel to ask if it’s you logging on. I think there’s just a lot of innovative ways you could do this without having credentials. And I just want to spur entrepreneurs to think about these creative ways. I’m talking about 100% passwordless from the day that you walk in and log on to your computer. And I think you’ve got to do it in an amazingly frictionless way.
I can tell you one thing I’ve learned after 35 years of doing cybersecurity: consumers and employees (although they have a little less say in it) all want to be more secure unless they actually have to do something about it. Think about fingerprint chips. We had a way to use fingerprints on laptops for a long time. I remember the IBMs had it. But no one used it. Why did it finally take off? Because Apple said if you want to turn on your iPhone easily, you’re going to have to use your finger to do it.
Now, with all that said, if I am a security practitioner in an organization, I would spend a lot of time educating my fellow management—I spend a lot of time talking to boards of directors about security, mostly to give the CEO some air cover. And the thing I always talk about is all systems in your company are not created equal, so don’t treat them equally. Some of them are truly mission critical, meaning that if it goes down, if it gets hacked, if it gets compromised, if it gets ransomware on it, you’re screwed. All right! Focus on those. Segment them, and make it a pain in the ass to log on to them. Most of the other systems you can tone it down a bit, make it easier.
There’s a lot of really cool technology coming around in how to segment the networks in a much smarter manner, and I think that’s key. As I said, security has to be built in from the beginning. When it’s an add on, I think that’s where all the seams come from.
TR: How do you characterize the stage that we’re in with cyber investing? Is it a great time to start a cybersecurity company or are we in a bubble?
TS: You know, some version of that question has been asked of me over the last 35 years, and I would make the argument that it’s always been a great time to be starting a company in this field. I’ve been an operator for 10 years of it and I’ve been an investor for 25 years of it, and every change in architecture, every new area of technology we move into ends up opening new attack vectors, new methodologies, new things to protect, and new opportunities. I like to say that a network or a system’s security is inversely proportional to the number of nodes on that network, the number of applications on that network, the number of users on that network. The last wave was about mobility, the current wave is about IoT. I think it’s a great time to be starting a cybersecurity company—there’s plenty of capital for it, and I think there will be more. I think CISO’s budgets will only get bigger, not smaller. I think consumer awareness is going up more and more, and they want to protect themselves more and more. I think it’s a wonderful time to be a cybersecurity entrepreneur.
Security has to be built in from the beginning. When it’s an add on, I think that’s where all the seams come from.”
TR: Cybersecurity specialists are in extremely high demand right now—not just from technology firms, but from government agencies and other sectors that need to defend themselves. Do you think that competition for talent and the level of perks companies are offering could be a drain on cybersecurity entrepreneurship?
TS: If you’re an entrepreneur, you’re an entrepreneur, It means by definition you don’t really care about the perks—you care about your dream, you’re passionate about it, and you want to go make it happen. The fact that somebody is willing to pay you a big fat paycheck and have a latte machine in the office and all that is not why you’re an entrepreneur. You want to change the world. And there’s plenty of those folks that exist, and then there’s plenty of folks that it’s not their cup of tea, and that’s fine, too. Look, we need great cybersecurity people inside the Fortune 1000 companies, we need them in our government service, and we need a handful of them to be entrepreneurs who want to change the world. The vast majority of folks are going into corporate America or government service using their skills. But you need those few special folks that just want to take those talents and change the world. And I don’t think making them comfy is going to be the big issue.
TR: When I reported on startups for The Wall Street Journal, I would always ask venture capitalists if this is the right time for IPOs, acquisitions, or lying low. We’ve kind of seen that with Discord in recent weeks, when there were rumors that it would be bought by Microsoft but now might be eyeing going public…
TS: Yes—I would just say yes. The world of venture is an interesting one, and entrepreneurship goes in cycles. There are times where we have down cycles and liquidity is far and few between, and there’s up cycles where there’s quite a bit of liquidity. We’ve been in a pretty long up cycle, honestly, right now. You know, there used to be a time where very few cybersecurity companies made it to the public markets. I remember when I did ArcSight back in the early 2000s, it was one of the first cybersecurity IPOs in a long time. But since then we’ve had Palo Alto Networks, FireEye, Tenable, CrowdStrike… there’s been a bunch of others, but those were few and far between before. So I think you have the ability to build very large cyber companies and bring them public, but they’re also extremely lucrative to sell—you can see that some of the multiples that get paid for cybersecurity companies are pretty high. My advice to entrepreneurs is every situation is different, and you need to constantly take a look at what your status is, if somebody is willing to pay you a price today that’s probably more than what you’re going to be worth three or four years from now. You’ve got to think about it, and in today’s markets that’s very possible both via IPO or via acquisition.
TR: A lot of attention has been paid to cybersecurity startups that cross moral lines—perhaps they sell surveillance tools to questionable governments or use technology in a way that invades privacy. How do you deal with these issues as an investor?
TS: I think investors and entrepreneurs have a responsibility quotient. I’m a believer that just because we can build something doesn’t mean we should build it. Just because somebody might pay for it doesn’t mean we actually should sell it. I think you always want to have a level of responsibility as technologists and as investors of technology with where we’re focusing our time, energy, and money.
Sometimes things are built for one purpose and get repurposed for something completely different. That’s harder to deal with—you thought you were doing one thing, but somebody uses it in a completely different manner. That’s a little bit harder to navigate when it happens. But certainly the best intentions sometimes get turned around, and I think that happens in technology quite a bit. I could lead us to an area that I’m kind of fascinated by, which has been around deepfakes and misinformation—deepfakes being another form of misinformation, in a way. It’s basically just using our open systems and our open society against us. And that, to me, is some of the most insidious stuff that we’ve seen from a cyber practitioner standpoint in a long time, because it’s bad posing as good. It’s very hard to deal with and detect, and I’m kind of fascinated by it because of how hard it is to do. I’m fascinated by it because it has to be solved. Otherwise, I think it’s an assault on open democracy, and our open society in general. I’m not trying to be too dramatic about it, but I do think it is a huge threat to everything that we do.
There are ways we can try to prevent it. Asking who are you, are you really the person that should be posting this? Can you validate that? You could also do it around the propagation mechanism, which I’ve been talking about for a long time—the use of automation to propagate allows something false or true to be spread super fast, and so maybe automation shouldn’t be allowed to be used. And then there’s validation. Is it accurate or not? Is it true or not? I would like things to be marked as, “This is supposed to be a fact and it’s not,” or, “This is an opinion about something.” And and so the question is, can we come up with technology or systems that can in real time deal with this problem? You’re cruising the web, you’re looking at something and you want to know if it’s true or not. Is it really a video of Ted Schlein, cutting the head off of a puppy dog? No, and maybe it should show up in a red border or something.
We have designed a bureaucratic, decentralized infrastructure because it’s sort of what we do. It’s our core competency. And we applied it against cyber, which takes place in milliseconds. That won’t work!”
I think it’s a really, really technically hard problem to solve. I’ve spent a lot of time going to universities and talking to researchers who are working on this, and the ones who are enabling deepfakes are much further along than the ones that are trying to detect them. That’s the story about cybersecurity—it’s always a race between the two. And we’ve got to solve it.
TR: Around the 2016 election, you made the argument that we needed to create a cybersecurity department in the government. Now that we have a new administration, do you still think there’s the same need?
TS: I’ve made the point for probably over a decade that the way the U.S. government is organized makes it very difficult to defend the country, its corporations, and its citizens from cyberattacks. And so I proposed a consolidated agency—whether it’s cabinet level or something else doesn’t really matter. I think it gets more attention to say it needs to be cabinet level, and if nothing else, it’s then reporting to the president and therefore it shines a light on it.
I’m far more interested in the fact that we have these pockets of people, each with different authorities, allowed to and not allowed to do different things on our behalf. The best of the best in the U.S. on the cyber side is the NSA. They have to be really good by necessity—they’re a spy agency and their job is to spy on foreign entities and their teams are very good at doing that. But by authority, they can only do that outside the United States. We also have U.S. Cyber Command, which is a military command that executes offensive cyberattacks based on what the president and the director of NSA, who is also in charge of Cyber Command, decide. Again, they focus on foreign entities. You have the FBI, which has a great cyber group that’s very good at law enforcement, usually doing forensics and tracking things down. Each of the military groups have their own cyber unit—Army, Navy, Air Force. Then you have CISA, which reports to the Department of Homeland Security, and they’re supposed to be responsible for helping domestic entities with their cyber issues. CIA, by the way, also has a cyber group.
Who’s responsible? Who navigates all this? Who does the president go to? Who does Congress go to? When you have something like SolarWinds, I think it’s a great example for why what I’ve been saying is so necessary. The bad guys realize that they can dodge NSA and others by using U.S. infrastructure, since they’re only focused on foreign entities. Who’s there to stop it and protect it? CISA would be, but they’re a relatively new organization. Do they have the same level of technical expertise as some of the other brethren? Do they feel that they are chartered with this? The reality is they have an advisory capacity. They don’t have control over the government networks. You would never run a company like this, and the United States of America is the largest company in the freaking world—it’s a complicated company. We have designed a bureaucratic, decentralized infrastructure because it’s sort of what we do. It’s our core competency. And we applied it against cyber, which takes place in milliseconds. That won’t work!
So I think reorganization is necessary. And there’s some really interesting new movements taking place. There’s going to be a cyber director in the White House again. They’re adding cybersecurity and emerging technology to the National Security Council with Anne Neuberger, who is wonderful and came from the NSA. She’s super, super smart. So it shows that this administration is taking this stuff seriously. But I think pretty radical change needs to happen for us as a country to show that we’re really taking it seriously. And I don’t think that means either moving some authorities around and who can do what, or beefing up CISA—it needs to be as technically excellent, quite honestly, as any agency in the entire world. If you’re a Fortune 500 company and you’re breached, you’ll want to go to CISA to get some help. And then maybe you actually want U.S. Cyber Command to do something about it.
Who makes all those calls? And what are the rules of engagement? Do you know? I don’t know! Don’t you want the bad guys to know the rules of engagement? If you do this, this is what will happen to you. I think we need a person who’s very well educated on both the private sector, the public sector, the technology, and the intricacies of this educating Congress and the administration on what rules we’re going to need and why we need them. We just don’t have that yet. And I think it’s necessary. That’s a very long winded answer to your question, but it’s what drives me on this topic.
TR: While we’re talking about the Biden administration, what do you think is one piece of legislation or action that you think needs to be the top priority, besides reorganization?
TS: I’m not so sure I’ll get it to one. There’s a couple of things I think are really needed. I spent a large amount of my time with the private sector and I get to listen to CIOs CISOs all the time, and I’ve watched every administration try and get greater cooperation with the private sector and with the public sector. Every president that I know of has signed an executive order saying we will do information sharing. But that doesn’t end up happening. Give some incentive. It’s usually that you share information with the government, and we say thank you. That’s not information sharing, that’s information taking. So how do you make that happen?
I think something that’s really key to getting over the hump there is to make sure there’s a safe harbor—that if companies, which have the bulk of the information, share it, it can’t be used against them for lawsuit purposes. I think there’s got to be some safe harbor to remove the liability to incentivize the sharing of that information. That would be one.
I think the authorities issue is very real. We either need to reorganize or change authorities—give the NSA authority to track what they believe to be foreign entities on U.S. soil. That would be taking your best operators to go after something, which is what you would do if you had a company. But that’s a touchy situation, obviously, so the converse of that is make CISA as good or better than the NSA, and making sure they have the right authorities to do all these things. Make it so they’re not just the consulting group, but the operational group.
I could throw a lot more at you, and there are many Senators who have had to listen to me on these things. There’s a lot of stuff about acquisitions. If you look at how acquisitions are done here, especially for defense purposes, it’s done through these programs that we fund for decades. I’ve made the argument that the Pentagon needs to be the world’s largest software company, not building more ships and planes and missiles and stuff like that. It’s about the software and the tools and the data. That’s what the Chinese have focused on. Honestly, if somebody is going to go to war with us, do you really think they’re going to sink our aircraft carrier? No, they’re just going to make sure the aircraft carriers can’t communicate with the planes and the planes can’t communicate with our satellites.
That’s radical thinking, but I think we need to get to that level of thinking. In the world of cyber, you can’t budget something two years out. The next six months will bring a different threat. So how acquisitions are done and that whole sort of rule writing all needs to be redone for the world of cybersecurity.
Unfortunately or fortunately, we’ve got a lot of very hard problems to solve and we need a lot of really smart people working to solve them.