CrowdStrike co-founder on what's right (and wrong) with US cybersecurity policy

"What we have now is not working," said Dmitri Alperovitch on the U.S.'s efforts to stop hacks in recent years.

The Cyberspace Solarium Commission led by a bipartisan group of lawmakers made many promising recommendations, according to expert Dmitri Alperovitch

Photo: Patrick T. Fallon/Bloomberg via Getty Images

Lawmakers every year pass modest legislation intended to improve cybersecurity, and hackers every year ignore it.

"Over the last four or five years, we've had cybersecurity bills passed every year. Most of them have not been very impactful or modified things at the margins," said Dmitri Alperovitch, who co-founded the cybersecurity firm CrowdStrike in 2011. But that's about to change, he said.

In March, the Cyberspace Solarium Commission, led by a bipartisan group of lawmakers, issued a 122-page report calling for an overhaul of the U.S.' cybersecurity operations. The report makes over 75 recommendations that touch on everything from paper-based voting systems to reorganizing government agencies to better defend against hacks. Many of the recommendations are valuable, said Alperovitch, but what sets the commission apart from past efforts is that lawmakers are committed to turning many of the suggestions into actual policy.

Alperovitch is no stranger to politics. CrowdStrike played a key role in investigating the 2016 Democratic National Committee breach, and became entangled in the impeachment of Donald Trump when the president mentioned the company in a call with Ukrainian President Volodymyr Zelensky and said he believed it was owned by a Ukrainian.

Alperovitch, who was born in Moscow and moved to the U.S. as a child, announced in February that he was leaving CrowdStrike, where he held the role of chief technology officer, to launch a nonpartisan policy accelerator. He talked about what recommendations from the commission he thought were the most and least important, and the hurdles to getting good cybersecurity policy passed.

This conversation has been edited for length and clarity.

What do you think will come of the commission in terms of actual policy?

There have been a million commissions and documents written on this topic, and most of them have been collecting dust for many years. They might have had very good recommendations, but they went absolutely nowhere because the constituency that could do something about it was not involved.

The thing that makes this commission different is that it was initiated by Congress and had members of the House and Senate as commissioners and chairs: Mike Gallagher from the House side and Angus King on the Senate side. In D.C., you get things done by involving the stakeholders, and that's what was brilliant about the setup of the Solarium Commission, that from the get-go it was congressionally authorized, members of Congress are heavily involved, and now these people will be able to get something done.

The other thing to understand is that while the report is a laundry list of 75 if not more recommendations, really the important ones are the ones that Mike and Angus care about, and you're not going to see the majority of them go into legislation, but the important ones will be taken up by their offices and hopefully pushed through legislation. I know Mike Gallagher and have spoken to him a few times on this topic, and he's passionate about moving the ball forward.

I'm optimistic, particularly due to the fact that they're planning to do some of this through the National Defense Authorization Act, which has to pass every year. It's the funding for the military, there's no option but to pass it, so that's a great vehicle to get some of these important things into law.

What recommendations in the report do you think are the most important?

Certainly every time you have a laundry list of recommendations, not everything is going to be great, but several of the recommendations I think are really helpful in moving the ball forward. First, very little attention has been paid to what I think is the number one responsibility of the government in this area: to protect itself. That's the area that hasn't been getting a lot of attention and focus despite the fact that it's been the worst of the worst in terms of cybersecurity when you look at all the breaches from the Office of Personnel Management to the Defense Information Systems Agency and all the others they've experienced.

One recommendation that goes a long way is empowering CISA [the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency] to continuously hunt across government networks. That's critical because most of these networks are already being infiltrated by adversaries — nation states and criminals — on a daily basis. And before you talk about shoring up any security, you have to figure out who is in there, who's trying to get in there, and kick them out before they do any damage.

Getting CISA to be more of an operational CISO for the federal government is where we need to end up. So it's good to see steps in that direction — giving them the ability to have visibility across those networks and start hunting across those networks to help detect and mitigate intrusions on federal government networks.

There was also a recommendation to enable Cyber Command to do this on the Department of Defense's side. That may be a shock to most people, but the reality is the DOD does not have continuous hunting capability across its own networks. Various services and commands do that on their own in isolation, and since we have Cyber Command with thousands of people, it makes sense to give them the power to do this across the entire DOD network.

What recommendations for private sector cybersecurity do you think are the most important?

On the private sector side, I have a view that we're in a fundamentally different place now than we were 10 years ago when everything seemed hopeless and you had no company that understood how to defend themselves against breaches from nation states and other sophisticated adversaries. We certainly have the knowledge now for how to defend ourselves, and you don't hear about some of the largest companies having breaches.

The fundamental issue now is how do we incentivize more companies to do the right thing, because we know the security strategies proven to be effective. There's recommendation 4.4.4 [amending the Sarbanes-Oxley Act to include cybersecurity reporting requirements] that I thought was great because it recognizes we need regulatory reforms to make these companies — boards of directors and CEOs — care sufficiently about cybersecurity, and the only way to do that is through lightweight legislation.

One of the things I would like to see is a set of metrics that are outcome driven that you would have every public company — and critical infrastructure companies, even if they're not public — track internally and report to the board on a quarterly basis just like how you do with other company metrics like your sales and expenses. What that would do is 1) give the board the right visibility into the right things that their security team should focus on and 2) when there are failures and breaches, you have litigation that gets started almost immediately when there's a big one and this would give the opposing side the ability to subpoena those metrics to see what the board knew and what goals they were setting.

If you can show that quarter after quarter the board was ignoring the dire state of cybersecurity within an organization, then you have a negligence claim against the company, the board and the CEO, and hopefully the threat of that will incentivize companies to pay closer attention to this and start doing the right things.

What recommendations did you not like?

I thought some of the recommendations involving creating additional layers of bureaucracy, like the [Bureau of Cyber Statistics]. I don't think we're going to solve our way out of this problem through more bureaucracy, so I don't find those things particularly helpful or persuasive. There's a bunch of stuff in there that's fine that I don't think is going to move the needle. But those three things I highlighted are really important: addressing what we are going to do about civilian federal government networks, military networks, and the private sector.

Were there any recommendations that you were hoping to see in the report but were absent?

They did a pretty good job of covering lots of topics — probably too many topics, to be honest, more topics than Congress can digest, so some prioritization would have been nice versus the laundry list.

One other thing I really liked that I didn't mention before is that you should give funding to the Election Assistance Commission to support paper-based voting systems across states, which is key. Obviously they couldn't have predicted the coronavirus epidemic, and they didn't recommend mail-based voting, but nowadays we might consider adding that, too.

What are the political hurdles to getting good cybersecurity policy instituted?

This is not a partisan issue, but anytime you try to change something, people stand up. Anytime you talk about regulatory reform, there's people in the private sector that won't be happy about that, and when you talk about CISA getting a bigger role in the federal government, other agencies will be unhappy. Every time you try to do something, you're going to break some eggs, but I think everyone realizes that what we have now is not working, and we need some major changes.

I think highly prescriptive regulation is the wrong way to go. I'm completely opposed to telling companies you need to patch or deploy two-factor authentication, because it completely depends on the organization. I'll give you an example: If you're in critical infrastructure, patching is almost always the worst thing you can do. Patches have taken down more operational critical infrastructure than any piece of malware ever. You need to be thinking about your risk, your operational needs, and what makes sense to you. Sometimes implementing two-factor authentication is the best thing for you, and sometimes it's not.

I think a prescriptive approach of "do X, Y and Z" without understanding the challenge each organization or network has is the wrong way to go about this, but holding people accountable for outcomes and showing that they knew things were bad and were negligent about it — like how Sarbanes-Oxley did — is going to incentivize boards to be much more involved and not to treat this as an issue for the CISO to solve.

The reality is that cybersecurity isn't something that's just the responsibility of the security team. It has to be done at the business level, because sometimes the best thing for a company's cybersecurity is not to do something — not to engage in a particular business line, not to take certain risks that are well beyond the control of the CISO.

The government has already taken a number of steps to deter attacks — it has indicted hackers, issued sanctions and negotiated big agreements — but those don't seem to have worked. Why would things change now?

It's unfair to say we haven't accomplished anything. Over the last five years I think the government has come a long way on doing public attribution, of doing indictments of intelligence operatives in other countries. One of the things I've seen is how indictments on Chinese operatives in particular have had an effect in getting them to basically shut down their operations or retool. And either of those is a win. It's important to recognize some major changes have occurred. We've got a long way to go, but we're not just spinning wheels.

The commission recommends that the government should take a more active stance in "defending forward" and increasing the consequences of launching cyberattacks against the U.S. Is there a risk that those measures could create new problems if we get attribution wrong?

There's always a risk in getting attribution wrong, but let's be clear: The U.S. government over the last 30 years has done attribution on thousands if not tens of thousands of cases on the nation state level or the criminal level. I'm not aware of one case where they've gotten it wrong — maybe initially they thought it was someone else, but once they went through the motions, they got the right person. And our ability to do attribution now is light years ahead of where it was years ago.

A lot of people think attribution is still done through tracing attacks through the chain of computers that it occurred. That's not how it's done. In many cases, the intelligence community will have human sources and signal intelligence sources from the other side communicating and devising plans and claiming credit for attacks. In a lot of these cases you have incredibly precise attribution from hearing directly from the actors. So I'm not concerned about that. But I do think the jury's out on whether we can actually deter action on the part of our adversaries purely through cyberspace.

The challenge you have with cyber, and this goes for attacks against us as well as the attacks we do against others, is that they fall into a gray space between peace and war. The challenge cyber presents is that it's between those two where it's bad enough that we can't ignore it but not bad enough to go to war over, and we struggle with how to respond to those issues.

The adversaries are going to have the same situation; what we do to them is not bad enough to get them to stop, and in some cases it can escalate activities. We have not yet figured out how to deter attackers effectively, and I would argue that cyber is not necessarily the answer for deterrence. We need to think about other modes in which we can apply pressure. The right way on Chinese economic espionage activities, for example, is through trade, raising the level of pain. We don't know if it will ultimately be successful, but that's the best chance we have.

What parts of the U.S.' current cybersecurity strategy are misguided?

Some of the actions we've taken against individual operatives are not very productive. If you ask senior government officials what could Russia or China do to you personally in cyberspace to get you to disobey the president, they would say "nothing." Why would it be any different for them? The consequences in countries like North Korea and China of disobeying an order from leadership can be life consequential, whereas here you might just lose your job. Why do you think you could do anything in cyberspace to get them to disobey an order like that? What we need to focus on is how to target the leadership and their thinking, not just individual operatives.

Wouldn't that mean things like indictments aren't going to solve anything?

You may have some opportunities when it comes to contractors who may have a choice, and that's what we've seen in China. Some of the indictments have been against firms, not government employees, that decided to stop that line of business because it was too risky or they said to themselves we're doing this for money and we don't want to be blacklisted for the rest of our lives. When it comes to military intelligence officers, you're less likely to achieve that result. And that's why I think some of the indictments we've done against government personnel in Russia, North Korea and Iran have not had the same effect — they've continued their operations.

What nation state cyberthreat worries you the most right now?

In terms of the most serious cyberthreat, I actually don't think it's nation states. I think it's ransomware. Those kinds of attacks could come from nation states in the future — we have seen North Korea engage in some ransomware attacks in the past and you could very well see other countries do the same, not for monetary gain but other purposes, like coercing organizations and even countries to bend to their will. But right now criminal ransomware attacks are my number one worry. Ransomware attacks against hospitals would be devastating from a public health perspective. In election times, those attacks against our election infrastructure could create a constitutional crisis.

I worry a lot less about the grid going down or some of these dire cyber 9/11 or cyber Pearl Harbor predictions. Those things are pretty resilient, and the attacks are pretty hard to do, and the fact that we haven't seen anyone do it in 30 years is a fairly good indication that the countries that have the ability to do it are deterred. An attack like that would very likely trigger a kinetic response on our behalf, and that's something other countries are taking into consideration.
