
CrowdStrike co-founder on what's right (and wrong) with US cybersecurity policy

"What we have now is not working," said Dmitri Alperovitch on the U.S.'s efforts to stop hacks in recent years.

Dmitri Alperovitch

The Cyberspace Solarium Commission led by a bipartisan group of lawmakers made many promising recommendations, according to expert Dmitri Alperovitch

Photo: Patrick T. Fallon/Bloomberg via Getty Images

Lawmakers every year pass modest legislation intended to improve cybersecurity, and hackers every year ignore it.

"Over the last four or five years, we've had cybersecurity bills passed every year. Most of them have not been very impactful or modified things at the margins," said Dmitri Alperovitch, who co-founded the cybersecurity firm CrowdStrike in 2011. But that's about to change, he said.

In March, the Cyberspace Solarium Commission, led by a bipartisan group of lawmakers, issued a 122-page report calling for an overhaul of the U.S.' cybersecurity operations. The report makes over 75 recommendations that touch on everything from paper-based voting systems to reorganizing government agencies to better defend against hacks. Many of the recommendations are valuable, said Alperovitch, but what sets the commission apart from past efforts is that lawmakers are committed to turning many of the suggestions into actual policy.

Alperovitch is no stranger to politics. CrowdStrike played a key role in investigating the 2016 Democratic National Committee breach, and became entangled in the impeachment of Donald Trump when the president mentioned the company in a call with Ukrainian President Volodymyr Zelensky and said he believed it was owned by a Ukrainian.

Alperovitch, who was born in Moscow and moved to the U.S. as a child, announced in February that he was leaving CrowdStrike, where he held the role of chief technology officer, to launch a nonpartisan policy accelerator. He talked about what recommendations from the commission he thought were the most and least important, and the hurdles to getting good cybersecurity policy passed.

This conversation has been edited for length and clarity.

What do you think will come of the commission in terms of actual policy?

There have been a million commissions and documents written on this topic, and most of them have been collecting dust for many years. They might have had very good recommendations, but they went absolutely nowhere because the constituency that could do something about it was not involved.

The thing that makes this commission different is that it was initiated by Congress and had members of the House and Senate as commissioners and chairs: Mike Gallagher from the House side and Angus King on the Senate side. In D.C., you get things done by involving the stakeholders, and that's what was brilliant about the setup of the Solarium Commission, that from the get-go it was congressionally authorized, members of Congress are heavily involved, and now these people will be able to get something done.

The other thing to understand is that while the report is a laundry list of 75 if not more recommendations, really the important ones are the ones that Mike and Angus care about, and you're not going to see the majority of them go into legislation, but the important ones will be taken up by their offices and hopefully pushed through legislation. I know Mike Gallagher and have spoken to him a few times on this topic, and he's passionate about moving the ball forward.

I'm optimistic, particularly due to the fact that they're planning to do some of this through the National Defense Authorization Act, which has to pass every year. It's the funding for the military; there's no option but to pass it, so that's a great vehicle to get some of these important things into law.

What recommendations in the report do you think are the most important?

Certainly every time you have a laundry list of recommendations, not everything is going to be great, but several of the recommendations I think are really helpful in moving the ball forward. First, very little attention has been paid to what I think is the number one responsibility of the government in this area: to protect itself. That's the area that hasn't been getting a lot of attention and focus despite the fact that it's been the worst of the worst in terms of cybersecurity when you look at all the breaches from the Office of Personnel Management to the Defense Information Systems Agency and all the others they've experienced.

One recommendation that goes a long way is empowering CISA [the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency] to continuously hunt across government networks. That's critical because most of these networks are already being infiltrated by adversaries — nation states and criminals — on a daily basis. And before you talk about shoring up any security, you have to figure out who is in there, who's trying to get in there, and kick them out before they do any damage.

Getting CISA to be more of an operational CISO for the federal government is where we need to end up. So it's good to see steps in that direction — giving them the ability to have visibility across those networks and start hunting across those networks to help detect and mitigate intrusions on federal government networks.

There was also a recommendation to enable Cyber Command to do this on the Department of Defense's side. That may be a shock to most people, but the reality is the DOD does not have continuous hunting capability across its own networks. Various services and commands do that on their own in isolation, and since we have Cyber Command with thousands of people, it makes sense to give them the power to do this across the entire DOD network.

What recommendations for private sector cybersecurity do you think are the most important?

On the private sector side, I have a view that we're in a fundamentally different place now than we were 10 years ago when everything seemed hopeless and you had no company that understood how to defend themselves against breaches from nation states and other sophisticated adversaries. We certainly have the knowledge now for how to defend ourselves, and you don't hear about some of the largest companies having breaches.

The fundamental issue now is how do we incentivize more companies to do the right thing, because we know the security strategies proven to be effective. There's recommendation 4.4.4 [amending the Sarbanes-Oxley Act to include cybersecurity reporting requirements] that I thought was great because it recognizes we need regulatory reforms to make these companies — boards of directors and CEOs — care sufficiently about cybersecurity, and the only way to do that is through lightweight legislation.

One of the things I would like to see is a set of metrics that are outcome driven that you would have every public company — and critical infrastructure companies, even if they're not public — track internally and report to the board on a quarterly basis just like how you do with other company metrics like your sales and expenses. What that would do is 1) give the board the right visibility into the right things that their security team should focus on and 2) when there are failures and breaches, you have litigation that gets started almost immediately when there's a big one and this would give the opposing side the ability to subpoena those metrics to see what the board knew and what goals they were setting.

If you can show that quarter after quarter the board was ignoring the dire state of cybersecurity within an organization, then you have a negligence claim against the company, the board and the CEO, and hopefully the threat of that will incentivize companies to pay closer attention to this and start doing the right things.

What recommendations did you not like?

I thought some of the recommendations involved creating additional layers of bureaucracy, like the [Bureau of Cyber Statistics]. I don't think we're going to solve our way out of this problem through more bureaucracy, so I don't find those things particularly helpful or persuasive. There's a bunch of stuff in there that's fine that I don't think is going to move the needle. But those three things I highlighted are really important: addressing what we are going to do about civilian federal government networks, military networks, and the private sector.

Were there any recommendations that you were hoping to see in the report but were absent?

They did a pretty good job of covering lots of topics — probably too many topics, to be honest, more topics than Congress can digest, so some prioritization would have been nice versus the laundry list.

One other thing I really liked that I didn't mention before is that you should give funding to the Election Assistance Commission to support paper-based voting systems across states, which is key. Obviously they couldn't have predicted the coronavirus epidemic, and they didn't recommend mail-based voting, but nowadays we might consider adding that, too.

What are the political hurdles to getting good cybersecurity policy instituted?

This is not a partisan issue, but anytime you try to change something, people stand up. Anytime you talk about regulatory reform, there's people in the private sector that won't be happy about that, and when you talk about CISA getting a bigger role in the federal government, other agencies will be unhappy. Every time you try to do something, you're going to break some eggs, but I think everyone realizes that what we have now is not working, and we need some major changes.

I think highly prescriptive regulation is the wrong way to go. I'm completely opposed to telling companies you need to patch or deploy two-factor authentication, because it completely depends on the organization. I'll give you an example: If you're in critical infrastructure, patching is almost always the worst thing you can do. Patches have taken down more operational critical infrastructure than any piece of malware ever. You need to be thinking about your risk, your operational needs, and what makes sense to you. Sometimes implementing two-factor authentication is the best thing for you, and sometimes it's not.

I think a prescriptive approach of "do X, Y and Z" without understanding the challenge each organization or network has is the wrong way to go about this, but holding people accountable for outcomes and showing that they knew things were bad and were negligent about it — like how Sarbanes-Oxley did — is going to incentivize boards to be much more involved and not to treat this as an issue for the CISO to solve.

The reality is that cybersecurity isn't something that's just the responsibility of the security team. It has to be done at the business level, because sometimes the best thing for a company's cybersecurity is not to do something — not to engage in a particular business line, not to take certain risks that are well beyond the control of the CISO.

The government has already taken a number of steps to deter attacks — it has indicted hackers, issued sanctions and negotiated big agreements — but those don't seem to have worked. Why would things change now?

It's unfair to say we haven't accomplished anything. Over the last five years I think the government has come a long way on doing public attribution, on doing indictments of intelligence operatives in other countries. One of the things I've seen is how indictments of Chinese operatives in particular have had an effect in getting them to basically shut down their operations or retool. And either of those is a win. It's important to recognize some major changes have occurred. We've got a long way to go, but we're not just spinning wheels.

The commission recommends that the government should take a more active stance in "defending forward" and increasing the consequences of launching cyberattacks against the U.S. Is there a risk that those measures could create new problems if we get attribution wrong?

There's always a risk in getting attribution wrong, but let's be clear: The U.S. government over the last 30 years has done attribution on thousands if not tens of thousands of cases on the nation state level or the criminal level. I'm not aware of one case where they've gotten it wrong — maybe initially they thought it was someone else, but once they went through the motions, they got the right person. And our ability to do attribution now is light years ahead of where it was years ago.

A lot of people think attribution is still done by tracing attacks through the chain of computers on which they occurred. That's not how it's done. In many cases, the intelligence community will have human sources and signals intelligence sources from the other side communicating and devising plans and claiming credit for attacks. In a lot of these cases you have incredibly precise attribution from hearing directly from the actors. So I'm not concerned about that. But I do think the jury's out on whether we can actually deter action on the part of our adversaries purely through cyberspace.

The challenge you have with cyber, and this goes for attacks against us as well as the attacks we do against others, is that they fall into a gray space between peace and war. The challenge cyber presents is that it's between those two where it's bad enough that we can't ignore it but not bad enough to go to war over, and we struggle with how to respond to those issues.

The adversaries are going to have the same situation; what we do to them is not bad enough to get them to stop, and in some cases it can escalate activities. We have not yet figured out how to deter attackers effectively, and I would argue that cyber is not necessarily the answer for deterrence. We need to think about other modes in which we can apply pressure. The right way on Chinese economic espionage activities, for example, is through trade, raising the level of pain. We don't know if it will ultimately be successful, but that's the best chance we have.

What parts of the U.S.' current cybersecurity strategy are misguided?

Some of the actions we've taken against individual operatives are not very productive. If you ask senior government officials what Russia or China could do to you personally in cyberspace to get you to disobey the president, they would say "nothing." Why would it be any different for them? The consequences in countries like North Korea and China of disobeying an order from leadership can be life consequential, whereas here you might just lose your job. Why do you think you could do anything in cyberspace to get them to disobey an order like that? What we need to focus on is how to target the leadership and their thinking, not just individual operatives.

Wouldn't that mean things like indictments aren't going to solve anything?

You may have some opportunities when it comes to contractors who may have a choice, and that's what we've seen in China. Some of the indictments have been against firms, not government employees, that decided to stop that line of business because it was too risky or they said to themselves we're doing this for money and we don't want to be blacklisted for the rest of our lives. When it comes to military intelligence officers, you're less likely to achieve that result. And that's why I think some of the indictments we've done against government personnel in Russia, North Korea and Iran have not had the same effect — they've continued their operations.


What nation state cyberthreat worries you the most right now?

In terms of the most serious cyberthreat, I actually don't think it's nation states. I think it's ransomware. Those kinds of attacks could come from nation states in the future — we have seen North Korea engage in some ransomware attacks in the past and you could very well see other countries do the same, not for monetary gain but other purposes, like coercing organizations and even countries to bend to their will. But right now criminal ransomware attacks are my number one worry. Ransomware attacks against hospitals would be devastating from a public health perspective. In election times, those attacks against our election infrastructure could create a constitutional crisis.

I worry a lot less about the grid going down or some of these dire cyber 9/11 or cyber Pearl Harbor predictions. Those things are pretty resilient, and the attacks are pretty hard to do, and the fact that we haven't seen anyone do it in 30 years is a fairly good indication that the countries that have the ability to do it are deterred. An attack like that would very likely trigger a kinetic response on our behalf, and that's something other countries are taking into consideration.
