10/31/2017
06:00 PM
Curtis Franklin

Ted Schlein: Interview With a Capitalist

Ted Schlein is a partner with the most storied venture capital fund in Silicon Valley. When Ted talks about cybersecurity, people listen.

At the University of South Florida's Networking the Future conference on cybersecurity last week, Ted Schlein, general partner at Kleiner Perkins Caufield & Byers, gave the keynote address. He talked about both his vision of good security and a good security startup company before an audience of security professionals from business, government, military and educational organizations.

Between his keynote address and a panel where he debated the question of whether there should be a federal Department of Cybersecurity, Security Now had a chance to sit down with Schlein and talk about security in more detail.

Ted Schlein joined Kleiner Perkins Caufield & Byers in 1996 and focuses on early-stage technology companies in the enterprise software and infrastructure markets, including ventures within the networking and consumer security arenas. Before joining KPCB, Schlein served as vice president of Enterprise Solutions at Symantec. One of Symantec's early employees, he played an instrumental role in the company's growth and dominance as a global software leader. Ted led Symantec's successful move into the software utilities market, as well as the launch of its commercial anti-virus solution, an offering that quickly emerged as the industry gold standard.

What follows is an edited transcript of the conversation with Schlein.

Curtis Franklin: I want you to start with something that you noted in your keynote address this morning: That you've been doing this a long time, and yet it seems like we're as far behind the curve as ever. Is it just that the hackers are so darned good or is there something baked into the system that leaves us constantly playing catch-up?

Ted Schlein: Things that we thought were true, which kind of worked at one point, are no longer true and no longer work very well. We now have adversaries that are far more sophisticated than they were 30 years ago. I can assure you it's not a kid in a dorm room.

We have complete nation-states [acting against us]. We have a completely inter-networked economy on a worldwide basis which gives the avenue and the ability for the adversaries to have access. That's changed dramatically over 30 years.

The adversaries are well-funded and they're well trained. They have a lot of motivation to be doing what they're doing, whether it be monetary or informational gains. So the stakes overall are just higher. Do I think that we do a good job at it trying to keep up? Yes, but almost by definition you're kind of going to be behind the eight ball until we have some fundamental discoveries that make us a little bit more preemptive versus reactive.

CF: Does the spillover of nation-state cyber attack into the civilian or commercial world intrinsically change the game for people trying to defend these commercial or private systems?

TS: I think anyone who thinks there are lines drawn between public sector and private sector is just naive, and the adversaries don't see a line drawn. We have different areas of critical infrastructure -- I think technically it's 16 or 17 different areas of critical infrastructure -- everything from financial services to energy utilities.

If you're a nation-state and you want to do harm to another nation-state, you don't sit there and say, "I'm going to go after their military installations." You might take out the financial systems, you might take out the utilities. So the question we face as a nation is: What role should the government have in protecting private enterprises?

I pose it as a question. I think it's well worthy of debate. And it's a question we have to answer thoughtfully, because you don't want to get yourself into an escalated conflict either unknowingly or knowingly and end up with a bad outcome. So you have a nation-state attacking a private enterprise. What should happen? I call that an attack on the United States or whatever country is being attacked.

CF: In your keynote address you talked about making all successful exploits meaningless through the mechanism of encrypting everything. Given the audience at this particular conference I have to imagine that from the stage you saw some skeptical looks coming back at you, because law enforcement hates that idea. Where are we in that conversation right now?

TS: Unfortunately, the conversation has been an either/or conversation that got forced to be either/or. I think it's unfortunate the way the FBI handled the issue with Apple, where people had to retreat to their sides, and I say that because both were right.

CF: You know, in my opinion, both were right.

TS: OK. It sounds like you agree with me. The question is: How do we solve for both? The more we propagate and push an either/or conversation, I think the less progress we will make, as I said in my talk.

I believe in strong encryption. You know I'm a security guy. I like things being secure. And guess what: I believe in the law of the land and I believe that the job that our law enforcement folks have to do is both hard and important, and can be lifesaving.

My guess is anyone that's going to be a zealot about this, the privacy, will be a zealot up until the fight that might affect them personally. And so I'd like to avoid those things and make the conversation come back together that this can be an and. We can have strong security, strong encryption, and we can satisfy what we need to do for law enforcement. There is not an ounce of me that doesn't believe that the smart minds in this country can't figure that out. You know we have figured out far harder things in our lifetimes.

CF: Do you think this is something where we are close to solving this technologically, or is this still something that needs a lot of research?

TS: I think it's less a technical solution than it is a policy -- cultural -- and I don't know if "cultural" is the right word but an organizational, operational solution. Let's get the people together that actually have to operationalize this to agree on a plan that satisfies both parties. And I actually think technically we could probably do this today.

CF: How optimistic are you that all the hurdles will get better or at least get to the point where they need to be within our careers?

TS: I'm a venture capitalist so I'm a born optimist. I can't do my job unless I believe, and I think our rate of innovation is accelerating. I think the rate of innovation that's taking place is going to continue to accelerate. So we're going to get better. We're going to get safer. You know, do I ever think we're going to be "safe?" No. But I think we're going to improve quite a bit.

— Curtis Franklin is the editor of SecurityNow.com. Follow him on Twitter @kg4gwa.
