YouTube video summary

Stanford CS153 Frontier Systems | The Road Ahead: Resilience Required

Cybersecurity · 02 Jun 2026 · 21 min summary · From Stanford Online

Early Career and Technology Involvement

  • The individual has been working in technology since the 1990s, starting with the US Department of Justice in 1995, where they initially requested a direct internet connection to their desk, which was denied, but eventually allowed with a separate computer, making them the gatekeeper to everything 10s.
  • The person spent their first eight years with the Department of Justice, then moved to eBay in 2002, where they worked on building the legal and safety sides of the company, including after the acquisition of PayPal 2m6s.
  • They then joined Facebook in 2008, when it was smaller than MySpace, and worked there until the company integrated Instagram, WhatsApp, Oculus, and others, before moving to Uber as their first head of security 2m6s.
  • At Facebook and Uber, they inherited small teams of engineers and built them up to large groups, and later did the same at Cloudflare, before starting their own company to help startups scale their security and technology 2m6s.

Government and Cybercrime Prosecution

  • The individual's career has been at the intersection of government and technology, including working as a federal prosecutor, where they would ask tech companies about cyber crime, but found that companies had no incentive to disclose such issues 4m30s.
  • As a federal prosecutor, they prosecuted a case involving a Stanford graduate who stole $40 million from Cisco by creating a subsidiary called Cisco Systems Inc Bahamas and diverting stock portfolio funds to himself 6m20s.
  • The person currently works with startups to scale their security and technology, advises companies on security best practices, is a venture partner at Costanoa Ventures, and is the CEO of a nonprofit helping kids in Ukraine 8m0s.

Trust and Security at eBay

  • The individual had to build trust with companies in order to prosecute cyber crimes, and this trust was established when companies understood that they would not be subjected to negative PR 10s.
  • At eBay, the primary issue was trust, as the business model relied on users sending money to sellers through the mail and hoping to receive the goods, and this issue was addressed with the introduction of digital payments and services like PayPal 1m42s.
  • The individual worked with regulators in 46 of the 50 states and trained law enforcement in over a dozen countries to prosecute individuals committing crimes on eBay 2m6s.

Transition to Mobile Technology and Uber

  • The situation with Eric Snowden, who revealed documents suggesting that Silicon Valley companies were sharing user data with the NSA, created tension and affected the relationship between tech companies and the government 3m30s.
  • The transition to mobile technology, led by companies like Uber, marked a significant shift in the importance of technology in people's lives and led to increased government interest in the tech industry 5m20s.
  • The individual's experience at Uber, including being fired and having their company-issued phone and computer disabled, led to a high-profile scandal involving a data breach affecting 57 million people 8m40s.

Uber Scandal and Legal Consequences

  • The incident at Uber resulted in the individual becoming involved in litigation and gaining notoriety in the cyber security field for the wrong reasons 10m20s.
  • After a period of personal struggle, a decision was made to get back to normal life and apply for jobs, which led to being hired by a small startup called Cloudflare in the spring of 2018, despite initial interest from companies like Huawei, WeWork, and ByteDance 10s.

Joining Cloudflare and Transparency in Security

  • The hiring process at Cloudflare involved due diligence by Matthew Prince, who spoke with previous CEOs and managers, including Travis from Uber, before deciding to take a chance on the new hire 1m42s.
  • In 2018, during the midterm elections, Cloudflare faced negative heat due to the doxing of the new hire, which included personal and family information, and was made public despite a takedown request to Google 2m6s.
  • The doxing incident inflicted on Cloudflare was a challenging experience, but the company's commitment to transparency helped navigate the situation, with the CEO and CTO prioritizing open communication and documentation of security incidents 3m15s.
  • An example of Cloudflare's transparency was demonstrated during a major outage in 2018, when the company's CTO, John, wrote a detailed blog post documenting the incident, and the team proactively contacted large customers to inform them of the situation 5m10s.
  • The outcome of Cloudflare's transparency during the outage was positive, with the company receiving praise for its openness and honesty, rather than criticism for the disruption caused, highlighting the importance of transparency in technology and security 6m40s.

Legal Troubles and Personal Impact

  • The FBI issued a press statement in 2020 stating that an individual had been arrested, which caused concern for their eldest daughter who was moving into her dorm at UT Austin at the time, and she called to confirm the news 10s.
  • The individual had not been arrested, but had been charged with obstruction of justice and misprision of a felony, which meant they were being held personally responsible for their company's failure to be transparent with the government regarding a security incident in 2016 or 2017 2m6s.
  • The individual went to trial against the government in September 2022, where a lawyer from Uber testified that her team was responsible for informing the government about security incidents, and she personally knew about the incident but did not disclose it 4m42s.

Responsible Disclosure and Bug Bounty Programs

  • The concept of responsible disclosure is important, and the individual believes in cultivating relationships with the hacker community to achieve the best possible security, which is why they published a responsible disclosure policy at PayPal in 2007 6m15s.
  • The responsible disclosure policy stated that if someone found a vulnerability, the company would not sue them or inform law enforcement, and instead would have an open dialogue, which was later adopted by other companies, including Facebook where the individual worked in 2008 8m1s.
  • The hacker community later requested to be paid for finding vulnerabilities, which led to the creation of bug bounty programs, with Facebook launching its program in 2011, and now many companies, including Google, pay out millions of dollars in bug bounties 10m10s.

Uber's Security Incident and Bug Bounty Program

  • When joining Uber in 2015, a responsible disclosure policy was published, and a bug bounty program was launched in private, which was later made public in the spring of 2016, with about 40 team members from Facebook also joining Uber 10s.
  • In the fall of 2016, an email was received from a person who claimed to have found a major vulnerability in Uber's system, which was then forwarded to the product security team, and it was discovered that the vulnerability was related to the configuration of Uber's AWS and some old databases 2m6s.
  • The situation was treated as a security incident, with everything documented, and a centralized tracker was used to keep notes, and the CEO signed off on paying a $100,000 bug bounty to the researchers, with legal and communications teams also involved 2m6s.
  • An investigation was conducted to find out who the anonymous researchers were, and it was discovered that they were two 19 and 20-year-old individuals who had met in a gaming community and had found vulnerabilities in several companies, including LinkedIn, which had contacted the FBI 2m6s.
  • The FBI was also investigating the individuals at the same time, but Uber's team was able to find them first, and a retired CIA intelligence officer was sent to interview one of the individuals, Brandon, to ensure that he was not an extortionist and to verify that he had deleted the data 2m6s.
  • The company had written formal policies and documentation in place, which stated that legal was responsible for doing the investigation and reporting, and the communications team had prepared documents for potential disclosure, but legal advised that disclosure was not necessary 2m6s.
  • The individuals who found the vulnerability were paid the bug bounty, and the vulnerability was fixed, with Uber's team working with the government on the situation, and the company's ability to handle the situation was due to its experience in working with the government on similar cases 2m6s.

Handling the Security Incident and Legal Fallout

  • After Matt from Uber sent Brandon an email, a team member who was a trained CIA interrogator met with Brandon to discuss the deletion of the data and the protection of customers, and prepared a six-page psychological profile of Brandon to validate that the data had been deleted and customers were protected 10s.
  • The legal team had signed off on the communication, and the team had done the work to ensure customers were protected, which led to the closure of the chapter on the case, but in 2020, the individual was charged with a crime related to the incident 42s.
  • The individual went to trial, and their lawyers believed they had won the case, but the jury deliberated for a few days and asked a question about the hacking statute, specifically whether Uber had the right to extend authorization after access, under 18 USC 1030 2m6s.
  • The legal question was whether Uber could give permission to Brandon and the other individual after they had accessed Uber's AWS, and if they could unwind the situation, with the advice being that it was similar to trespass statutes, but the judge and government argued that Uber couldn't give permission 2m6s.
  • The jury was instructed that Uber couldn't give permission, which gutted the defense, and the individual lost the trial, leading to a difficult period, including losing associations with nonprofits due to the trial outcome 2m6s.

Founding a Nonprofit in Ukraine

  • In 2022, the individual joined a nonprofit called Ukraine Friends, became the CEO, and started a program called Digital Wings, which aimed to utilize laptop computers that were sitting idle at tech companies to help those in need, and found that the Ukrainians were willing to work with them despite their situation 2m6s.
  • Many computers are discarded after a short period, with half of them not lasting two years, and these devices are not given to new employees, resulting in large piles of unused computers 10s.
  • A nonprofit organization has been established to provide computers to kids who have lost a parent in the war, and it has received donations, including over a thousand computers from TD Bank, which were distributed in Ukraine 2m6s.
  • The nonprofit organization works directly with military units to give laptops to the kids of fallen soldiers, and the people in Ukraine have shown incredible resilience in the face of adversity 2m6s.

Legal Trial and Sentencing

  • The founder of the nonprofit has been volunteering in Ukraine, seeing the sad effects of the war, and has been waiting for a sentencing hearing, which has been postponed several times, with the government initially arguing for a three-year prison sentence 4m42s.
  • A pre-sentence report was prepared by the probation office, which documented the founder's volunteer work, including 17 instances of volunteering for the federal government, and recommended probation instead of prison time 6m15s.
  • The founder received over 200 letters of support from people in the cybersecurity community and others who felt that the case was unfair, with some letters signed by multiple people, including 60, 50, and 40 individuals 8m30s.
  • The sentencing hearing took place on May 4th, 2023, and the judge ruled that it was not a cover-up, which was a positive outcome for the founder 10m50s.
  • The judge in a case yelled at the prosecutor, questioning why the CEO was not charged if the company was being held accountable, and also pointed out that there was no financial incentive for the defendant to commit the crime, ultimately sentencing the defendant to three years of probation and a small fine 10s.

Post-Trial Life and Career Rebuilding

  • The defendant finished their probation and is now off probation, but still experiences secondary inspection when entering the country, and has since started a security consulting business, works with non-profits, and advises startups, including some that have recently been acquired 2m6s.
  • The defendant has also been invited to give keynotes at conferences, including a big AI conference in Tokyo, and gets to talk about their experiences and the changing world of cyber security, which has shifted from just focusing on data protection to also considering operational resilience 4m30s.
  • The cyber security landscape has changed significantly since 2016, with the rise of ransomware attacks, such as the one that hit Jaguar Land Rover in 2023, which resulted in a three-month shutdown of production and a significant impact on the UK economy 6m40s.

Government and AI Cybersecurity Discussions

  • The defendant has been involved in discussions with government agencies about cyber security and AI, including the use of powerful models like Anthropic's cyber model, and has experienced a surreal situation where they are both helping and being investigated by different parts of the government 10m20s.
  • The government is feeling pressure about AI, and the defendant has seen firsthand the power and potential risks of these technologies, including the ability to find amazing and scary things 12m30s.
  • The government is aware that cybersecurity needs to be improved in the next six months because models currently being held privately will be publicly available, making cybersecurity a top priority for every CEO, and this is why many companies are looking for experienced heads of security who can report to CEOs and co-run companies 10s.

Challenges in Cybersecurity Leadership

  • There is a shortage of experienced cybersecurity professionals, and at the same time, governments are tightening regulations and considering enforcement actions, creating a challenging situation for cybersecurity leaders who often face difficult decisions, such as whether to sign statements downplaying the severity of ransomware attacks 42s.
  • To be a successful cybersecurity leader, one needs to have resilience, which is essential for handling the pressures and challenges of the role, and this resilience is not just important for cybersecurity but for any leadership position, as it allows individuals to bounce back from setbacks and continue to grow 2m6s.

Developing Resilience and Crisis Management

  • Resilience can be developed by learning from experiences, both positive and negative, and by preparing oneself and one's team for crises before they happen, which includes thinking about key elements for success in a crisis, such as communication and transparency 2m6s.
  • Effective communication is crucial in a crisis, as it can build trust and mitigate negative consequences, and companies like Cloudflare have demonstrated the importance of transparency in handling crises, whereas companies like Uber have shown the consequences of lacking transparency 2m6s.
  • Embracing challenges and stressful situations can help individuals develop the wisdom and experience needed to succeed in their careers, and running towards opportunities rather than away from them can lead to personal and professional growth 2m6s.

Personal Growth and Leadership Impact

  • The individual considers themselves to have lost a trial in the fall of 2022, but won the sentencing in the spring of 2023, and having strong support from their wife, a Stanford grad, and the community was crucial, with many people writing letters to the judge highlighting the individual's positive actions, even those they didn't remember 10s.
  • The individual notes that as a leader, the little things they do or don't do are picked up by their team, and they often don't realize the impact of their actions, citing examples of people writing about interactions they had forgotten, such as having lunch with a team member's kid interested in cybersecurity 2m6s.
  • After winning the trial, the individual reached out to the founder of the Defcon conference and Black Hat, two prominent cybersecurity conferences, to share their side of the story, and was offered a chance to speak at the Black Hat CISO summit and Defcon, which helped them gain confidence and courage to move forward 4m30s.
  • The individual started their own consulting business, focusing on working with startups, as large companies were hesitant to associate with a felon, although some did work with them under non-disclosure agreements, and they found success in this approach 8m0s.

Application Security and Code Velocity

  • The individual joined the board of an appsec company and has been advising companies on application security, noting that the volume of code generated through tools like vibe coding has increased significantly, and financial services companies are slow to adopt these tools, while others are deeply invested 12m0s.
  • The sheer velocity of code is a significant challenge, with one southeast bank increasing its code production from 250,000 lines of code a month to 1.25 to 5 million lines of code a month in just two months 10s.
  • Another challenge arises when non-technical employees, such as those in marketing, are involved in coding and may not know how to fix vulnerabilities, making it difficult for security teams to provide proposed fixes 1m5s.
  • The use of cloud co-work tools is also leading to non-technical employees taking ambitious actions, such as setting up their own remote external servers and creating API keys, which can create security risks 2m6s.

Approaches to Managing Security Challenges

  • There is no single solution to these challenges, but companies are approaching them from different directions, with some starting with pilots and constraining access to software engineers, while others are using a more relaxed approach and then trying to clean up 3m15s.
  • To address security headaches, companies need to implement anomaly detection and real-time runtime monitoring, rather than just relying on guardrails, as agents inside companies can be unpredictable, like toddlers in a house 4m30s.
  • Transparency and collaboration between different teams, including security, legal, and communications, are crucial in managing security incidents and incident response, and companies should work on this ahead of time 6m40s.

Leadership and Executive Relationships

  • Educating executives and leadership teams about security is also essential, as they may not have the necessary credibility or expertise to handle security incidents, and security leaders should focus on working with the leadership team to address these issues 8m10s.
  • When mentoring a security executive, the first question asked is about their team, but the intention is to inquire about their relationship with other executives at the company, as building trust with them is crucial for a security leader, especially in crisis moments 10s.
  • A security leader should spend a significant amount of time with other executives, more than 50% of their time, as the security world is complex and not easily measurable, and it's essential to establish trust with other executives to effectively manage crises 42s.

Quantum Computing and Cybersecurity Risks

  • The topic of quantum cryptography is a significant concern, and many companies are not adequately prepared, with the potential risk of quantum computing being available by 2030, which could compromise historical communication data that was encrypted with non-quantum-resistant encryption 2m6s.
  • The primary risk associated with quantum computing is that government agencies may have collected historical communication data that can be decrypted with quantum computers, posing a threat to individuals and organizations, and most of the work to address this risk needs to be done by large infrastructure companies like Google and AWS 2m6s.
  • The adoption of quantum computing will likely be gradual, with only a few organizations having access to quantum machines initially, and it's hoped that the "good guys" will have access to quantum computing before the "bad guys" to develop effective cyber security models 4m30s.

AI Models and Cybersecurity Innovation

  • The release of new cyber security models, such as those developed by Anthropic and OpenAI, is a complex issue, with some experts criticizing the lack of access to these models and the potential hype surrounding their release, while others have found them to be incredibly valuable 6m40s.
  • The cyber security community is self-critical, and the release of new models and tools can be met with skepticism, but it's essential to find the right balance between making these tools available and ensuring their effective use 6m40s.
  • Companies and organizations need to build harnesses and technology around models to utilize them effectively, and having the right harnesses can allow them to find similar results to other public models if they are intentional about it 10s.
  • Anthropic's decision to publicly announce the names of eight companies with access to their models may have been intentional, as giving access to some companies but not others could be seen as picking winners and losers, and it is known that they have given access to more organizations than they have publicly disclosed 42s.

Regulation and Ethical Considerations in AI

  • There is a need for transparency in the process of giving companies access to models, and some European leaders have complained about not having access, although some of their peers in Europe do have access 2m6s.
  • The government is considering how to get involved in regulating the use of models, and the topic of regulation is complex, with some arguing that regulation can stifle innovation, but others believing that smart regulation is necessary to protect people 4m30s.
  • The importance of regulation is highlighted by the fact that companies may not always anticipate how their products will be used, and may not have an economic incentive to make changes to protect users, and examples of this include dissident groups using Facebook in ways that put them at risk 6m20s.
  • There is a need for smart and informed regulation, and efforts are being made to bring people from the private sector into government to help with this, such as Emil Michael, who is negotiating with Anthropic at the Department of War 9m10s.

Executive Protection and Startup Risks

  • Emil is considered a suitable representative for the Department of War in negotiations with Anthropic due to his understanding of the tech world and his experience working in Silicon Valley 10s.
  • Companies, especially startups, face significant risks, including theft of intellectual property, and it is challenging to fully vet every employee to prevent such risks 2m6s.
  • The pressure on employees can come from various sources, including governments, and can lead to situations where employees are arrested or coerced into cooperating, highlighting the need for executive protection programs 2m6s.
  • The main concern is not just about security but also about the physical safety of executives, as seen in cases where executives have been kidnapped or harmed, such as the co-founder of Adobe who was kidnapped in Silicon Valley 2m6s.

Managing AI and Model Release

  • Despite the risks, it is essential to manage and moderate the release of new technologies, such as AI models, to minimize potential harm, and companies like Anthropic and OpenAI are working towards this goal 2m6s.
  • The development of best practices for rolling out new models and agreements with organizations is an ongoing process, and governments are becoming increasingly involved in regulating these technologies 2m6s.
  • The future of AI models is uncertain, and it is unclear what the ideal or most effective models will be in the next three years, with various types of models, such as LLMs, world models, and small language models, potentially playing a role 10m42s.

Ransomware Evolution and Government Response

  • The development of large language models is rapidly advancing, with significant leaps in progress every few months, but it is uncertain whether this pace will continue or slow down, and it may take a couple of years to determine the steady state of these models 10s.
  • Ransomware originated from state-sponsored attacks for political reasons, with notable examples including the attacks on Saudi Aramco, the Sands Casino, and Sony by Iran and North Korea, and has since evolved into private sector attacks with a significant infrastructure built around it 2m6s.
  • The business of ransomware has become so prominent that companies are hiring ransomware negotiators to have them on retainer in case of an attack, and it is now considered a best practice to have one of them on speed dial 2m6s.
  • Governments have been criticized for not doing enough to react to and understand the implications of ransomware attacks, but are now starting to get involved, with law enforcement conducting takedowns and other branches of government considering how to go after organized groups before they launch attacks 4m30s.
  • The US government is becoming more proactive in addressing ransomware, with the White House discussing the possibility of allowing companies to go on the offensive, which raises concerns about the potential consequences of such an approach 6m40s.
  • The idea of taking a more proactive approach to ransomware is supported by some CEOs, who believe that being able to "punch back" is essential in responding to attacks, and that waiting until an attack happens is not a sufficient strategy 8m20s.