Jim Maloney and I just returned from the IT Security Entrepreneur’s Forum, a one-day conference to increase collaboration between the Feds and emerging security companies, “bridging the gap between Silicon Valley and the Beltway.” What a wonderful, wonderful day. The 70-degree sun and beautiful Stanford campus might have had something to do with it too. If you’re interested in learning how to interact and do business with federal agencies (or vice versa), this is the place. Robert Rodriguez, ITSEF founder, sets the perfect stage for open networking among all attendees. Maybe I’m just settling into my role as a vendor, but I’ve never felt so comfortable approaching folks at a conference before.
Aside from the promo, I do want to highlight one of the sessions. One of the themes of this ITSEF was attribution, i.e., how can we positively identify criminals? The panel consisted of Jeff Moss and two old-school security folks. I believe one was a UK fed, the other from General Dynamics (pretty much a fed). So how do we solve attribution? Obviously there’s no easy answer, and the takeaway was we’ll have to innovate and things will have to change. The difference that inspired this post is: at what cost?
To oversimplify for brevity, Jeff’s view was that forcing everyone to identify themselves before participating on the Internet (1) won’t be effective at attribution and (2) will do more damage to privacy and free speech than good. His take was we have to improve our ability to investigate the whole of the attack, share information effectively, and combine passive analysis with active gumshoe work to follow the trail and root out the true source. The feds didn’t seem to understand why a global ID wouldn’t be effective and seemed inclined to break a few freedom eggs to bring bad guys to justice. I’ve heard Jeff talk a number of times at past Black Hat/DEF CONs. This was the first time I’ve seen him sandwiched between two justice-first mentalities in a professional forum and really stand out. After the panel I had to find Jeff and tell him he rocked.
Instead of going into the arguments, I’ll summarize with a larger and more sobering thought. While the topic was about cyber crime and attribution, I felt the real story was ideology. It didn’t matter who made the better argument because the audience seemed predisposed to hear and believe one side or the other, including me. My internal bias detector was going berserk. I try to empathize with whomever I interact with, especially if we disagree. After I stopped pumping my metaphorical fist after Jeff made each statement, I paused to look around and saw many arms tightly crossed. I think if it went on another 30 minutes it would’ve looked like a religious debate.
So no matter if you lean more toward enforcement or freedom, take this as another example that politics play a larger role in technology than most technologists may like to think. Let’s all get involved, understand both sides, and keep the debate rolling! I’m willing to compromise, but ignorance, FUD, and politics are a dangerous combination.
Oh yes, on a lighter note: Jim gave me a tour of Palo Alto and took me to Buck’s for breakfast.
Jim told of the bubble past, when this was the low-key place where big-time venture deals went down. On this sunny Thursday, Buck’s still boasted an amazing mix of suits, devs, and locals who tolerated us. Great breakfast if you’re ever in the area or need to sign a term sheet. I just noticed the cars behind me tell the story pretty well…