Space is Open for Business


This post is by David Cowan from Who Has Time For This?

Space is no longer the exclusive domain of engineering behemoths with a “monumental mission” mindset, as a new ecosystem of technology innovators democratizes extra-terrestrial commerce. 
For fifty years, space innovation meant scaling Apollo-era technologies into ever larger, more durable satellites parked above their terrestrial clients in geo-synchronous orbit. Exotic space-ready parts, militarized defenses, and layered redundancies ballooned into multi-billion dollar systems designed to last 40 years or more beyond their conceptions. Only vast organizations with thousands of aerospace engineers could participate.
By the turn of the century, it didn’t matter that geo-synchronous orbit resembled a stadium parking lot on Super Bowl Sunday. The internet had upended and bankrupted the commercial space industry, whose expensive, decades-old satellites could no longer compete with terrestrial means of moving information. And when a financial crisis gripped the global economy one decade ago, constricting the government budgets that funded most space exploration, NASA’s cancellation of its flagship programs seemed to ring the death knell for our colonization of the cosmos.
The space community was dispirited; no one expected an imminent, explosive emergence of a new entrepreneurial ecosystem that now promises unprecedented opportunities in space and vanishing barriers to extra-terrestrial commerce. The prospect of colonizing the Moon, Mars and beyond now seems likely and even palpable.  
The New Mindset
Space colonization began in 1957 with the launch of Sputnik, followed by the monumental Apollo program that landed humans on the Moon. Both Sputnik and Apollo had to develop their entire missions and supply chains from scratch: rocket engines, spacecraft, avionics software, space suits, ground stations, mission control software, and more.
This monolithic approach dominated space missions until recently. In 2010, Brooklynite Luke Geissbuhler and his son Max heralded a new model for space exploration when their amateur weather balloon ferried an iPhone 19 miles above the surface of the Earth, capturing beautiful space images as expensive satellites do. Luke and Max’s fun experiment exploited the low cost of mass-produced cell phones, whose batteries, antennas, radios, accelerometers and cameras constitute the most common components of commercial satellites.
Meanwhile, students at Cal Poly and Stanford were using those same cell phone components to assemble what they called CubeSats – 10x10x10 cm buses designed to cheaply ferry their science experiments in Low Earth Orbit. (In LEO, where satellites naturally de-orbit within five years due to drag from atmospheric particles, they don’t need exotic radiation-hardened parts.) Standard modules for DIY cubesats can now be procured on hobbyist sites as easily as buying a book on Amazon.
Like the DARPA engineers who coded the internet protocol, these students hadn’t appreciated the impact of their invention. Cubesats sparked a realization that true scalability comes not from bigger satellites, but from many cheap small ones, and suddenly five accumulated decades of Moore’s Law turned the space industry upside down. Venture-backed startups like Planet Labs and Skybox (now merged) developed constellations of micro-satellites to image the Earth far faster than enormous, lumbering incumbents. Other ventures like SpaceX and OneWeb are deploying massive constellations to serve the planet with internet and IoT communications. The Silicon Valley teams behind all these constellations naturally focus on software-driven designs with commodity hardware, enabling satellite operators to quickly launch new apps as we do on our smartphones. The largest general purpose cubesat constellation – roughly 60 “Lemurs” operated by Spire Global – already monitors ships, planes and weather.
The new mindset that space is best colonized by smaller, cheaper, faster computers not only admits entrepreneurial engineering teams – it favors them. Hundreds of other startups are now exploiting the 100X cost savings of microsat constellations to colonize space.
A New Ecosystem
The microsat revolution demands a new ecosystem to support the operators of these constellations. By far the most important and difficult input to procure is launch, since all mature rocket programs were designed long ago to carry enormous, expensive payloads to Geosynchronous Orbit with 5-10 years of advanced notice; new players like Virgin Orbit, Firefly and Rocket Lab promise cheap and frequent carriage to Low Earth Orbit. Next-gen operators also need ground stations, mission control software, satellite tracking, data analysis, life support systems, human habitats, robotic mining systems, space WiFi, and more. Sat and rocket manufacturers in turn need specialized software, subsystems, amplifiers, phased array antennas, miniaturized propulsion, materials, extensible solar panels, and batteries. And innovators in additive manufacturing like Velo3D enable SpaceX and Rocket Lab to design and 3D print far more efficient engines.
Space companies now assemble cheaper, better, faster constellations by mixing and matching off-the-shelf elements from this emerging, fragmented ecosystem. This new Space Stack (see illustration) promises a virtuous cycle of innovation, diversity and growth akin to the explosion of datacom startups sparked in the 1980s, when the OSI 7-Layer Internetworking model similarly disrupted an oligopoly of proprietary networks from IBM, Digital, HP and Sun.
Atop the space stack sit the microsat operators who create value for people on Earth. They are extraterrestrial mining companies, agricultural intelligence businesses, pharma manufacturers, internet service providers, weather forecasters, marine tracking companies, and new ones every month. As the space stack grows, these companies look less like scientific research labs, and more like their terrestrial competitors.

In other words, space is open for business. Entrepreneurs are flocking to the final frontier, where Moore’s Law has unleashed massive, enduring opportunities. This is how Humanity will colonize Low Earth Orbit, the Moon, the asteroids, Mars and beyond – through the emergence of a distributed, commercial ecosystem infinitely more powerful than any single company or government.


Donald Trump Jeopardizes Cyber Privacy And National Security


This post is by David Cowan from Who Has Time For This?

President-Elect Donald Trump recently released a video in which he promised to work with the Department of Defense and Joint Chiefs of Staff on a “plan to protect Americas’ vital infrastructure from cyber attacks.” This promise reflects Trump’s ignorance of how cyber warfare works — calling in the Marines to secure the nation’s computers is about as effective as exterminating cockroaches with a shotgun.

On the vast, interdependent internet, evolving technologies and best practices must be adopted across the ecosystem for anyone to be secure. An effective cyber defense requires long, hard years of continued investment in research, education, strong encryption, standards, regulations, enforcement, and global cooperation. Unfortunately, Trump’s stated policy goals promise to halt and even reverse the hard-fought progress made in recent years defining and enforcing new cyber standards. The impact on national security will be dire.


Furthermore, Trump’s call to boycott Apple for refusing to break their iPhone encryption and his plan for “closing that Internet up” expose a disregard for cyber privacy and freedom of expression that threatens to undermine our rights and our prosperity.

Stop-and-Frisk in Cyberspace

The US is a cyber superpower, alongside China, England, Israel and Russia. While Edward Snowden’s revelations suggest that the U.S. likely harbors the most potent cyber weapons, the agencies that develop and wield them have a clear mandate to use them only on foreign targets — for example, to retaliate against Russia’s repeated pattern of cyber aggression.

To Trump, however, Vladimir Putin is a friend — the nation’s true enemies lurk within the American homeland: illegal Mexican immigrants, Muslim jihadist refugees, obstructive protesters, and conspiring journalists. Echoing Rudolph Giuliani, Trump has touted stop-and-frisk as a legitimate exercise of “law and order,” so we should expect the same in cyberspace, as federal agencies redirect their formidable arsenals away from foreign and toward domestic surveillance. No wonder Peter Thiel supported and now advises Trump — his company Palantir sells the software used by intelligence agencies to monitor large populations; investors plowed another $20 million into Palantir just last week.

Peter Thiel, co-founder of Palantir


Judicial and legislative oversight bodies normally protect US citizens from mass domestic surveillance. But Trump’s tweets and campaign rally warnings about ISIS have escalated American fear of the terrorist threat to the highest point since 9–11, when Congress passed the Patriot Act. The Republican Congress and Trump-appointed judges may give the President broad leeway.

The Danger of Deregulation

Preventing cyber attacks is impossible without regulation, because cyber neglect is like polluting, drunk driving, or refusing to vaccinate — it endangers not only the reckless, but everyone else as well. The security of every online transaction depends upon the integrity of all the vendors in the ecosystem who handle payments, network traffic, email delivery, cloud servers, and more. Furthermore, any infected computer or device can be used to attack others (as we saw in the October DDoS attack that caused massive internet outages). Without broad regulations and enforcement, internet commerce cannot be secured.

Donald Trump’s campaign speeches and web site have consistently promised to reduce the rules, headcount, and overall spending in the SEC, FTC, CFPB, FCC and IS Oversight Office — the very federal regulatory agencies that have taken the lead in defining and enforcing cyber standards. (His adviser Mark Jamison openly plans to nearly eliminate the FCC.) In addition to the budget savings, Trump sees this as a key element in his plan to promote business and increase jobs. By design, these cuts will relax the rules and enforcement of cyber standards for the public companies, banks, consumer-facing merchants, and network carriers that these agencies regulate. We should expect similar cuts in other regulatory authorities such as the Center for Medicare and Medicaid Services (which enforces HIPAA rules for the healthcare industry) and the Federal Energy Regulatory Commission (which oversees NERC standards for the power grid).

Cyber deregulation will empower American businesses to sell our data to anyone collecting profiles of US citizens. Meanwhile, with a U.S. president who actually invited and benefited from Russia’s intervention in the election, Russian cyber attackers feel they enjoy free rein in American cyberspace. With the rollback of cyber regulations, consumer-facing businesses will slash their own cyber security budgets, leading to weaker systems that further accelerate the growth and severity of information breaches. With our private information exposed, brace for a dramatic rise in identity theft and cyber stalking.

In contrast, the European Union has set the standard for privacy laws that limit how businesses and government agencies can use our information. Once disdained by the business community, these laws now give Europe the competitive advantage. In the wake of Snowden’s revelations, mistrustful Europeans moved their data from US clouds and services to EU alternatives — during Trump’s presidency, Americans will join them. While some Americans look to Switzerland as a safe haven for money, and Canada as a safe haven for our families, many will look to Germany as a safe haven for data.

Cyber 9–11

President Trump’s deregulatory policies will jeopardize not only privacy, but also national security. Our homeland’s greatest vulnerability may well be the cyber threat to our critical infrastructure, potentially disrupting life-support services like power and water. Furthermore, a single breach of a water treatment facility, dam, or nuclear reactor can directly kill millions of people — a cyber 9–11. And yet today most of the nation’s utilities run unpatched software on industrial control systems that remain defenseless, awaiting NERC cyber regulations to kick in next year. A four-year reprieve from these rules by Trump’s administration will expose the U.S. to a massive terrorist attack, and open the door for Russia or other nations to embed cyber bombs in our machinery for future activation. Even if the Defense Department can accurately attribute such attacks, they can only retaliate — they cannot prevent them.

The election of Donald Trump has profound implications for the security of cyberspace. Unless Trump reverses his positions on deregulation, government surveillance, and the Russian threat, his administration will dismantle the safeguards of cyberspace, threatening America’s commercial prosperity, individual privacy, and national security.



Investment Recommendation: Claroty Series A


This post is by David Cowan from Who Has Time For This?

Today, Claroty came out of stealth, announcing a Series A financing led by Bessemer. $32 million is a lot for a Series A, but this is an important company for our nation and our planet. To explain why, I thought I’d share this excerpt from our internal investment memo.

EXCERPT from APRIL 2016:

The Need for Industrial Security

The physical infrastructure of modern civilization runs on machinery: traffic lights, railroad switches, nuclear reactors, water treatment, electricity distribution, dams, ship engines, draw bridges, oil rigs, hospitals, gas pipelines, and factories depend upon mechanical elements such as pressure valves, turbines, motors, and pumps. These actuators (like the ones in the original Bessemer steel smelting process) were once manually configured, but today these machines are controlled by software running on directly-attached, single-purpose computers known as Programmable Logic Controllers (PLCs). PLCs, in turn, are connected in aggregate to computers running Human-Machine Interfaces (HMIs) through closed, vendor-proprietary Supervisory Control & Data Acquisition (SCADA) protocols like DNP3 and Profibus. Industrial manufacturers provide the machines, the PLCs, and the HMIs, and so Operations Technology (OT) teams typically need to use a mix of controllers and interfaces. This is collectively known as an Industrial Control System (ICS).


It’s Time for Robots to Mine the Asteroids


This post is by David Cowan from Who Has Time For This?

Phil Metzger at University of Florida has just published an important and compelling article titled Space Development and Space Science Together, an Historic Opportunity about the need to develop a Self-sufficient Replicating Space Industry that uses robots to harvest space-based resources. The article is detailed, well-cited and fully attentive to the objections often raised.

Metzger calculates that it would take only a third of Earth’s national space program budgets over the coming decades to deploy and complete the industrial infrastructure we need for harvesting resources from space that address major challenges we face in economic development, science, climate change, energy needs and other dwindling mineral resources.

Metzger specifically prescribes an initial focus on mining water for the purpose of fueling steam-based propulsion systems. Robust water deposits on the moon, asteroids, Europa, and elsewhere in the solar system promise bountiful supplies that will propel us to the stars. Another benefit of hydro-propulsion, explained to me this week by Deep Space Industries @GoDeepSpace CEO Dan Faber, is that water would be easy and safe for entrepreneurs integrating propulsion into their satellites today. While Metzger has focused his attention and efforts on developing a lunar mine, Faber’s company looks to mine water from Near Earth asteroids, since their negligible gravity makes it easier to deliver the extracted water without having to escape lunar gravity. (See DSI design, right.)

Metzger outlines other important projects as well, such as a Space-Based Solar Power system and extraterrestrial compute facilities, sorely needed infrastructure that we simply cannot scale on Earth:



"Brief Candle in the Dark: My Life in Science" by Richard Dawkins


This post is by David Cowan from Who Has Time For This?

Oxford Zoology Professor Richard Dawkins is finishing up a whirlwind book tour through the U.S., addressing sold-out venues of free-thinking fans who flock to him as much for his sermons on Reason and Science as they do for a signature on his memoirs.

One of Richard’s favorite stops is always Kepler’s Bookstore in Menlo Park, where I had the pleasure of interviewing Richard about his memoirs before a crowd that sold out four weeks in advance. Richard graced his audience by reading several excerpts I selected — chosen to give a sense for his writing but, like any good trailer, not to reveal crucial plot lines.

So rather than write a review of the book (which the NY Times and Guardian have already done quite well) I’m here to share a little preview of the story, which covers the second half of Richard’s illustrious life so far. With this taste of the book, you can relish how Richard crafts every message with subtle detail and humor that, in Silicon Valley parlance, delights the user.

The first excerpt gives a glimpse into life at the hallowed institution of Oxford University, featuring brilliant but eccentric personalities who mix profound wisdom with the backseat bickering of children. As Richard recounts his unwelcome rotation as Sub-Warden, the setting seems less like Oxford and more like Hogwarts.

Although the Sub-Warden doesn’t have to seat people and their guests (as the presiding fellow does in some other colleges), he is expected to beam the

The Imitation Game (or, Why I Invested in Distil Networks)


This post is by David Cowan from Who Has Time For This?

In 1950, the journal Mind published Alan Turing’s seminal paper, Computing Machinery and Intelligence, in which he proposed a behavioral definition of artificial intelligence. After all, if a machine can demonstrate intelligence, how can it not be said to possess intelligence? Turing’s test challenged computer scientists to create a thinking machine that, through conversation, could fool a person into believing that it, too, is human; Turing’s challenge continues to drive AI researchers today.
With the proliferation of computers in modern life, the prospect of identifying thoughtful machinery takes on more than just theoretical or philosophical interest. Back in Turing’s day, a thinking machine connected only to a “teleprinter” (as Turing envisioned) would have lived a lonely life, but today there are billions of people online with whom to converse, promising profound implications for society. For example, we increasingly find the machines who answer customer service calls to be more productive and thoughtful than human agents.

Machines who demonstrate intelligence can communicate not only with people, but also with other machines designed to communicate with people – specifically, over 100 million web servers that invite human visitors to browse, learn, chat, transact, and share with them. If a machine can demonstrate human intelligence in the eyes of a human judge, then no doubt it can win over these other machines on the internet, who are naturally less skilled at spotting other humans.

Or are they? If, say, the human judge in a Turing test can distinguish the smartest machines from humans with 60% accuracy, how well could a machine do at judging them? I call this the Turing Judge Test, a corollary to Turing’s Test that marks a subsequent milestone in the development of AI. If a machine conversing with other parties can outperform the human judges in identifying the machines, that right there’s some mighty good thinking.
With the benefits of shared learning and infinite storage, machines only get smarter over time, and so it seems inevitable that they will eventually pass the Turing Judge Test. On the other hand, as artificial judges get smarter, so do the artificial contestants. Even when machines do pass Turing tests with flying colors, how can they ever out-think other best-in-class machines? Or is there a way of distilling human intelligence into a single line of questioning that distinguishes silicon from gray matter?
Such a distillation would have more than theoretical value – indeed, it’s arguably critical for the safety of any information society. This is not just a theory – machines are already smart enough that they account for most web traffic, successfully posing as human visitors to perpetrate fraud on the government and business web servers they talk to. That’s why many sites use Completely Automated Public Turing tests to tell Computers and Humans Apart (CAPTCHAs).

xkcd
But CAPTCHAs create a nuisance for users and an outright obstacle for some disabled users; even worse, they can now be defeated in various ways – in other words CAPTCHA servers are machines who once passed the Turing Judge Test, but only until the machines they judge got smarter!
As a result, malicious bots wreak havoc on the web, perpetrating data theft, account hijacking, application DDoS attacks, form spam, click fraud, and any other naughty action they can scale up through tireless automation.

And that’s why I just invested in, and joined the board of, Distil Networks. Distil is run by a world class team of machine learning experts whose thinking machines can now distinguish other machines from people with over 99% accuracy. Staples, AOL, Dow Jones, StubHub and many others depend upon Distil’s cloud-based service to immediately eliminate entire classes of attack (and free up all the infrastructure they ran to serve the whims of robotic imposters). The Turing Judge Test has a winner!
At least for now.


Security for Startups: A 10-Step Affordable Plan to Survival in Cyberspace

This post originally appeared in TechCrunch.

In the past two years, cyberspace has clearly changed in ways that threaten every online business, big or small. Startups now use the cloud infrastructure that mature companies do, and quickly aggregate large, juicy caches of private user data and payment credentials. As malware infestations scale to scour the “long tail” of targets, they don’t discriminate between the Fortune 50 and the TechCrunch 50.
In fact, some increasingly common attacks — like DDoS extortion — specifically target smaller, more vulnerable businesses, whose loose cowboy cultures, shallow security expertise, fragile infrastructure and fresh capital make for easy pickings.
Jeremy Grant at NIST reports “a relatively sharp increase in hackers and adversaries targeting small businesses.” According to a recent survey, 20 percent of small businesses in Canada reported cyber losses last year. Who knows how many more fell victim and just don’t know it?

“Startups are incredibly vulnerable to cyber attacks in their first 18 months. If a business thinks that it’s too small to matter to cybercriminals, then it’s fooling itself with a false sense of security.” – Brian Burch, Symantec (CNN)

For many attacks—API disruption, marketplace fraud, IP theft—the smaller the target, the greater the damage. Startups often lose a year or more when targeted by identity thieves, nation-states, hacktivists, competitors, disgruntled employees, IP thieves, fraudsters or Bitcoin miners. Evernote, Meetup, Feedly, Vimeo, BaseCamp, Shutterstock, MailChimp and Bit.ly all fell victim to extortion rackets, and Code Spaces shut down altogether. “When our API collapsed under a DDoS attack, we experienced more customer churn in that one day than we had in the entire two years since our launch,” recalled one CEO.
Stubhub, Uber, and Tinder struggle to battle fraud in their marketplaces. Uber employees themselves were caught defrauding competitor Gett. Evernote, Bit.ly, Formspring, Dropbox, Cupid Media, Zendesk, Snapchat, Clinkle, MeetMe, LastPass (a password security company!) and many others have had to tell users they lost their passwords or payment credentials to hackers. Cyber thieves stole $5 million worth of Bitcoins from Bitstamp, and destroyed Mt. Gox and Flexcoin. Hackers exposed the content and identities of Yik Yak accounts. The CEOs of HB Gary, Snapchat and many other startups have been vilified following the theft and publication of embarrassing emails. Google routinely blacklists websites for weeks due to malware. Appstudio, SendGrid, HB Gary and others have been defaced or even permanently shut down by anti-Western hacktivists for political reasons. For OnlyHonest.com, the damage appears to have been fatal.
And even if your startup beats the odds and survives its infancy

[Image: BVP Cyber Security Graphic]

Continue reading “Security for Startups: A 10-Step Affordable Plan to Survival in Cyberspace”

The Failure of Cyber Security and the Startups Who Will Save Us


This post is by David Cowan from Who Has Time For This?

2014 will be remembered as the year the cyber dam broke, breached by sophisticated hackers who submerged international corporations and government agencies in a flood of hurt. Apple, Yahoo, PF Changs, AT&T, Google, Walmart, Dairy Queen, UPS, eBay, Neiman Marcus, the US Department of Energy and the IRS all reported major losses of private data relating to customers, patients, taxpayers and employees. Boeing, US Transportation Command, the US Army Corps of Engineers, and US Investigations Services (which runs the FBI’s security clearance checks) reported serious breaches of national security. Prior to last year, devastating economic losses had accrued only to direct targets of cyberwarfare, such as RSA and Saudi Aramco, but in 2014 at least five companies with no military ties (JP Morgan, Target, Sony, Kmart, and Home Depot) incurred losses exceeding $100M from forensic expenses, investments in remediation, fines, legal fees, re-organizations, and class-action lawsuits, not to mention damaged brands.
The press has already reported on where things went wrong at each company, promoting a false sense of security based on the delusion that remediating this vulnerability or that one would have prevented the damage. This kind of forensic review works for aviation disasters, where we have mature, well understood systems and we can fix the problems we find in an airplane. But information networks are constantly changing, and adversaries constantly invent new exploits. If one doesn’t work, they simply use another, and therein lies the folly of forensics.
Only when you step back and look at 2014 more broadly can you see a pattern that points toward a systemic failure of the security infrastructure underlying corporate networks, described below. So until we see a seismic shift in how vendors and enterprises think about security, hackers will only accelerate their pace of “ownership” of corporate and government data assets.
The Sprawl of Cyberwarfare
The breaches of 2014 demonstrate how cyberwarfare has fueled the rampant spread of cyber crime.
For the past decade, the world’s three superpowers, as well as the UK, North Korea and Israel, quietly developed offensive capabilities for the purposes of espionage and military action. Destructive attacks by geopolitical adversaries have been reported on private and public sector targets in the US, Iran, South Korea, North Korea, Israel, Saudi Arabia and elsewhere. While Snowden exposed the extent of cyber espionage by the US, no one doubts that other nations prowl cyberspace to a similar or greater extent.
The technical distinction of these national cyber agencies is that they developed the means to target specific data assets or systems around the world, and to work their way through complex networks, over months or years, to achieve their missions. Only a state could commit the necessary combination of resources for such a targeted attack: the technical talent to create zero-day exploits and stealthy implants; labs that duplicate the target environment (e.g. the Siemens centrifuges of a nuclear enrichment facility); the field agents to conduct on-site ops (e.g. monitoring wireless communications, finding USB ports, or gaining employment); and years of patience. As a result of these investments in “military grade” cyber attacks, the best of these teams can boast a mission success rate close to 100%.
But cyber weapons are even harder to contain than conventional ones. Cyberwar victories have inspired terrorists, hacktivists and criminals to follow suit, recruiting cyber veterans and investing in the military grade approach. (Plus, some nations have started targeting companies directly.) No longer content to publish malware and wait for whatever data pop up, criminals now identify the crown jewels of businesses and target them with what we call Advanced Persistent Threats (APTs). You want credit cards? Get 56 million of them from Home Depot. You want to compromise people with the most sensitive secrets? Go straight to the FBI’s archive of security clearances. You want the design of a new aircraft? Get it from Boeing. You need data for committing online bank theft? Get it for 76 million households at JP Morgan Chase.
That’s why cyberspace exploded in 2014.

This is Not the Common Cold
But why are the crown jewels so exposed? Haven’t these companies all spent millions of dollars every year on firewalls, anti-virus software, and other security products? Don’t their IT departments have security engineers and analysts to detect and deflect these attacks?
The problem is that up until this year, corporate networks were instrumented to defend against generic malware attacks that cause minimal damage to each victim. Generic malware might redirect your search page, crash your hard drive, or install a bot to send spam or mine bitcoin. It’s not looking for your crown jewels because it doesn’t know who you are. It may worm its way to neighboring machines, but only in a singular, rudimentary way that jumps at most one or two hops. It’s automated and scalable – stealing pennies from all instead of fortunes from a few. If it compromises a few machines here and there, no big deal.
But with Advanced Persistent Threats, a human hacker directs the activity, carefully spreading the implant, so even the first point of infection can lead to devastation. These attacks are more like Ebola than the common cold, so what we today call state-of-the-art security is only slightly more effective than taking Airborne (and that’s a low bar). As long as corporate networks are porous to any infection at all, hackers can launch stealth campaigns jumping from host to host as they map the network, steal passwords, spread their agents, and exfiltrate data. Doubling down on malware filters will help, but it can never be 100% effective. All it takes is one zero-day exploit, or a single imprudent click on a malicious email, tweet or search result, for the campaign to begin. Or the attacker can simply buy a point of entry from the multitudes of hackers who already have bots running on the Internet.

Too Big Data
The dependence on malware filters is only half the problem. Ask any Chief Information Officer about his or her security infrastructure and you will hear all about the Security Operations Center in which analysts pore over alerts and log files (maybe even 24/7) identifying anomalies that may indicate security incidents. These analysts are tasked with investigating the incidents and rooting out any unauthorized activity inside the network. So even if someone can trespass into the network, analysts will stop them. And indeed, thousands of security products today participate in the ecosystem by finding anomalies and generating alerts for the Security Information and Event Management (SIEM) system. Every week a new startup pops up, touting an innovative way to plow through log files, network stats, and other Big Data to identify anomalies.
But sometimes anomalies are just anomalies, and that’s why a human analyst has to investigate each alert before taking any pre-emptive action, such as locking a user out of the network or re-imaging a host. And with so many products producing so many anomalies, the analysts are overwhelmed with too much data. They typically see a thousand incidents every day, with enough time to investigate twenty. (You can try to find more qualified analysts, but only with diminishing returns, as each one sees less of the overall picture.)
That’s why, for example, when a FireEye system at Target spotted the malware used to exfiltrate 40 million credit cards, it generated an alert for the Security Operations Center in Minneapolis, and nothing happened. Similarly, a forensic review at Neiman Marcus revealed more than 60 days of uninvestigated alerts that pointed to exfiltrating malware. Sony knew they were under attack for two years leading up to their catastrophic breach, and still they couldn’t find the needles in the haystack.

And yet, the drumbeat marches on, as security vendors old and new continue to tout their abilities to find anomalies. They pile more and more alerts into the SIEM, guaranteeing that most will drop on the floor. No wonder APTs are so successful.

A Three Step Program

“Know Thy Self, Know Thy Enemy” – Sun Tzu, The Art of War
We need to adapt to this new reality, and the cyber security industry needs to enable it. Simply put, businesses need to focus their time and capital on stopping the most devastating attacks.
The first step here is to figure out what those attacks look like. What are your crown jewels? What are the worst-case scenarios? Do you have patient data, credit cards, stealth fighter designs, a billion dollars in the bank, damning emails, or a critical server that, if crippled by a Distributed Denial of Service attack, would cause your customers to instantly drop you? As you prioritize the threats, identify your adversaries. Is it a foreign competitor, Anonymous, disgruntled employees, or North Korea? Every business is different, and each has a different boogeyman. The good news is that even though most CEOs have never thought about it, this first step is easy and nearly free. (Cyber experts like Good Harbor or the BVP-funded K2 Intelligence can facilitate the process.)
Second, businesses need real-time threat intelligence that relates to their unique threatscapes. Almost every security technology depends upon a blacklist that identifies malicious IP addresses, device fingerprints, host names, domains, executables or email addresses, but naturally these come with generic, one-size-fits-all data. Dozens of startups now sell specialized threat intel, such as BVP-funded Internet Identity, which allows clusters of similar companies to pool their cyber intelligence, or BVP-funded iSight Partners, whose global field force of over 100 analysts tracks and profiles cyber adversaries and how to spot them in your network. What better way for your analysts to investigate the most important incidents than to prioritize the ones associated with your most formidable adversaries?
“This is a global problem. We don’t have a malware problem. We have an adversary problem. There are people being paid to try to get inside our systems 24/7.” – Tony Cole, FireEye VP on CNN
And finally, security analysts need fewer alerts, not more. Instead of finding more anomalies, startups would better spend their time finding ways to eliminate alerts that don’t matter, and highlighting the ones that do. They would provide the analysts with better tools for connecting the alerts into incidents and campaigns, tapping into the skills of experienced “military grade” hackers to profile the attack patterns.
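The three steps above, as an added illustration (not the author's code and not any vendor's product): alerts are scored by whether they touch a crown-jewel asset (step one) or an indicator tied to a named adversary (step two), low-scoring noise is dropped, and the survivors are linked into incidents by the hosts and indicators they share (step three). Every host name, indicator, adversary label and alert line is a constructed sample value.

```python
"""Alert triage sketch: fewer, adversary-prioritized incidents instead of a
thousand raw anomalies. Constructed illustration, not production code."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Step 1 output: which assets hold the crown jewels (constructed inventory).
CROWN_JEWELS: Dict[str, str] = {
    "db-cards-01": "payment cards",
    "fs-design-02": "product designs",
}

# Step 2 output: indicators tied to named adversaries, rather than a
# one-size-fits-all blacklist (constructed values, documentation ranges).
ADVERSARY_INTEL: Dict[str, str] = {
    "203.0.113.7": "group-A",
    "198.51.100.9": "group-A",
    "updater.example.net": "group-B",
}

SEVERITY = {"low": 1, "medium": 3, "high": 5}
INTEL_WEIGHT = 5      # alert touches an indicator tied to a known adversary
JEWEL_WEIGHT = 5      # alert touches a crown-jewel asset
NOISE_THRESHOLD = 3   # incidents scoring below this never reach an analyst

# Constructed SIEM alerts: one per line, key=value fields.
SAMPLE_ALERTS = """\
ts=1 host=laptop-17 dst=203.0.113.7 sig=beacon sev=low
ts=2 host=laptop-17 dst=db-cards-01 sig=smb_lateral sev=medium
ts=3 host=db-cards-01 dst=198.51.100.9 sig=large_outbound sev=medium
ts=4 host=wks-02 dst=ads.example.org sig=adware sev=low
ts=5 host=wks-03 dst=wks-03 sig=failed_login sev=low
"""


@dataclass
class Alert:
    ts: int
    host: str
    dst: str
    sig: str
    sev: str

    def endpoints(self) -> List[str]:
        return [self.host, self.dst]

    def score(self) -> int:
        s = SEVERITY.get(self.sev, 0)
        if any(e in ADVERSARY_INTEL for e in self.endpoints()):
            s += INTEL_WEIGHT
        if any(e in CROWN_JEWELS for e in self.endpoints()):
            s += JEWEL_WEIGHT
        return s

    def adversaries(self) -> Set[str]:
        return {ADVERSARY_INTEL[e] for e in self.endpoints() if e in ADVERSARY_INTEL}


def parse_alerts(text: str) -> List[Alert]:
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kv = dict(f.split("=", 1) for f in line.split())
        alerts.append(Alert(int(kv["ts"]), kv["host"], kv["dst"], kv["sig"], kv["sev"]))
    return alerts


def link_incidents(alerts: List[Alert]) -> List[List[Alert]]:
    """Union-find over endpoints: alerts sharing a host, victim or indicator
    join one incident, which follows an intruder hopping from host to host."""
    parent: Dict[str, str] = {}

    def find(x: str) -> str:
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for a in alerts:
        root = find(a.host)
        for e in a.endpoints():
            parent[find(e)] = root
    groups: Dict[str, List[Alert]] = {}
    for a in alerts:
        groups.setdefault(find(a.host), []).append(a)
    return list(groups.values())


def triage(text: str) -> List[dict]:
    """Incidents worth an analyst's time, highest priority first."""
    incidents = []
    for group in link_incidents(parse_alerts(text)):
        total = sum(a.score() for a in group)
        if total < NOISE_THRESHOLD:
            continue   # step 3: eliminate alerts that don't matter
        incidents.append({
            "score": total,
            "alerts": sorted(a.ts for a in group),
            "hosts": sorted({a.host for a in group}),
            "adversaries": sorted(set().union(*(a.adversaries() for a in group))),
            "jewels": sorted({CROWN_JEWELS[e] for a in group
                              for e in a.endpoints() if e in CROWN_JEWELS}),
        })
    return sorted(incidents, key=lambda i: i["score"], reverse=True)


if __name__ == "__main__":
    for incident in triage(SAMPLE_ALERTS):
        print(incident)
```

On the sample data the beacon, the lateral move and the large outbound transfer collapse into one group-A incident against the card database, while the adware and failed-login alerts never reach the queue.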
Outlook

The challenge of securing data today is obviously complex, with many other pressing opportunities for improvement such as cloud security, mobile security, application security and encryption. But as cyberwar spreads to the commercial Internet, re-orienting enterprise security to focus on Advanced Persistent Threats should be the single most important initiative for businesses and vendors alike. Of course, inertia is powerful, and it may take boards of directors, CISOs, product managers, entrepreneurs, and venture capitalists another tumultuous year in cyberspace to get the message.
