Niki: I’m Niki Christoff and welcome to Tech’ed Up. Our guest today is Niloo Razi Howe, a cybersecurity expert with 25 years of experience as a tech investor. We’re talking all things cyberspace: cyber bullying and ransomware to disinformation and surveillance. Okay! So, it sounds pretty grim, but we managed to keep it light. And, after all, you can’t fix what you don’t face.
Niki: Good morning, welcome to Tech’ed Up Niloo Razi Howe. Thank you for coming to the studio, bright and early, and joining us on the podcast.
Niloo: Thanks so much Niki. It’s great to be here. Nowhere else I'd rather be!
Niki: Nowhere you'd rather be! [both laugh] We are in a town where it's kind of early to bed, early to rise, and a lot of people who wake up every day, not just in Washington, but around the world are focused on who's attacking us. Americans. We're going to get to that. But first I wanna talk about you. You have done a TED talk about your childhood and how that influenced your life. So [pause] what's your origin story?
Niloo: It's always a little bit awkward talking about myself. But I did do a TED talk on it, so I guess it's fair game. [both laugh] But, um, so I'm Iranian. I was born and raised in Iran. And when I was 10 years old, there was a revolution and it all happened. It felt like it happened, very suddenly, although of course it was in the works for years. And, as a result of that, we had martial law declared, schools were shut down and my parents decided that they needed their children out of the country because they had no idea what was going to happen and they certainly didn't want us out of school, for an extended period of time.
We got shipped out of the country. I went, I was put into a boarding school in England. I got there at the school and the school year had already started and there was no space for me at the school. But they took me in anyway. And so I had to [chuckle] live in the attic of the boarding school when I first got there. Which was also super interesting because the only other girl who was in the attic was a girl who was about to be expelled. [Niki: Laughs] And that's sort of where they put you when you are on your way out.
So, my, um, first exposure to Western culture was with someone who was about to get expelled from boarding school. So I had learned a lot of interesting language during those months. From there, I came to the U.S. about a year later and it was a pretty tough time to be Iranian. I mean, there was a lot going on and we weren’t exactly liked by a lot of countries.
So, my parents were pretty confident that I could make it into the U.S. but that if we migrated as a family we might not be able to get in. So I actually came to the states by myself when I was 11.
Niki: [interrupts] We sort of both laughed nervously about you going to boarding school as a child alone, but literally had left an incredibly violent situation that was unfolding in your home country, came to the United States as a little girl, by yourself. And it, I think it has informed who you've become, what you have this kind of, like, you play hockey, you heli-ski [Niloo: laughs], you have a 1968 Firebird parked in your yard. [Niloo: chuckles]
And I love that because I think when people think about national security and cybersecurity, and who's working on protecting kind of the Homeland. I don't know that they're picturing someone as I'm about to say cool and hip, which then makes me not seem that, [both laugh] but I miss sort of who has your [pause] style and approach to life. But the origin story both makes you resilient and risk-taking in your personal life and gives you a really important perspective on democracy.
So you started your career, actually, as a writer, you were briefly in the .com space [Niloo: Yep]. You then worked in venture capital and ran deal teams for private equity. And then after 9/11, I won't speak for you, but you sort of made a career shift.
Niloo: I did. So, look, I am absolutely a grateful immigrant. Every day I wake up, grateful to be a citizen of this country and I deeply believe and care for the democracy. And it’s part of the reason why I can't give up. And doing what I can do, in my own small way, in terms of supporting the democracy and trying to make sure the country heads in the right direction.
And, 9/11 was a turning point for me. I mean like many people, I, I was living in California at the time and I had actually just been traveling overseas for a few months. I was woken up by calls from friends in Europe, who weren't sure if I was on one of the planes or not, asking if I was okay. And, like most of America, I was glued to the television for the next couple days. And, the only, the thought that went through my head was not, again! [exasperated] Like, I can't go through this again!
And, instead of just sort of sitting back and worrying about that, the next thought was, all right, how am I going to make a difference?[exasperated] Like, how am I going to join the fight and make sure that this country, the world, is safe from folks who intend to do it harm. I didn't know national security, but the truth was that there hadn't been a lot of tech disruption in national security. So, I figured I could get on that learning curve. And that, that also by the way, comes from my background, which is, I mean, you could ask whether I had any business [chuckle] moving to national security at that point in my career, but I figured I could get up the learning curve as fast as anyone. And I was surrounded by pretty amazing people who understood the, um, the business, well. And I understood tech and investing in entrepreneurship. So it was a pretty good marriage.
Niki: I actually wish more people felt like they had like, maybe I don't have any business going into national security, but they do! Because it leads to sort of the topic of the day, which is there's this global hacker industrial complex- Our last guest was the head of secure global security at Sony Pictures when North Korea hacked them. [Niloo: Yep] And he talked through the persistent, not just nation-state, y’know, threats that companies in the private sector face, but the countries that harbor them and then the gunslingers sort of on the dark web that can be hired to commit cyber crimes.
And so as we continue down this harrowing path of discussing the hacking threat, I'd love you to describe how you think the current state of affairs is. What is the threat?
Niloo: Sure. Can I go back to something you just said though, which was super important and the importance of more people wanting to come serve in the national security mission in the U.S. government mission from the private sector?
I think that's a really critical point that shouldn't get lost. One of the problems we have today is that the folks on the two sides of the aisle - business on one side, government on the other side, don't understand each other. They don't speak the same language. They don't have empathy for each other's problems and issues or how things work. And we need to start, cross-pollinating because we're not going to come up with durable solutions that work for both sides, unless each side understands the other. And there's very few lawmakers who worked in business. And there are some business people, but not enough, who come and serve in government. We need to have more of that. And that's really the only way to drive these durable solutions. [Niki: Yes!]
So, I can park that for a second, but it was a really important point. [Niki: Yeah!!] And i just wanted to–
Niki: And, I actually have a theory that, so I was at Google when the Edward Snowden allegations, well, not just allegations, facts came out. And I think that working in tech with all the engineers who we had been partners with the NSA to work on national security issues, everything changed during that moment. [Niloo: Yep] And you suddenly had people in tech distrusting the U.S. government not, I think they actually had a really hard time with, I don't know if this is true, with retention. And I think it's actually made the worlds more separate, since then, than they would have been before because people are concerned about surveillance of the U.S. [Niloo: Yep] So maybe we start with election interference as a starting point, and then we get to–
Niloo: [excited] You make so many good points [Niki: laughs] because I want to, like, dig into the Snowden thing too [Niki: Yeah, do it!!]. I mean, look, here's, here's, here's a question: When was the last time you saw China depicted negatively in a movie?
Niki: Great question!
Niloo: I mean, it's certainly not within the lifetime of any millennial and there's a reason for that. Because China doesn't allow it. And they don't allow it because they won't show movies, not just in their market, but they owned AMC. They own regional distribution chains. They do not allow China to be portrayed- any aspect of China- to be portrayed negatively in a movie. So, Red Dawn 2, which was terrible, was initially US versus China. In post-production, they had to change it to Korea because China wasn't going to show it. The movie, Pixels, y’know, an animated movie, the opening scene showed these like, y’know, Pac-Man falling from outer space and destroying the, the seven wonders of the world. One of them was the Great Wall of China. That scene had to be taken out. And yet, in the U.S., we have, rightfully, no restrictions on this. So, we can go against our own government. We can portray it negatively. The government doesn't answer, is part of the problem. Whereas our main adversary today, which is China, can completely control its marketing and branding. [Niki: Yeah] And the reason I want to make this point is the folks who work at the– I mean, these are thousands of men and women who are dedicated to protecting this country.
Niloo: And yet they keep getting portrayed in a way that isn't consistent with either the mission they have or how the people perform that mission. So, I wanted to pause on that for a second as well. [laughs]
Niki: Yeah, I know! I often vigorously agree with guests, which probably makes me a bad interviewer [both laugh], but I used to be married to someone in the intelligence community. These are people, not making a lot of money, in demanding jobs, bringing their technical expertise to protect us. And I think we are in a moment of self-flagellation, it's like, as a country. But some of that is by design. Let's talk Russia and election interference.
Niloo: [chuckles] So, you want to talk about the state of hacking industry election interference and, and what's going on. So, first of all, cyberspace is a hot mess. I mean, there's just no other way of putting it. Every form of, I mean, it's this incredible, the most consequential communication medium ever created. Super fast adoption, trillions of dollars of wealth and economic gain that had been created. It's enabled democratization of all sorts of really important things from information to communication, to healthcare, to finance.
So, all this good that's come from it. And yet, there's also every category of harm, everything that we experienced in the real world, every type of harm we experienced in the real world is now starting to happen online. And, it happens in a massively distributed way. So, whether it's cyber war and espionage, whether it's cyber crime, whether it's cyber bullying, whether it's misinformation, disinformation related to election interference. It's all happening online.
When we don't have the norms defined, in terms of what's acceptable behavior and what's not acceptable behavior, it's really hard to enact the laws, regulations, and policies that would govern that. So, as an example, y’know-take cyber crime- we don't tolerate black markets on the internet and every time a, a, dark web market goes up, the world comes together to take it down.
The norm there is really well-defined. Child pornography. We have zero tolerance for child pornography. When it pops up, we will take it down. Misinformation, disinformation. What's the social norm around that?
Niki: To this point, one of the themes of this podcast– it’s not really a theme, it's just sort of happening organically, is beating up on Facebook. [Niloo: Oh yeah]
But one of the points I've made about Facebook, and by made I tweeted and like three people liked it [both laugh], but was that immoral doesn't equal illegal. [Niloo: Right] If, if it's not outlawed, if there's behavior that we don't like online, because companies are allowing things that we think are destructive to democracy or undermining our social fabric, that there are no norms that the private companies have to follow and we're leaving it up to them to make those decisions. [Niloo: Correct]
When really, it should be Congress. So, child sexual abuse imagery. Illegal. [Niloo: Correct] No tolerance. Criminal enterprises on the dark web. Illegal, no tolerance, But there are no, not just norms, but there are no laws around it. I mean, even revenge porn [Niloo: That’s right] doesn't really have laws.
Niloo: Despite all the harm that the public is suffering, as a result of social media, as a result of the internet, it is still not a voting issue, whether or not your elected official understands and is willing to take a stand on these issues. With respect to Facebook, and by the way, I don't put all the tech platforms in the same bucket at all. I think there's a big difference between Google, Amazon, Microsoft, and Facebook, for example, because the other three actually try to do things right and when issues come up, they try to address them. Facebook to me, the equivalency I would draw is with the Sacklers. Much like the Sacklers, every opportunity Facebook had to make a decision that was good for humanity, they chose not to. And that to me is inexcusable.
Niki: So for people who don't know, the Sacklers are the, the family empire of opioids.
Niloo: Correct. Right. So whether you say the Sacklers or Purdue Pharmaceutical, take your pick. But at every moment, every piece of information that came out about the reality behind Oxycontin and how addictive it was, and the harm it was causing to folks, and the harm that their advertising campaigns were causing, they chose not to change. And Facebook is coming out exactly the same. It's not surprising that bad things are happening on the platform. What is absolutely surprising is their unwillingness to do what it takes to go after it.
Niki: Some of it is, also, there's not consensus among the populace, as you say, it's not a voting issue. People aren't aligned on exactly what they should necessarily be doing. And, I know I keep coming back to it, but let's [chuckle] talk election interference [Niloo: Yes!] [both laugh]
So we all know, obviously, there were these coordinated attacks by the Russians. They were infiltrating our own social media content so that we would absorb divisive issues. [Niloo: Yep] And I'd like to talk about that. And then the idea that we focus so much on external foreign threats, but they're also threats right here in the U.S.
Niloo: Disinformation misinformation has been a tool that countries have used for centuries. Russia created an official misinformation office in 1923 [chuckles], and they have had these campaigns against, not just the United States, but against the world for a very long time. So, it's not, again, surprising that Russia would, would, launch misinformation campaigns in the United States as they did in 2016.
I believe the estimate is they, they spent about a million dollars. They were playing both sides and to be clear, their goal was not necessarily to get any particular candidate elected. Their goal is to cause us to devolve into such partisan bickering that we become ineffective and unable to counter what they're really trying to do in terms of regionally their sphere of influence and in that they're being pretty effective,
Niki: [interrupts] Especially for a million bucks. I mean, bravo! [laughs]
Niloo: And by the way, shame on us. [Niki: I know] If we believe that a million dollars can throw the election, like, truly shame on us, but here's also, what's interesting. It wasn't just the Russians, Trump had 300,000, affectionately called, shit posters who were putting stories out there on behalf of his campaign.
They weren't, they weren't officially employed by his campaign, but they were mostly young men, y’know, teenage to mid twenties who were putting stories out all over social media with respect to his campaign. So, um, this question of what's acceptable, what's not acceptable. There's no question that nation state adversaries take advantage of our social media platforms to sow chaos and discord, which is what their goal is. We're doing them, we're allowing that to happen. And we're also devolving into it ourselves. Leadership has to come from our elected officials. Leadership has to come from government. I don't, we don't, need them to do innovation. [both laugh] Like, you know, like tech innovation, all of that, comes from the private sector.
We do need them to lead. [Niki: Right] And we need them to help establish what these norms, these acceptable norms of behavior in cyberspace are, and then enact the policies, laws, and regulations that enforce those social norms. How many times we're going to have folks, like, parade in front of Congress testify and then nothing happens except, you know, more reveal of, of the horrors of social media.
Niki: Well, and also, you know, this really, we can say what we want about our elected leaders. We elect them. [Niloo: Correct] We elect them and we also are supplying. I mean, the tech companies, their earnings are, are skyrocketing. Right now! [Niloo: Yeah] This, this last earning cycle. So they're still making money. I think you're right though on, so there are some things we're just never going to agree on.
I consider myself part of the loyal opposition and that doesn't matter who's in office. [Niloo: Right] I'm always the loyal [laughs]. I like to be sort of in a contrarian space, like just center [Niloo: Right] to whichever side of whomever's in office. But I do think that we on cyber, specifically, we should all be aligned. Let's talk about the threat.
So. What Russia has done to Ukraine, for years, is test some of their capabilities. [Niloo: Correct] And now they, are they turning to us?
Niloo: Yeah. I mean, Ukraine is, is the testing ground for what they do. I mean, they, they engaged in a massive misinformation, disinformation campaign, that was fairly effective, when they had this reformist government that was elected in Ukraine and they were unhappy about it. They took down Estonian infrastructure when Estonia removed a statue from Tallinn that, y’know, was important to Russia. They shut down the Ukrainian grid, just overnight, just as a, as a show of “we can do this, so just understand”. They’re in our grid. We know that, the Chinese are in our grid. We know that.
So, everything that Russia does overseas, we have to understand that they seem to be willing to do against the U.S. On top of that, by the way, y’know, talking about the state of cybersecurity, the biggest issue we have right now is the scourge of ransomware. I mean, it's just endemic.
There is nothing that really is slowing down these criminal gangs running rampant. Mostly Russian, right? Russia’s given them safe harbor because it furthers their national agenda for them to be taking down Western, and especially U.S. companies, and, and bringing us to a halt. There has to be consequences for countries like Russia that enable these criminal gangs from coming after us.
Niki: What's your opinion on, if an American company is held hostage by a ransomware attack, which has happened. Every day [Niloo: chuckles] we don't hear about it [Niloo: Correct] I think a lot of times, because these companies- it's not in their interest to disclose it. [Niloo: Correct] but it happens. Okay! So, every day, these companies are dealing with ransomware attacks. They're being told, y’know, work on your cyber hygiene, which they should, but if the Chinese are in our grid and the Russians are in our grid, there's only so much [Niloo: Correct] a private company can do. What's the answer? Like, is it retaliation? Should it be a U.S. retaliation or an allied nations response?
Niloo: You only have to make one mistake, [chuckles] for the adversary to get in, which was the case with Colonial, right? It was just this one little mistake that they made with something that they weren't managing an asset they weren’t managing that they managed to get in through. And it's not even just your systems. The weakness is the people, right? And, and human beings, y’know, we're all beautiful, but we have this operating system that's fundamentally flawed. We make mistakes and we tend to be the, the weak link in the security architecture. So social engineering attacks are still the number one way that you get in.
And, y’know, to the, to the extent that people are posting where they're going on vacation and, y’know, giving talks that reveal corporate information. That's all information that the hackers go after and look at to figure out how to launch a phishing attack that can be effective. So, it's, no matter what you do, there will inevitably be a weak spot that can get exploited by a committed adversary.
So that's one piece of it. There are things that only the government can do. You have jurisdictions that harbor and enable these criminal gangs. We have to go after these jurisdictions and there's lots of tools of national power. We don't have to, per se, attack them. And look, we have values. We're not going to launch the same kind of attacks against our adversaries that they launch against us because we're a democracy [Niki: mm-hmm] and we have to uphold the values of democracy.
So, whether it's going after the infrastructure of these criminal gangs, which we're starting to do. Whether it's going after the Bitcoin wallets of these criminal gangs, which we're starting to do. It's, we did it once. It's not necessarily easy, but we'll do it again. Whether it's imposing sanctions against the countries that harbor them and there's different levels of sanctions that we can impose. We've got to use those tools of power and we can't do it alone. We need to have a coalition that goes after them.
Niki: I do think that this goes maybe back to the point of the turning with Edward Snowden, right? This turning against our own intelligence services, because there was a feeling that there's mass surveillance and these huge surveillance requests, especially from the telcos, you know, they'd just hand over all of your [pause] phone call information, you know, [Niloo: It’s metadata, yeah] Right? Your metadata, your metadata, to the government. And I think it was worth the corrective action to make sure that Americans are protected. But I–
Niloo: [interrupts] Can I say something about that though? [Niki: Yes!] That was an authority that was handed to the NSA by Congress. So if we are mad at anyone, we should be mad at the folks who gave that authority, not the folks who exercised the authority, right? They were just doing what they were being asked to do. Even then, by the way, there's this misconception that, what happened when we talk about surveillance is suddenly the NSA was listening in on everyone's conversation. They weren’t!
Niki: I definitely am one of these people who, whenever I hear a click on my phone, I think, oh, the poor person who’s listening to my conversations [both laugh] about Meghan Markle or whatever.
Niloo: [interjects] Well, so, so, what's interesting is that's more likely to be Russians or Chinese [Niki: Ah] than it is to be, to be the U.S. And in fact, as we talk about cyber crime, when we talk about cyber espionage, so you look at SolarWinds and the Microsoft Exchange hacks that happen. We have a blind spot on U.S. infrastructure, right? So we don't have surveillance authorities on U.S. infrastructure. Our law enforcement authorities on U.S. infrastructure are pretty limited. So, if you were an adversary, what infrastructure are you going to use to launch your attacks? Foreign infrastructure where NSA has surveillance authority? Or U.S. infrastructure, where our intelligence community doesn't have surveillance authority? You're going to use U.S. infrastructure.
So, these attacks that were launched that we're hearing about, for the most, part are using U.S. infrastructure.
At some point we are going to have to make, we're going to have to get into a real debate about security versus privacy. And if we want to improve our defense posture- And there's some talk of moving to this concept of a collective defense, right? Where, we're not, each organization isn't defending itself at its perimeter and inside its network, but we're starting to defend the network at the nodes [Niki: mm-hmm]. At the content distribution nodes, throughout the internet. Well, to do that, we need to be able to see the traffic that's going on through those nodes. There's going to be a trade off. Like, are we going to do that? Are we not going to do that? How do the authorities need to be changed in order to enable that? And is it, is it worth it or not? But there is, y’know, we have one perspective on privacy. Europe has a different one and China has a very different concept on privacy.
Niki: Right, right! Although they do have this sort of fake law where they say they care about their consumer privacy.
Niloo: China has never cared about consumer privacy.
Niki: I know! And it's amazing because–
Niloo: 10,000 years of history [Niki: Right] and I know the only thing that matters is the central government.
Niki: Right. And the surveillance–
Niloo: And the, the individual does not matter in China. It never has it never will.
Niki: Maybe Facebook is partly to blame that we're surveilling everyone and then sending them ads. But it's sort of missing the broader point [Niloo: Right], which is we're being surveilled by these other countries. And they are then understanding our psyche and for relatively low dollars turning us against each other.
Niloo: Right. Well, and also let's understand, you know, Amazon might be tracking us to make better recommendations in terms of what we're buying. That's one sort of set of trade offs versus what China is doing: committing two simultaneous genocides against the Uyghur population and the Tibetans. They've now tuned their facial recognition algorithms to spot Uyghur women so that they can,--and it's just, it's absolutely horrifying and perverse.
And by the way, this is another place where we have this strange decision point in front of us, right? When it comes to climate change versus human rights. China makes 70% of the solar panels in the world, and they're mostly made with slave labor in Uyghur internment camps. Do we purchase solar?
Niki: Oh no! I was just thinking I was going to purchase solar panels.
Niloo: Right! [Niki: Okay] Do you purchase solar panels knowing that most solar panels are made by slave labor? Or do we wait to change that supply chain? [Niki: Right!] And we've got to change the supply chain.
Niki: And this it's true also, I mean, I know everybody loves their Teslas, their Tessie's, but the lithium batteries. The largest lithium mines in the world are in Afghanistan. [Niloo: Right] So, okay, so we'll end on that!
Niloo: No- let’s not end on that! Can we end on a positive note?
Niki: We're, we’re not going to end on how your solar panels and your Tesla actually, this [Niloo: laughs] you know, reliant on, sort of, yes. Okay! We'll end on something else. What are you optimistic about?
Niloo: Well, first of all, I have ultimate faith in the indomitable human spirit. [chuckles] And as hard as these problems are, they've come at us super fast. As we shine a light on them, which we have to do, really smart people will, will start engineering solutions. I have faith in humanity. I have faith in democracy. I do think we're on a precipice and time's not on our side.
But if enough people wake up and care about this, we can solve the problem. These aren't, y’know, we're not trying to reinvent the laws of physics here. Right? [Niki: Right!] There are solutions to each of these problems. It's just about the willpower to enact them and having both legislative willpower and business willpower to do the right thing.
And our businesses have to do the right thing too. It's just, the time to just create products without thinking about the security ramifications is over. We have to think about security. We have to think about vulnerable populations when we design technology, right? Not just about, y’know, the top 1% and what their use of the technology is going to be but as it goes to the rest of the world, how we can make sure it's not used against them and that it's used for positive outcomes. And you know, and I, and I, do think that the new generation of entrepreneurs is thinking that way. So again, we just need to keep shining a light on it. We need to wake America up [Niki: mm-hmm] to the reality of this strategic competition that's taking place in cyberspace, and that we really do have adversaries there.
You know, people talk about you know, you need to wait for a cyber Pearl Harbor. Well, it's actually happening from my perspective, we have a distributed cyber Pearl Harbor happening. There's so much coming at us from so many dimensions. It's time to wake up. [Niki: Yep] And take action.
Niki: So, we will end on Niloo sending out the Bat signal [Niloo: laughs] and you've walked, you've walked the talk. So, you left a cushy venture capital LA lifestyle to move to Washington, to work on these issues and work a lot harder on, with probably less pay, and so you've done it. And now you're sending out a bat signal. We need more people to come and work on this.
Niloo: D.C.’s great. Come on over. I–
Niki: I love DC. I do. I think it's a great city. Come join us. [Niloo: Exactly!] Thank you so much for coming on today.
Niloo: Thank you for having me. It was fun.
Niki: Next week I’ll be joined in the studio by disinformation campaign expert Camille François who will explain what the heck is a troll farm, how do they recruit, and how do they operate. Be sure to follow Tech’ed Up wherever you get your podcasts. New episodes come out every Thursday and video content is available on YouTube. The link is in the show notes.