Cybersecurity: Ray Rothrock


Prepare, Protect, Respond

Fortnightly Magazine - November 1 2019

PUF: You have quite a distinguished background in finance, and on the subject of cybersecurity. Can you talk about that?

Ray Rothrock: I'm an old power engineer. I'm a nuclear engineer from the '70s. I got my undergraduate and graduate degrees in nuclear and went to work for Yankee Atomic. My plant was the Yankee Rowe plant, in Rowe, Massachusetts. In those days, computer codes ran on mainframes. I ran mostly 2-D modelling codes, but during this time we went to 3-D models. Very cool.

Then I moved to California. I decided that computers were the future. Three Mile Island had happened, the industry was laying people off, and it was unclear how it was going to play out.

I stayed in the industry a little longer, but ultimately wound up at Sun Microsystems in California as an application engineer, and Sun was backed by venture capital. There I met the venture capitalist who had backed Sun. I helped write the S-1, and they, and my fiancée, said, you should get an MBA and get in the venture capitalist business, so I did.

In '88 I graduated from Harvard Business School. I went to HBS with the intention of getting into the venture capitalist world. In '88 Venrock picked me up as a young associate. Venrock is the Rockefeller family high tech venture capital arm.

Lawrence Rockefeller, who was living then, was our founder. We are one of the older VC firms. When I got there in '88, it was about computers, networking, and healthcare.

When the Internet took over in the mid-nineties, I wrote a business plan for Venrock saying, we need to go do these things: cybersecurity and directories. Over the next twenty-five years, I led fifty-three investments. We were an early stage investor, so we often did deals that had no revenue but talented people and a good idea. Fifteen of the fifty-three were in cybersecurity.

PUF: Even at that early stage, cybersecurity was on the radar screen?

Ray Rothrock: Yes. Even at Sun we had firewalls for gate control in and out of the network. When the Internet happened, we went from sixty, to six thousand, to six million nodes on the Internet in a matter of years. The concept of having a gate, a control point, the WAN port if you will, as your access to the Internet was essential. It's like the door on your house; you need to have a lock and know who's going and coming.

Firewalls exploded on the scene in '92. There were a dozen companies, and the one I picked to invest in was called Check Point Software based out of Tel Aviv, Israel. Check Point did well, went public and it's still around today worth about twenty billion dollars. I remain on the board of directors.

Ultimately as cyber became crucial to our economy and to our world since the digital revolution was underway, I continued my leadership in the industry. In 2012, I was elected chairman of the National Venture Capital Association in Washington. I spent a lot of time on venture policy, and energy and healthcare.

PUF: You retired, but you seem fairly active with RedSeal. So, did you unretire?

Ray Rothrock: I retired as a professional venture capitalist, meaning I was no longer a partner at Venrock. We had recruited a bunch of new people, there was new stuff happening and frankly I wanted to spend a little more time outside of the day-to-day of investing. But RedSeal was one of my investments in 2004 when I was at Venrock. It was doing fine when I left, but it hit a soft patch, which sometimes happens.

The board called me and said, hey Ray, you were the series A guy here, help us understand if this is worth saving. So, I went in and spent a week. About the same time, literally in parallel with trying to figure out if RedSeal was worth saving, the Target attack was revealed.

The implication of that Target attack was beginning to be written about in the business press. One of the hallmarks of a good investor is good pattern recognition. If you like the pattern, you put a marker out in the future, you bet on it, and if you're lucky, the market catches up with you and you're a winner. In this case, for Target, the question was asked, how in the world did this happen? What pattern was happening?

Here's Target, a Fortune 50 company. It had all the engineers, a big budget, and all of the products several of us invested in. It was a world class organization with great cyber. Yet it had a breach that made headlines across the world with forty million records stolen.

Their stock price got hammered. The management team got fired by the board. In my endeavor to understand what had happened, because I was just as confused as everybody else, it became crystal clear that the malware was already in the network.

The bad guys had figured out how to get in. That starts it. So, if you start with that presumption that the malware is already in your network, we'll talk about how it got there, but if it's already in your network, what are you going to do about it? Your prevention didn't work, and your detection didn't work.

I went to RedSeal because I knew what its technology was capable of. It could become a platform to do this internal assessment and assist with response to an attack. Let's look at where the connections are, where the vulnerabilities are, how the malware can move around, and so on. The board said, great, you're the CEO. My wife said yes to a short gig of two years and here I am five years later.

PUF: It sounds like a main job you do is this scoring or rating of resilience. Do you have a sense of how the energy sector and utilities are doing? The threat seems to be increasing, and what are the priorities for that?

Ray Rothrock: One of the observations that I made in 2016 was, no one was quantifying the threat. No one was quantifying the risk. No one was measuring what the situation is. So, I asked our CTO to come up with measurements. There were some out there, at NERC, but they weren't embedded in software. They weren't able to score automatically.

McKinsey had published a book called, "Beyond Cybersecurity, Protecting Your Digital Business," which was motivational for me. It talked about scoring and remediation. If I can measure it, then I can tell you what's wrong, what's broken, what needs to be improved, and then I can prioritize your risks.

That was a big deal. No one could do that in 2016. Now there are several companies that do it, and it's important. Why? Here's a real-world case. A healthcare organization in my backyard has a modest network, with five hundred routers and a million endpoints. They had five million known measurable vulnerabilities in their network. This is typical. This customer isn't unusual. Where do you start?

When they ran our software, we gave them a run book of how to fix their network and how to make it better. By using this digital resilience score we've come up with, you can watch progress over time. So far, no data exfiltrations. Good for them. A well-run network. If you measure the time and money you invest, you can begin to assign some economic value to this increased resilience. The goal is to shrink the attack surface.

PUF: Given what you've been able to see through this, it seems like it makes the threat more transparent. Are you optimistic or pessimistic about how we're responding to increasing threats and how we can respond going forward?

Ray Rothrock: I'm optimistic because this concept of measuring and scoring your capabilities to either defend against the initial attack, or to recover from an attack, the resilience, is now a boardroom conversation. I have been invited, as a result of my book, "Digital Resilience," published last year, to speak a lot. Morgan Stanley had me as their keynote speaker at their CEO conference. There were five hundred CEOs in a room and I was telling them, you've got a problem and here's how to think about it.

Let's say you're in a room somewhere. That building was built with electrical codes and building codes. If you're in California like me, you've got earthquake codes.

So, the building was built with compliance requirements, and it was inspected as it was being built. The room I'm in has sprinkler systems. Why are there sprinklers in the room? Do I expect the room I'm sitting in to catch on fire?

Would I be sitting here if I thought it was going to catch on fire? No, I wouldn't and you wouldn't either. But we've got a sprinkler system. It's checked every year and tested by the fire department.

We can't predict everything. You don't know what the threat is. I don't know if someone's going to walk in here with a fire-bomb or set my garbage can on fire. I don't know what the threat is, but I know if it's a fire this room will put the fire out. That's the thinking that needs to be used in our digital industry, businesses, and utilities.

PUF: What would you recommend for the leaders of utilities that can have vast operations, maybe across multiple states, and also for regulators? What kinds of questions should they be asking of their organization to assess, are we doing the right things?

Ray Rothrock: Some of these questions have already been asked. A key one is about segmentation, putting things in defined spaces. Segmenting is what we've done since man lived in caves. You're in a room with a door, and a house has doors or a building has doors. Some of these doors are fire doors. They lock and shut. Some of the doors require you to badge an ID so that it knows who went through that door. That's huge.

NERC CIP requires segmentation. It doesn't tell you how to segment. That's for you, the business owner, or operator. You know what's important about your business, or you should. Another question is what matters to us, and what's important to us?

Then, have we digitally segmented the business so that, if a fire starts in compartment A, it doesn't get to compartment B? You put those dividers or firewalls, or routers, with what's called access control information.

NERC CIP requires you, whatever segmentation you pick, to be able to prove it. That's where technology can help, because no human being can test these routers. There are routers and firewalls with hundreds of thousands of rules. No human can read that and understand it. It takes technology. It takes automation. But you can set them up room by room and segment and test.

What's important to an organization like a utility company? It's the access control room. Maybe your alarm system is important. The servers have all this control, all this firewalling. But what if the power supplies do not? The malware can get into a data center and walk along the power supplies. You've got to think like the bad guy, and then you've got to do more. Segmentation is a strategy. And it has served us very well.

PUF: This is an industry that needs to be resilient going forward. The threat keeps evolving. What do you see as the future?

Ray Rothrock: Today, a leader, a CEO or senior management in most companies, is just not cyber savvy. It's no fault of their own, because they didn't have to be. Well, they need to get smart on cyber today.

The government needs to put some teeth into these compliance requirements. The government should be able to do that. You're a company, do you have auditors? Of course, you do. Do they come in once a year and look at your books, make sure everything's good? Yes, they do.

Why don't we have that in our digital world? Our life is so dependent on networks. We have to treat them as if they're our bank account, but we don't. We assume everything's good. There are a lot of simple things that people can do. You can be trained on phishing attacks, and dual factor authentication. But at the end of the day, leadership and government have to take it seriously.

I don't think the federal government's in a position to do much. This is a state issue. In California we have earthquakes, and in Texas we have floods and hurricanes. In New York, we had some floods. The utility already has the mentality of, how can we stay online?

Brien Sheahan, Illinois Commerce Commission: The Regulatory Commission is sort of like the Board of Directors, but the response we often get when we ask questions about cyber is, well, that's classified. So there's this asymmetry in terms of the information we need but can't necessarily get. What should we be thinking about?

Ray Rothrock: That's a good one, and the word asymmetry is the problem. When I was a practicing venture capitalist, I'd have a couple of meetings a year with all my portfolio companies. I tried to invite them to talk about their cyber problems, but their general counsels would never let them.

No one will talk about it because there's a liability issue. But it turns out we have this thing, called Safe Harbor Law and all kinds of ways that we can shield institutions. We can give them cover to come and talk. The City of Los Angeles opened up a citywide response center, where they anonymously collect threat information and other kinds of network data, and they share it among the members. Maybe some forty companies are part of it. You can become a broker of that sharing. It can be done anonymously and probably would have to be.

Second, we've got to get some reporting, you've got to get some measurements. You cannot manage what you do not measure. There are things you can measure that they may not like, but they'll provide: training information, incident information. Why don't you report on cyber attacks? Everybody needs to know this when you're under attack. Have you responded? There are certain things I believe are transparent enough and not threatening enough to get out there. But unless you take that step of demanding some measurement and reporting, I don't think you'd get there.

Brien Sheahan: Regarding NERC CIP, which applies to the transmission assets but doesn't necessarily apply to distribution assets, how do you think about applying something like NERC CIP or some kind of best practices or standards to distribution utilities?

Ray Rothrock: I think you should because they're all connected. A supply chain is only as good as the weakest link. Because if somebody gets attacked and there's malware inside, even a vendor, two or three organizations away from you, that malware can find you.