Paul Rosenzweig On How Trump’s Policies Will Transform Silicon Valley

To some, President Trump’s travel ban is morally questionable and bad for business but according to cybersecurity expert Paul Rosenzweig, there are bigger problems lurking, especially for the tech industry.

Rosenzweig, founder of Red Branch Consulting, a homeland security consultancy, and former policy wonk in the Department of Homeland Security, says the bigger risk is in the ending of premium processing for H-1B visas – which will slow innovation in Silicon Valley. Until now, companies could pay to have a visa for a highly skilled worker processed in just 15 days, rather than wait the typical four to six months. “That’s going to put a significant crimp in the development cycle, because there just aren’t going to be the horses to do it,” Rosenzweig said during an interview for the A Step Ahead podcast.

Another problem weighing on Rosenzweig is the recent WikiLeaks CIA bombshell that showed that the CIA, as well as the Russian and Chinese governments, among others, are working to exploit vulnerabilities in consumer products. That means hardware and software development in the Valley will have to shift focus. Developers will have to use what Rosenzweig calls “defensive developing,” with the expectation that products will be placed under assault.

“It’s a sea change,” Rosenzweig says. “The product cycle has been all about the rush to market and functionality.”

Like what you hear? Subscribe to A Step Ahead on iTunes.

A Step Ahead: Paul Rosenzweig

Cyber security is on everyone’s mind these days with the release of the news from WikiLeaks about the CIA hacking. Today on A Step Ahead, we spend time talking to an expert who’s worked in the private sector, but also with the Department of Homeland Security post 9/11. He understands the issues and the implications for Silicon Valley. Thanks for tuning in.

Welcome to the A Step Ahead podcast. I’m Mike Montgomery, the Executive Director of CALinnovates. Today I am joined by cyber security expert Paul Rosenzweig, who is the founder of Red Branch Consulting and a contributor at the Lawfare Blog. Paul, thanks for joining us today.

Paul Rosenzweig: Thanks a lot for having me, Mike. It’s great to be here.

Absolutely. Let’s kick this off with some non-controversial issues, like for instance the travel ban. Silicon Valley is probably safe to say about 99.9% against the travel ban. What are your thought on the ban and its affect on innovation?

Answering the second part of that first, as to the affect on innovation, I think the ban is less likely to be significant than something else that happened in the last week or so, which was the end of premium processing of H1B visas. H1B visas are the visas that are extended to experts, things like computer engineers from India, for example. That is the source of much of the talent, not all of it, but a lot of the talent that resides in Silicon Valley, and expedited processing that would bring somebody in in 15 days instead of four months or six months…that’s gone away now as part of revamping the vetting process. That’s going to put a significant crimp in the development cycles in the valley, because they just won’t have the horses to do it.

As to the actual ban itself, the one that’s targeted at six Arab countries now is not going to have a real effect on innovation. I’m sure there were a few engineers from those countries who can’t get here now, but the major effect there is going to be on collateral effects on American business abroad and American image abroad. It’s much harder to sell your product when people don’t like America. People like America a lot less when we’re being mean to the rest of the world. There you go.

Right. Paul Rosenzweig is joining us today, you have standing on this, because you worked at the Department of Homeland Security post 9/11. You understand the politics in the countries that we’re talking about in great depth, right? When you look at this travel ban versus what America has been since its founding, which has been a place of openness and inclusion, and you’re looking at it through a Silicon Valley perspective—which is that different insights and abilities to take risk have driven the innovation cycle, that message that’s being sent out to the rest of the world is not very positive. Is that right?

I think that’s right. As a homeland security guy, I’m all for valuable security, but this is painting with a broad brush. My idea of security is individuated concern and suspicion, developing information about particular people so that we know that Mike has traveled to the FATA and spent six months there. We don’t know what he did, but we can assume he took training. Now he’s back here, and his Facebook posts are all jihad this and jihad that. That’s a good reason to be worried about Mike. This is all hypothetical, by the way, with the hopes…

Thank you. Thank you, Paul. NSA, if you’re listening, this is all hypothetical.

Right. That’s the way to do security. The way to not do security is to pick essentially six countries and paint with a broad brush and tar everybody that wants to come here from there as if they were terrorists, especially when the six countries we’ve picked are not the ones that the greatest terrorist threats originate from. Notable by their absence from the list are Pakistan, Saudi Arabia, where 11 of the 19 9/11 terrorists came from. We have not had a significant influx of terrorists from Yemen. In fact, the Department of Homeland Security’s intelligence analysis unit put out a report that was disavowed by the Trump administration in which it said basically there’s no correlation between these geographic regions and terrorist threats.

What’s driving the creation of these lists? Who’s on it? Who’s off? What’s the thought process there?

It’s hard for me to say, obviously. If I knew president Trump’s thought processes precisely, I’d be making a lot more money than I am right now. They’re small countries that we can essentially bully. We didn’t pick on Saudi Arabia because we need their oil. We didn’t pick on Pakistan, because we need their help in fighting Al Qaeda and other insurgents in the FATA and in Afghanistan. What we did do is we picked on either people we really don’t like at all, like Iran, or people who can’t respond very sensibly like Yemen. That’s my guess.

Yeah. Okay. That probably leaves out the idea of homegrown terrorists as well, correct?

Oh yeah, right. Leave aside the fact that 80% of the attacks that we’ve seen lately in the US are people who are here legally or have been here for years or were born here and self-radicalized or internet radicalized.

Yeah. All of this does have an effect on American society. I know that I think the general feeling in California is that focus and productivity has probably been a little bit down since inauguration. Personal safety fears are up. That has an economic effect on the country as well.

I think that’s right. The psychological effect I’m sure in places that didn’t vote for Trump, people are kind of like me, confused and depressed. On the other hand, we do have to recognize that 60 million of our fellow citizens voted for the man, 61 million. That’s a pretty big number of people who are happy. That reflects their concerns, many of which are tied to this immigration ban not in any real sense of homeland security threats, but in a more broad based sense of kind of loss of identity, loss of jobs, that sort of thing. Again, I can’t speak for them, but their concerns are not any less real simply because you and I can’t relate to them as well as we might.

Got it. Let’s pivot here to talking about the news that broke earlier this week from WikiLeaks regarding the CIA’s programs. Can you tell us for our listeners on A Step Ahead what they should know, what kind of the general synopsis of the issue is? Why is this a big deal? Why did this come out, and what should we know?

It’s a big deal for two reasons. The narrow technical one is that it demonstrates that the CIA, and by inference, lots of other nations are visibly engaged in finding vulnerabilities in consumer products to the advantage of governments. I have no doubt that anything that the CIA learned, probably the Russians and the Chinese learned, plus a number of others that they’ve learned that we haven’t found ourselves yet. The significance there is really that people who are developing hardware and software in the valley are increasingly going to have to engage in what I call defensive development, that is developing products, software, hardware, applications, whatever, with the expectation that outsiders will place them under assault. That’s a sea change change. Product cycles right now are all about rush to market, functionality, minimum functionality sorts of things. Now that may have to change some.

The second broader piece of this is simply a reflection of the fact that American interests, or perhaps more broadly, western interests, are really under assault right now. WikiLeaks is engaged in program of trying to tear down the western governmental system, whether it’s because they’re anarchists or because they’re in the pockets of the Russians I’ll leave for others to decide, but we’re not responding very well. We have not found a way of keeping secrets. We have not found a way of publicly justifying what governments do. Maybe some of your listeners think that it’s unjustifiable, and they’re rooting WikiLeaks on. For me, at least, I think that eroding that kind of governmental trust is going to be bad across the board for all of us.

The idea of information sharing has been one that’s been bandied about, and it seems that the government is in favor of tech companies sharing information. Does it appear to you that this WikiLeaks leak will…you talk about eroding trust. Will it erode trust between private entities and government agencies?

I think that’s inevitable. The WikiLeaks leak, the fact that president Trump has no real friends in the valley, except for Peter Thiel. I don’t know if you saw today, but he named his new cyber security advisor, the national cyber security advisor is a man who used to be head of the Tailored Access Office at the NSA, so a guy whose main job was breaking into systems is now the head of cyber security. That’s not going to play very well in the valley, at least I wouldn’t think it would. I think we’re in for a difficult patch of time where there’s going to be increasingly greater tension between tech developers in California and Washington policy makers.

You don’t like the phrase cyber war. You have a different phrase for it, right? What do you call it?

I prefer conflict, cyber conflict, cyber context.

Cyber conflict.

The reason is simply that if it’s war, that means that it’s also legal to add bombs and tanks and send them in as well. I sort of tend to think that we should limit that description to real incidents where people are getting shot at. If a bunch of baby electrons are dying, that’s not quite the same thing.

I got it. So a virus is not akin to a drone blast, per se.

Not unless the virus blows up the generator at the dam by causing it to overheat or something like that.


That’s possible, right?

Yeah. Is cyber conflict the next attack plane? If so, what does that look like for the innovation community?

Oh, I think that’s really what we’re experiencing. The CIA that we were just discussing, the information operations that are being run by Russia in an effort to influence the American election, now the French and the German elect, and the Czech elections as well. Those are all part and parcel of what I call conflict. I don’t want to minimize them. They’re extremely serious and significant incidents. You might even think that they’re more important, because eroding trust in democracy is a lot worse than blowing up a dam in a lot of ways. That’s the plane at which conflict is happening now. It’s much more shadowy. It’s much more difficult to attribute things. It’s got a lot of deniability. One of my favorite things out of the CIA hack, not really favorite in the sense of I like it is that Sean Hannity is now saying that he thinks that this proves that the CIA are the ones who hacked the Democratic National Committee and tried to frame the Russians.

Which is possible.

Let’s start with it would be vastly illegal, because the CIA is not chartered to examine the conduct of any American, much less political opponent, politicians. It’s highly improbable, since of course it means that the Obama CIA was trying to hack Hillary Clinton, Obama’s hand-chosen successor. Then of course it’s nonsensical, because they then released it to ensure the election of Donald Trump, who they apparently hate now. They were working to elect Donald Trump? It makes no sense at all, but there’s enough uncertainty in this domain that some conspiracy theorists on the far right are going to give this credence.

This sounds almost silly to even ask you this question, but can there be ethics for nations around hacking each other?

There might be. The development we call the norms rather than ethics, norms of behavior that governments would abide by, we try and develop them, and I could imagine a few of them maybe taking hold, for example, not destroying the domain name system so that all look-ups couldn’t work. That would be kind of like critical infrastructure for the world that governments might get around to declaring off limits. The major problem with this is not the inability to identify norms with other governments, because at bottom, the Chinese and the Russians are rational. They’re not into blowing up the world.

The problem is that cyber is a democratizing instrument of power so that the norms would also have to be ones that you would be confident that all the small actors, the non-state actors, like the WikiLeaks’s and the Anonymous’s and the LulzSec’s and the Al Qaeda’s and the Earth Liberatin Front’s would also honor. Fundamentally, many of those non-state actors are not rational in the same sense that the nation states are rational. They might just decide that destroying the global financial system would be great, because we could go back to the barter economy when the means of production were in the hands of the working man. I’ve just made that up.

Isn’t that what Mr. Robot tried to do?

Yeah, exactly. You could sort of imagine somebody like that. Imagine a real Mr. Robot with a lot of capability, and ask yourself would he ever abide by norms, even if the US, China, Russia, Germany, Israel, France, Iran, Saudi Arabia, and South Africa agreed to them? The answer is, well, no.

That seems like that’s why it kind of almost sounds like a silly question, because why would you agree to ground rules if this is cyber, if you even escalate it, just for a second escalate it to warfare, why should there be rules? That makes it difficult.

That makes it very, very difficult.

You’re listening to the A Step Ahead podcast. Mike Montgomery here with the founder of Red Branch Consulting, Paul Rosenzweig who is one of the leading cyber security experts in the entire world. We’re lucky to have you on today, Paul. We really are. We’re talking about a guy who is with the Department of Homeland Security, has seen and heard and experienced things that the rest of us will hopefully never have to see or experience, but your role has been to keep people safe, keep the country safe, to keep us safe and secure. There’s this phrase that keeps coming up called the vulnerabilities equities process, the VEP. What is that, and why should Silicon Valley know what that means?

That’s a great question. Silicon Valley knows what vulnerabilities are. There are zero day vulnerabilities in new operating systems or new attack vectors through new applications, all that sort of thing. Sometimes those vulnerabilities are discovered not by malicious actors in Russia, but by the United States government. The question that the vulnerabilities equities process asks is should the US government hoard those vulnerabilities and use them for its own purposes in foreign intelligence, or should it disclose those vulnerabilities to the manufacturers, the tech industry in the valley so that the valley can patch those holes?

Almost all of the CIA’s vulnerability attacks that we just learned about are ones that might have been disclosed back to the original hardware or software manufacturer in the first instance. If they had done that, then the manufacturer might have patched that, in which case the CIA would not have been able to use them to spy on the Russians, for example. The equities process is kind of weighing that in the balance, deciding which ones to disclose back to the manufacturers, which ones to save for a rainy day. According to the Obama White House, about 90% of what we discover we disclose back to the balance. Of course, the flip of that means that there’s 10% we keep.

That 10% is a pretty heavy thumb on the scale, though.

Well, it depends on your viewpoint on how good the government is at measuring that, those equities, whether or not there’s greater utility in them. A famous example is the FBI famously wanted into Apple’s iPhone about a year and a half ago. Apple said no. The FBI bought a vulnerability from somebody, the press says it was an Israeli hacker, and used it to break into the phone, at which point Apple said, “Could you tell us about that so we can fix it and close it up?” The FBI politely said, “Go pound sand.” Actually, they didn’t quite say that, but they said, “You wouldn’t help us, dudes. Yeah, we’re not helping you.” That vulnerability will age out, because it was in the iPhone 4 and 5, and we’re up to the 6 now. It clearly is not going to be a long-term value to the FBI, but that was kind of the equity process that the FBI went through. One of the pieces of the equity process was, “You’re not helping us. Why would we help you?” Which seems a little childish, but also seems understandable.

I guess so. When you think about the vulnerabilities that could be patched by US companies, in some instances these vulnerabilities are threatening to the US economy and US productivity. It seems, in some instances, that the CIA got the espionage part of this right, but perhaps they got a lot of the rest of it wrong. Do you agree with that or not?

I think that’s quite plausible. I certainly know that that was true with a lot of the vulnerabilities that Snowden was famous for releasing. If I were the valley and I had one ask about the vulnerabilities equities process, it would be to make sure that somebody with their interest in mind is at the table pitching. They want in themselves, but they’re never going to get in, because it’s a government thing. It should be the Department of Commerce, NCIA, Office of Science and Technology Policy, there’s a whole bunch of people who are on the technology innovation development side who need to be heard in this process, whose voices need to be part of the discussion.

Are you somebody who can help these companies be heard?

Yes. Send them to me, Red Branch Consulting. Yeah. That’s what I try and do for a living. One of my great frustrations, frankly, with the valley, especially with the small entrepreneurial innovators is that they don’t understand enough about Washington, and they don’t think it matters to them. I get the focus. They’re about getting out version one of the greatest next thing, but the lack of insight into Washington and the lack of concern for it is unfortunately…I have a phrase. I will use it. You know what an alpha predator is?


Alpha predator, top of the food chain, the shark. Washington is the alpha predator in the policy world. The small entrepreneurs in the valley spend most of their time believing that Washington is irrelevant to them. Most of the time they’re right until they’re wrong, until Washington cuts off their computer engineers, or mandates backdoors and encryption, or puts together a vulnerability equity process that does not include the equities of small and medium size developers who are trying to break into the market and dearly would love to know about mistakes in their code so that they can make better a product. That’s what the valley is missing, I think.

Yeah, and I think you’re right. Some people get that. The problem is it’s almost like life insurance, right?

Exactly. Nobody wants it or even has insurance. If you’re 25, you don’t go with it, because you figure I’m invulnerable.


Then you die.

Exactly. I think that’s a really good point that you make. You got to have a seat at the table. Some of the challenge is a lot of these smaller companies, the startups, will ride the coattails of larger companies because they can’t afford it, or they don’t have the knowledge base to work with an advocacy group like CALinnovates or an advisory group like Red Branch Consulting. I think we do play a valuable role in bringing those voices to the table.

I think that’s essential, and frankly I get the idea of slipstreaming in the wake of the big boys, but the small innovator and big boys are not always on the same page. They may be sometimes, but encryption is a great example. The big boys don’t want encryption, but if they have to do it, they’ll just change the code when they can afford to. If you’re a small guy who’s been building encryption into the middle of your product and all of a sudden you get a mandate to put in a backdoor, that’s 12 months of runway that you just lost.

Yeah, which is life and death.

Yeah, and so you’re dead. For Microsoft, it’s a pain in the ass. For Apple, it’s a product hit. For your average next startup, it’s the end of life.

What can happen here? Can there be a lawful hacking regime with rules put in place by Congress?

I think there has to be. Whether there should be or not, I don’t know, but there has to be, because if not, there’s only going to be unlawful hacking. We need to find some way of building a system where people who want to be in a position to defend themselves can do so in a way that is lawful without becoming the wrong side of the law right away. That’s an essential part of the puzzle. It might not be necessary if we could find a way to clamp down on hacking altogether, but that’s just not going to happen, right?

Right. Paul, there’s a theory out there that it’s not just the CIA that’s doing work like this, but it’s also the NSA and the Department of Justice. If that is the case, why would the United States have three different agencies spending time and resources doing the same thing three times over?

That’s a great question, but I think that the answer is we believe in separation of functionality as a way of protecting liberty. The FBI operates domestically. The NSA and CIA operate overseas. We hope that we can constrain them to just operating overseas so that we never unleash them. The FBI is focused exclusively on criminal activity, and it’s subject to the restrictions of judges with warrants and probably cause requirements. The NSA and CIA, they don’t have rules. There’s no American law that makes it a crime to hack a Russian Samsung TV. In fact, that’s what we want them to do. We have more than $50 billion in budget to get them to be able to do that. Traditionally, the NSA has been focused on signals intelligence, so they were communications, and the CIA has been focused on personal individual human intelligence. Now with the development of bring your own device, small devices, those two are sort of converging. The CIA and the NSA are starting to have digital overlap. That needs to be worked out, but their separation is historically a valid one as well.

Okay. Then what’s the optimal path forward on cyber from the perspective of the innovation economy?

I think the first step is be informed. Don’t live in your little bubble. I’m about to start a monthly newsletter. If you want in, send me an email. Send it.

Sign me up.

Yeah, okay. I will.

Where can we send that? Where can we find you right now? Let’s talk about that.

Okay, it’s All one word. It’s Paul.Rosenzweig, R-O-S-E-N-Z-W-E-I-G @redbranchconsulting. Send me an email. Sign up. I’m shooting for monthly now, just bringing Washington to the valley. Right now it’s free. Eventually maybe someday I’ll charge for it, but we’ll see about that. It’s something I just started a little while ago for this very reason, that innovative people don’t know what’s happening.

Right. People want a path forward. They want to know that there is a tactical path forward for them. What does that generally look like? If you could pull out your paintbrush and kind of paint that with words here right now, how would you do that?

After awareness comes action. My action items I think would be engagement with Congress and the executive branch about the issues that are closest to them. If you are interested in encryption because a change in encryption law will destroy your company, what we talk about in the newsletter is there’s a comment period. Put your word in. Say this is what…talk to your congressmen. Write an op-ed for a local newspaper. Write an op-ed for one of the trade magazines that does this. Write an op-ed for the CALinnovates newsletter, right?

There you go.

Something like that. All of those things are eminently plausible and ways of going forward. The most important thing besides awareness and engagement is kind of organization. Right now, the entrepreneur community is diffuse. They don’t do this. They need to, frankly, join CALinnovates or something like that. Sorry, had to do the plug.

Thank you.

It’s true. If you’re a small entrepreneur, you don’t have the wherewithal to do all this yourself, but you need somebody who’s looking at what’s happening in Sacramento and what’s happening in Washington to give you an alert if there’s something that really needs your attention, tracks legislation for you, warns you that a regulation is coming that’s going to destroy your business model. This is how it is. The last step, of course, is eventually when you get big enough to afford it, put your money where your mouth is, and start buying ads, making political contributions, that sort of thing. Eventually that’s where you have to go.

Right. You and I have had a few conversations about agile methods and 18F. I think this is one of your favorite things to talk about lately. Can you tell us about agile methods and 18F and why that matters for the innovation community?

Sure. This is exactly one of the things that people on the west coast ought to be aware of is happening on the east coast. Most of your listeners probably know what agile methods are. They’re a quick agile method of software and hardware development that trots out new functionalities one at a time. We go from version 1.1.1 to 1.1.2. If 1.1.2 doesn’t work, we back up, and then we go to 1.1.3. It doesn’t have 1.2. It’s modular. It’s supple. It changes quickly. It’s short on documentation, long on deploying functionality quickly, and it’s absolutely not how Washington works. Washington works by something we call the waterfall method, where they sit up at the top and they spend two years thinking about their requirements, then they do two more years of design, two more years of development, two more years of implementation and testing, and then eight years later they trot out an entire program that can do everything, but is so out of date that nothing is left on it. Instead of saving the feedback and comments pain for later, they make sure that that’s in there, too, but which time the entire program is dead.

18F was an innovation of the Obama administration to bring Agile methods to software development in the federal government. They were started in the wake of the website disaster. President Obama sent up a flare to his friends in Silicon Valley and said, “Send me some people with chops here who know what they’re doing and bring them to Washington to help me fix that.” They fixed that, and they did some really good work on the Veteran’s Administration’s website and systems, the US Citizenship and Immigration services, which is in the process of digitizing all of its records that are still paper files from the 1800s. That’s a huge project, and it needs a lot of Agility in its development. They’re working on that. They did some work for FIMA in quicker responses to emergency measures. Great stuff, but along the way, what they did was they used their west coast methodology. They used off-the-shelf technology. They stinted on documentation, frankly.

The General Services Administration, which is the main provider of services through the government came in, and the inspector general just wrote a scathing report in which it said, “You’re using unauthorized software on federal systems.” That really sounds bad, doesn’t it? I wouldn’t want anybody to use unauthorized software on a federal system, because that might be insecure, except that it’s not. What they meant was that they were using common, off-the-shelf technology like Hootsuite and Pingdom, which half the websites in the world use to monitor their performances. That was what they were critiqued for.

Interesting. Let me ask you a quick question.

Yeah, so what’s…sure.

The CIA probably has a way in on many of those programs anyway, and other nation states do as well, right?

That’s true, but I don’t think there’s any evidence that Pingdom is less secure than an in-house developed web program.

It’s likely more secure, right?

Right, because it’s got 700,000 users in 22 countries, including Facebook and Spotify. I happened to look that up the other day. If there was a problem, these guys would have found it. Somebody would have reported it last year, and they’d have fixed it, right?


That’s how the real world of development works in California, and frankly in Silicon Valley and the Silicon Corridor in Boston and in Virginia. That’s not how the US government works. The US government is a no-defect, audit everything system that destroys you if you don’t check every box, but checking the box is not security. What is security is what works.

What’s the future of 18F?

In doubt right now, under assault by the GFA Inspector General. A couple of really bad press pieces in the DC Press, which we designed to take them down, more sophisticated people like me are trying to boost them up. This is a precise instance in which people from Silicon Valley who understand this ought to be calling back to anybody they know in Washington and saying, “Look, get real. This is good stuff. Don’t let the federal bureaucracy kill innovation with its rigid checklist methodologies, otherwise these federal IT systems are never going to be up to speed. They’re always going to be two generations behind and incapable of supporting innovative technology. This is precisely one of those things that people need to talk about.

You’re right, the idea of modernization is very important. Being antiquated is bad for the citizenry, it’s probably bad for security, and it’s not very efficient. I think from the sounds of it, we can get behind the 18F movement, and it sounds like something that should continue.

I think so. I have no dog in this fight. I don’t know anybody at 18F. I got a lot of nice notes from people recently because I wrote something about it, but it’s easy to see that if you understand how the valley works, but this is not how Washington works, but it should be.

Yeah, it should be. It seems like there’s a lot of debate about that right now on a number of issues across the country. I think that the products that are being developed and the platforms that are being developed in Silicon Valley affect the country and the world mostly in very positive ways. The thought process is there, and I think that the administration needs to consider the fact that a lot of these products and platforms and services are being developed by immigrants. To come full circle here, Paul, it seems a little bit short-sighted to slam the door when we, at least out here in California, believe that Silicon Valley is one of the strongest aspects of the U.S. economy. We need to do everything we can to help move that forward, whether that’s expedited processing of H1Bs or just simply more H1Bs rather than less or no expediting.

We need to supercharge the innovation economy. We need to supercharge the workforce. We probably need to work on educating the workforce better at a younger age so that we can fill more of those jobs. We should be inclusive. We should be welcoming, and we need to do everything we can at this point in time to support innovation. I think it all really ties together quite nicely with a bow. There is interplay between private sector and government. We get that, but when there are things like what the CIA has done that could affect companies and could affect startups, one vulnerability could ruin a startup. There’s no retribution. There’s nothing. You can’t go sue the CIA for not disclosing or putting this before the VEP. We’ve got a long ways to go, I think.

I agree completely. It really strikes me that at a very fundamental level there’s a lack of understanding of how innovation happens in Washington. That’s something that has to change, or it will never get it right.

Yeah. Those are words of wisdom from Paul Rosenzweig, the founder of Red Branch Consulting. You can also find him on the Lawfare Blog. You write quite often, I think. It looks like maybe even weekly, right?



Probably at least. Whenever something happens. Blogging is like that.

Yeah, and something seems to be happening pretty often these days. Paul, thanks for joining us on A Step Ahead. It’s been a pleasure to talk with you, and I hope that we can expect you back when other things happen in the cyber and the security world. Then we can work them out and talk them through and help our listeners understand what’s going on.

I would love to come back any time you invite me.


Thanks for having me on.

Absolutely. For our listeners, look up Red Branch Consulting and Paul Rosenzweig. He is a cyber security expert, and maybe he can be yours. Thanks for listening, everyone.