The Internet Might Kill Us All

My friend Ben Horowitz and I debated the tech bubble in The Economist. An abridged version of this post was the “closing” statement to Ben’s rebuttal comments. Part 1 is here and Part 2 here.  The full version is below.

It’s been fun debating the question, “Are we in a tech bubble?” with my colleague Ben Horowitz. Ben and his partner Marc Andreessen (the founder of Netscape and author of the first commercial web browser on the Internet) are the definition of Smart Money. Their firm, Andreessen/Horowtiz, has been prescient enough to invest in social networks, consumer and mobile applications and the cloud long before others. They understood the ubiquity, pervasiveness and ultimate profitability of these startups and doubled-down on their investments.

My closing arguments are below. I’ve followed them with a few observations about the Internet that may help frame the scope of the debate.

Are we in the beginnings of a tech bubble – yes.
Prices for both private and public tech valuations exceed any rational valuation to their current worth. In 5 to 10 years most of them will be worth a fraction of their IPO price.  A few will be worth much, much more.

Is this tech bubble as broad as the 1995-2000 bubble – no.
While labeled the “” bubble, valuations went crazy across a wide range of technology sectors including telecommunications, enterprise software and biotech, not just the Internet.

Are tech bubbles necessarily bad – no.
A bubble is simply the redistribution of wealth from Marks to the Smart Money and Promoters. I hypothesize that unlike bubbles in other sectors  – tulips, Florida land prices, housing, financial – tech bubbles create lasting value. They finance companies that invest in new technologies, new ideas and new products. And it appears that at least in Silicon Valley, a larger percentage of money made in the last tech bubble is recirculated back into investments into the next generation of tech startups.

While most of the social networks, cloud computing, web and mobile app companies we see today will fail, a few will literally remake our lives.

Here are two views how.

The Internet May Liberate Us
In the last year, we’ve seen Social Networks enable new forms of peaceful revolution. To date, the results of Twitter and Facebook are more visible on the Arab Street than Wall Street.

One of the most effective weapons in the Cold War was the mimeograph machine and the VCR. The ability to copy and disseminate banned ideas undermined repressive regimes from Poland to Iran to the Soviet Union.

In the 21st century, authoritarian governments still fear their own people talking to each other and asking questions. When governments shut down Google, Twitter, Facebook, et al, they are building the 21st century equivalent of the Berlin Wall. They are admitting to the world that the forces of oppression can’t stand up to 140 characters of the truth.

When these governments build “homegrown” versions of these apps, the Orwellian prophecy of the Ministry of the Truth lives in each distorted or missing search result. Absent war, these regimes eventually collapse under their own weight. We can help accelerate their demise by building tools which allow people in these denied areas access to the truth.

Yet the same set of tools that will free hundreds of millions of people may end their lives in minutes.

The Internet May Kill Us
The next war will more than likely occur via the Internet. It may be over in minutes. We may be watching the first skirmishes.

In the 20th century, the economies of first-world countries became dependent on a reliable supply of food, water, electricity, transportation and telephone. Part of waging war was destroying that physical infrastructure. (The Combined Bomber Offensive of Germany and occupied Europe during WWII was designed to do just that.)

In the last few years, most first world countries have become dependent on the Internet as one of those critical parts of our infrastructure. We use the net in four different ways: 1) to control the physical infrastructure we built in the 20th century (food, water, electricity, transportation and communications); 2) as the network for our military interconnecting all our warfighting assets, from the mundane of logistics to command and control systems, weapons systems and targeting systems; 3) as commercial assets that exist or can operate only if the net exists including communication tools (email, Facebook, Twitter, etc.) and corporate infrastructure (Cloud storage and apps); 4) for our banking and financial systems.

Every day hackers demonstrate how weak the security of our corporate and government resources are. Stealing millions of credit cards occurs on a regular basis. Yet all of these are simply crimes not acts of war.

The ultimate in asymmetric warfare
In the 20th century, the United States was continually unprepared for an adversary using asymmetric warfare — the Japanese attack on Pearl Harbor, Soviet Anthrax warheads on their ICBMs during the cold war, Vietnam and guerilla warfare, and the 9/11 attacks.

While hacker attacks against banks and commercial institutions make good press, the most troubling portents of the next war were the Stuxnet attack on the Iranian centrifuge facilities, the compromise of the RSA security system and the penetration of American defense contractors. These weren’t Lulz or Anonymous hackers, these were attacks by government military projects with thousands of programmers coordinating their efforts. All had a single goal in mind: to prepare to use the internet to destroy a country without physically killing its people.

Our financial systems (banks, stock market, credit cards, mortgages, etc.) exist as bits.  Your net worth and mine exists because there are financial records that tell us how many “dollars” (or Euros, Yen, etc.) we own. We don’t physically have all that money. It’s simply the sum of the bits in a variety of institutions.

An attack on the United States could begin with the destruction of all those financial records. (A financial institution that can’t stop criminal hackers would have no chance against a military attack to destroy the customer data in their systems. Because security is expensive, hard, and at times not user friendly, the financial services companies have fought any attempt to mandate hardened systems.) Logic bombs planted on those systems will delete all the backups once they’re brought on-line. All of it gone.  Forever.

At the same time, all cloud-based assets, all companies applications and customer data will be attacked and deleted. All of it gone.  Forever.

Major power generating turbines will be attacked the same way Stuxnet worked— over and under-speeding the turbines and rapidly cycling the switching systems until they burn out.  A major portion of our electrical generation capacity will be off-line until replacements can be built. (They are currently built in China.)

Our transportation infrastructure– air traffic control systems, airline reservations, package delivery companies– will be hacked and our GPS infrastructure will be taken down (hacked, jammed or physically attacked.)

While some of our own military systems are hardened, attackers will shut down the soft parts of the military logistics and communications systems. Since our defense contractors have been the targets of some of the latest hacks, our newest weapons systems may not work, or worse if used, may have been reprogrammed to destroy our own assets.

An attacker may try to mask its identity by making the attack appear to come from a different source. With our nation in an unprecedented economic collapse, our ability to retaliate militarily against a nuclear-armed opponent claiming innocence and threatening a response while we face them with unreliable weapons systems could make for a bad day. Our attacker might even offer economic assistance as part of the surrender terms.

These scenarios make the question, “Are we in a tech bubble?” seem a bit ironic.

It Doesn’t Have to Happen
During the Cold War the United States and the Soviet Union faced off with an arsenal of strategic and tactical nuclear weapons large enough to directly kill hundreds of millions of people and plunge the planet in a “Nuclear Winter,” which could have killed billions more. But we didn’t do it. Instead, today the McDonalds in plazas labeled “Revolutionary Square” has been the victory parade for democracy and capitalism.

It may be that we will survive the threat of a Net War like we did the Cold War and that the Internet turns out to be the birth of a new spring for us all.
Listen to the post here Download the Podcast here

15 Responses

  1. and here I thought this post was going to be about the Internet madness surrounding Rep Anthony Wiener’s underwear photos, but this was much more exciting! I can’t wait for the movie version to come out!

  2. […] a bubble of not, then it’s a bubble), (Update: Steve Blank has a great post on this question here). I don’t think it will end in as explosive a decompression as the last one, especially as the […]

  3. This internet-based disaster scenario reads like a great novel. I smell movie deal.

  4. You’ve done a good job explaining a scenario where knowing whether or not we are in a tech bubble seems silly, but I’m not sure that will convince people that we are in a tech bubble (but maybe that we shouldn’t be scared).

  5. At the start of Y2K, a 15 year old kid in Canada took out eBay, Amazon, Yahoo, CNN, Dell, and other industry giants “just for the lulz”, in the parlance of our times. The Internet was not safe for business, and even the largest global carriers struggled to handle the onslaught of DDoS attacks that were fashionable at the time.

    We started Arbor Networks just as the bubble burst, going into the telecom nuclear winter of the early decade (but eventually protecting 80% of all carriers and service providers worldwide, and over $100 million in annual revenue). This wasn’t rocket science (although we were a tech transfer company backed by years of DARPA research) – just coordinated plumbing at a scale never seen before (think of traffic lights at onramps to the 101 and you’ve mostly got the idea 🙂

    Today, the hardest problem in computer security isn’t resource-based denial of service. It’s account takeover, by attackers who have figured out that the easiest path through any door isn’t to pick the lock or break it down, but to simply copy a key or tailgate someone in. Users, not systems, are the new target, and no amount of education or training can defeat a well-executed con (e-mail from a trusted coworker containing an Office attachment, drive-by malware hosted on a major website or ad network, etc.).

    Google, Yahoo, Dow, Adobe, Juniper, RSA, BP, Exxon, Shell, Citibank, Sony, NASDAQ, and countless others have been seriously breached this way in the past year. Traditional perimeter security has been rendered totally impotent by the failure of endpoint security – if your attacker is indistinguishable from a legitimate user (because they’ve 0wned the user’s computer and can impersonate them digitally), it’s game over.

    We’ve always lived with some degree of infrastructure compromise on the Internet (and previously, X.25), but until an open black market emerged for the data gained by illicit access, it was mostly harmless. Zero day exploits are trading on the open market for hundreds of thousands of dollars, with various state actors now the major buyers. Popular open-source projects (arguably critical Internet infrastructure) including Fedora, Apache, MySQL, PHP, Sourceforge, GNU Savannah, BerliOS, WordPress, Atlassian, etc. have been compromised (and in some cases backdoored – DARPA, bring back the CHATS program!). And the so system rots from the inside.

    Bubble or not, anybody can get popped.

  6. It seems the threat is more subtle, though. China wouldn’t bring down America informational infrastucture because no one wants to exchange nukes. But what if it’s a kid from Peru? It’s important to remember, within all the promise of technology: The key to the gates of heaven, is also the key to the gates of hell.

  7. “A bubble is simply the redistribution of wealth from Marks to the Smart Money and Promoters.”
    It is also access to copious amounts of inexpensive capital for the few gazelles that emerge from the bubble, and sometimes the creation of assets (think dark fiber) that provide value to customers and financial return to the vulture investors who pick them up for pennies on the dollar after the fall.

  8. […] Read more at […]

  9. […] The Internet Might Kill Us All « Steve Blank (tags: internet interesting twitter philosophy bubble security) […]

  10. “A bubble is simply the redistribution of wealth from Marks to the Smart Money and Promoters. I hypothesize that unlike bubbles in other sectors  – tulips, Florida land prices, housing, financial – tech bubbles create lasting value.”

    This is pretty much true by definition, since it’s better for society to have Smart Money in charge of investing all that money.

    But this sounds a lot like “God made sheep to be fleeced,” and that similarity suggests these definitions could be challenged a little. Not everyone who gets rich in a bubble is either a smart investor or a good promoter. Some are swindlers, and some are just lucky. Opinions vary about the fraction of these elements, and I have no good numbers, but I know they’re higher than I like.

    And I don’t think it’s good for society to have the wealth of Marks (some of whom, conversely, are really just unlucky) redistributed to people who are lucky or unscrupulous.

    For me, the bottom line is that bubbles create less lasting value than steady, genuine growth… in tech, or in any other sector.

    . png

  11. Great post.

    Dug is absolutely right in saying that our present difficulties in computer security lie not with brute-force flooding of pipes (i.e., DDoS), but rather with targeted, strategic attacks on smaller subsets of systems (think Stux).

    However, I would disagree with the statement “users are the new target”. Indeed, it is far easier to gain access to resources by attacking the users who control those resources. But I think it is far more damaging (and therefore lucrative to the adversaries) to attack infrastructure systems on a wide-scale. People may be the initial entry point of the attack, but I still think the greater target is technology behind our infrastructure.

    Steve, you have addressed the very important point that much of our infrastructure (economic, transportation, military, …) is based on on solid systems operating securely and reliably. Let us call these critical systems. These are the ones that are vulnerable to crippling cyberattacks.

    I posit that our infrastructure should not be based on these systems at all.

    Any critical system should have no connection to the Internet. In fact, it should have no *concept* of the Internet. One might go so far as to say that any critical system should have no I/O with the rest of the world. (Recall that Stuxnet was thought to be propagated initially by USB.) This would help ensure that infrastructure-crippling cyberattacks do not propagate. Though preventing a system from communicating with the outside world will drastically reduce its value in controlling our infrastructure. This is the unfortunate nature of the security-versus-usability problem.

    How do we secure ourselves? Let us hope that we will simply enjoy a “new spring”.

  12. I read your posts religiously it seems, but I’d like to comment here for the first time that I too have gone down the security breach path and what it means to the future of human virtual existence and ironically the panic feeling seems to be synonymous with my reaction to a loss of physical existence. I reflect back on the first time I heard of the internet as a young adult and what comments/opinions were shared at the time, seems they were half right. As a species, humans have this innate ability to ‘insure’ our future existence through various means; medicine, home owners insurance, food supplements…etc. and as in the past, you’re exactly right, we’ll figure out a solution to this potential issue as well. Regardless if/when it occurs. Thanks for sharing your perspective and inner dialogue.

  13. […] While the 1999 bubble left the groundwork and hardware for Web 2.0 to build upon, the (potential) bubble of today will leave behind a vast network and cache of data for startups and entrepreneurs to innovate with. In retrospect, the amass of data is truly astounding. Facebook and Google+ records our photos, status updates, and social interactions with our multiple networks, Twitter captures our minute thoughts, Google captures our search histories, trackers such as FitBit, MyFitnessPal, and Ibwie amass data on our daily eating and exercising habits. The aforementioned does not even begin to discount the amount of data cread as infrastructure ranging from banking to the military become increasingly reliant on the Internet (see Steve Blank’s analysis that the internet is going to kill us all) […]

  14. […] at valuations we have never seen before. Back in June Steve Blank stated that we were seeing the beginning of a bubble but it was not necessarily a bad thing because we see investments in new technologies. Six months […]

  15. Deleting all customer records….

    I have to smile, as I worked in several corporate IT environments I got some experience how the actually look like.

    I doubt that there could be a logical bomb planted that destroys every record, because those IT systems are hugh, enormous complicated and interconnected, they are not secure by design they are secure or robust by unintended obfuscation.

    I do have another concern. As I studied computer science in the 90ties two fields of study was underdeveloped security and user interfaces. Both of them are costing productivity. Especially troubling for me is that the majority of developers does not have the right mindset for UI and security. Both of them are focused on interfaces, how systems are interacting with other systems and people.

    In other words the most developers are too introverted, that is my observation.

    It is difficult to make an insecure system secure, a secure system if the whole architecture of the system has not a security philosophy from the beginning, like Windows.


Leave a Reply

%d bloggers like this: