Alex Gounares (Founder and CEO of Polyverse) on the Fundamental Economics of Cybersecurity

Business Today (Grace Hong): Your career has spanned across leadership positions at a variety of technology companies. What have been the greatest changes you’ve observed in the tech landscape since the start of your career?

Alex Gounares: When I started my career, it was 1989. The number of changes since then is dramatic. I started at Los Alamos National Laboratory, and one of the computing systems I would program was a Cray supercomputer. In those days, those cost thirty million in 1989 dollars. Today, everyone carries around a cell phone, with more computing power than the biggest computer in existence when I started. It’s just amazing how Moore’s Law has come true and how we’ve been impacted.

BT: You’ve also been at Microsoft and AOL, which are two corporate tech companies. Can you talk about your work there?

AG: At Microsoft, I did a number of things; I was primarily an engineer. I worked on the typing code on Windows, so any place you typed in Windows—typing with text, copy and paste, drag and drop—that’s a lot of the code I worked on. A lot of times I worked on something that billions of people would use, and if you think about it, somebody had to write that code. That was a very rewarding part about working in the tech space because you’re writing code that’s being used by hundreds of millions of people. 

At the end of my tenure at Microsoft, I was Bill Gates’ technology advisor, and I worked with the CTO on Microsoft’s online services division. At AOL, I was CTO there, leading all of the engineering of the company.

BT: How did you shift to startups and eventually found your own? Why was the motivation to focus on cybersecurity versus any other industry or product?

AG: I’ve always been more of an entrepreneurial guy. I actually created my first startup while I was a student at Princeton. I can tell you that it is very hard to balance a startup with getting good grades, and the work at Princeton was quite demanding! I’ve always had that entrepreneurial gene throughout my life, and if anything, an aberration would’ve been my years at Microsoft. I worked on a lot of different things during my time there; it was definitely a good experience in my life. 

With respect to cybersecurity and the company I’m doing now, it was actually born out of the failure of my previous company. One of the things about being an entrepreneur is that you have to be willing to try new things and learn from old things. Sometimes, things don’t work; you may misjudge the market or miss the timing. For any number of reasons, you may fail to succeed. With my previous company, Concurix, we failed to get any meaningful revenue traction, even though the technology was quite compelling. As we were working on Concurix and realized there was trouble with its business, we asked our customers: “Why don’t you pay us?” or “What kind of products would you pay for?” There are lots of opportunities to learn how to fix a business if you ask. The one consistent thing we heard back was “What do you have in terms of security?” That was their top priority: cybersecurity, which is a huge and pressing concern. So we started working on the problem of cybersecurity, and out of that was born Polyverse.

 It’s one of those things where you shouldn’t be afraid to try something new and fail because oftentimes the best learnings come from when you fail. We would not have created Polyverse if we had not failed with Concurix.

BT: What are the greatest threats in the realm of cybersecurity?*

AG: Let me give you an unusual answer, based on economics. If you take a step back and you think about cybersecurity in a more fundamental manner, we live in a crazy world where people are using cyberattacks for everything from disrupting businesses to stealing data like in the Equifax breach to a cold cyberwar between nation-states. You can say data theft is the biggest issue, or privacy is the biggest issue, or protecting the US military access is the most important issue.

Those are all very significant issues, but when you get to the fundamentals, you have to ask the question: why are cyberattacks so pervasive? The answer is a combination of two sources. One, everything is getting computerized. Even your refrigerator these days, or your dishwasher, has a chip connecting it to the Internet. Some of these features are kind of handy, but all those connected devices mean that everything needs to be secure.

I mentioned cybersecurity is an economic problem. There’s a fundamental challenge in protecting all these computer systems, and that challenge is a monoculture. Imagine if every human had the same DNA. If we were all clones of each other as a species, we would have been wiped out ages ago. We would not have made it so far, but it’s our genetic diversity as a species that gives us resilience. We’ve had horrible things like the Black Plague, but it didn’t kill everybody because diversity gives us strength.

Now consider computers, there’s a lot of homogeneity. You’re either running Windows or Linux or Mac. There’s not a lot of different systems. As a cyberattacker, if I look at Windows and I find a bug, I could take over a billion computers. The break-one take-one-billion economics of cyberattacks greatly favor the attacker, and a result, you see an entire industry of companies that specialize in different aspects of creating cyberattacks and taking over computers. 

Until we solve those economics, we’re going to face a lot of challenges. It’s provable by Alan Turing’s Halting Problem theorem that every computer system will have bugs. If you have bugs, you are exploitable. We can make it more reliable, but we can’t eliminate every bug. The solution to cybersecurity is to know we cannot change the bugs, but can we change the payoff. How many computers can you take over with one exploit? If it’s break-once, run once for cyberattacks, we can change the game dramatically.

BT: How would you say Polyverse tackles the economics of cybersecurity?

AG: What we do is make every computer system unique at the binary level. We literally change the one’s and zero’s in the system, so it still operates the same and performs the same, and the legitimate user cannot tell the difference. However, all the underlying binary code has shifted around, so it’s unique for every system. By doing that, we’re essentially changing the DNA. For the attackers, they need to know very specific data about the system they’re trying to hack. They need to know exactly where that credit card information is if they’re trying to steal credit card information. If we move it into someplace different in every computer, attackers don’t know where to go. Now, the attackers need to individually hack every computer they’re going after. Instead of being able to create one attack to take over all computers, you’ve got to get a hold of a computer, analyze it, and spend sometimes millions of dollars to create an attack, and then you can take over the computer you just analyzed, but you can’t take over the next computer. Creating fundamental resilience to attacks in this manner is the core of what we do.

BT: I read about the Moving Target Defense system that is being used within Polyverse, so that’s quite interesting too.

AG: Exactly, everything I’ve just described is related to the concept Moving Target Defense; that’s the umbrella term in the industry for this approach. There’s a lot of great work going on in this space from a number of different companies.

 BT: In January, Polyverse donated its subscriptions to open source communities. In addition, Polyverse has supported making the Common Vulnerabilities and Exposures database more accessible to open source communities. How do you maintain your competitive edge while collaborating in the cybersecurity industry? Is it more necessary to have collaboration in this space due to the magnitude of the problem in cybersecurity, or is it important to prioritize competitiveness?

 AG: A bit of both, and I look at the landscape a bit differently than being composed of solely cooperation or competition. The simple reality is that cybersecurity as an overall topic is bigger than any one company. Polyverse can’t do it all by itself, and even Microsoft can’t do it all by itself because there are more technology pieces than any one individual company. By definition, there needs to be cooperation and compatibility across a wide number of companies. Yes, we compete, but what we really compete for is customers' attention. I can say choose Polyverse because we work incredibly well with other cybersecurity vendors, and we have great partners like MicroFocus, which is the world’s largest independent cybersecurity company. With Polyverse, we bring something to the market that is complementary and additive to what they do. As long as you have a product that creates value and makes the world a better place, then you have a business opportunity. We solve a major class of cyberattacks out there, and we do something unique that others don’t do. 

BT: How do you think cybersecurity companies work differently with private groups versus the federal government? What responsibility of cybersecurity should be tackled by the private vs public sector?

AG: I think there are two major roles in play here. It doesn’t matter whether you’re a Democrat or Republican; fundamentally, we all live in a democratic government with an economic system of capitalism—that's the foundation of America. With that foundational principle, by definition, we look to private industry to drive innovation and technological improvements and create the products and services we have today. That’s the definition - it’s privately driven, and it’s not a state-driven economy. 

That said, even in a democratic and capitalist society, the government plays a pivotal role. They’re essentially the rulemaker and create the rules and guidelines which we all operate.  If you want a good example, consider the concept of product liability. Right now, we have the legal concept of product liability. I assume you drove to university, and you were able to do that because the car that you drove had brakes, lights, and blinkers that worked. If the car were defective, the manufacturer would be sued. It doesn’t mean that all cars are perfect, but generally speaking, automobile manufacturers are held to certain standards and have to do a good job. If there is an issue, they have to go through a recall and that entire process.

The reason why we have that system in place is because we have laws written by the government such as product liability laws and the ability to do civil lawsuits. That judicial and regulatory framework put in place by the government not only helps drive innovation but provides for the greater good for automobile safety.

One of the greater questions we actively discuss with legislators and others is should we have the same thing for cybersecurity? The practical matter is that there is almost no liability for cybersecurity breaches, and software vendors can sell products even when they know of serious cybersecurity issues. They don’t get sued for it because there’s no law holding them accountable. What if you could sue these companies for cybersecurity liabilities? What would happen then? That’s one of the big questions that’s being debated now—should companies like Equifax be held accountable for cybersecurity? There’s a lot of pros and cons, and it’s very difficult to specify exactly what you want to have happen if you answer yes. We do want better security in our computer systems, but we also don’t want to stifle innovation.  The challenge is to find a framework that both encourages improved cybersecurity while encouraging innovation.

 BT: Is there any piece of advice you’d like to share with undergraduates?

Don’t be afraid to fail. Push yourself and try new things. Sometimes it’ll work, and sometimes it won’t. Sometimes you may succeed, and sometimes you may not succeed. The only time when you truly fail is when you don’t learn. Take the class that’s too hard; if you have a business idea, try it and see what happens. You might just make it or might lose a bunch of time, but you really have very little to lose.

*Asked by Benedict Neo of Inti International College Subang