Edward Amoroso: Hi! For those of you who are joining, we're getting ready to start in
a couple of minutes. We've got a
wonderful guest here, Randy Milch. We'll
give you another 30 seconds or so to hop
on. Looks like a number of people joining,
so once we see the rate level off then
we'll get started. Thanks for spending
some time with us today and we'll get
started shortly, thanks.
So Randy, I usually use the popcorn algorithm for deciding when to start: I watch the participants, and when it looks like the popcorn's popping a little bit less frequently, then we go ahead and get started.
Looks like still a few people joining, but why don't we go ahead and get started. We've got a 30-minute period here and I want people to have a chance to get to know you and to learn from you.
Let me just intro by saying you've had an amazing, distinguished career. I've long admired your work and I love the fact that we can work together now at NYU. You have so many titles at NYU, I don't even know where to start. But you're the co-chair of the Center for Cybersecurity where I work, essentially my boss there. You and I both work really hard on the cybersecurity risk and strategy program; that's something I know that you're very passionate about and we spend a lot of time on. You know, I think most people also know that you spent many years over at Verizon as the general counsel and working public policy, so that certainly colors your career. I want to thank you for taking a half an hour and spending time with a lot of students and prospective students here, and I really appreciate you making some time.
Randy: It's, I hope you can hear me, yeah, a real pleasure, and it's always a pleasure to do anything with you because you bring such a huge swath of information and knowledge to the problem that I always end up learning boatloads. So I'm very appreciative of the opportunity.
Edward: Well, we're gonna try and learn from you today, see if we can pick your brain on a bunch of different things, but first our favorite thing to start with is maybe to have you tell us a little bit about yourself, maybe your journey to some positions that people could only dream to reach. What were some of the things that got you there? Tell us a little bit about your career and your journey.
Randy: You know, everyone's journey is a little bit different, and in my own, you're looking at a guy who, when he got out of college, was absolutely positive he never wanted to be a lawyer.
The only job I could find after the Reagan Revolution in 1980 was as a paralegal, and about six months into being a paralegal I looked around and saw lawyers earning ten times what I was earning. I was earning the princely sum of fourteen thousand dollars a year, and they were earning ten times that, and they certainly didn't seem to have a corner on knowledge. I went to my boss and I said, "What's with this pay disparity?" He said, "You need the sheepskin, buddy; if you want to earn lawyer money, you should go be a lawyer." So I went to law school. I was a litigator for quite some time. I was in private practice, became a partner at a law firm, and one day got a call from the then-Bell Atlantic. This was in 1993, and I thought, oh my god, I just landed this huge client, my life is made. Fortunately or unfortunately, the answer from Bell Atlantic was, "No, we want you to litigate a case that's too important to entrust to someone who's on the outside. You have to quit your partnership and come work in-house for us." Luckily, I have a very wise wife who said, there are issues you've always had with being in private practice, and I do have issues with private practice. It just doesn't really make any sense as a business model, so instead go in-house. It turned out to be a great decision. You remember back in those days, 1993, it was just the dawn of the deregulatory boom, and somehow I ended up with that as a little bit of a lift under my wings. Bell Atlantic became Verizon and I eventually became general counsel, and eventually cybersecurity fell into my ambit because I was the guy who went to the CEO in 2008 and said, you know, we're being lucky and not good. We need to do something about this. And the CEO did what CEOs usually do, which was simply to say, "You brought it up, you fix it." So that's how I ended up with cybersecurity back in 2008, when it was a little less sexy in the outside world. It was sexy for those people working it, but it was a little less sexy in the outside world back in 2008.
Edward: So, what was the big sort of trigger in 2008 that caused you to go to the boss and say, "Oh, we've got an issue"? Was it one thing, or was it some growing number of things that crossed some threshold?
Randy: It was really a growing number of things, you know, and it's really important to listen to the people who work with you. I had a lawyer, when I became general counsel, and he had been in and out of my group at various times. He was the guy who I entrusted, and who had previously been entrusted, with negotiating the IT contracts, right, the new massive contracts that Verizon had with IBM and all these massive IT contracts, and he had a CS degree and had a master's in CS. He came to me and said, "You know, we just spent a billion dollars on this contract and we have no security. We're inherently insecure." I said, "Really? We're not buying security with the contract? I mean, we're paying them so much money," and he said, "No, that's not the way it works." So that was like [mind-blown gesture], okay. I went on a deep dive with him, for a month, where he schooled me on cybersecurity and what the problem was, and once I cracked the code... I know just enough telecom engineering to be dangerous, because I'd litigated it for years during the deregulatory days. I like to say that I've been lied to by more engineers than almost any person in the United States. All the time. I was litigating how we got into long-distance, so we had to break apart the network and put it back together and give it to people, and the OS associated with it. Once I figured out what we were looking at and how fractured we were, you know. Verizon had a legacy landline business; we had an exponentially growing wireless business, which of course thought it was the cat's meow on every issue. We had our international business, right. We were so disjointed; we had marketing that had servers with marketing agencies. We had salespeople that, every time someone wanted a server, they called up the IT department and the IT department would give them a server and they'd stick it in a closet somewhere. At a company the size of Verizon, just figuring out what your landscape looks like is a huge job, so that's what happened. When I figured it out, in the sense of not as you would figure it out but as a lay person, it just scared the hell out of me, so that's why I went to the CEO.
Edward: That makes perfect sense. Now I'm gonna ask you a question that you're uniquely qualified to give some thoughts on, but this kind of thing a lot of people ponder and don't really know what to do about: the nation-state. I'm pretty sure that when you first started looking at this, in a way you probably had the team explaining, and you probably knew already, that it wasn't just hackers but it was big, scary nation-states coming at a private company. Now, with everything you know about the law and certainly cyber, I mean you and I work together, it's sort of that intermingling of policy and law and cyber. What's the deal with this? I mean, in just about every other aspect of our world, like if bombers came and dropped bombs on Verizon, you guys would be screaming for the military to help and they would come. Why is it... and this is an open-ended question, I don't know the answer to this one, so I don't expect that you have the answer in a box somewhere, but I'm just curious, when you think about that, given your experience and your vantage point, what's the right thing for us to think about here when nation-states are going after private companies?
Randy: Yeah, it's a very complicated question, as you would imagine, so I tend to break it down into a few steps, just for ease of trying to keep track of it and trying to come up with a sort of systematic way to think about it. You know, it's to everyone's benefit to have a concept of when you call in the military that is limited in some respect, right. You don't want military action taken at every insult, at every minor thing that might happen, and so much of what happens in the world, in the scheme of what a nation-state would do to a private company, there are lots of gradations about what we're talking about here. We're not talking about the equivalent of dropping a bomb on a central office and destroying property and lives all the time, so there's a wide variation. It's in everyone's interest to sort of take a deep breath and not call everything an act of war, which would tend to get the juices flowing and demand some set of responses. It's to everyone's benefit to have a gray area, in other words, to have an area that's between some sort of cyber action that would cripple multiple waterworks and lead to death, and a cyber action where it could be simply espionage, right. Espionage is not necessarily a bad thing; it tends to let the party that's spying on the other party get some better ideas about what their intentions are, which frequently means you're not going to go to war, right. You have a better idea what's happening, you can respond in different ways. So, I tend to favor a high bar on what is an act of war. I tend to think that, you know, there's a lot of theft that goes on. A very principal item that we have, of course, with the Chinese state cyber efforts is theft of IP. There are ways to combat that. The truth of the matter is, the United States is a hugely IP-rich country that develops so much stuff; where else are they going to go to steal stuff if not come to us? We're the ones who have it. So I tend to sort of think that we've got to have gradations. I tend to sort of think that some of the theory that's come about recently about forward positioning on other folks' networks by the government is probably a good idea; it sort of fills a little bit of that gap. You know, this is still something very much in development. I think, and you probably share this feeling, the last thing a private company with massive networks wants to do is, say, call in the government and say, come help me. I mean, that would send shivers down your spine. As you're running AT&T's networks and the Secret Service shows up, or Homeland Security shows up and says, let me tell you how to do this. You wouldn't. No way!
Edward: That might require a couple of packs of Tums for them when that happens. But, you know, one of the topics that our master's students debate all the time, and that we talk to them about, are kind of the legal consequences when these things happen, right. When there's, like, a compliance framework that lays out something that might have, you know, say, post-attack incident response requirements, and there could even be some punitive damages if, you know, a lot of credentials are lost. What do you think there? And again, this is giving people a little window into the kinds of things that we talk about with our students, but it always feels, for me as a former CISO, I always felt like we got beat up and maybe even got fired when we were involved in a fight that may not have been fair from the beginning, you know. It seems unfair somehow.
Randy: Of course, we both know that life's unfair and it's particularly unfair, which doesn't mean they shouldn't become CISOs, because I think that they have an unbelievable opportunity to affect the way we deal with things. It's a very important job that I heartily recommend the best people go do. It's commonplace in cybersecurity to say that a lot of our regulators... and we have a very weird regulatory scheme here in the United States that we like to poke fun at, and whether it's the best one, it's probably not the best one; whether it's better than others is a different question than whether it's the best one. But, you know, there's a common theme that what the regulators really like to do, after a cyber event, is go on the field of battle and shoot the wounded. I mean, that's one way to think about what the regulators do, and it's a little bit what you're saying, you know: the businesses get beat up immensely after the fact, they're pretty much forced to settle at very high prices. Actual injury is a much different concept. If you look at actual injury from many breaches, the really high-value injury, where someone's identity is stolen and it's really difficult to get that back and the like, is a relatively small percentage of what happens in most cases. This whole question of the best way for our whole regulatory scheme... I like to think of regulatory as all of the rules of general application, of specific application, ranging from lawsuits to corporate rules to whatever, all forming pressures on entities that will push them one way or the other in their cybersecurity posture. The corporations are like any other entity; it's largely a corporate problem in the United States, but it's also a government problem, obviously, which has its own set of issues. But you've got to look at the incentives, and the incentives are hugely varied, and trying to figure out what the right incentives are, to tell a company you need to invest more in cybersecurity, is pretty difficult because there's lots of countervailing pressures on companies that are important.
Edward: I'm gonna want to ask in a couple minutes about your work at NYU and what attracted you to academia, but before that I can't resist asking a couple of questions about Washington. More about the trends, like, you've had a broad perspective over a number of different, say, administrations. Are the people there, are they kind of getting it better, or are they attracting maybe better people to the government, or any other trends? I know you and I see a lot of federal government employees coming to our programs. It seems like a lot of them are recognizing the importance of cyber, but I'm curious if you think, whether you're optimistic, that the folks that quote-unquote work in positions in Washington understand cybersecurity and related policy issues, or if you think maybe it's getting worse. I'm interested in what you say.
Randy: I might also be interested in what you think. I think, from what I can tell, we have been able to attract to the core cyber positions, the core sort of policy positions and the core sort of investigatory and regulatory positions in DHS, in NSA and a few other places, good people. I admire those people; they work really hard, and I think that they by and large get it, and they by and large get it because many of them have had a lot of varied experiences. Part of the problem we face when we talk about government, and we talk about regulation in particular, is that folks whose only job has been in the government have a particular outlook about the way the rest of the world is supposed to react to government, and they have relatively little understanding of what makes the rest of the economy tick, right, as a general matter. But if you have people with differing experiences coming in and going out, that's very valuable, because I think that they need to understand the object of their regulation. What is it that's gonna make a company do the right thing? So, other than simply saying we're gonna fine the bejesus out of you, right, I mean, that's one way to get attention, but it's usually not the best way to get attention. I think as you go outward, every agency is supposed to have its own cyber posture, right, its own CISO. Those CISOs don't report to the head CISO of the government; they report into somebody. I always pick on the Small Business Administration. I don't know why; I assume that it's a great place with great people, but the notion that the CISO of the Small Business Administration, who reports to the head of the Small Business Administration, is going to be able to do a job that's the same as at a bigger finance agency that's going to care about it a little more, I tend to
have my doubts. Organizational structure and those things are all very important. And by the way, that was not a dig at the CISO of the Small Business Administration, who for all I know is tremendous.
Edward: But I think you're right. I sense that in surgical sorts of positions, where you need someone at CISA or at one of these agencies where you've got an important capability, they seem better to me than they were ten years ago, twenty years ago. They're very capable, better trained, and, you know, they're underpaid and overworked; they take a lot of grief. So I'm pretty optimistic when I look at the people who are experts, but what worries me is I think there's still a general malaise amongst, say, members of Congress, who seem still not to get it; still a lot of Luddite conversation. You and I have both had the experience that often, when you pass through that trust gauntlet, where the staffers decide they're going to trust you and you get access to that senator or congressman and they want to talk cyber, you realize how little they understand. It's all quite shocking to me, and that's as true in 2020 as it was 20 years ago. So I think we've got a lot of work to do, and maybe that brings me to your present career. I mean, is that maybe one of the things that attracted you to come back to NYU, to help train the next generation of leaders? Because we don't train kids in our program, we train people who are practitioners. Okay, tell us about what attracted you to academia.
Randy: So, you know,
it's interesting, because actually the master's program that you and I both work on, that I think we both feel very passionate about, which has just, I think, worked really well to attract professionals in for an additional degree that they get over the course of a year: if you trace the origins back, it goes back to 2016, the year after I came back to NYU. When I came back to NYU, there were only two things I wanted to talk about: one is cybersecurity and the other is national security, because my own view is that telecom law shouldn't exist. And everyone said, "Oh, you tell us about telecom law," and I said, "I don't want to talk about that, it shouldn't even exist." So I was asked if I would teach a cybersecurity course, and I said only if I can do it with a professor from Tandon, because in the real world lawyers don't solve cybersecurity problems and engineers don't solve cybersecurity problems; they fix them together, right? If there's a crisis, the teams come together. And my vision, my idea was, if I can find someone at Tandon to teach this with me, we could get engineering students and law students in the same class and teach them together, and make sure we try to raise the literacy level for both. And that's what turned into the master's program. So, you know, I think that getting that training, it's become sort of a labor of love. I really enjoy the interaction we have. You know, we have such talented people coming in that, heck, they could teach the class, right? And our job sort of turns into funneling their expertise in particular ways, so they make sure they explore all the issues that they're going to cover, right. So, you know, I think that it really was the attraction of being able to do this together with both law and engineering at the same time, which, by the way, is sort of the secret sauce that we have at NYU that you really don't find many other places.
Edward: Yeah,
right. I mean, I've looked at the master's programs, the straight sort of master's of cybersecurity programs from engineering schools, and I can't find one where, when you get your master's in cyber, you're actually required to take a policy or law course, right? So I'll tell you, when I first found out about the program, Nasir Memon called and said we need somebody to do the intro summer course last year, and when I saw the student mix I was terrified in the beginning. Wow, this is not the usual gearhead engineers that I can get in front of and we can go through stuff; these are people who have some pretty impressive positions. And it was an experience last year; I'm doing it again this summer and I love it, because I know that the conversations in many cases are just as good as the lectures. Sometimes I prepare a lecture and I get through 20% of it because they're so... right, you're staying in a conversation that goes on, and it's really quite interesting. So now that you've been kind of embedded in all of this, I want to ask you just a general question about education generally, what you and I and others have talked a lot about, like this idea of continuous, like lifelong sort of learning. What do you think about... and I know you've talked about this a lot, this idea that you and I, when we went to school, you put four years in, you popped out, and there's your education. Then you go to law school; I went and did my computer science, where you did that and you were done. That seemed the way you did it when we did education; then you went and got a job, you know, that was it, you did good in school. It seems like the world has changed, hasn't it? Like it's not this "you do education, then you do something else"; there's this idea of lifelong learning. I'm curious what you think about that, whether if you were back at Verizon, you know, or I was back at AT&T, yeah, I have a feeling those would be topics that would be pretty, you know, top of mind. And I'm curious what you think now, from your vantage point, about this idea of lifelong commitment to learning.
Randy: Yeah, you know, it's interesting,
because I think we both had the experience, I know I did as a lawyer, of the requirement for continuing legal education in order to keep your skills up, right? And for years it was a joke. I mean, close your eyes, totally roll your eyes, yeah. Oh, you go to a conference somewhere and you'd sit in a panel, or you sit in the room for the morning, then you're expected to go play golf or something in the afternoon, right? And it was ludicrous, right. And then when I became responsible for 400 lawyers at Verizon, and I saw what, you know... I said, okay, now I'm really responsible for this, I said we're not doing this this way anymore. You know, no more golf, right? It's not happening anymore. So I do think that the thing that's great is the business that has grown up around being able to allow you to continually learn, right? These boxes that we're talking into are the most spectacular learning tool if it's done well, right? Your Coursera courses, the stuff we're doing, I mean, they're so easy to learn from. And I think that it's the synergy you get, because this has turned out to be right now... and there's plenty of crap online, right? There's plenty of stuff that is hard to understand, it's not taught well, it assumes stuff that people don't know, and all sorts of things. But the good stuff online is so good, is so clear, is such a great way to, you know, improve your skills, that I'm all for it. I think that it's an opportunity that everyone ought to be taking advantage of.
Edward: That's
gonna pass along to you but I'm kid is
asking it is a great question it's
asking for those of us who are engineers
count me one of them what can we do to
help lawyers better understand
cybersecurity there's some things we
should be doing and I'll sort of upend
my own point do you think we should be
changing the way we describe things or
do you think maybe we should do
something different what do you think I
think that it mostly is about, honest-to-goodness, it's about intention more than anything else, because I can't tell you the number of times in my experience as a working lawyer with engineers, if the engineer felt threatened in the situation, you immediately got into engineering gobbledygook and there was no intention to try to help. The same thing was true the other way, by the way: if the lawyer felt threatened in the situation, all of a sudden it was lawyer gobbledygook and nothing succeeded. So really the most important thing that an engineer could do is want to help, to want to help a lawyer get to a place, right, get to understand, get to a place, and be incredibly open and honest and be willing to say the same thing three times, because the first two times didn't make any sense to the lawyer. In my experience, having mixed classes of engineers and lawyers in the class, it's a lot easier to teach an engineer about law and policy than it is to teach a lawyer about engineering, simply because most of the engineers I've met are very smart, they're very ordered, they, you know, absorb the rules, they go logically along, which is about 80% of being a lawyer. The other side, the lawyers, a lot of them became lawyers because they were scared of math, right, so they tend to freeze up when someone starts, you know, leading them through the logic tree that you need to do for some aspects of cyber. So I think that engineers actually in many ways can contribute a lot to this, because, you know, the only thing they're gonna lack in the legal training is they're not going to get legal judgment, right. In order to get legal judgment, you have to make a lot of legal mistakes and learn from them, and you're just not going to have that process. So I think the engineers can be a great effort if what they believe they need to do is help the lawyers along, so that the lawyers, instead of being dogmatic about what the legal rule is, get the benefit of the technology to understand how to move everyone forward. And that's the critical item.
Edward: You know,
Daniel is asking, is there a good way for lawyers to become less fearful of the technology?
Randy: I think our program is one example of that. I think
education probably is not a terrible idea for working with, you know... I think it's a great... I think that, you know, there's lots of stuff out there about cyber. Some of it's very repetitive, and some of it's really about privacy, which is different than cyber in my view, but there are great classes out there, there are master's courses, there's stuff online that is very clear. You know, starting to get the grounding of how a computer works, and stuff like that, is critical; how networks work. You don't need to do all the math in order to get a reasonable working knowledge about what you're talking about, right? You'll never be an engineer, but understanding how networks work and how the protocols work sort of tells you right away, oh my god, we have a problem here that's embedded in the internet, we better think about it, as you know, we better move along and think about it some other way. So I think that going online and looking for things like your Coursera courses or our master's degree course really will help a lawyer gain literacy that will make them a much more useful partner to the engineers in the company and the other folks in the company as they try to struggle with the incredible question of how much money are we going to spend on cybersecurity, which is the tough question.
Edward: Well, I'll tell you what,
Randy, I think I could sit for four hours and listen to you. We should probably get you your own podcast here, and that's your share. But I, on behalf of all of us listening, all the participants, I want to thank you for, you know, answering some tricky questions, and a couple of those questions I think were answered maybe better than I've ever heard before, certainly the gray area; I love that concept, that is right on the money. So I hope that, for those of you listening, I know there are a lot of prospective students here, I hope they'll consider our program. To them: we'd love to have you. Randy, I think you and I are both, you know, northeasterners; I think there's some nice advantages to New York City and Brooklyn and to the Northeast. I hope people come by and visit us and stop by and say hello to you as well.
Randy: That would be a pleasure, and Ed, thank you very much for having me on. Anytime you want to talk, I'm here for you.
Edward: Well,
we're gonna do another batch later in the year; we'll probably bring you back for part two. I think there's so much more to talk about. Great, have a good one, everyone. Thanks, everyone, we'll see you later.
