(upbeat music) - [Interviewer] If you were to start from scratch, rebuilding someone's data security protocol, what are some things that you feel absolutely need to be in place? - So one of the things that we're working on right now is what does it look like to actually build these systems knowing that somebody is always trying to break in or attack? These systems were designed from a premise of almost utopia, of like, people are all good, the intent is good.
It wasn't really thought about like, well, how's a bad person going to abuse this? How are people gonna break it? So we have to rethink that paradigm. One of the things that is in there is this question of when you're building one of these products, of actually going through what's called a red teaming exercise, which is saying, okay, let's pretend we're the bad guys and let's see what happens. There's a version of this that companies do right now, which is called bug bounty programs, and a bug bounty program is you say, hey, let's invite people to come in and attack us, and if they can break in, we give them a bit of money for their efforts.
So, we set up a version of this, by the way, at the Pentagon, and we asked, hey, let's go get some of the best hackers out there. If you want to come and try to attack the Pentagon, come on at it, see if you can hack the Pentagon. The program was literally called Hack the Pentagon. To which you can imagine what the lawyers first said, is you want to hack the Pentagon, and you want to invite the world to hack the Pentagon? We said yes, and so the first answer was like, well, if you invite these people to hack the Pentagon, then the bad guys are gonna go figure out how to hack the Pentagon.
Well, the answer obviously is they already know. So we got this program off the ground with Secretary Carter, and guess how long it took for the first vulnerability to be filed? Minutes, about 13, 17 minutes. Well, one of the people who filed six vulnerabilities was this kid who literally was taking a break from studying for his AP, his advanced placement computer science exam, took a break, and was like, hey, I wonder if I could break into the Pentagon.
And found six holes. So how does this happen? Well, you have one system talking to the other system, updates, you've got these layers and layers. Some systems are really old, some are new. They don't necessarily know how to talk, so you've got this patchwork, and that patchwork is invisible. It's sort of hidden in digital layers. And so the only way we know right now is to invite people in to say, hey, look, did you find something? And this is a paradigm that's taking off.
But there's a broader point in what you're saying, is we don't even know what data we're giving up. You know, in the terms of service, you get this long, giant legalese. It's not really helping you explain. You don't get to say well, maybe this, maybe not that. We haven't had that discussion of what appropriate use is. We're starting to, because rules are being put in place by certain countries. The EU has what's called GDPR, California has just passed a ruling, but more of that's happening, but that's a discussion that is coming pretty late in the process.