Cyber Security is a C-Suite Problem, including the CEO

It is more important than ever for the C-suite (most importantly the CEO) to understand and build an information security culture to protect customers and shareholders. To put it more bluntly, it’s more than just an audit of the IT department you conduct once a year. As you read this sentence, customers of Marriott Hotel Group are still recovering from a 300 million user account breach which may have also included passport information. The data aggregation firm Exactis left 340 million records exposed on a publicly available server. In 2016, the Mirai botnet attacked Deutsche Telekom’s routers. At one point, Reuters reported 4.5 percent of DT’s fixed line customers did not have service. You are probably wondering why Cypress River Advisors, a strategy firm, would raise this issue. Traditionally, the boardroom has treated information security as the domain of the CTO. The problem is:

Cybersecurity is a CEO problem, not just a CIO/CTO problem. So what to do about it?

Accept the Reality

We are all affected by asymmetric warfare techniques used by governments and hackers seeking economic gain. Our financial livelihoods and futures are all connected whether we want to be or not. Outsourcing information security may shift some of the liability but at the end of the day, customers will hold you and your brand accountable.

The Basics: the CIA Triad

As markets evolve so does corporate business strategy. The same must apply to a company’s information security posture. Except now, it needs to be factored into your business strategy. You want to leverage cloud computing resources? Checks and balances need to be put into place to ensure updates don’t break the CIA Triad. The CIA (confidentiality, integrity and availability) triad guides management thinking about the deployment and operation of new services. As more products and services incorporate cloud-based components or the Internet of Things, so must your business planning, operations and partnership arrangements. The CIA triad also defines the customer relationship. The consumer, regardless of the terms of service, has an implicit expectation that their data will always be safe and secure.

Threat Models

Today, the attack surfaces stretch far beyond the firewall and anti-virus software. Mobile devices, cloud infrastructure, messaging platforms, your Internet of Things, even your IP-based security cameras are in play as well. Anything that is connected to the internet is fair game, and that includes you and your employees.

Consider the Target compromise. Hackers breached an external vendor that supported Target’s HVAC system via a phishing attack. Phishing is still one of the most popular means to social engineer the weakest link in an organization: humans. People make mistakes. It is in our nature. Using stolen credentials, they gained access to Target’s web systems which were in turn connected to a point-of-sale system. Whoops! Target is now on the hook for $250 million of hack-related expenses.

In a related vein, consider a nightmare scenario. It is not uncommon for a management team to use WhatsApp to communicate with other team members. Breach one messaging account, breach all in the chain. WhatsApp and other social networking messaging software rely on SMS 2-Factor authentication. Last year, NIST, the National Institute of Standards and Technology, the body that creates national-level guidelines, declared SMS-based authentication no longer effective. (I’d provide you the NIST link but apparently due to the shutdown their website is also down. Here is a TechCrunch article that covers the issue.)

Accept the reality your adversary can and will be creative.

Operational Business Practices

Ask your dev team: it is incredibly hard to build in security after the fact. In October 2016, the Mirai botnet attacked the Oracle subsidiary Dyn. Poorly secured IoT devices, specifically DVRs and IP cameras made by an OEM supplier, disrupted internet services on the eastern seaboard of the US. Companies white labeling or incorporating XiongMai Tech’s hardware and software products definitely felt the impact at the bottom line.

My personal nightmare scenario is that a product using biometric security is rushed to market, but the software wasn’t appropriately implemented. Why does that scare me? If someone can successfully hack the endpoint device and recover their biometrics, they have keys to the kingdom. You can’t revoke your fingerprint unless you cut your finger deep enough to scar it. Perish the thought if your voice or eye was used as a biometric authentication factor.

Instilling Culture

How do you solve this problem? It isn’t with more tech.

Information security is fundamentally a people problem. It is not just a software configuration or hardware design issue. Humans are infinitely easier to hack, and hacking them doesn’t require any tech. Kevin Mitnick used social engineering to hack people for years till he got caught.

It is impossible to relegate all infosec responsibilities to just the CIO/CTO.  Information security connects to all aspects of any organization delivering services via the Internet. Implementing ISO certification or PCI-DSS checklists or purchasing a next-generation firewall isn’t enough.

Complete executive sponsorship is critical. It can’t be a witch hunt, it must be incentivized, it must be cultivated, and it must be maintained like any corporate culture.

It is about establishing a company culture and process that cuts across all business operations from the design of your product to your vendors. The truth of the matter is this: if it isn’t a little painful, then you probably aren’t doing enough. Information security takes practice, training, and maintenance to implement right. Your consumers are creating all kinds of data. You may not even be monetizing it. But if you improperly handle it and lose it, you surely will feel it in your brand equity and the bottom line.

If you want to know more

I recommend you take a half hour to watch Morgan Marquis-Boire talk about data contraception. Morgan is a well-known security researcher and is the fellow responsible for protecting journalists at First Look Media. With the number of journalists murdered in 2018, I hope you understand that proper information security is also a life or death matter.

Please contact any one of us at Cypress River Advisors. We are ready to help you in the C-suite come up with a strategy that works for your organization. There are a number of industry groups that are attempting to tackle the issue from different perspectives. From the standards perspective, look to NIST (when the shutdown is over), and the Open Connectivity Foundation standards here. Samsung, Intel, Microsoft, Qualcomm, and a few others participate. From the mobile wireless perspective, the GSMA released their IoT Security Guidelines and self-assessment. Consider CISA or CISSP training for the management team and your staff. (I am a CISSP from the early days of the Internet.) Both programs provide training programs for everyone from the C-suite down to your vendors.

The New Economics of Space

During mid-to-late January, SpaceX will launch the Crew Dragon Spacecraft on a test flight to the ISS. Space used to be the exclusive domain of nation states and the likes of NASA, not anymore. Today, the launch cadence of rockets traveling to space is every other week. What does this mean for the space business and other industries?

The space services business is a 330 billion dollar business where the use of commercial-off-the-shelf parts, miniaturization, and new players bring cost savings such that high schools can send a payload into space. Why is this launch so significant? It is no longer about satellite payloads but about delivering people, and not by NASA but by a private business.

The cost of getting into space

According to NASA, it cost the American taxpayer on average 450 million dollars to send the space shuttle into orbit. For corporations sending broadcast and telecom satellites, depending on the payload and orbit desired, it is roughly one third to two thirds the cost of the space shuttle.

Traditionally (again depending on your payload and orbit), launch costs account for 35-40% of the overall budget. But that is just sending your payload into space.

Satellite builds must handle the huge g-load and shake during the first 8 minutes of launch. This is no small engineering feat. Consequently, satellite build costs account for 50% of the operating budget. There is also a lengthy approval process when acquiring spectrum. No spectrum. No satellite. This adds another five to six percent to the overall cost. Last but not least, insurance costs can equal 10% of overall costs, depending on the failure rate of your launch provider.

SpaceX and a new generation of launch providers

Elon Musk’s goal of re-selling used rockets at a discount has led the launch industry to re-examine its one-time use rocket manufacturing process and its adherence to the cost-plus business model. A thirty percent discount on a 50 million dollar rocket appears attractive. From a capital intensity perspective for SpaceX, launch vehicle reuse is also attractive, provided they continue to manage the risk levels associated with refurbishment and their designs are modular enough to incorporate new technologies to improve performance, notwithstanding the insurance costs.

The re-use of rockets means the launch cadence increases at a lower capital cost. Lower costs are good for any industry that relies on satellite communications or remote sensing. SpaceX has become an effective disruptor to the likes of ROSCOM and ULA. With the Falcon Heavy, SpaceX will reportedly deliver satellites into space at nearly a third of ULA’s costs (look at “Unit Costs” on page 109 of the DoD FY 2018 Air Force budget).

SpaceX isn’t the only new satellite launch player. There are quite a few on the small satellite side. Rocket Lab in New Zealand delivered their first commercial payload of six small sats in November of 2018. But that is not where the money is at.

The new economy

As we previously alluded to, delivering additional sensing capability into space means enabling new services. We asked Chris Stott, CEO of Mansat and Chairman Emeritus of the Space and Satellite Professionals:

Just as 4G enabled the gig-economy, remote sensing from providers like Planet can provide the near real-time geospatial data that farmers, hedge funds and insurance companies need. Three to five-meter resolution imagery can be used to monitor crop health and variations for an agribusiness. A commodities firm can use the same data to predict futures, and so on. With the expectation that the large constellations will be in place within the next ten years, satellite operators will likely become the new telecom operators delivering services directly to you.

Cyber warfare versus Mr. Robot

If you want a sense of what cyber warfare looks like, watch how hackers take over the grid in Ukraine.

Your business is collateral damage. Warfare is not just waged with guns and bombs anymore. It is getting into critical infrastructure, key business services and making civilian life as inconvenient as possible. Your business sits on that battlefield where there are no borders. Keeping your business out of these shenanigans means being prepared and managing risk. That means having an honest conversation about your technological and people vulnerabilities. Endpoint and cloud security are not just the responsibility of your CIO and CTO; they are a CEO and Board responsibility.

Cyberwarfare isn’t executed by script kiddies; these are asymmetric warfare tools used by nation states.

There are no magic bullets. There is no single solution. It is a constantly changing game. You need to invest in people and technology. This is how you enable defense-in-depth. It is hardware, software, processes, and people that ensure you have the ability to mitigate and recover quickly.

Cypress River's Approach to Sustainability

For the last ten years, Cypress River Advisors has navigated the complex market environments on behalf of our global clients. Change is a constant; so is air pollution. Asia is the design, development and production center for the world. As the world factory, pollution has become the norm. More than 80 percent of the people living in urban areas are exposed to air pollution that exceeds WHO limits. We understand this on a very personal basis because Cypress River Advisors employees live and breathe in these megacities. We went to experts like John Spengler, a member of the original Six City Study, at Harvard School of Public Health to understand the health impact.

Our work in the financial technology and communications value chain has given us a first-hand understanding of the massive amounts of electricity and infrastructure required to enable communications and computing. At a macro level, the findings from our research are sobering: Fossil fuels produce eighty percent of the world's energy. The share of fossil fuels is expected to increase globally. Needless to say, our energy choices impact the health of our children, environment, and climate.

As a consequence, over the last several years Cypress River has supported research and development of real-time open-source air and water quality monitoring networks at UC Berkeley, Harvard, University of Michigan, and Taiwan’s Academia Sinica. Our goal is to accelerate the growth of high-density real-time sensing networks to guide timely decision-making on air quality at home and on bad air-quality days.

We also recognize mobility and computing in general unquestionably leave a footprint on the environment. As a result, we have worked with the insurance and mobile recycling industry to embed recycling and reuse of mobile devices as part of a carrier service offering. This not only generates billions in revenue but enables sustainability at scale. Extending the life of mobile devices will help minimize the impact of mining in a world where we will see 20.4 billion IoT devices in 2020.

For a business to thrive in today’s market, its operations must be sustainable. Sustainable does not mean less profitable. Cypress River’s work on the hardware supply chain has seen energy storage as a new source of revenue not only for mobility but at utility scale. Here’s a clip from our interview with Dan Kammen, former White House science advisor.

As we look toward 2019, Cypress River Advisors will continue to work with our clients to create new value sustainably. We work hand-in-hand with the leadership to adapt and refine their market strategy and processes. It is vital that sustainability is included as a business requirement. Why?

Sick customers do not have disposable incomes.

Those of you who have worked with Cypress River know: we want our clients to thrive not just survive. That is the only path to long-term profitability.

Next Generation Lithium-Ion Batteries

Lithium-ion technologies are the most widely used electrochemical energy storage technology today. Last year, it received the bulk of industry’s applied research essentially focused on driving incremental improvements. Venture capital, on the other hand, invested over a half billion dollars into exploring solutions which addressed lithium-ion’s challenges through new chemistries or new technology paths to solve our global energy storage problem. Over the last few months, we have received inquiries on the market progress of those portfolio companies. Through these conversations, we noted an inconsistent understanding of battery technologies and the challenges that the industry faces.

To address this, Cypress River Advisors sat down with William Chueh, a leading material science and engineering researcher at Stanford University and his team of Ph.D.s who are tackling the question: “How to build a better battery?” While there are many different kinds of energy storage systems, the rise of mobile devices has made lithium-ion the incumbent technology today for consumer electronics and electric vehicles. It serves as one of the major benchmarks against which all battery technologies are compared today. We hope that this article and its related videos will give industry observers an initial overall sense of the challenges ahead with different technologies.

The ideal battery

Batteries have been around since the time of Benjamin Franklin. A smartphone battery now packs more power than the single-use electrochemical cells that were once the size of milk jugs. Today, batteries are essential to our modern lifestyles. They power our phones, cars and even homes.

An electrochemical battery is fairly simple in construction. It is composed of a cathode (positive end), an anode (negative end), an electrolyte that serves as a medium to conduct ions and a separator which isolates the electrodes but allows the movement of ions. But what are the characteristics of an ideal battery?

  • High capacity and stable energy output over a long run time

  • High power to run power tools or an electric vehicle motor in the smallest and lightest form factor possible

  • Fast and consistent recharging times

  • Long life and durability

  • Safe usage under wide operating conditions with respect to temperature and humidity

  • Low toxicity during manufacturing and at end of life

  • Affordable source materials and manufacturing process

Unfortunately, no single chemistry delivers all the above desired characteristics simultaneously. The lead-acid battery in your car is impractical for mobile phones but practical as the starter for your Mustang because it can survive a wide range of temperatures; lead-acid batteries are also the ubiquitous, cheap incumbent. Other chemistries, like the vanadium flow battery, are perfect for grid applications because they can store power over a long period of time. But that strength is also a weakness: to store large amounts of stable power, you also need tanks the size of a car. What about the batteries that power our smartphones, tablets and our electric vehicles? (Click here for a recent history of the rechargeable battery.) Lithium-ion (Li-ion) batteries are relatively lightweight and can be recharged thousands of times to power your phone, which makes them perfect for mobile applications, but when damaged they can result in fires. At the end of the day, batteries are optimized for their applications.

Today’s industry focus: lithium-ion. But are there other options?

The bulk of today’s commercial research is largely focused on lithium-ion technologies. It is important to note that there are several variants of Li-ion technology. As we mentioned above, there are many energy storage options available. Several different types of energy storage technology are receiving venture capital attention, i.e. flow batteries, silicon cathodes, sodium sulfide, advanced lead acid, liquid metal batteries and so on. Battery innovators are not only developing new chemistries but also the material structure of the different parts of the battery.

If lithium-ion is so popular, why are venture capitalists interested in new battery types? There are several reasons. The incorporation of renewables into the grid requires a new generation of scalable long-duration batteries to capture surplus power produced during peak periods. Batteries will be key to enabling grid integration and enabling the time shifting of electricity delivery, eliminating the need for inefficient and polluting peaker plants. Also given the recent incidents of lithium-ion batteries in consumer devices (and aircraft), the industry has a significant incentive to explore safer chemistries and battery structures. In a separate article, we will discuss the differences in approach these startups are taking. From the point-of-view of Cypress River Advisors, these are key drivers creating disruption in a battery industry long mired in incremental improvements.

The challenges in the chemistry

What are the challenges in battery chemistry? Ideally, you want a battery that has high coulombic efficiency, in plain English: all the charge put into a battery comes out (subject to resistive losses). You also want stable power output that performs well over a wide range of operating conditions (temperature and humidity). You also want a rechargeable battery that you can cycle over and over. Each new chemistry has its own limitations; the chemistry also informs the kind of packaging and safety requirements for safe operation. All these factors are interrelated and inter-dependent. Needless to say, these are challenging research problems. Let us examine a few of the technical challenges the industry needs to solve.

Energy and Power Density

Energy density is the amount of energy stored in a battery. Increasing the energy density means you get more energy for a given battery size. For example, an electric vehicle can travel farther without increasing the weight. Higher energy density is particularly critical for connected devices where the size of the battery is constrained by the consumer demand for sleeker and thinner designs.

Increasing the energy density of the battery is one of the best ways to decrease cost. The most expensive components of a lithium-ion battery now come from the non-active materials: the current collectors and separators. If you increase the battery’s energy density, fewer of those are needed for a given amount of energy. Take the cathode, for example: both consumer devices (lithium-cobalt oxide) and larger devices like a Tesla electric vehicle (nickel-cobalt-aluminum) use cobalt. In 2016, cobalt per pound was $10.88 USD. At the time of writing this article, the price of cobalt has nearly doubled to around $25 USD per pound. This is all before processing and manufacturing.

That being said, researchers at UC Berkeley and Carnegie Mellon note that costs of lithium-ion batteries continue to decline, despite volatile cobalt and lithium prices. The diversity of material constituents in emerging battery technologies appears to serve as a buffer to material price shocks. Efficient assembly of battery cells and packs and technological learning may be driving costs even lower. It is possible large battery companies like LG and Panasonic cross-subsidize their battery research and development, yet the extent of cross-subsidization remains uncertain. Policy incentives in China to accelerate electric vehicle growth drive demand and subsidize manufacturing costs. The level of subsidies in China and cross-subsidization between companies remains an area of uncertainty leaving the possibility that true costs are not reflected. All things considered, when building a better battery, improving technology performance through energy density can deliver better returns than addressing dynamic lithium or cobalt prices alone.

There is a drawback when increasing energy density. Almost always, as you increase energy density the battery lifetime goes down. On a cell level, increasing the energy density means higher active material fractions. This means that the other components of the cell that help the battery to function, such as the binder and conductive additives, are decreased. On a materials level, increasing the energy density often means squeezing out more reactivity from materials, which pushes them to conditions that are less stable. If you want a rechargeable battery, you need reversibility and stability. So, as you can see, there are some serious trade-offs that a battery designer needs to balance.

One promising area of research is over-lithiated metal oxide batteries. Here researchers are trying to solve the voltage fade issue. Another chemistry being explored is lithium-sulfur batteries; however, the “polysulfide shuttle problem” can cause self-discharge, low charging efficiencies, and irreversible capacity losses. Needless to say, battery chemistry is complex, not just for the main reaction but also side reactions. Each new chemistry has a whole host of other issues to address which we will discuss in the next section.

Side Reactions

What are side-reactions? These are secondary chemical reactions that occur at the same time as the main reaction that produces electricity. Batteries perform differently under different application and operating conditions. In hot environments, lithium-ion batteries in EVs need to be properly cooled. Otherwise, battery life and driving range are irreversibly affected. In these batteries, unwanted side reactions degrade the battery performance. The graphite anode becomes plated with a non-reactive film of solid electrolyte interphase (SEI) which negatively impacts long-term battery performance. While the graphite beneath can still charge/discharge, the SEI creates more resistance to this process, which decreases battery performance. Furthermore, the lithium that is trapped in the SEI decreases the available lithium for the battery, decreasing battery capacity. The science underlying how the type of graphite, electrolyte composition, and chemical conditions affect the formation and growth of films is still not well understood.

Gas Evolution

Side reactions can also result in gas building up in the battery packaging. Hydrogen gas can build up when the battery is overheated, overcharged or drained of charge for too long. These gasses can react explosively with a flammable electrolyte. Even during the normal course of a battery being charged and discharged, the movement of ions also can result in electrolyte breakdown, building up carbon dioxide gas inside the battery. Overcharging can damage the separator, leading to sudden discharge. It is important to note that subtle defects during the manufacturing process may be exacerbated. Over time, as pressure builds up, the structural integrity of the battery package is compromised. Pouch cells are especially vulnerable since they do not have hard structural elements.

Structural Changes

As a battery cycles through charge and discharge, the particles in the battery can break apart due to the stresses. If a particle fractures, then it could become disconnected from the current collectors, which are usually carbon additives. If that happens, these particles become disconnected from the battery resulting in lost capacity.

A number of companies are experimenting with nanotechnology to build electrodes that exhibit better mechanical compliance.  There is, of course, a downside.  The higher surface available for reactions also means parasitic reactions are also more likely.  With respect to packing, how much nanomaterial you pack into a given space also has an impact on performance.

Dendrites & Lithium Plating

In a Li-ion battery, lithium ions are intercalated, i.e. inserted, in a metal oxide lattice. The intercalation and de-intercalation process, the movement of ions during charging and draining, can cause the battery package to expand and contract as we previously discussed. This is undesirable because it can lead to compromises in the packaging. More importantly, lithium may also not properly go back into its lattice but instead form dendrites. If a cell charges too quickly, these dendrites get bigger and may pierce the separator leading to a short circuit. As we mentioned earlier, lithium may also plate the graphite anode instead of properly suspending itself back in the lattice.


All these above factors also impact the safety of batteries. Batteries work by combining simultaneous electrochemical reactions and physical safety measures. They have to work together to deliver high energy density in a safe rechargeable package. The flammability of the organic electrolyte is always a concern in the consumer and transportation markets. It’s a major reason why many groups are investigating solid state batteries. Solid state batteries replace the organic solvent with a solid electrolyte, eliminating the risk of significant heat or gas buildup. Again, this approach is not without its challenges: now the lithium must be transported through a solid, and the electrical resistance is a tough problem to solve. On top of this, researchers need to figure out how to create cost-effective deposition/synthesis methods.

The challenges in performing research

As we alluded to earlier, even the particle size of the components can impact the battery performance. By now, you can see the interplay of physics and chemistry is complicated. Batteries are an assemblage of composite materials. Both anode and cathode are porous composite materials (containing active material, binder, and conductive additives). Component materials may be contaminated during the manufacturing process leading to unexpected side reactions. Particle size and shape can also add to the variability. Furthermore, the reactions in the battery do not occur uniformly throughout the electrodes. In the SEI example from above, the passivating layer is extremely fragile. It is formed in situ during the first charge and discharge cycle. But if you try to open the battery and perform tests, it changes or falls apart. That makes it that much more difficult for a researcher to identify a solution.

So how can you observe the changes in a battery in situ? Will Chueh’s material sciences group at Stanford has gone so far as to use synchrotron-based x-ray techniques at Stanford SLAC and Berkeley National Labs Advanced Light Source to observe these changes to nanoparticles in battery components. As you can imagine, obtaining access to X-ray microscopes and performing these experiments is not easy. Only a few academic groups and large corporations have the ability to conduct these types of tests.

Another challenging aspect of research is simulating long cycle times. For example, your smartphone battery is expected to last several years which is equivalent to at best a thousand cycles. To make sure a new type of battery will perform to specification is time-consuming, to say the least. So companies and researchers use specialized test equipment to simulate various conditions found around the world. To hasten the test process, they test banks of batteries at elevated temperatures and compare that against room temperature control. Even compared with normal cycling, running accelerated tests is still time-consuming. Simulating real performance under a variety of heat and moisture stressors also remains a serious challenge for batteries used in vehicles or for grid-scale applications.

The reality of the energy business

Building a better battery takes more than assembling different chemistries and reading out the voltages. A wide range of factors impacts a battery’s performance and lifetime. Researchers need a way to understand the reactivity at different specific places in the battery.  If you want to understand what is fundamentally happening to the materials in the battery, you need more sophisticated tests to drive the science forward.

Moreover, the reality of the energy business is dependent on one thing: cost. As Professor Chueh notes, “What battery technologies we use for a given application will depend on the cost structure of the specific technology produced, stored and utilized.” It doesn’t matter whether the power source is renewable or not, the challenge scientists face is to develop technologies that are competitive in the market.