Address to the Advanced Research Projects Agency - Graduate Student Program

July 8, 2019, ARPA-E

My name is Jason Wang, and I am a partner at Cypress River Advisors, a Silicon Valley advisory firm. Cypress River Advisors is proud to co-sponsor the ARPA-E Student Program.

First, I want to thank all the ARPA-E program directors and ARPA-E Fellows for taking the time out of this conference’s mad schedule to be here. I would never have thought I would have the honor of Rachel Slaybaugh kicking off our lunch today. To the grad students in the room, I encourage you to spend as much time as possible with these men and women who are the lifeblood of the ARPA-E program. I am grateful for all that I have learned from them and their service to this country. So let’s give them a round of applause.

So, you may be wondering why “a bunch of dudes” from Silicon Valley is sponsoring YOU at America’s premier energy conference. 

The reason is simple.

Our energy choices affect the health of every single one of us on this planet. Pollution knows no borders. Like Rachel, we deeply recognize the value of having clean energy, fresh air and clean water. I have a six-month-old baby. I want to leave the planet in a better place for her.

These resources directly impact humanity, and consequently any business. Without fresh air and water, our employees will get sick, destroying the very foundation of our knowledge economy. And sick customers mean our fundamental source of long-term revenue is threatened. As a proud American, we need clean energy to drive our economy, and our most important resource: our people. I want to see America not just survive but thrive.

To see it differently is to avoid facing the facts. Unfortunately, many people are doing just that. Science and the scientific method are under attack. One method to fight back is for the clean energy community to communicate better. We need to communicate how our research benefits the American people. We need to communicate with those who disagree with us in a way where we can find common ground.

I hope many of you will go on to contribute your technical talents to create clean energy solutions. Clear communication is the biggest skill you will need in attracting and sustaining support for your ideas. At Cypress River Advisors, I have seen firsthand that the biggest problem for startup companies is the failure to make complexity understandable. The Valley of Death between first idea and first revenue is very very wide, more so in clean tech than in other fields. 

The reason? Investors do not have time to process complexity — you must do that for them. By clearly articulating the value proposition supported by the science. This is my best advice: tell the story why your research is scalable in the context of how it can help the American people, and for them as an individual. There is one more thing: investors and the public need to feel the same joy of discovery as you do.

In addition to sponsoring all of you to attend this conference, I have also invited a speaker today who is an expert in science communication. Destin Sandlin is the host of the YouTube channel Smarter Every Day. I love his work because you can see and feel the joy of discovery.

He takes complex science concepts like laminar flow and the Schlieren Effect and makes them not only easy to understand but extremely enjoyable for a broad audience — of nearly 7 million subscribers. So it is my honor to have him here to share his expertise and advice with you. Let’s welcome Destin to the stage.

Libra - Facebook's cryptocurrency

Facebook today announced Libra, a cryptocurrency that puts Bitcoin and Ether on notice. This is Facebook's latest foray into the financial services sector. It is also an attempt to diversify the company's revenue streams away from advertising. Undoubtedly, today YouTube and Facebook Watch will be awash with influencers shilling the same story: Facebook shareholders will "get rich!" However, that remains to be seen.

Note: the following comments are based on a preliminary review only.

Facebook is notably launching with existing players in the payments side of the financial services market like Visa and Mastercard. Even Stripe and PayPal are along for the ride. Unfortunately, or fortunately, depending on your position on the value chain, there are no banks. Facebook's 2.3 billion monthly active users and WhatsApp's 1.5 billion users are a formidable customer base to challenge the central banks for ascendancy.

Assembled under the Libra Association, Facebook is positioned to lead the consortium that will manage the Libra Blockchain, Libra Currency and ostensibly the programming language Move. Calibra, the wallet, will be maintained by Facebook and will undoubtedly be part of WhatsApp and Messenger. (If this feels like Facebook is copying the innovative "Swiss army knife" operating models of China's messenger apps, you are not wrong.) Will they offer smart contract capabilities like Ether, you ask? They reportedly will.


Over the last several years, Bitcoin and Ether evangelists have turned blockchain into a religion rather than a trusted financial services product. Even with the counterfeit transaction volumes discovered at the exchanges, if you raised detailed questions, you were labeled an unbeliever. Frankly, it is a rather cultist way to bridge the startup Valley of Death, but let's think about the implications.

Fragmentation - We see continued fragmentation in the cryptocurrency world. What interoperability is already available is unclear. Unlike Bitcoin and Ethereum, Libra will be a permissioned blockchain, meaning that only a small list of approved companies can run a node. This means, for now, Libra is not decentralized. Consequently, transaction processing should be faster. Depending on the success of Libra, the transition from permissioned to permissionless will be interesting.

Privacy and Security - There are concerns about privacy and security in the wake of Facebook's previous lapses. With any financial product, there is a KYC process, i.e. Know Your Customer. This means that users will need to provide government-issued ID before using the service. How that process will be managed and maintained is also unclear. Despite Facebook's pledge, Facebook currently drives the development process.

Regulations - Financial services are governed by the laws in the particular jurisdiction Libra is operating in. As such, there are licenses and compliance factors which Facebook will have to bear. This will translate into fee percentages users will pay for using Libra. These costs are not unlike those paid by other multinational banks operating in various countries. That being said, cryptocurrencies have a much higher bar to be legal in a country. They are fundamentally in opposition to the fiat currency of a nation state. Nation-state treasuries make money from printing money. Governments manage financial crises through the contraction and expansion of the money supply. So consumers will have to ask the question: In whom do you trust?

Cyber Security is a C-Suite Problem, including the CEO

It is more important than ever for the C-suite (most importantly the CEO) to understand and build an information security culture to protect customers and shareholders. To put it more bluntly, it’s more than just an audit of the IT department you conduct once a year. As you read this sentence, customers of Marriott Hotel Group are still recovering from a 300 million user account breach which may have also included passport information. The data aggregation firm Exactis left 340 million records exposed on a publicly available server. In 2016, the Mirai botnet attacked Deutsche Telekom’s routers. At one point, Reuters reported 4.5 percent of DT’s fixed line customers did not have service. You are probably wondering why Cypress River Advisors, a strategy firm, would raise this issue. Traditionally, the boardroom has treated information security as the domain of the CTO. The problem is:

Cybersecurity is a CEO problem not just a CIO/CTO problem. So what to do about it?

Accept the Reality

We are all affected by asymmetric warfare techniques by governments and hackers seeking economic gain. Our financial livelihoods and futures are all connected whether we want to be or not. Outsourcing information security may shift some of the liability but at the end of the day, customers will hold you and your brand accountable.

The Basics: the CIA Triad

As markets evolve so does corporate business strategy. The same must apply to a company’s information security posture. Except now, it needs to be factored into your business strategy. You want to leverage cloud computing resources? Checks and balances need to be put into place to ensure updates don’t break the CIA Triad. The CIA (confidentiality, integrity and availability) triad guides management thinking about the deployment and operation of new services. As more products and services incorporate cloud-based components or the Internet of Things, so must your business planning, operations and partnership arrangements. The CIA triad also defines the customer relationship. The consumer, regardless of the terms of service, has an implicit expectation that their data will always be safe and secure.

Threat Models

Today, the attack surfaces stretch far beyond the firewall and anti-virus software. Mobile devices, cloud infrastructure, messaging platforms, your Internet of Things, even your IP-based security cameras are in play as well. Anything that is connected to the internet is fair game; that also includes you and your employees.

Consider the Target compromise. Hackers breached an external vendor that supported Target’s HVAC system via a phishing attack. Phishing is still one of the most popular means to social engineer the weakest link in an organization: humans. People make mistakes. It is in our nature. Using stolen credentials, they gained access to Target’s web systems which were in turn connected to a point-of-sale system. Whoops! Target is now on the hook for $250 million of hack-related expenses.

In a related vein, consider a nightmare scenario. It is not uncommon for a management team to use WhatsApp to communicate with other team members. Breach one messaging account, breach all in the chain. WhatsApp and other social networking messaging software rely on SMS 2-factor authentication. Last year, NIST, the National Institute of Standards and Technology, the body that creates national-level guidelines, deemed SMS-based authentication no longer effective. (I’d provide you the NIST link but apparently due to the shutdown their website is also down. Here is a TechCrunch article that covers the issue.)

Accept the reality your adversary can and will be creative.

Operational Business Practices

Ask your dev team: it is incredibly hard to build in security after the fact. In October 2016, the Mirai botnet attacked the Oracle subsidiary Dyn. Poorly secured IoT devices, specifically DVRs and IP cameras made by an OEM supplier, disrupted internet services on the eastern seaboard of the US. Companies white labeling or incorporating XiongMai Tech’s hardware and software products definitely felt the impact at the bottom line.

My personal nightmare scenario is that a product using biometric security is rushed to market, but the software wasn’t appropriately implemented. Why does that scare me? If someone can successfully hack the endpoint device and recover their biometrics, they have the keys to the kingdom. You can’t revoke your fingerprint unless you cut your finger deep enough to scar it. Perish the thought if your voice or eye was used as a biometric authentication factor.

Instilling Culture

How do you solve this problem? It isn’t with more tech.

Information security is fundamentally a people problem. It is not just a software configuration or hardware design issue. Humans are infinitely easier to hack, and hacking them doesn’t require any tech. Kevin Mitnick used social engineering to hack people for years till he got caught.

It is impossible to relegate all infosec responsibilities to just the CIO/CTO.  Information security connects to all aspects of any organization delivering services via the Internet. Implementing ISO certification or PCI-DSS checklists or purchasing a next-generation firewall isn’t enough.

Complete executive sponsorship is critical. It can’t be a witch hunt, it must be incentivized, it must be cultivated, and it must be maintained like any corporate culture.

It is about establishing a company culture and process that cuts across all business operations from the design of your product to your vendors. The truth of the matter is this: if it isn’t a little painful, then you probably aren’t doing enough. Information security takes practice, training, and maintenance to implement right. Your consumers are creating all kinds of data. You may not even be monetizing it. But if you improperly handle it and lose it, you surely will feel it in your brand equity and the bottom line.

If you want to know more

I recommend you take a half hour to watch Morgan Marquis-Boire talk about data contraception. Morgan is a well-known security researcher and is the fellow responsible for protecting journalists at First Look Media. With the number of journalists murdered in 2018, I hope you understand that proper information security is also a life or death matter.

Please contact any one of us at Cypress River Advisors. We are ready to help you in the C-suite come up with a strategy that works for your organization. There are a number of industry groups that are attempting to tackle the issue from different perspectives. From the standards perspective, look to NIST (when the shutdown is over), and the Open Connectivity Foundation standards here. Samsung, Intel, Microsoft, Qualcomm, and a few others participate. From the mobile wireless perspective, the GSMA released their IoT Security Guidelines and self-assessment. Consider CISA or CISSP training for the management team and your staff. (I am a CISSP from the early days of the Internet.) Both programs provide training programs for everyone from the C-suite down to your vendors.

The New Economics of Space

During mid-to-late January, SpaceX will launch the Crew Dragon Spacecraft on a test flight to the ISS. Space used to be the exclusive domain of nation states and the likes of NASA, not anymore. Today, the launch cadence of rockets traveling to space is every other week. What does this mean for the space business and other industries?

The space services business is a 330 billion dollar business where the use of commercial-off-the-shelf parts, miniaturization, and new players bring cost savings such that high schools can send a payload into space. Why is this launch so significant? It is no longer about satellite payloads but delivering people, not by NASA but by a private business.

The cost of getting into space

According to NASA, it cost the American taxpayer on average 450 million dollars to send the space shuttle into orbit. For corporations sending broadcast and telecom satellites, depending on the payload and orbit desired, it is roughly one third to two thirds the cost of the space shuttle.

Traditionally (again depending on your payload and orbit), launch costs account for 35-40% of the overall budget. But that is just sending your payload into space.

Satellite builds must handle the huge g-load and shake during the first 8 minutes of launch. This is no small engineering feat. Consequently, satellite build costs account for 50% of the operating budget. There is also a lengthy approval process when acquiring spectrum. No spectrum. No satellite. This adds another five to six percent to the overall cost. Last but not least, insurance costs can equal 10% of overall costs, depending on the failure rate of your launch provider.

SpaceX and a new generation of launch providers

Elon Musk’s goal of re-selling used rockets at a discount has led the launch industry to re-examine its one-time use rocket manufacturing process and its adherence to the cost-plus business model. A thirty percent discount on a 50 million dollar rocket appears attractive. From a capital intensity perspective for SpaceX, launch vehicle reuse is also attractive, provided they continue to manage the risk levels associated with refurbishment and their designs are modular enough to incorporate new technologies to improve performance, notwithstanding the insurance costs.

The re-use of rockets means the launch cadence increases at a lower capital cost. Lower costs are good for any industry that relies on satellite communications or remote sensing. SpaceX has become an effective disruptor to the likes of ROSCOM and ULA. With the Falcon Heavy, SpaceX will reportedly deliver satellites into space at nearly a third of ULA’s costs (look at “Unit Costs” on page 109 of the DoD FY 2018 Air Force budget).

SpaceX isn’t the only new satellite launch player. There are quite a few on the small satellite side. Rocket Lab in New Zealand delivered its first commercial payload of six small sats in November of 2018. But that is not where the money is at.

The new economy

As we previously alluded to, delivering additional sensing capability into space means enabling new services. We asked Chris Stott, CEO of Mansat and Chairman Emeritus of the Space and Satellite Professionals:

Just as 4G enabled the gig-economy, remote sensing from providers like Planet can provide the near real-time geospatial data that farmers, hedge funds and insurance companies need. Three to five-meter resolution imagery can be used to monitor crop health and variations for an agribusiness. A commodities firm can use the same data to predict futures, and so on. With the expectation that the large constellations will be in place within the next ten years, satellite operators will likely become the new telecom operators delivering services directly to you.

Cyber warfare versus Mr. Robot

If you want a sense of what cyber warfare looks like, watch how hackers take over the grid in Ukraine.

Your business is collateral damage. Warfare is not just waged with guns and bombs anymore. It is getting into critical infrastructure, key business services and making civilian life as inconvenient as possible. Your business sits on that battlefield where there are no borders. Keeping your business out of these shenanigans means being prepared and managing risk. That means having an honest conversation about your technological and people vulnerabilities. Endpoint and cloud security are not just the responsibility of your CIO and CTO; it is a CEO and Board responsibility.

Cyberwarfare isn’t executed by script kiddies; these are asymmetric warfare tools used by nation states.

There are no magic bullets. There is no single solution. It is a constantly changing game. You need to invest in people and technology. This is how you enable defense-in-depth. It is hardware, software, processes, and people that ensure you have the ability to mitigate and recover quickly.