A former member of elite hacker group w00w00, Dug Song co-founded Duo Security in 2010 with Jon Oberheide, specialising in multi-factor authentication.
Cisco acquired Duo for $2.35bn in 2018. We talked to Song about how he set out to democratise cybersecurity, the current threat environment and his signature skateboarding trick.
Berenice Baker: How did you start your career in IT and find your niche in security?
Dug Song: I started using computers when I was eight, helping out doing data entry at my father’s liquor store. We realised that working from home you need some kind of connectivity – modems, pre-internet – and that’s how I got into security through accessing BBS and so forth.
That process meant when I went to the University of Michigan as a freshman I ended up working for the university as a security administrator. I was part of a hacking crew called w00w00, carrying out research to find vulnerabilities. We wrote software that we published for free – offensive tech to demonstrate hacks.
It turns out that was an interesting group to be a part of – some of the members included the founder of Napster [Shawn Fanning, who also became the first president of Facebook] and the founder of WhatsApp [Jan Koum].
How did you and Jon Oberheide come to co-found Duo Security?
We had no intent at the beginning to set up a company at all. I’d been working in the industry after college for some time, and the first company I worked with was a security consultancy working for banks and casinos. There were just five people – it was difficult to scale up when selling time.
We did build a product; my girlfriend at the time, now my wife, built a product that could be used repeatedly. I never looked back; I decided that software was the way ahead. But the thing I encountered immediately and became demoralised by was that security is something of a ‘lemon market’ like the used car market. You buy a used car and you don’t know if it’s a lemon until it’s too late.
The customer experience is you buy a box – a piece of software – and the vendor says: “See? Nothing happens,” and they think, what did I just buy? I struggled with that. And that’s really the challenge of security, it’s hard to disprove. I quit and decided to do something better with my time.
I joined a Zurich-based TV company using technology like Napster, but I didn’t think piracy was a good business model! The company delivered TV over a peer-to-peer network – truly disruptive technology. It was a great method for communication, but YouTube came out at the same time so we had zero chance of success! Netflix followed in 10 years.
The reason I went back into security was because I saw a shift in how cybersecurity was being beaten by hackers who quickly figured out that the soft underbelly was users. They were no longer finding clever exploits; instead, they turned to phishing and targeted emails. It’s an asymmetric tactic – it costs nothing to send emails to millions of people to get them to hand over their passwords to access their computers.
When the hackers have access to passwords, all that investment in security goes out of the window. That kind of challenge exists at the intersection of people and technology.
So how do you solve the problem of defending against those kinds of attacks and make security usable, not just about the technology solutions? It’s looking at the procedures the user is going through, who your users are and granting appropriate access to the applications they need so they can do their job, even if you don’t have security people or budgets.
We started with the single notion that we would democratise security and look at how to make it possible for any organisation to defend themselves, be they big or small, whether they’re highly knowledgeable about IT security or know nothing about it.
We realised that what the banks see today everyone else experiences in the future. We asked banks: what are the biggest problems you’re facing today? These will become the issues for everyone else in the next five to ten years. They answered user-targeted attacks and account takeover.
We found other organisations that also have those problems. Hospital clinical staff and doctors would sometimes use five different systems a day – how would they remember their passwords? We replaced token-based keychain devices with two-factor authentication via a phone, and that’s how we came to found Duo.
Cisco acquired Duo for $2.35bn in 2018. How does that partnership work?
Duo has a great alignment with Cisco’s missions and values, and the transformation of their business represents an opportunity for us to help transform the entire industry. Cisco is a networking company – 80% of companies have a Cisco internet router, it invented the router and pioneered internet protocol (IP) switching technologies. As a company, its mission has evolved from connecting things to connecting people.
What we have contributed to Cisco is a forward-thinking vision of security. A great number of companies contributed, we just helped to synthesise security trust. Our mission is to democratise security and do it in a way that is very different, based on trust and human-defined, and we’re very excited to do it with Cisco.
You’ve said you believe too much money is thrown at cybersecurity and yet threats aren’t being fought in the most cost-efficient way. Why is this and what can be done about it?
We keep spending more money on security, yet breaches persist. The issue is that security is hard to measure. It’s hard to disprove a negative – the absence of attacks doesn’t mean you’re not at risk – you could be lucky.
It’s like healthcare: you can do all these things that might have an effect, but often it’s hard to tell what’s effective.
What’s important is getting the basics right, such as knowing what you have on and off your network, practising good security hygiene, and managing identity, among other areas.
You talked about how cybersecurity threats have evolved since you founded Duo. How do you expect them to change over the next 10 years?
Arguably, security is getting much better, with more safety being built by default right into the things we use daily, such as our phones and tablets, and cloud services. As security becomes increasingly built-in, rather than bolted on, threats will continue to shift to what is softer and squishier – the user.
Humans don’t evolve as quickly as technology; thus, a lot of those threats will continue to target people, rather than infrastructure. In today’s age of hyper-connectedness, organisations are no longer monoliths, but ecosystems of users, partners, vendors, etc.
Thus, threats will increasingly target third parties that organisations rely on, or partner with. Many of today’s breaches have been caused by risks outside of the organisation’s control, but in the scope of their dependency. Attackers will be going further and further up the supply chain and technology stack, targeting partners and vendors that organisations use.
What would be your message to Verdict readers about cybersecurity?
The true enemy of security is complexity. The most important thing we can do to stay safe is simplify and get the basics right.
To protect their users and data, organisations need to ensure they practise basic security fundamentals, which include data encryption and backup, timely patching of software, utilising password managers, multi-factor authentication and overall device hygiene such as ensuring browsers and operating systems are up-to-date.
Think of it like washing your hands to prevent the spread of disease rather than needing a hazmat suit.
I hear you’re a skateboarding aficionado. What’s your signature trick?
The Natas Spin, invented by Lithuanian skateboarder Natas Kaupas.