Call to Action
The window is closing. Here's how we survive it.
Hold the Makers Accountable
For decades, the technology industry has shipped products with known defects and faced no consequences. When those defects are exploited, the cost falls on customers, hospitals, governments, and citizens — never on the companies that created the problem.
When a car's brakes fail, we don't blame the driver for not installing a brake patch. We hold the manufacturer liable. The fact that the industry has normalized a monthly "Patch Tuesday" — treating routine product defects as an acceptable cost of doing business — is evidence of how deeply we've internalized the idea that broken software is normal.
“We don't have a cybersecurity problem. We have a software quality problem. We have a multi-billion dollar cybersecurity industry because for decades, technology vendors have been allowed to create defective, insecure software.”
— Jen Easterly, former Director, CISA
“No industry in the past 150 years has improved safety or security without being forced to by the government. Planes, cars, pharmaceuticals, food safety — all of them.”
— Bruce Schneier, Harvard Kennedy School
Demand: Make software vendors legally liable for shipping insecure products. Shift the cost of insecurity to the people who create it.
Build Security Into the Platform
The conventional wisdom is "shift left" — move security earlier in the software development process. Phil Venables, who served as Google Cloud's first CISO after 17 years leading security at Goldman Sachs, argues this doesn't go far enough.
The real answer is shift down: push security controls into the platforms, frameworks, and infrastructure themselves — so that every developer, every application, and every workload inherits a higher degree of protection automatically, without having to think about it.
When Google Cloud shipped default-on security controls — even breaking changes — 99.5% of customers kept them on. People want secure defaults. They just don't want to build them from scratch.
“The big thing we're seeing now is a push to shift down — to push security controls into the application frameworks, the cloud platforms, everything else — so that when you're developing software, you're inheriting a higher degree of standard control from the environment.”
— Phil Venables, former CISO, Google Cloud · PCAST Member
“Focus on buying secure products, not just security products.”
— Phil Venables
Demand: Security by default — in the platform, in the framework, in the infrastructure.
Stop Patching. Start Rebuilding.
The "find it, fix it, patch it" model was designed for a world where exploitation took months. That world is gone. When the median exploit arrives in hours, scheduling fixes for next Tuesday isn't risk management. It's hope.
Sounil Yu, the creator of the DIE Triad, proposes inverting the entire paradigm. Instead of protecting long-lived, irreplaceable systems (the old model), build systems that are disposable by design:
- Distributed — no single point of failure. A compromise in one node doesn't cascade.
- Immutable — nothing can be modified after deployment. If it can't be changed, it can't be corrupted.
- Ephemeral — short-lived by design. Systems that exist for minutes give attackers nothing to steal and nowhere to hide.
Google has operated this way for years. Heather Adkins, Google's VP of Security Engineering, describes the philosophy:
“Vulnerabilities age like milk. Attacker skills age like wine. The combination means the likelihood of exploitation permanently increases over time — and this is outside our control. What is inside our control is impact.”
— Sounil Yu, Creator of the DIE Triad
“At Google, we try to be able to rebuild any machine in a couple of hours. Even if somebody clicked a link and bypassed all the malware protections — we just reinstall that system immediately. You just get rid of the machine and move on with life.”
— Heather Adkins, VP Security Engineering, Google
Demand: Build to be disposable, not patchable. Measure recovery speed, not perimeter strength.
Eliminate the Root Cause
Approximately 70% of all critical security vulnerabilities in large C and C++ codebases are "memory-safety" bugs — a class of flaw where software mishandles computer memory, allowing attackers to hijack it. Buffer overflows. Use-after-free errors. Out-of-bounds reads. The same category of bug, causing the same category of catastrophe, for thirty-five years.
The White House named this directly in a landmark 2024 report: the Morris worm of 1988, Heartbleed in 2014, the Blastpass attack chain in 2023 — all rooted in memory-safety failures. Modern programming languages like Rust eliminate these flaws by design, making them structurally impossible.
Microsoft is already converting: 36,000 lines of the Windows kernel and 152,000 lines of its text-rendering engine rewritten in Rust. But across the industry, an estimated 20–40 billion lines of memory-unsafe code remain in production.
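To make the class of bug concrete, here is an added example (not code from the page, the White House report, or any vendor it names) of the most common shape of an out-of-bounds read: parsing a length-prefixed record whose length field is attacker-controlled. In C, copying `len` bytes after a careless check reads past the end of the buffer; in safe Rust the same mistake is caught by bounds-checked slicing and becomes a recoverable `None`. The record format, function names and sample bytes are constructed for illustration.

```rust
// Added example, not from the original page: parsing an untrusted
// length-prefixed record in safe Rust. A C parser that does
// `memcpy(dst, buf + 2, len)` after reading `len` from the input reads
// past the buffer when `len` lies; Rust's `get` refuses instead.

/// One parsed record: a 2-byte big-endian length, then `len` payload bytes.
#[derive(Debug, PartialEq)]
pub struct Record<'a> {
    pub payload: &'a [u8],
}

/// Parse a single record from the front of `buf`. Any malformed input
/// yields `None`; no path touches memory outside `buf`.
pub fn parse_record(buf: &[u8]) -> Option<Record<'_>> {
    // `get` performs the bounds check that C leaves to the programmer.
    let len_bytes = buf.get(0..2)?;
    let len = u16::from_be_bytes([len_bytes[0], len_bytes[1]]) as usize;
    // checked_add guards against the `offset + len` wraparound that would
    // defeat a naive `if (2 + len > buf_len)` check on a 32-bit target.
    let end = 2usize.checked_add(len)?;
    // Slicing with `get` returns None when `end` exceeds the buffer,
    // where C would silently hand back bytes from adjacent memory.
    let payload = buf.get(2..end)?;
    Some(Record { payload })
}

/// Walk a buffer holding consecutive records, stopping at the first bad one.
pub fn parse_all(mut buf: &[u8]) -> Vec<Record<'_>> {
    let mut out = Vec::new();
    while let Some(rec) = parse_record(buf) {
        let consumed = 2 + rec.payload.len();
        out.push(rec);
        buf = &buf[consumed..];
    }
    out
}

fn main() {
    // Constructed sample input: one well-formed record ("hi"), then a record
    // whose length field (0xFFFF) claims far more bytes than exist.
    let good: &[u8] = &[0x00, 0x02, b'h', b'i'];
    let bad: &[u8] = &[0xFF, 0xFF, b'x'];
    println!("{:?}", parse_record(good)); // Some(Record { payload: [104, 105] })
    println!("{:?}", parse_record(bad));  // None
}
```

The guarantee applies to safe Rust: code inside `unsafe` blocks and across FFI boundaries takes back the responsibility for bounds and lifetimes, which is why mixed codebases such as a partially rewritten kernel still need review at those seams.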
“It's time to halt starting any new projects in C/C++ and use Rust for those scenarios where a non-GC language is required. The industry should declare those languages as deprecated.”
— Mark Russinovich, CTO, Microsoft Azure
Demand: Mandate memory-safe languages for all new critical infrastructure code.
Open-Source the Defense
The real asymmetry isn't speed — it's access. Attackers share everything: exploit kits are open-source, offensive AI tools are forked and improved on GitHub, attack techniques are documented by thousands of contributors operating as a decentralized R&D lab. Defenders operate in the opposite model. Enterprise AI defense is locked behind six-figure vendor contracts. Threat intelligence is hoarded as competitive advantage. The best detection logic lives inside proprietary black boxes that only Fortune 500 SOCs can afford.
Daniel Miessler, creator of Fabric — the open-source AI framework with over 39,000 GitHub stars — argues that defenders actually have a structural data advantage: they sit inside the network, with direct access to logs, codebases, and user behavior. But that advantage is worthless if the AI tools to exploit it remain gated behind vendor walls. Loris Degioanni, creator of Wireshark and Falco — two of the most widely deployed open-source security tools in history — has spent two decades proving the alternative works.
“It's the attacker's AI stack against the defender's AI stack. That is the competition. And attackers will have the advantage for 3–5 years.”
— Daniel Miessler, Creator of Fabric
“We are fighting a war with the bad guys. We can only hope to win this war if we fight it together. Open source is the only approach with the agility and broad reach to meet modern security concerns.”
— Loris Degioanni, Creator of Wireshark & Falco (Sysdig)
Demand: Open-source the defense. Make AI-powered security tools free and accessible to every defender — not just the ones who can afford them.
Regulation for Machine Speed
Here is the paradox: for the first time in thirty years, defenders may actually have the advantage. AI-powered defense can process threat intelligence, detect anomalies, and respond to intrusions faster than any human analyst — and faster than most attackers.
But that advantage is being regulated away. The EU AI Act mandates human-in-the-loop oversight for high-risk systems. DORA requires audit trails designed for quarterly review. NIS2 adds compliance layers that assume threats move at human speed. Every requirement that adds latency to defensive response is a gift to the attacker.
In July 2025, 49 European business leaders — including Airbus, Siemens, ASML, and Mistral AI — sent a “Stop the Clock” letter to the European Commission, warning that unclear risk categorization was freezing AI adoption. Attackers sent no such letter. They deployed immediately.
The answer is not to abandon regulation — it is to redesign it for machine-speed defense. Safe harbors for autonomous defensive AI. Pre-authorized response playbooks. Real-time compliance verification instead of quarterly audits. Regulatory frameworks that treat AI-powered defense as critical infrastructure, not as a risk to be managed.
“Defenders have the same tools. Better tools, in most cases. But we’re the only ones filling out forms first.”
— Rob T. Lee, Chief AI Officer, SANS Institute
Demand: Redesign regulation for machine-speed defense. Stop handcuffing defenders with compliance frameworks built for a world that no longer exists.
Bridge the Gap Between Hackers and Policy
The people who understand how systems break — the security researchers, the ethical hackers, the competition winners — are almost entirely disconnected from the people who write policy, allocate budgets, and govern critical infrastructure.
Jeff Moss built the two largest venues in the world where offense and defense meet: DEF CON and Black Hat. For three decades, the smartest attackers and defenders on the planet have gathered in those rooms.
“The hacker community has been the canary in the coal mine for 30 years. We see the attacks before they hit the headlines. The problem is that the people making the big decisions — the boards, the regulators, the heads of state — aren't listening to the canary.”
— Jeff Moss, Founder, DEF CON & Black Hat
Demand: Embed technical intelligence in every policy process. The people who understand the threat must be in the room where decisions are made.
Zero Trust. Everywhere.
In 2010, John Kindervag, then a principal analyst at Forrester Research, published a paper that proposed a radical idea: stop trusting anything inside the network. No implicit trust based on location, IP address, or network segment. Every access request must be verified, every time.
He called it Zero Trust. The industry ignored it for a decade. Then came the SolarWinds attack in 2020 — where nation-state attackers lived inside trusted networks for months, moving laterally because every system trusted every other system. Suddenly Zero Trust wasn't theoretical. It was the only architecture that would have caught the intrusion.
In a world where exploits arrive in minutes and attackers are inside before you know it, the perimeter is meaningless. Zero Trust assumes breach and verifies continuously. It is the architectural foundation for surviving the collapse of the vulnerability window.
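The difference between "trusted because it is inside" and "verified every time" can be shown as two access decisions over the same requests. The following is an added example (not code from the page or from any Zero Trust product): a perimeter-style check that trusts a corporate address range, beside a policy that ignores the source network and requires a verified identity, a compliant device and an explicit grant for the specific resource and action. The request fields, address ranges and grant table are constructed for illustration.

```rust
// Added example, not from the original page: a minimal Zero Trust access
// decision contrasted with the perimeter model. The source IP is carried in
// the request so both models can see it; only the perimeter model uses it.
use std::collections::HashSet;
use std::net::Ipv4Addr;

#[derive(Debug, Clone)]
pub struct Request {
    pub source_ip: Ipv4Addr,
    /// Identity asserted by the caller (e.g. the subject of a presented token).
    pub subject: String,
    /// Whether the token's signature, audience and expiry were verified
    /// for THIS request, not cached from an earlier one.
    pub token_verified: bool,
    /// Whether the device passed posture checks (patched, disk encrypted, ...).
    pub device_compliant: bool,
    pub resource: String,
    pub action: String,
}

#[derive(Debug, PartialEq)]
pub enum Decision {
    Allow,
    Deny(&'static str),
}

/// Explicit grants keyed by (subject, resource, action). Anything not
/// listed is denied; there is no "default allow" for any network.
pub struct Policy {
    grants: HashSet<(String, String, String)>,
}

impl Policy {
    pub fn new(grants: &[(&str, &str, &str)]) -> Self {
        let grants = grants
            .iter()
            .map(|(s, r, a)| (s.to_string(), r.to_string(), a.to_string()))
            .collect();
        Policy { grants }
    }

    /// Zero Trust: verify identity and device on every request, then require
    /// an explicit grant. Location never enters the decision.
    pub fn zero_trust_decide(&self, req: &Request) -> Decision {
        if !req.token_verified {
            return Decision::Deny("identity not verified");
        }
        if !req.device_compliant {
            return Decision::Deny("device posture failed");
        }
        let key = (req.subject.clone(), req.resource.clone(), req.action.clone());
        if self.grants.contains(&key) {
            Decision::Allow
        } else {
            Decision::Deny("no explicit grant")
        }
    }
}

/// The legacy model the text describes: anything originating inside the
/// corporate range (constructed here as 10.0.0.0/8) is implicitly trusted.
pub fn perimeter_decide(req: &Request) -> Decision {
    if req.source_ip.octets()[0] == 10 {
        Decision::Allow
    } else {
        Decision::Deny("outside perimeter")
    }
}

/// Two constructed requests: an attacker who moved laterally to an internal
/// host and presents no verified identity, and a legitimate engineer working
/// from a home address with a verified token and a compliant laptop.
pub fn sample_requests() -> (Request, Request) {
    let lateral = Request {
        source_ip: Ipv4Addr::new(10, 20, 30, 40),
        subject: "svc-build".to_string(),
        token_verified: false,
        device_compliant: false,
        resource: "payroll-db".to_string(),
        action: "read".to_string(),
    };
    let remote = Request {
        source_ip: Ipv4Addr::new(203, 0, 113, 7),
        subject: "alice".to_string(),
        token_verified: true,
        device_compliant: true,
        resource: "payroll-db".to_string(),
        action: "read".to_string(),
    };
    (lateral, remote)
}

fn main() {
    let policy = Policy::new(&[("alice", "payroll-db", "read")]);
    let (lateral, remote) = sample_requests();
    println!("perimeter  lateral: {:?}", perimeter_decide(&lateral));      // Allow
    println!("zero trust lateral: {:?}", policy.zero_trust_decide(&lateral)); // Deny
    println!("perimeter  remote:  {:?}", perimeter_decide(&remote));       // Deny
    println!("zero trust remote:  {:?}", policy.zero_trust_decide(&remote));  // Allow
}
```

The point of the contrast is the lateral request: the perimeter model admits it purely on address, which is exactly the trust relationship exploited in the SolarWinds intrusion described above, while the Zero Trust policy denies it before the grant table is even consulted. In practice the `token_verified` and `device_compliant` inputs come from an identity provider and a device-management service rather than from fields on the request.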
“Trust is a vulnerability. The reason we have so many breaches is because we've built trust into our networks, and attackers exploit that trust.”
— John Kindervag, Creator of Zero Trust
Demand: Adopt Zero Trust architecture. Eliminate implicit trust from every system.
Treat Cyber as Statecraft
Dmitri Alperovitch, the co-founder of CrowdStrike and chairman of the Silverado Policy Accelerator, argues that treating cyberattacks as a technical problem with a technical fix misses the point entirely:
“Vulnerability to cyberattacks is not a technical problem that hardened defenses can fix. Cyberattacks are a symptom, not a disease. The underlying conditions are broader geopolitical problems that demand geopolitical solutions.”
— Dmitri Alperovitch, Co-founder, CrowdStrike
Demand: Treat cybersecurity as a geopolitical priority, not a technical afterthought.
Fund the Defense
Craig Newmark, the founder of Craigslist, has committed over $100 million to what he calls "Cyber Civil Defense" — the largest individual philanthropic investment in U.S. cybersecurity.
Small organizations — hospitals, local governments, schools, nonprofits — face the same nation-state threats as Fortune 500 companies, with a fraction of the resources.
“The country is under attack. America's community organizations are on the frontlines of a cyberwar waged against our nation. This is a fight to protect our way of life.”
— Craig Newmark
Demand: Mobilize private and public capital for civil cyber defense.
The Ten Demands
1. Vendor liability — make insecurity expensive for the people who create it
2. Security by default — build it into the platform, the framework, the infrastructure
3. Disposable architecture — build to rebuild, not to patch
4. Memory-safe languages — mandate them for new critical infrastructure
5. Open-source the defense — make AI security tools free and accessible to every defender
6. Regulation for machine speed — redesign compliance so defenders can use AI without handcuffs
7. Technical intelligence in policy — embed hackers in the rooms where decisions are made
8. Zero Trust — eliminate implicit trust from every system
9. Geopolitical accountability — treat cyber as statecraft
10. Philanthropic mobilization — fund the defense of civil society