Michigan Engineering News
Written by Colin Barras and Josh Walker In August 2018, technology giant Cisco Systems Inc. announced that it had agreed to pay $2.35 billion for the Ann Arbor-based startup Duo Security. The acquisition was reported to be the biggest of its kind in Michigan history. But even before the announcement, Duo had been breaking state records.…
Written by Colin Barras and Josh Walker
In August 2018, technology giant Cisco Systems Inc. announced that it had agreed to pay $2.35 billion for the Ann Arbor-based startup Duo Security. The acquisition was reported to be the biggest of its kind in Michigan history. But even before the announcement, Duo had been breaking state records. The technology company was founded just nine years ago, and by late-2017 it had raised more in a single venture capitalist funding round than any firm in the state’s history.
For Duo co-founders Dug Song (BS, ’97) and Jon Oberheide (BS CS ’06, MSE CSE ’08, PhD ’12), the Cisco acquisition is just the latest step in a journey they have been on together since first hooking up at software security company Arbor Networks, a U-M Computer Science and Engineering spinout founded in 2000.
As the dust settles on the Cisco acquisition, we caught up with Song and Oberheide to talk about Duo, Ann Arbor’s thriving startup scene—and their ambitions to clean up the computer security industry.
The interview has been edited and condensed for clarity.
Right at the top we want to say congratulations. It’s a major achievement to take a company from modest means to multi-billion-dollar status in under a decade. Do you see the acquisition by Cisco as a moment to celebrate? Or is it bittersweet because you lose a bit of control?
Oberheide: I think it’s a celebration. It’s been a big build to get to this milestone, but at the same time the deal is officially closed now. We’re a part of Cisco, and we’re just continuing to operate in the same way we did before. For a lot of the employee base it’s still business as usual. We wanted to come on board with Cisco because that would not only help us keep doing what we do really well, but also accelerate our growth and allow us to reach more organizations.
Song: It’s an opportunity for us to celebrate. I do think, very frankly, there is a shift. We’re becoming part of a large organization. But that’s exciting: We were built to help protect organizations of all sizes and of any kind. So, we can help leverage Cisco’s giant platform to do what we want—which is to do this at scale.
Oberheide: Duo’s always grown at an exponential rate. And Cisco actually allows us to continue that exponential trajectory.
So you gain more than you lose by becoming part of this bigger entity?
Song: There’s always an emotional impact. It’s kind of like graduating U-M: Once a Wolverine, always a Wolverine. I think in general we all go on to do bigger things post our college careers, and this feels a little bit like that. Duo’s graduated into this massive opportunity.
Long before Duo, long before Arbor Networks, you both seem to have had a pretty strong security focus. So why has security been your passion for so long? What’s the drive?
Song: I don’t know about Jon, but I’m not really very good at anything else. It’s all I know how to do. Ever since I’ve been on computers, half my interest was in security. Part of it is I grew up in the shadow of the NSA [the National Security Agency, based in Maryland]. I got into computers through these bulletin board systems where we were all talking and learning about security from each other. I just like the culture of it. Security is a little counter-cultural. And most of my hobbies tend to be somewhat transgressive. Growing up it was either punk rock, graffiti, skateboarding or hacking.
Oberheide: It was the same for me. I’m fortunate that cybersecurity is a geopolitical problem now and there’s a massive, growing industry around it—because that’s what I always knew I wanted to do. If computers didn’t exist I’d probably be doing something in physical security. It’s understanding how things work, and understanding how the people who designed the systems didn’t think about potential flaws. So, it really is a kind of subversive curiosity—to poke holes in systems in order to find the vulnerabilities. Plus, I had a business in high school, so I always knew I wanted to build a company.
Cybersecurity is really a kind of subversive curiosity—to poke holes in systems in order to find the vulnerabilities.
Jon Oberheide
Picking up on what you said about curiosity—that comes into the story of how you two actually met in the first place, right?
Oberheide: Yes—so, I had a company in high school that did web hosting. We’d drive to Ann Arbor and sit in Starbucks: Use the Wi-Fi, sip on coffee, talk business and send out our email campaigns. We saw the Arbor Networks access point and we thought, why not get on there and poke around? See if we can find any interesting systems? We couldn’t get a good signal so we crept up the back stairwell of the Starbucks building to try to get a stronger connection. And Dug walks out of the door. So, we’re high school hackers, probably in hoodies, crouched with our laptops in the stairwell. And we knew Dug because of the network security tooling that he’d written, and his involvement in the open security community. And of course we’d heard of Arbor. He gave us a sideways glance and walked past us. That was the first time we unofficially met.
Song: You know, hackers trade in information. So, when they meet for the first time they’re not really meeting for the first time—they already know a bunch of stuff about each other. That first episode was a confirmation for me that Jon was an interesting and bright hacker. Because actually, that Wi-Fi network he was on was our honeypot network—a kind of false wireless network to capture anyone who might be interesting. We were fortunate that Jon fell in that trap.
Jon, from around that time there’s a story of you as a student at U-M saying to the university authorities, “I’ve found flaws in your security.” But the reaction was hostile. Can you understand why attitudes at that point led to that hostility—and how things have changed now?
Oberheide: I think in the earlier days that was a common reaction to security in general. People discovering issues or vulnerabilities, informing someone, and then having that reaction: “Why did you do this? Why are you publicizing this?” But now people get paid to report vulnerabilities. Companies will set up programs, invite people to come and hack their systems – and pay them for it. Organizations are embracing that research that people are providing.
Song: In fact, the computer engineering network on campus was the reason I came to Michigan. I didn’t apply to any other schools outside the East Coast. Michigan had a network that looked like NASA Ames. U-M has done so much in this area—it’s given us so much because of that history of investing and building out the learning environment for its students.
Oberheide: I think you see the subversive culture is still alive in the computer science department. The hot tub that was placed on the roof a couple of years ago – that spirit still lives on.
Jon, you had the skills after your undergraduate work to go into industry, but you went back to U-M to pursue a PhD in engineering. Why did you do that?
Oberheide: I had this decision to make when I was a senior: Do I go into grad school and pursue a PhD under Farnam Jahanian—my advisor, and chair of the department at the time—or do I go work for Arbor, for Farnam who is the CEO and chair? Either way I was going to work with and for Farnam—and with or for Dug and the other Arbor Network researchers.
But I did decide to stay at the university and pursue that program, partially because that’s what I loved doing: research. The university was the best environment for me to grow my career, to grow my personal brand. To do the research that I thought was interesting to me, but also important to the world.
In fact, the university—particularly that research group and some of the adjacent research groups—turned into more of a startup incubator than a program that would churn out faculty. For instance, Sushant [Sinha, CSE PhD ’09]—who is an expert in antispam and cybersecurity—ended up building an Indian law search engine when he finished his PhD. And my closest colleague—Evan Cooke (CSE MSE ’04, PhD ’07)—was an expert in early botnets and cybersecurity. He said, “I’ve finished my thesis, I’m going to start a telephony company in the San Francisco Bay Area.” That turned into Twilio [a company that provides businesses with communications-managing software, and that now has a revenue in the hundreds of millions of dollars]. I told him it was a terrible idea, but that’s worked out well for him! That was the orientation of the program. Explore new topics, but do it in a practical way.
It sounds like it was really important for the success of Duo that it wasn’t founded in isolation, but that it was instead tied into this big community.
Song: Hackers are network thinkers, and if you think of U-M’s place in the world—it’s the hub of a giant network. We have one of the largest alumni networks. It’s at a crossroads of a ton of brains and talent. That creates a massive opportunity for folks in that network to draw upon. And there’s a focus on interdisciplinary research. I was in the Residential College so I actually did computer science through the LSA [College of Literature, Science and the Arts], which is funny to me.
Oberheide: So did I, for undergrad. That was awesome, the breadth of programs.
Song: Taking classes on the theory of revolution, or on Slavic film. I mean, we have film directors here at Duo. We think of ourselves as driving a movement, a revolution in terms of how security can and should be done. There’s the whole Steve Jobs trope: Creativity isn’t coming up with a brand new idea, it’s smashing together ideas from disparate domains to form a hybrid. I think that’s very true and I think it’s something U-M does particularly well.
Oberheide: I don’t know the stats, but so many of our first hires were U-M alumni, Arbor alumni. They were part of that network of people we’d worked with in some way before.
Song: It’s just a great community. For instance, there’s a super-early stage startup community represented by the Ann Arbor New Tech Meetup. About 6,000 members meet every month, as they have done for the last eight years. We started in a physical hub—the Tech Brewery—around some of that community. There were a bunch of other companies there. Some of them were succeeding, some of them were failing, and then some of them were recombining.
Folks like Craig Labovitz were there. Sorry, Doctor Craig Labovitz. If you’ve done it you’ve earned it, right? He’s part of the team that built the NSFNET [in the mid-1980s], which truly was the first commercial backbone for the internet. That was built right here, as a project with the State of Michigan, ANS, IBM and MCI. I don’t think we get much credit for that. Craig started a company called Deepfield Networks alongside us. He was on the next table at the Tech Brewery. That’s how tightly knit this community is, and how easy it is to find folks. That’s truly what makes this space special.
Going back to 2009/10 and the founding of Duo: We get the impression that big companies understood the importance of security at that point. Smaller companies, though—they might have appreciated the need, but it sounds like they couldn’t afford to implement those solutions. Duo was about helping those smaller organizations?
Oberheide: The “what” we were doing wasn’t new. You might have been at U-M when they had the M-tokens—the RSA fobs that read out six digits? That technology was invented in 1985 and it really hadn’t changed. That was the standard for doing multi-factor authorization. We looked at that and said, “That’s the right solution. But how it’s executed, how it’s implemented, how it’s delivered to the end user is completely wrong.”
You’re correct that smaller organizations weren’t equipped to be able to provide those solutions to their users, and attackers going downstream were taking advantage of that. They were going after small and medium-sized businesses. But even the big guys like U-M—they’d deploy those tokens, but only to small populations of users. So, when we talk about democratizing security it’s not only bringing it to more organizations, but also bringing it to more users within large organizations.
Song: Security was never applied evenly. There were so many exposed attack surfaces. The internet, email and social media expose everybody.
Oberheide: In our early conversations, customers were saying, “We’re not going to expand our security technology further, and we’re actually thinking of just taking it out. It’s so painful to use.” We thought this was really the exact opposite of what needs to happen in the security industry.
Song: So, the problem we were actually solving was not a problem in security but a problem of security, and its non-consumption. Too many folks just couldn’t approach it. Apple wasn’t the first company to invent the MP3 player, or the computer, or the phone. But they basically own that today because they took a very different approach, and made products that are universally accessible and truly a joy to use. We’ve had that same goal. Everyone thinks security and usability are diametrically opposed—that security is about saying “no” and usability is about saying “yes.” But we think that both security and usability engineering are two sides of the same coin. They’re about making sure that only the right things happen.
Oberheide: It’s a very negative industry. It can seem like it’s not a matter of if you’re going to get breached, but when. We wanted to build not only a different product, but a different company to address our customers. It really was, for a lot of organizations, a breath of fresh air.
Song: We reject the cynicism of our industry. In fact, I tried to leave this industry once. In part it was a reaction to the fact that security became a lemon market. I got really disillusioned. The vendor sells you a box, you put it in your network, it sits there, does nothing, and the vendor says, “See? You’re more secure. Nothing’s happening.” And of course, think of the customer: “Well, nothing was happening before we put the damn box there. What did I really buy here?”
But when we started to see the user-targeted hacks against small organizations, and when we realized most organizations around the world were pretty much defenseless, we knew that we had to do something. We threw our hat back in and got involved in the fight.
Everyone thinks security is about saying ‘no’ and usability is about saying ‘yes.’ But we think that both security and usability engineering are two sides of the same coin.
Dug Song
Where do you think the next battlefield might be for you guys? I mean, you recognized in 2009/2010 that the hacking community had changed its strategy. Are they changing again?
Song: Well, hackers always do. But those kinds of things are tactical. I think the thing I’m particularly excited about—the fight we are going to pursue now we’ve linked up with Cisco—is to basically fix this industry. Consider this: There are no security vendors out there who have even a double-digit market share. That’s how fragmented this industry is. There are thousands of vendors out there and a customer has to figure out what they’re looking at. They’re just being assaulted with all this crazy messaging. Our goal in working with Cisco is to clean it up and really do our best to lead and set a different kind of example. That’s something we’re very excited about.
Early on Duo was categorized as the underdog and a punk company. Is it still?
Song: I think it’s stage specific. I think of startups as the punk rock of business.
Oberheide: But there’s still that same mentality. There’s always bigger fish to fry. There’s that much larger opportunity to go after in the security industry: Not just creating commercial success for Duo and Cisco, but really changing the way people think about their security programs. I think that’s the bigger battlefield.
Song: That larger opportunity for industry-wide disruption is actually even beyond just security. Cisco has been for decades one of the world’s most ethical companies—it’s truly set a different standard for technology. We see a massive opportunity to have an impact there. As a small company, people always called out that Duo was different. We behaved differently. We’re top-rated in terms of loyalty and satisfaction. If you consider even the demographics of what Duo looks like, most of our team doesn’t come from security. Nearly 40 percent of our team are women and underrepresented minorities.
Oberheide: It’s exciting to see this next batch of security companies starting up and saying, “We want to follow Duo’s blueprint. Not just in terms of the success and growth of the company, but in terms of how we operate.” That’s what we set out to do: To change the security industry.
A final question: There’s been a lot of media attention especially after the acquisition. Dug, we’ve read that you’re sticking with the company and Ann Arbor. Jon?
Oberheide: We’re here for the longrun and are looking forward to further accelerating our business with Cisco. I’m in the same role – CTO at Duo.
Song: We’re committed to Duo and Ann Arbor. U-M has had a great history in Ann Arbor, but I do think in many ways it has been a history of town and gown—almost like toddlers in parallel play growing up together, but not interacting as much as they probably could and should have. But the outgrowth now with respect to commerce and economic development—it’s having an impact. I think that’s something that we are committed to. There’s so much talent and opportunity in this state and in this region. We’re proud to be part of that story.