As government grapples with the biggest security challenge on the planet, it's willing to invest time and money to get it right.
It’s a common trope that government has a lot to learn from Silicon Valley when it comes to technology. But in cybersecurity, Washington is leading the way in many respects.
When federal leaders and lawmakers praise industry’s tech savvy, they're usually talking about innovation, flexibility and speed to market. IT companies aren't burdened by a labyrinthine acquisition process. They can shift quickly when customers want something different, abandon failing efforts and push products out at the lowest cost.
Former Pentagon Chief Information Officer Terry Halvorsen told lawmakers in May he’d vastly prefer to buy commercial tech products than products custom-built for government. Halvorsen’s old boss, former Defense Secretary Ash Carter, launched a Silicon Valley outpost to improve partnerships with top tech entrepreneurs in 2015, which later branched out to Boston and Austin, Texas. Carter’s successor, Defense Secretary James Mattis, praised that center earlier this month, predicting it would “grow in its influence and its impact on the Department of Defense.”
» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.
Government will never move as quickly as industry. But in the cybersecurity arena, the cadre of large and small companies serving federal agencies have their own comparative advantage.
The federal government faces the greatest cybersecurity challenge on the planet: hundreds of thousands of potentially vulnerable endpoints—from phones and laptops to fighter planes and satellite systems. A who’s who of advanced nation state-backed hacking groups are constantly trying to penetrate those endpoints. And government is typically willing to invest both time and money to get security right.
“From a commercial perspective, entering the government market is highly desirable,” said Ralph Kahn, vice president for federal at Tanium, a San Francisco Bay area cybersecurity company that has grown a substantial federal business since its 2007 launch.
While Tanium maintains many private sector customers, the company has inked cyber contracts with the Air Force and civilian agencies including the Social Security Administration since 2014. The company also won a $12 million contract last year with DIUx, the Pentagon’s Silicon Valley outpost, to help DOD visualize traffic on its networks.
“Working with the government, you get to solve really complex problems and you have a customer with more patience than a commercial entity,” Kahn said. “The government will give itself three to four years to solve very hard problems.”
Washington’s Cyber Boom
Cybersecurity is booming in the Washington area, led mostly by major contractors that serve the government and startups launched by former federal employees and contractors.
There are more than 77,000 filled cybersecurity jobs in the metro area that encompasses Washington and Northern Virginia and another 44,600 job openings, according to a tally maintained by the Commerce Department’s National Institute of Cybersecurity Education, the Computing Technology Industry Association and the analytics firm Burning Glass Technologies.
There are another 18,700 filled cyber jobs and 8,900 job openings in the Baltimore metro area, the tally shows.
The Silicon Valley area between San Jose and Santa Clara, Calif., by contrast, shows just about 13,000 filled cyber jobs and 4,700 openings. There are another 16,600 filled jobs and 8,400 openings in the nearby San Francisco metro area.
The products and services produced by the Washington-area workers aren’t just staying inside government.
Raytheon, a major federal contractor, spent nearly $2 billion in 2015 on a joint venture called Forcepoint to leverage the company’s history working on cybersecurity for the military, intelligence agencies and the Homeland Security Department to build a customer base among financial firms and other industry sectors.
The company routinely moves intellectual property between its government and industry-focused divisions so each can benefit from the other’s work, Michael Daly, chief technology officer of Raytheon’s government cybersecurity business, said. Forcepoint’s net sales grew to more than $550 million in 2016, according to Securities and Exchange Commission filings, up from $328 million the year before.
Other top government cybersecurity contractors also have extensive private sector businesses, including Lockheed Martin, which markets its Cyber Kill Chain system and LM Wisdom tools to industry sectors, including retail and banking. Similarly, Unisys has sold its Stealth tool, which conceals targets from cyber attackers, to both the Defense Department and to industry customers in the financial, transportation and energy sectors.
Government as Launching Pad
Just as importantly, government is a driver for myriad small- and medium-sized cyber firms in the D.C. area that serve a mix of public and private sector customers.
Some of these companies have been built through technology transfer programs at Defense and Homeland Security. In other cases, they were launched by veterans of the Pentagon and intelligence community who’ve honed their cyber skills protecting government networks.
“Silicon Valley isn’t better at making cybersecurity, they’re better at productizing it,” said Tom Kellermann, a former chief cybersecurity officer at Trend Micro. “I think the best cyber talent in the world is between Baltimore and Reston,” he said.
In 2016, Kellermann launched Strategic Cyber Ventures, a venture capital firm that invests in early-stage cybersecurity companies, many of them in the D.C. area and launched by government cyber veterans.
These young companies are attractive to private sector customers, in part, because their leaders have experience defending the most complex, vital and targeted networks on earth, Kellermann said.
Many company leaders have also helped the Pentagon and intelligence agencies develop advanced network protection tools and are deeply familiar with the tactics of nation state-backed hackers.
While they can’t rely on classified information or directly copy government’s intellectual property, Kellermann said, they can often use this knowledge base to develop products and services that beat out what a company with only industry experience could produce.
Raytheon’s Forcepoint industry cybersecurity division benefits substantially from information shared by the company’s government cyber divisions, Forcepoint Security Technologies Director Bob Hansmann said.
The company’s government cyber defenders can’t share classified threat information with colleagues that lack security clearances, but they can share broad details about attacker behavior that are valuable to industry, Hansmann said. They can also give colleagues a heads up about threats currently faced by government that could soon be used to target Forcepoint customers in the financial sector or other industries, he said.
Success at Scale
Doing government work can be a boon in winning private sector customers, cyber industry leaders told Nextgov. Some of that is due to government's size and scale.
“If you can solve problems at DOD scale and if you can do that efficiently, then when you’re tackling large enterprise customers on the commercial side you really have an advantage,” said Amit Yoran, CEO of the cybersecurity firm Tenable and a former DHS cybersecurity official. Tenable has historically done about 15 percent of its business with government, including DOD, and the rest with the private sector.
Government also simply has more experience in some aspects of security, which gives a leg up to the companies that serve it, industry leaders said. Because of the necessity of protecting classified and sensitive information, for example, government has a long history of segmenting networks so information doesn’t flow between them, Raytheon’s Michael Daly said.
Government also has more experience protecting against insider threats, which were a concern long before the blockbuster leaks by Chelsea Manning in 2010 and Edward Snowden in 2013.
Ron Gula, who runs a cyber venture capital firm, is currently working with four early stage companies that focus on insider threat protection. Gula worked on network security and co-founded Tenable before leaving the company to focus on venture capital investing.
Like Kellerman’s firm, Gula Tech Adventures works primarily with government-linked companies. Another advantage for these companies is their intimate familiarity with government-spawned rules, controls and best practices, such as Federal Information Processing Standards and the Commerce Department’s cybersecurity framework, Gula said.
Because of oversight by Congress and internal watchdogs, the government also has an advantage in the sort of auditing and monitoring that can turn up gaps and errors in cyber protections, he said.
“The government isn’t behind in cybersecurity,” Gula said. “Their approach is different because there’s much more at stake.”
Editor's Note: This article was updated Aug. 24 to correct the percentage of Tenable's businesses that focus on government work and Michael Daly's title.