Washington, Not Silicon Valley, Leads the Way in Cybersecurity

It’s a common trope that government has a lot to learn from Silicon Valley when it comes to technology. But in cybersecurity, Washington is leading the way in many respects.

When federal leaders and lawmakers praise industry’s tech savvy, they're usually talking about innovation, flexibility, and speed to market. IT companies aren't burdened by a labyrinthine acquisition process. They can shift quickly when customers want something different, abandon failing efforts and push products out at the lowest cost.

Former Pentagon Chief Information Officer Terry Halvorsen told lawmakers in May he’d vastly prefer to buy commercial tech products rather than products custom-built for government. Halvorsen’s old boss, former Defense Secretary Ash Carter, launched a Silicon Valley outpost in 2015 to improve partnerships with top tech entrepreneurs; it later branched out to Boston and Austin, Texas. Carter’s successor, Defense Secretary James Mattis, praised that center earlier this month, predicting it would “grow in its influence and its impact on the Department of Defense.”

Government will never move as quickly as industry. But in the cybersecurity arena, the cadre of large and small companies serving federal agencies has its own comparative advantage.

The federal government faces the greatest cybersecurity challenge on the planet: hundreds of thousands of potentially vulnerable endpoints—from phones and laptops to fighter planes and satellite systems. A who’s who of advanced nation state-backed hacking groups are constantly trying to penetrate those endpoints. And government is typically willing to invest both time and money to get security right.

“From a commercial perspective, entering the government market is highly desirable,” said Ralph Kahn, vice president for federal at Tanium, a San Francisco Bay area cybersecurity company that has grown a substantial federal business since its 2007 launch.

While Tanium maintains many private sector customers, the company has inked cyber contracts with the Air Force and civilian agencies including the Social Security Administration since 2014. The company also won a $12 million contract last year with DIUx, the Pentagon’s Silicon Valley outpost, to help DOD visualize traffic on its networks.

Washington’s Cyber Boom

Cybersecurity is booming in the Washington area, led mostly by major contractors that serve the government and startups launched by former federal employees and contractors.

There are more than 77,000 filled cybersecurity jobs in the metro area that encompasses Washington and Northern Virginia and another 44,600 job openings, according to a tally maintained by the Commerce Department’s National Institute of Cybersecurity Education, the Computing Technology Industry Association and the analytics firm Burning Glass Technologies.

The products and services produced by the Washington-area workers aren’t just staying inside government.

Raytheon, a major federal contractor, spent nearly $2 billion in 2015 on a joint venture called Forcepoint to leverage the company’s history working on cybersecurity for the military, intelligence agencies and the Homeland Security Department to build a customer base among financial firms and other industry sectors.

The company routinely moves intellectual property between its government and industry-focused divisions so each can benefit from the other’s work, Michael Daly, chief technology officer of Raytheon’s government cybersecurity business, said. Forcepoint’s net sales grew to more than $550 million in 2016, according to Securities and Exchange Commission filings, up from $328 million the year before.

Other top government cybersecurity contractors also have extensive private sector businesses, including Lockheed Martin, which markets its Cyber Kill Chain system and LM Wisdom tools to industry sectors, including retail and banking. Similarly, Unisys has sold its Stealth tool, which conceals targets from cyber attackers, to both the Defense Department and to industry customers in the financial, transportation and energy sectors.

Government as Launching Pad

Just as importantly, government is a driver for myriad small- and medium-sized cyber firms in the D.C. area that serve a mix of public and private sector customers.

Some of these companies have been built through technology transfer programs at Defense and Homeland Security. In other cases, they were launched by veterans of the Pentagon and intelligence community who’ve honed their cyber skills protecting government networks.

“Silicon Valley isn’t better at making cybersecurity, they’re better at productizing it,” said Tom Kellermann, a former chief cybersecurity officer at Trend Micro. “I think the best cyber talent in the world is between Baltimore and Reston,” he said.

In 2016, Kellermann launched Strategic Cyber Ventures, a venture capital firm that invests in early-stage cybersecurity companies, many of them in the D.C. area and launched by government cyber veterans. These young companies are attractive to private sector customers, in part, because their leaders have experience defending the most complex, vital and targeted networks on earth, Kellermann said.

Many company leaders have also helped the Pentagon and intelligence agencies develop advanced network protection tools and are deeply familiar with the tactics of nation state-backed hackers.

While they can’t rely on classified information or directly copy government’s intellectual property, Kellermann said, they can often use this knowledge base to develop products and services that beat out what a company with only industry experience could produce.

Success at Scale

Doing government work can be a boon in winning private sector customers, cyber industry leaders told Nextgov. Some of that is due to government's size and scale.

“If you can solve problems at DOD scale and if you can do that efficiently, then when you’re tackling large enterprise customers on the commercial side you really have an advantage,” said Amit Yoran, CEO of the cybersecurity firm Tenable and a former DHS cybersecurity official. Tenable has historically done about 15 percent of its business with government, including DOD, and the rest with the private sector.

Government also simply has more experience in some aspects of security, which gives a leg up to the companies that serve it, industry leaders said. Because of the necessity of protecting classified and sensitive information, for example, government has a long history of segmenting networks so information doesn’t flow between them, Raytheon’s Michael Daly said.