Cybersecurity: An emerging industry

We trust so much important information to the global network that connects us all, information about ourselves, our companies and the security of our country. And every minute, someone, somewhere, is trying to steal it.

If were lucky, all theyre after is a password or a credit card number or two. If were unlucky, they want to steal thousands of credit cards or proprietary corporate data or critical national security information.

There are always new threats, there are always new bad guys, says Lars Harvey, cofounder and chief executive officer of Internet Identity, a Tacoma-based developer of products and services to help organizations protect themselves from cyberthreats and bad guys. There are always valuable things to protect, whether its personal information or its intellectual property, the latest inventions [or] plans for how we defend ourselves against nuclear attack.

Threat and challengebut also opportunity?

There just might be one for the Puget Sound region in the form of creating a globally recognized hub, or cluster, of experts, expertise, institutions and companies specializing in the art and science of detecting and thwarting attacks on, thefts from and damage to computer networks and databases.

The cluster concept is hardly new in economic development circles, and this region has been through waves of ideas about creating and building them, from dreams of creating a biotechnology hub to the current lust for green energy and clean tech.

A cybersecurity cluster based in the Puget Sound area has multiple attractions, starting with the fact that it doesnt have to be invented from scratch. Weve got a lot of raw material to make it happen, says Brice Barrett, executive director of the Pacific Northwest Defense Coalition, an organization based in Poulsbo and Portland dedicated to helping businesses in the Northwest land defense contracts.

Already present are big companiesBoeing in aerospace and defense, Microsoft in computer software, Amazon in retailingthat have considerable experience with cybersecurity to maintain the reliability and security of their own systems, not to mention a wealth of defense installations and contractors with more than a passing interest in keeping cyberthieves, snoops, hackers and vandals at bay. Boeing, in fact, has branched out from an internal focus on cybersecurity to offer services to government agencies and corporations. While that businessCyber and Information Solutionsis based in Arlington, Va., the company says it has personnel in Seattle focusing on cybersecurity.

This region also has several independent firms, including Internet Identity, formed in 1996 to help companies protect their websites against attacks; WatchGuard Technologies, a Seattle business that offers network security solutions; and IOActive, a computer security company with offices in Seattle and London.

Backing up those companies are research organizations focusing on cybersecurity. The University of Washingtons Center for Information Assurance and Cybersecurity (ciac.ischool.washington.edu) focuses, per its website, on equipping specially educated professionals, conducting innovative research through broad collaborations, and providing educational outreach to raise public awareness of information assurance. One of its partners in that endeavor is the Pacific Northwest National Laboratory at Richland, which is concentrating some of its research power on cybersecurity. Cyber- networks are a strategic national asset, the laboratory says on its website (pnl.gov). More advanced detection, proactive measures and adaptive defense methods are needed that protect cyber systems as opposed to the traditional catch n patch or quick fix approach.

So, do we already have a cluster?

Internet Identitys Harvey answers the question with one of his own: Do we have a cluster that actually works as a cluster? We dont have that. Weve got a lot of pieces, though. If we manage to pull them all together, then maybe we have a cluster.

Those pieces include the wealth of engineering talent at Boeing, Microsoft, Amazon and firms headquartered elsewhere that have offices here. The way you get a cluster is people spin out of these bigger companies and create their smaller companies, Harvey says.

Adds Barrett, Theres always a huge amount of entrepreneurial talent that leaves those firms to start their own businesses. This is the kind of thing where we have serious coding and software management talent waiting in the wings to do some pretty interesting things.

This region also has a healthy base of venture and corporate capital to support those ventures.

If you look at the history of these hubs, you need a winner, Harvey explains. One of your companies has to grow big and start spinning people out, and thats where it comes from. Such growth is what happened with Microsoft in the realm of applications software. Those people all know each other and talk to each other. Thats the part thats missing right now. You dont have that shared mission or shared experience.

Whats also missing is a big commitment from what is likely to be the biggest customer for cybersecurity products and services: the federal government. Were on the tip of the iceberg because our customer is just now figuring out what it wants, says Barrett.

Cybersecurity is a huge growth area if youre dealing with government, Harvey says. It may be the one thing that comes out of this budget brouhaha getting more money. Its a big growth area for government. Its a big growth area for defense spending, because thats in a sense where the conflicts are moving.

Developing a cybersecurity cluster doesnt require huge investments of capital, a situation that is both good and bad. Cybersecurity doesnt have to be locked in any particular spot, says Scott Hamilton, a noted local aerospace analyst and consultant who is a proponent of the region, particularly its aerospace and defense companies, getting into the sector. Its very portable. Simplistically, its a call center.

It will, however, require experience and patience in dealing with the complexities of big-ticket federal projects. There are still plenty of ways to burn money, Barrett says. You always have inherent problems with government programs and requirements creep. But for those entrepreneurs who can ride the roller coaster and build a good product, Barrett says hes pretty happy about the potential for an eventual acquisition. (The Northwest has already seen one example of success in the case of WatchGuard, which was launched in 1996, went public in 1999 and was taken private in 2006).

Hamilton has lobbied for cybersecurity as an option for companies concerned about the long-term prospects of Boeings commercial aviation operations in the Northwest. The state needs to look beyond the tube-and-wing Boeing Company, says Hamilton, who did a study for the state Department of Commerce on the sectors potential.

We need funded federal initiatives, Barrett says. I think theyre coming. Having a good state-level commitment is critical. Hamilton adds that the state needs to make sure its universities continue producing the trained engineers a cybersecurity cluster will require.

To illustrate how the sector could grow, both he and Barrett cite Insitu, a developer of unmanned aircraft started in the Columbia Gorge town of Bingen in 1994. Since then, the industry has been consolidated by the major defense contractors; in 2008, Boeing bought Insitu, which now has 700 employees and several hundred million dollars of revenue a year.

The cybersecurity market, Barrett says, is about where the market for unmanned aircraft like Insitus was 10 years ago.

But cybersecurity could develop in a hurry because of the increasing dependence on networks and the increasing threat to them. The growth of cloud computing and storage servicesAmazon and Microsoft are among the biggest players in that segmentwill require more security. So will expansion of a managed smart electric grid, a particularly sensitive subject in the Northwest, with the network of hydroelectric dams on the Columbia and Snake rivers and the Bonneville Power Administration operating a regional transmission system. If you have a hack attack on the power grid, Hamilton observes, our economy would be devastated.

A lot of the potential, though, has already been built in. In the pell-mell race to get everyone connected during the past two decades, Harvey points out, Theres not a lot of time to lock it all down. Weve got this huge network thats been built up in 15 years. There are plenty of holes and there are holes at the most basic level of the infrastructure. There are holes in application software thats built every day. Theres plenty of opportunity for the bad guys, which means there are threats that have to be defended against.

All of which means there should be plenty of work to keep cybersecurity startups busy for years to come.

You just have to look at the physical world, says Harvey. The security business is a good one.

Need more proof that the Puget Sound region isnt a good place for hackers to set up shop?

In April, an eight-person team from the University of Washington was crowned champion of the National Collegiate Cyber Defense Competition,

in which nine college teams from across the country pretended to be the IT department of a pharmaceutical company. Their mission: fight off repeated cyberattacks while keeping the companys systems up and running.

The UW team operates under the umbrella of the Center for Information Assurance and Cybersecurity, with leadership provided by research associate professor Barbara Endicott-Popovsky.

John Levesque