We trust so much important information to the global network that connects us all, information about ourselves, our companies and the security of our country. And every minute, someone, somewhere, is trying to steal it.
If we’re lucky, all they’re after is a password or a credit card number or two. If we’re unlucky, they want to steal thousands of credit cards or proprietary corporate data or critical national security information.
“There are always new threats, there are always new bad guys,” says Lars Harvey, cofounder and chief executive officer of Internet Identity, a Tacoma-based developer of products and services to help organizations protect themselves from cyberthreats and bad guys. “There are always valuable things to protect, whether it’s personal information or it’s intellectual property, the latest inventions [or] plans for how we defend ourselves against nuclear attack.”
Threat and challenge—but also opportunity?
There just might be one for the Puget Sound region in the form of creating a globally recognized hub, or cluster, of experts, expertise, institutions and companies specializing in the art and science of detecting and thwarting attacks on, thefts from and damage to computer networks and databases.
The cluster concept is hardly new in economic development circles, and this region has been through waves of ideas about creating and building them, from dreams of creating a biotechnology hub to the current lust for green energy and clean tech.
A cybersecurity cluster based in the Puget Sound area has multiple attractions, starting with the fact that it doesn’t have to be invented from scratch. “We’ve got a lot of raw material to make it happen,” says Brice Barrett, executive director of the Pacific Northwest Defense Coalition, an organization based in Poulsbo and Portland dedicated to helping businesses in the Northwest land defense contracts.
Already present are big companies—Boeing in aerospace and defense, Microsoft in computer software, Amazon in retailing—that have considerable experience with cybersecurity to maintain the reliability and security of their own systems, not to mention a wealth of defense installations and contractors with more than a passing interest in keeping cyberthieves, snoops, hackers and vandals at bay. Boeing, in fact, has branched out from an internal focus on cybersecurity to offer services to government agencies and corporations. While that business—Cyber and Information Solutions—is based in Arlington, Va., the company says it has personnel in Seattle focusing on cybersecurity.
This region also has several independent firms, including Internet Identity, formed in 1996 to help companies protect their websites against attacks; WatchGuard Technologies, a Seattle business that offers network security solutions; and IOActive, a computer security company with offices in Seattle and London.
Backing up those companies are research organizations focusing on cybersecurity. The University of Washington’s Center for Information Assurance and Cybersecurity (ciac.ischool.washington.edu) focuses, per its website, on “equipping specially educated professionals, conducting innovative research through broad collaborations, and providing educational outreach to raise public awareness of information assurance.” One of its partners in that endeavor is the Pacific Northwest National Laboratory at Richland, which is concentrating some of its research power on cybersecurity. “Cyber- networks are a strategic national asset,” the laboratory says on its website (pnl.gov). “More advanced detection, proactive measures and adaptive defense methods are needed that protect cyber systems as opposed to the traditional ‘catch ’n’ patch’ or quick fix approach.”
So, do we already have a cluster?
Internet Identity’s Harvey answers the question with one of his own: “Do we have a cluster that actually works as a cluster? We don’t have that. We’ve got a lot of pieces, though. If we manage to pull them all together, then maybe we have a cluster.”
Those pieces include the wealth of engineering talent at Boeing, Microsoft, Amazon and firms headquartered elsewhere that have offices here. “The way you get a cluster is people spin out of these bigger companies and create their smaller companies,” Harvey says.
Adds Barrett, “There’s always a huge amount of entrepreneurial talent that leaves those firms to start their own businesses. This is the kind of thing where we have serious coding and software management talent waiting in the wings to do some pretty interesting things.”
This region also has a healthy base of venture and corporate capital to support those ventures.
“If you look at the history of these hubs, you need a winner,” Harvey explains. “One of your companies has to grow big and start spinning people out, and that’s where it comes from.” Such growth is what happened with Microsoft in the realm of applications software. “Those people all know each other and talk to each other. That’s the part that’s missing right now. You don’t have that shared mission or shared experience.”
What’s also missing is a big commitment from what is likely to be the biggest customer for cybersecurity products and services: the federal government. “We’re on the tip of the iceberg because our customer is just now figuring out what it wants,” says Barrett.
“Cybersecurity is a huge growth area if you’re dealing with government,” Harvey says. “It may be the one thing that comes out of this budget brouhaha getting more money. It’s a big growth area for government. It’s a big growth area for defense spending, because that’s in a sense where the conflicts are moving.”
Developing a cybersecurity cluster doesn’t require huge investments of capital, a situation that is both good and bad. “Cybersecurity doesn’t have to be locked in any particular spot,” says Scott Hamilton, a noted local aerospace analyst and consultant who is a proponent of the region, particularly its aerospace and defense companies, getting into the sector. “It’s very portable. Simplistically, it’s a call center.”
It will, however, require experience and patience in dealing with the complexities of big-ticket federal projects. “There are still plenty of ways to burn money,” Barrett says. “You always have inherent problems with government programs and requirements creep.” But for those entrepreneurs who can ride the roller coaster and build a good product, Barrett says he’s “pretty happy about the potential” for an eventual acquisition. (The Northwest has already seen one example of success in the case of WatchGuard, which was launched in 1996, went public in 1999 and was taken private in 2006).
Hamilton has lobbied for cybersecurity as an option for companies concerned about the long-term prospects of Boeing’s commercial aviation operations in the Northwest. “The state needs to look beyond the tube-and-wing Boeing Company,” says Hamilton, who did a study for the state Department of Commerce on the sector’s potential.
“We need funded federal initiatives,” Barrett says. “I think they’re coming. Having a good state-level commitment is critical.” Hamilton adds that the state needs to make sure its universities continue producing the trained engineers a cybersecurity cluster will require.
To illustrate how the sector could grow, both he and Barrett cite Insitu, a developer of unmanned aircraft started in the Columbia Gorge town of Bingen in 1994. Since then, the industry has been consolidated by the major defense contractors; in 2008, Boeing bought Insitu, which now has 700 employees and several hundred million dollars of revenue a year.
The cybersecurity market, Barrett says, is about where the market for unmanned aircraft like Insitu’s was 10 years ago.
But cybersecurity could develop in a hurry because of the increasing dependence on networks and the increasing threat to them. The growth of cloud computing and storage services—Amazon and Microsoft are among the biggest players in that segment—will require more security. So will expansion of a managed “smart” electric grid, a particularly sensitive subject in the Northwest, with the network of hydroelectric dams on the Columbia and Snake rivers and the Bonneville Power Administration operating a regional transmission system. “If you have a hack attack on the power grid,” Hamilton observes, “our economy would be devastated.”
A lot of the potential, though, has already been built in. In the pell-mell race to get everyone connected during the past two decades, Harvey points out, “There’s not a lot of time to lock it all down. We’ve got this huge network that’s been built up in 15 years. There are plenty of holes and there are holes at the most basic level of the infrastructure. There are holes in application software that’s built every day. There’s plenty of opportunity for the bad guys, which means there are threats that have to be defended against.”
All of which means there should be plenty of work to keep cybersecurity startups busy for years to come.
“You just have to look at the physical world,” says Harvey. “The security business is a good one.”
Need more proof that the Puget Sound region isn’t a good place for hackers to set up shop?
In April, an eight-person team from the University of Washington was crowned champion of the National Collegiate Cyber Defense Competition,
in which nine college teams from across the country pretended to be the IT department of a pharmaceutical company. Their mission: fight off repeated cyberattacks while keeping the company’s systems up and running.
The UW team operates under the umbrella of the Center for Information Assurance and Cybersecurity, with leadership provided by research associate professor Barbara Endicott-Popovsky.