It’s a scary world out there, which is precisely why I was on the phone making appointments with cybersecurity companies in the larger Washington, D.C., area last month.
The region around our nation’s capital truly is fast becoming the Silicon Valley of security and there are two primary reasons for this: 1) That’s where the money is and 2) That’s where the money is.
And when I say money, I am referring to contracts the federal government pays to cybersecurity companies to presumably make us all the more secure. (Although recent news reports on this topic are far from comforting.)
Geography plays a key role as it gives companies near the Beltway an advantage as they are within a few miles of the government customers paying them.
These government customers include the Central Intelligence Agency and the Pentagon in Northern Virginia; the Federal Bureau of Investigation and Department of Homeland Security in the District of Columbia; and Fort Meade and the Defense Information Systems Agency in Maryland.
So as with horseshoes, hand grenades and business, proximity matters, a truism with corporate site selection if there ever was one. (And you can quote me on that.)
Back in 2000, the federal government spent less than $1 billion on cybersecurity. For 2015, that number will be about $15 billion and more is sure to be spent in the future.
All this is why the Washington area posted more than 23,400 cybersecurity jobs last year – dramatically more than any other region, including the Bay Area.
I think you can see why I was making appointments with cybersecurity firms in the Washington, D.C., region. Things are booming there and we would like to help companies and economic development organizations if we can be of help.
Created by a Boom Time
Last week, cybersecurity stocks surged to an all-time high. Goldman Sachs sees that trend continuing as the investment bank noted that last year “3,014 data breach incidents took place worldwide, exposing 1.1 billion records,” up 25 percent year over year.
In 2011, the global cybersecurity market hit $67 billion. It is projected to grow to as high as $156 billion by 2019, according to Markets and Markets, a Dallas-based research firm.
According to New York City-based CB Insights, in the past five years, $7.3 billion has been invested into 1,208 private cybersecurity startups.
I Was One of the 56 Million
I think I may have mentioned in a blog late last year that my credit union sent me a new debit card, because I had shopped at Home Depot. The year before, my wife was sent a new credit card because she had shopped at Target.
Both retailers had been hacked, hence the new cards sent to us and a spate of bad publicity for the two companies.
Home Depot reported that hackers got into its systems by stealing a password from a vendor, opening a tiny hole that grew into the biggest retail-credit-card breach on record. About 56 million credit-card accounts were compromised, Home Depot said, with 53 million customer email addresses also being stolen.
The hack attack on Home Depot happened in April 2014, but the company discovered it, or at least reported it, in November 2014. Not exactly a confidence builder, although they do have some great wood screws.
Meeting Industry Standards is Not Good Enough
Computer-security experts say that many retailers will not isolate sensitive parts of their networks from those that are more accessible to outsiders. It is usually after they have fallen prey to hackers that the companies address these “segmentation” issues.
Too often, however, they focus on meeting certain industry standards designed to detect known threats rather than anticipating the fluid, fast-moving tactics of hackers, which means they will be vulnerable again given time.
A recent Verizon cybersecurity report says most retailers bulk up IT security just in time for their payment card industry inspection, but then only 29 percent keep it up afterward.
“Officially they remain compliant, but only two or three weeks a year,” said Rodolphe Simonetti, a consultant with Verizon, in an interview with CNN Money.
According to the Verizon report, only 33 percent of companies regularly tested their computer networks for holes properly in 2014.
We All Pay
A new survey by the Ponemon Institute, a security research center, and IBM found that the average cost of a computer breach at large companies was $3.79 million globally. But for U.S.-based companies, the average cost was much higher at $6.5 million.
According to a report by USA TODAY, the survey included 350 companies in 11 countries that had experienced a data breach, mostly in 2014 — 62 of those companies were U.S.-based. The global cost has risen 23 percent since 2013, but only 11 percent in the U.S. That puts the average cost per lost or stolen record at $217 in the U.S. and $154 globally.
You can bet that we are all paying for that with increased prices for goods and services.
Target U.S. Government
Now you might think with all the hired cybersecurity guns at its disposal that the federal government would have its defense shields up and ready to thwart just about any cyberattack lodged against it.
But you would be wrong. In the past few months, hackers have breached security systems for the White House, the State Department, the Internal Revenue Service and the Office of Personnel Management.
An embarrassed Obama administration has given all government agencies a Dec. 31, 2016 deadline to encrypt their websites. So far, only 41 percent of federal domains are encrypted, according to government figures.
Now it is one thing for a retailer to get hacked, but quite another when it is the federal government, because here national security is at stake. That is another reason why cybersecurity firms are clustered in and around Washington.
A report from the U.S. Department of Homeland Security found federal agencies come under cyberattack hundreds of times a day and thousands of times a year.
You have probably heard by now that the IRS says that it was hacked with 100,000 Americans’ tax data compromised. Let me tell you, in the wrong hands, tax records can be much more dangerous and prone to extortion than credit card receipts.
But the Office of Personnel Management may take the cake in terms of sheer ineptness. Its security system is believed to have been compromised more than a year after it began and was discovered only when OPM was updating its security infrastructure.
Hackers didn’t just steal birthdays, email addresses and health information from the OPM, which is bad enough. They also got security clearance information on at least 4 million federal employees, including a database of federal employees who sought security clearances.
They Got What?
By gaining access to SF-86 security clearance forms, which are used to conduct background checks on Americans seeking access to classified government information, the hackers have information that could easily be leveraged in exchange for legislative favors.
The 127-page security clearance forms have details on the applicants’ family members, friends, former friends, potential enemies, angry neighbors, jilted ex-lovers.
In short, this is the stuff of blackmail. So it is not a stretch to believe that the hackers, armed with this very personal information, will attempt to recruit spies and ultimately seek access to weapons plans and industrial secrets.
The Fifth Domain
Virtually every major attack has been attributed to Chinese and Russian hackers acting on behalf of their governments.
And what they are trying to do is steal proprietary information ranging from blueprints to software applications to private employee information to chemical formulas from government and industry.
The Economist describes cyberspace as “the fifth domain of warfare”, which is why the Pentagon is so involved. This is the new war, which in turn has created a growing war-time cybersecurity industry.
And while the greater Washington, D.C., area has distinct advantages, communities across the nation, particularly those near military installations, are investing in cybersecurity measures and infrastructure as they recognize the possibilities posed by this burgeoning industry.
With as many as 300,000 cybersecurity jobs in the United States going unfilled last year alone, according to security company Symantec, academic programs are being crafted to win research grants and generate the next generation of highly skilled workers poised to make six-figure salaries and stay local.
That is precisely the intent with the creation of the Center for Cybersecurity at the University of West Florida in Pensacola.
Other regions around the country are making big plays for the emerging cybersecurity industry, including Seattle-Tacoma in Washington state and San Antonio, to name a few.
The cyber boom is real and is growing because we have a bunch of cyber outlaws on the loose. How, if and when we bring them to heel should be a matter of time. But we need to fight fire with fire. I vote Texas Rangers.
I’ll see you down the road.
Dean Barber is the president/CEO of Barber Business Advisors, LLC, a location advisory and economic development consulting firm based in Plano, Texas. He can be reached at firstname.lastname@example.org or at 972-767-9518. If you liked what you read here, invite him to speak at your next meeting.