A Tepid Attack From Silicon Valley
October / November 2009
Volume 7 Number 5
Every now and then, a big idea sweeps through the security industry. In 1987, the first antivirus software was launched, spawning an industry of giant software vendors such as Symantec and McAfee. They tackled the seemingly impossible job of cleaning viruses off PCs as hackers took to distributing their wares on the web. After the terrorist attacks of 9/11, a renewed focus on security led to all sorts of startups and investments.
But as the innovations slow down and the industry matures into big players, interest in security wanes. We're now at the stage where big security software vendors are so big now that the idea of launching a security software startup isn't so attractive anymore.
That doesn't mean the innovations and startups will cease. Oliver Friedrichs, a former Symantec research executive, recently launched Immunet, an antivirus software that takes advantage of the group intelligence made possible by the web.
Friedrichs left Symantec a year ago to start the Palo Alto, Calif.-based startup. His idea was to move fast on something the big vendors hadn't addressed: how to take advantage of the internet cloud—€”or big banks of servers in web data centers—€”to fight off the dramatic increase in malware. While spam and viruses are growing like weeds, antivirus software catches fewer than 50 percent of the newest threats.
Friedrichs felt that he could tap community-based trust networks and collective intelligence to turn the tables. Every time someone encounters a questionable file or web site, the software checks with the cloud-based database. If most people say the file is legitimate, then the user can proceed. If it's known malware, then the user is warned.
Others have also jumped on this idea of crowdsourcing, or using the power of numbers on the internet to solve problems that no single person can tackle. Symantec is asking its users to opt into a community network where they share information about being attacked and allow Symantec to report the incident to authorities. The crowd of users is thus enlisted in helping to track down criminal hackers.
This big idea is spreading through the security ecosystem now. That's a good thing. But the ecosystem itself isn't in a state of balance. At the recent Black Hat and Defcon security conferences in Las Vegas, more than 12,000 security professionals and hackers were out in force. It was like a mini boom amid the recession-hit economic morass.
But the venture capitalists who attended the security events were not optimistic about the ability to make a killing on security startups. In spite of the rising threats, there aren't that many security startups raising money. VC investment into security software firms has steadily fallen from $893 million into 122 deals in 2004 to $564 million in 86 deals in 2008. In the first six months of 2009, VCs have put $94 million into 19 deals, according to the National Venture Capital Association. The last major security software IPO was ArcSight, which raised $50 million in February, 2008.
One reason is that the recession has taken its toll on the natural customers of security startups. Financial services firms have been hit hard. Banks and trading firms need ironclad security and are willing to pay for it. But they pretty much shut down on expansions in the past year. Now the security ecosystem—€”which includes the government, big corporations, investors, venture capitalists and entrepreneurs—€”is in jeopardy.
Meanwhile, criminal hackers are enjoying a boom. Spam, which is commonly linked to cybercrime, now accounts for 92 percent of all email. The fundamental flaws of the internet are still vulnerable to attack. Users are putting too much trust in the safety of social networks, which have become an excellent means for spreading malware worldwide. Symantec now blocks more than 245 million malicious code attacks each month. It's easier to fool users by redirecting them from good sites to bad sites. Government infrastructure such as the air traffic control system is pathetically vulnerable. The power of organized cybercrime in places such as Russia is truly frightening, McAfee executive Dmitri Alperovitch reported at Black Hat.
After 9/11, a theory arose. It held that even in hard times, companies can't afford to cut corners on security. But that theory hasn't really panned out in reality, as many of the startups funded after 9/11 went bust. The disappointment with the first round of post 9/11 funding has probably made VCs reluctant to pour a lot more money into the category, said Pascal Levensohn, managing director at Levensohn Venture Partners.
"Companies like Intel and Symantec went public on a fairly small amount of money," said Levensohn. "We are at risk of losing a whole generation of these companies. There is continuing demand for security, but a declining appetite for risk."
In security circles, compliance rules tend to drive sales. If better security technology is recommended, it often falls on deaf ears in the CEO suite. But if it's required by law, then that's another story, said Mark McGovern, head of the digital identity and security practice at In-Q-Tel, the CIA's investment arm. In-Q-Tel has about 10 security startups in its portfolio.
With big security vendors like McAfee and Symantec dominating the landscape, the space available for startups is smaller. McGovern said that startups are often creating new features or widgets that will eventually be acquired and integrated into a larger software suite. On the hardware side, a lot of startups create an appliance to filter the network for a particular kind of problem. That kind of appliance becomes part of a larger firewall against attacks.
But Levensohn seems to think there's still room for innovators. As the internet infiltrates all sorts of gadgets that were once off the grid, those devices need better security. Levensohn said that providing security for energy-related infrastructure will become a good opportunity. At Black Hat, security experts warned that it was easy to compromise the security of smart meters and smart thermostats that send data to the utility company.
Levensohn also says his firm is looking into areas such as securing the supply chain for manufacturers and is on the prowl for companies that could be combined to create a stronger company. He also wants the government to put its money where its mouth is and offer more support for startups. For instance, he wants the government to allow more pilot projects at government agencies. By peeling away the red tape that makes the agencies too cautious, the government could start to get new technology early from startups, rather than waiting for a big, established company to offer it later on.
Robert Lentz, the deputy secretary of defense for cyber matters, who spoke at the security conferences, agrees that the security ecosystem is at risk and that the country needs to marshal the same kind of enthusiasm for cybersecurity as it has for cleantech. He rattled off a long list of areas where the government needs better technology. On the high level, he believes that the entire internet infrastructure should move to the more secure DNSSEC and IPv6 technologies—€” both of which are better and more secure ways to anchor the internet. He also believes that we'll get a big payoff from investments in automating security, reducing anonymity, better biometrics, instant damage assessments, and better consumer awareness of the risks of unsafe computing.
If startups come up with solutions for these problems, big or small, they may become acquisition targets. IBM just bought security software firm Ounce Labs. So that means there are other kinds of players out there besides just Symantec and McAfee.
The scary thing is that cybercrime is racing ahead of the government's ability to catch criminals, said Peter Guerra, an analyst at Booz Allen Hamilton who gave a presentation on the cybercrime economy at Black Hat. In a three-year-long investigation of the Russian mafia, the FBI was able to arrest 56 individuals and recover 100,000 stolen credit cards. But that was just the tip of the iceberg, said McAfee's Alperovitch. It's only getting worse as the recession creates more incentives for the bad guys and funding for the good guys dries up.
During the recession, the price for hacking tools and the cost of renting botnets, or pools of compromised computers, has gone way down. The average price to buy a stolen credit card number or bank account password has plummeted, partly because so many are available, said Vincent Weafer, vice president of Symantec Security Response. It's far easier to commit cybercrimes, and computer-oriented talent is having a hard time finding jobs, so the allure of cybercrime is higher, Guerra said.
To counter the bad guys, there's plenty of need for talent at all of the companies and government bodies that need to do security research. That's why some federal agencies are contemplating giving away a big monetary prize to those who compete best in a cybersecurity competition. Turning would-be criminal hackers into agents for the government would help blunt the cybercrime problem.
As the Immunet launch suggests, there are still startups with promise. Symantec and others are investing $20 million in Lifelock.com, the company that protects consumers against identity theft. Becky Base, a partner at Trident Capital, talks with dozens of them a year, resulting in one or two investments. But nobody is really looking at security as a get-rich industry.
"If you aren't in it for the passion, forget about it," she said. "If you're in it for the bucks, don't bother."
Dean Takahashi reports from Silicon Valley for Innovation.
Copyright © 2012 | Innovation America