09 December 2016

The U.S. Government – Where Cybersecurity Startups Are Born?

Anne-Marie Chun

“So, to stay ahead of all these challenges, to stay the best, I’ve been pushing… [us] to think outside our… box and invest aggressively in innovation of all kinds, technological, organizational, operational, and in the talent…”

…said a Silicon Valley CEO? Think again.

Actually, this quote doesn’t come from Silicon Valley at all. It doesn’t even come from the private sector. Who said it? None other than the United States Secretary of Defense Ash Carter, talking about how he pushes the Pentagon to think outside the five-sided box.

Many consider Silicon Valley to be the innovation capital of the world. The Valley leads rankings as the top ecosystem for startups and innovation based on criteria such as talent, capital, and market reach.

Often overlooked, however, are the talent, capital, and market reach of the U.S. Government. Consider this – the U.S. Government spends over $100B to educate and train its talent every year. Recently, the U.S. Government has been launching campaigns to encourage Silicon Valley nerds to serve their country through initiatives like Defense Innovation Unit Experimental (DIUx), the Defense Digital Service, and Hack the Pentagon (the program Synack is particularly excited to be leading). The government also promises the unique excitement of working on the nation’s toughest problems, service to one’s country, and college scholarships, among other incentives.

When it comes to capital, the government is well-equipped. In FY17 alone, the government plans to spend $82B on IT, approximately $19B of which will be dedicated to Development, Modernization & Enhancements. In comparison, Alphabet spent only $12B in R&D in 2015.

Furthermore, with one of the largest single technology budgets in the world, any innovation developed in the government has the potential to scale across hundreds of agencies. A number of innovations, like the internet and GPS, have proven valuable not only within the government “market,” but also within the commercial market.

With a prime environment for innovation through talent recruitment and development, access to capital, and “market reach”, it is no surprise that the government fosters an environment similar to that of an incubator. When solving problems like “how can we network and communicate with people around the world?” and “how do we keep American citizens safe?”, big ideas are bound to emerge.

It is no coincidence that Synack’s co-founders, Jay Kaplan and Mark Kuhr, came up with the idea for Synack while at the NSA. While they were spending their days perfecting their tradecraft to secure America’s IT environment, they witnessed the commercial sector struggling to defend against a growing and evolving cyber adversary. They realized that they could leverage the best-in-breed cybersecurity practices of one of the government’s top security agencies to help make commercial companies more secure.

Several years after Synack’s founding, we have come full circle. We are now using our industry-leading platform and best practices from the commercial sector to make government systems more secure. Last month, Synack launched its Synack Government line of business, dedicated to serving the mission-critical needs of government customers.

Ironic? Maybe, but not surprising. In fact, we see this as the ultimate validation that sophisticated government solutions can do a lot of good for the commercial sector, and experience from the commercial sector can provide a new perspective on persistent government problems. There is an inherent feedback loop between commercial and government innovation. In many cases, the two sectors are innovating to solve the same problems, and their respective solutions can help both the public and private sectors.

It is for this very reason that Silicon Valley was born. Before there were mobile apps and SaaS, Silicon Valley was a research hub dedicated to the co-development of critical technologies with the US government and research bodies, such as NASA. As Secretary Carter explains,

“One of my core goals as Secretary of Defense has been to build and in some cases rebuild the bridges between our national security endeavor at the Pentagon and America’s wonderfully innovative and open technology community. That’s important because we’ve had a long history of partnership, working together to develop and advance technologies like the internet, GPS, and before that satellite communication and the jet engine.”

When it comes to cybersecurity, coordination between the public and private sectors is critical. The adversaries are attacking both the public and private sectors, and when trying to truly understand your adversary, collaboration provides efficiencies of scale. By sharing best practices on both the defensive side and the incident response side, both commercial and government entities can multiply the effectiveness of their programs. Furthermore, with a major talent gap in the security industry, the public and private sectors can improve the talent at their respective organizations by sharing “crowdsourced ethical hackers,” as we call them at Synack.

Synack is not the only company that has spun out of the NSA. Virtru, Area 1 Security, Sqrrl, and Morta Security are just a few of the other security startups with roots at the NSA, not to mention head honcho Gen. Keith Alexander’s own IronNet Cybersecurity. And this is by no means a new phenomenon, according to Stewart Baker, the NSA’s lead lawyer in the 1990s. As he told Forbes, there has been a “reasonable stream of people leaving the agency because of an entrepreneurial itch” for decades.

There are certainly advantages to understanding both the commercial and government sectors and being able to speak both languages. Addressing a room full of government officials recently, Synack co-founder Mark Kuhr wore two hats: that of a seasoned government cybersecurity analyst and that of a Silicon Valley innovator. What he said to the audience packed a punch for government and commercial executives alike: “You have to train the way you fight.”

From the battlefield to cyberspace to marketing sites and ecommerce apps, the size, scale, and severity of cyber attacks are increasing. Organizations need innovative solutions from the best and brightest cyber experts out there, and it just so happens that these NSA veterans have the talent and experience to help secure even the most sophisticated systems.