The cyber gold rush
How cities and states are scrambling to become the Silicon Valley of cybersecurity – and ride the next big economic boom.
washington — On an aluminum-gray day, dozens of businesspeople filed off luxury tour buses. They huddled around the Army colonel who commands the sprawling Fort George G. Meade, Md., base that’s home to the National Security Agency and the US military’s cyberwarfare command. He told them that protecting the country from adversaries over computer networks is now just as crucial as protecting it on land, in the air, at sea, and in space. It was hard to hear him over the clanking and screeching of bulldozers and cranes, building what will become a 750,000-square-foot data center.
Yet this cacophonous scene was exactly what Jim Dinegar, chief executive officer of the Greater Washington Board of Trade, wanted the 82 bank presidents, construction magnates, real estate agents, and mortgage brokers he invited on this “cyber bus tour” to see: that the US government is taking the threat so seriously that the base is razing the rest of its cherished 36-hole golf course to make way for more computing power to safeguard the nation.
Mr. Dinegar hopes the military’s double-down on cybersecurity will convince the businesspeople it’s worth supplying the thousands of specialists who will be attracted to the area with everything from homes to dry cleaning to office-moving services. After all, Dinegar’s top mission is to bring jobs and business to the District of Columbia, northern Virginia, and suburban Maryland. He wants boomtowns. Cybersecurity, he says, “is an opportunity that’s bigger than anything I’ve ever seen.”
But Dinegar is facing stiff competition. He’s not the only one equating the country’s cyber insecurity with dollar signs.
While California’s Silicon Valley is the technology capital of America, cities and states across the country are now vying to dominate the next big economic frontier – the booming market for securing what actually lies within the nation’s electronic networks.
From California to Texas to Florida, public and private groups are positioning themselves to win millions in federal contracts and from venture capital firms. Some are going to extraordinary lengths to build what they call “a cybersecurity ecosystem.” They are commissioning economic-impact studies, hatching tax-incentive packages, and hiring PR firms to devise branding strategies. They are investing in start-ups with money from state coffers. With as many as 300,000 cybersecurity jobs in the United States going unfilled last year alone, according to security company Symantec, they are also crafting academic programs for public universities to win research grants and generate the next generation of highly skilled workers poised to make six-figure salaries – and stay local.
The nation has seen all this before, of course. The cyber gold rush is part of an enduring attempt by cities and states to tap the next great emerging industry in the name of economic salvation. From the birth of the automobile and steel industries, through the aerospace, computer, and biotech eras, communities have sought to ride industrial cycles to prosperity and middle-class comfort. Some were successful. Some weren’t. Now cybersecurity promises to produce a similar spreadsheet of winners and losers – with a few notable differences.
Unlike the actual gold rush in California in the mid-1800s, or the clustering of manufacturing industries in the Northeast and upper Midwest decades later, the cybersecurity gold rush is not dependent on the availability of natural resources. And unlike the automobile industry, an ability to build physical structures or sprawling factories to dominate the competition through mass production will not determine which city becomes the epicenter of data protection. Economists note the start-up cost to be a cybersecurity hub – even with pricey data centers – is far less than, say, the relative cost of what it took to create assembly lines in the early 1900s.
Yet the potential return for cities is substantial. In 2011, the global cybersecurity market hit $67 billion. It is projected to grow to as high as $156 billion by 2019, according to Markets and Markets, a Dallas-based research firm. The need for cybersecurity is likely only to grow as more giants such as Sony Pictures Entertainment, Target, and Home Depot are hacked; consumers demand better security; and businesses grow more aware of the potential cost to their sales and reputation if they do not provide it.
On a consumer level, the way people interact with technology in their homes and on their bodies will also drive the market. Networking giant Cisco predicts there will be some 50 billion devices and objects connected to the Internet by 2020. Already, smart watches track your heart rate, and thermostats in your home can be controlled remotely by cellphone apps. This burgeoning Internet of Things drives a pressing need to protect the increasingly personal data people put online.
“This is one of the fastest growing industries – not just in the tech sector, but in the world,” says Peter Singer, a strategist who focuses on cybersecurity at the New America think tank in Washington. And no one has yet claimed it, Mr. Singer says. “What’s the next Silicon Valley for cybersecurity?”
While cybersecurity “is about digital systems and processes,” he continues, “there are still people behind it. The people, and companies they work for, have to physically be somewhere.... Where will these people and firms be located? It’s not yet shook out where it will be.”
D.C. Metro: The federal government advantage
In a competition for cybersecurity business, the area around the nation’s capital has a huge advantage with the alphabet soup of government agencies, and concentration of military installations. For starters, there’s the Central Intelligence Agency and the Pentagon, in Virginia; the Federal Bureau of Investigation and Department of Homeland Security, in the District of Columbia; and Fort Meade and the Defense Information Systems Agency, in Maryland.
Here’s the true power of geography in the Beltway: contracting. Federal contracts with the National Security Agency (NSA), for instance, often have requirements that companies be within a few miles of the government customers paying them. “Silicon Valley is a little bit more than five miles away,” Dinegar quips.
So even as the traditional defense budget shrinks at the end of a decade of war in Iraq and Afghanistan, federal money for cybersecurity is increasing. The Pentagon’s requested $5.5 billion for its cybersecurity operations next year is up 30 percent from just two years ago. The department is on track to spend around $23 billion on it within five years. And the flood of federal dollars is a strong reason why the Washington area posted more than 23,400 cybersecurity jobs last year – dramatically more than any other region, including in the Bay Area.
Cybersecurity, says Jeffrey Wells, Maryland’s director for cyber development, “is just a piece of what Silicon Valley is doing, whereas here it’s our core ecosystem.”
To be a more formidable “cyber capital,” however, Virginia, Maryland, and the District of Columbia should band together, Dinegar argues, because right now each area’s respective assets “cancel each other out” as national leaders.
Economic and business organizations in the three areas want the government to spend around $300 million to extend the routes of Maryland’s and Virginia’s commuter trains to allow more direct access to remote suburban tech hubs. Otherwise, it’ll be tough to attract highly educated 20- and 30-something urban dwellers to those jobs. The Greater Washington Board of Trade is also trying to arrange uniform tax incentives across Maryland, Virginia, and the District of Columbia to attract new business to the region. Since all three jurisdictions have different tax structures, that will be no easy feat either.
Maryland & Virginia: Battle to claim the cybersecurity mantle
But the biggest obstacle to those pushing a Greater Washington cybersecurity domination plan may be that elements within the state governments themselves are, by many accounts, obstructing this kind of kumbaya approach.
To them, it’s clearly a competition. “We are correct in calling Maryland the epicenter for cybersecurity,” says Mr. Wells, the Maryland director of cyber development, pointing to his state’s “Cyber Maryland” initiative. Launched in 2010, it was the country’s first state-coordinated approach to harness federal, state, and local governments; private businesses; and academia to promote cybersecurity opportunities.
But Karen Jackson, Virginia’s secretary of technology, is not willing to capitulate. “Virginia will come out on top,” Ms. Jackson says. “We’re nationally ranked as the best place to do business. That’s a national ranking that says we’re better than everyone else.”
Maryland and Virginia are busy luring jobs and contracts that could make them each No. 1. Jackson says she personally is working hardest on landing the “Civilian Cyber Campus,” which is intended to be a new center to consolidate civilians from the departments of Homeland Security and Justice onto one campus. President Obama’s budget for next year requested $227 million for the center, though the location has not been named. Compared to Silicon Valley, suburban Washington is not exactly known for its entrepreneurial spirit. But private businesses are crucial to creating a successful cybersecurity business ecosystem.
Some successful security companies have sprouted up locally, including Virginia’s Mandiant, which was acquired last year by FireEye for $1 billion, and Maryland’s Sourcefire, which Cisco bought for $2.7 billion the year before. The competition to attract more of these companies is perhaps not surprising. Each state wants to see a return on the public dollars invested. “Our funders care very much about it, and they do look at it as zero sum,” says Rick Gordon of MACH37, a so-called business accelerator designed to make local cybersecurity start-ups succeed, funded in part with
$4 million in Virginia state money over two years. “If Maryland gets one of our businesses, they look at it as a loss.”
In the broader national competition, however, unity advocates believe the clashing incentives are counterproductive. “We’re like, ‘Stop! Stop arguing with each other! We’re collectively the home of cyber here in this region,’ ” Dinegar says.
“Frankly, if we worked better together, we wouldn’t have Silicon Valley eating our lunch, or Austin, Texas, emerging as strong as they’re emerging,” he adds. “There’s plenty for everybody, so let’s not be greedy.”
San Antonio: Forget ‘Alamo City.’ This is ‘Cyber City USA’
San Antonio’s leaders have already claimed the title “Cyber City USA.” And John Dickson wants to cement its position.
That’s why Mr. Dickson, who chairs the cybersecurity task force at San Antonio’s Chamber of Commerce, went door-to-door in the halls of Congress this February to lobby senators and representatives from Texas to bring his city more business. San Antonio’s military presence has already created a nexus of cybersecurity operations in the area. Three centers – the Air Force Cyber Command; the Air Force Intelligence, Surveillance, and Reconnaissance Agency; and the NSA’s Texas Cryptologic Center – are estimated to employ more than 6,000 people.
So Dickson, a former Air Force officer, and other community leaders have been lobbying the Pentagon and NSA to allow local military and intelligence operations to hire their own contractors. Current policy, Dickson says, means companies “have to make a pilgrimage to Maryland to win contracts, so it gives an advantage to contractors in the D.C. area.”
San Antonio’s history with cybersecurity dates back to the mid-1980s, when computer networks were just developing and the military stationed some of the earliest cybersecurity personnel in the city. Over time, the outflow of skilled personnel leaving the military and staying local has in part led to some advantages for the city: Close to 100 cybersecurity-oriented companies are located in the area, according to a study by Deloitte commissioned by the San Antonio Chamber of Commerce. And San Antonio has the second largest concentration of Certified Information Systems Security Professionals in the US, the study shows. As for its odds against other regions, Deloitte put it this way: “Cybersecurity as an industry is still in its infancy, and San Antonio is among the elite locations poised for growth.”
California: Developing a cybersecurity-specific sales pitch
California’s real advantage over the East Coast comes from its lineup of commercial power players, from McAfee in Santa Clara to Symantec in Mountain View. “Silicon Valley is the hub for enterprise cybersecurity, where big businesses are coming up with better firewalls, because there are a lot of big tech businesses out there,” says venture capitalist John Backus.
As Mr. Backus, the founder of New Atlantic Ventures, explains, the East Coast is the hub for research and development – cybersecurity work that’s still classified and may not show up inside the enterprise world for years. When it comes to venture capital in cybersecurity, California dominates the rest of its challengers, according to figures provided by the National Venture Capital Association. In 2014, the state accounted for $1.5 billion of the $2.1 billion total venture capital money spent on cybersecurity.
Last fall, California’s cybersecurity industry got another boost when the William and Flora Hewlett Foundation awarded the University of California, Berkeley and Stanford University each with $15 million to jump-start policy analysis and new ideas in the field. Still, state officials know they have a long way to go before they can claim the mantle of cybersecurity capital. California gets so much seed funding in large part because the venture capital industry is located there, not necessarily because it has a better cybersecurity story to tell.
“There was a thought that companies were being recruited out of California because there was nothing – no narrative – about cyber in California,” says Louis Stewart, who is California’s deputy director of innovation and entrepreneurship. So Gov. Jerry Brown, he says, commissioned a task force to “tell that story.”
The group, led by the Governor’s Office of Emergency Services and the Department of Technology, is working on a proposal for how to unify the state’s efforts on cybersecurity and how much to invest in wooing companies.
While state officials devise a strategy, San Diego is already attempting to become a locus of cyber activity. Ken Slaght, a former head of the Navy’s Space and Naval Warfare Systems Command, located in the city, has retired from the military to co-chair San Diego’s Cyber Center of Excellence. It’s a public-private partnership to accelerate the city’s economy by harnessing its cybersecurity assets. Mr. Slaght, a retired rear admiral, says more than 6,600 people work in the cybersecurity industry in San Diego, including some 3,100 from his former military command, which administers hundreds of millions of dollars a year in contracts. More than 100 small to medium-sized cybersecurity companies call the city home, though others say it is more than triple that size.
Last year, Slaght estimates, cybersecurity workers contributed $1.5 billion to the local economy – the equivalent of hosting more than three Super Bowls or eight Comic Cons, the big comic conventions. “Those are huge tourism drivers here,” he says, “but if you add up what cyber could do, they almost pale in comparison.”
Florida: Cyber in the land of citrus
Forget “Sunshine State.” Sri Sridharan’s goal is to make Florida “the Cyber State.”
Yes, he bolded, italicized, and underlined that prefix for special emphasis in the title of a report asking for $16.1 million every year from the governing board of the State University System of Florida to establish a center for cybersecurity. “One of a handful of states will emerge as the leader in cybersecurity and become the magnet that attracts the billions of dollars of private-sector and military spending that will be invested in this emerging field,” Mr. Sridharan wrote in the pitch, submitted to the board in December 2013. “Florida can become this leader.”
The sales pitch worked. Sridharan now directs the Florida Center for Cybersecurity, which received an initial investment of
$5 million from the state. Headquartered at the University of South Florida, the center connects the state’s 12 public universities and its experts under one umbrella to expand academic curricula and score government grants in cybersecurity. The center will offer the state’s best resources – people and locations – when it submits proposals for contracts. This way, one Florida university will not be competing against another for the pot of cybersecurity grant money.
Across the country, companies can’t hire cybersecurity graduates fast enough to fill the job openings, and Sridharan wants them to pluck people from Florida. With thousands more certificates in cybersecurity predicted across the state under the new initiative, many of these Florida graduates, Sridharan expects, will be taking jobs that pay six-figure salaries. And the state predicts a return on the money it’s investing in the academic programs through increased federal and industry R&D expenditures, patents and licensing revenues, and a proliferation of start-up companies.
Florida, at the outset, seems an unlikely contender to dominate the cybersecurity market. Nine of the top 10 cities in the country known as hotbeds for identity theft are in Florida. Government officials often note, Sridharan acknowledges, “we have the largest number of crooks in the entire country.” But he insists the fraud actually helps his case. “We really need [the Florida center] to address this problem in a big way.”
Massachusetts: Leveraging academic brainpower
Massachusetts is a center for security research and academic study across its many universities, from Harvard and Worcester Polytechnic Institute to the Massachusetts Institute of Technology, the third recipient of the Hewlett Foundation’s $15 million cybersecurity grant. An academic powerhouse, Massachusetts is the natural home for analysts and thought leadership in cybersecurity.
Like California, Boston has the benefit of being an existing venture capital hub. And, in 2011, a nonprofit consortium of universities, local government, and industry launched the Advanced Cyber Security Center. Its membership spans a wide range of businesses, from banks to pharmaceutical companies to health insurance firms. The ACSC also wants to build a “center for excellence.” The vision: Graduate and postdoctoral students, supervised by faculty, would work with cybersecurity companies on research products aligned with industry interests.
Charlie Benway, ACSC’s director, says industry partners have already promised they would triple whatever the state contributes to the project. Local leaders are also trying to get new Gov. Charlie Baker to buy into a broad plan to boost cybersecurity. ACSC hopes he will channel millions of dollars into the field the way the previous Massachusetts administration invested in life sciences.
“We have the resources and capabilities to be one of those centers of gravity [in cybersecurity],” Mr. Benway says.
For now, Cyber Capital USA is anyone’s title to win.
Not all cities will win the prize just because they chase it. There’s precedent for this as far back as the turn of the century. “Automobiles were made everywhere, from Long Island to Richmond, Va.,” New America’s Peter Singer says. “Detroit was the winner of that revolution.”
History also shows that early chasers and champions of an industry don’t always end up winning it. Chicago, for instance, was a hub for the movie industry before Los Angeles, with its diverse scenery, became the star of that business. Similarly, “Philadelphia is, ultimately, the home of the computer, but Silicon Valley is the winner of the computer [industry],” Singer notes.
Perhaps that’s why so many parts of the country are throwing their tax incentives and visions of grandeur into the cybersecurity ring. This includes Washington State, with megacompanies Microsoft and Amazon. And Georgia, where information security generates $4.7 billion in annual revenue. Even Huntsville, Ala., is vying to be an internationally recognized leader in the field.
Still, there is inherent risk in the cybersecurity market being seen as such an easy target – and all competitors offering everything from data centers to tax breaks to a skilled labor pool. Local governments trying to woo business, as Gabriel Mathy, an assistant professor of economic history at American University in Washington, points out, may dole out expensive subsidies and invest in other incentives only to find companies leave when a better offer comes along in another state. That’s why getting in on the industry’s boom early certainly helps even in a digital industry: A critical mass of talented workers who want to live and work around each other, and thus create a pool for businesses to recruit from, will be key to creating a social and business tie to one of these regions as the home to cybersecurity.
It’s worth remembering, though, as an ironic caution, that cybersecurity itself could kill the cybersecurity industry. The only goods and services this sector produces are those to protect against threats to existing technology. If the government manages to deter hackers in countries such as China or Russia, or if cybersecurity solutions become too good, the frenzy of economic development may turn out to be far less profitable. “If the threats disappear, the industry will not do that well,” Mr. Mathy notes.
Fortunately for the business ambitions of these budding cyber empires, the threats are unlikely to disappear anytime soon. And until one region comes out the winner, this is the newest gold rush of the Digital Age.