The cyber gold rush
| washington
On an aluminum-gray day,听dozens of businesspeople filed off luxury tour buses. They huddled around the Army colonel who commands the sprawling Fort George G. Meade, Md., base that鈥檚 home to the National Security Agency and the US military鈥檚 cyberwarfare command. He told them that protecting the country from adversaries over computer networks is now just as crucial as protecting it on land, in the air, at sea, and in space. It was hard to hear him over the clanking and screeching of bulldozers and cranes, building what will become a 750,000-square-foot data center.
Yet this cacophonous scene was exactly what Jim Dinegar, chief executive officer of the Greater Washington Board of Trade, wanted the 82 bank presidents, construction magnates, real estate agents, and mortgage brokers he invited on this 鈥渃yber bus tour鈥 to see: that the US government is taking the threat so seriously that the base is razing the rest of its cherished 36-hole golf course to make way for more computing power to safeguard the nation.
Mr. Dinegar hopes the military鈥檚 double-down on cybersecurity will convince the businesspeople it鈥檚 worth supplying the thousands of specialists who will be attracted to the area with everything from homes to dry cleaning to office-moving services. After all, Dinegar鈥檚 top mission is to bring jobs and business to the District of Columbia, northern Virginia, and suburban Maryland. He wants boomtowns. Cybersecurity, he says, 鈥渋s an opportunity that鈥檚 bigger than anything I鈥檝e ever seen.鈥
But Dinegar is facing stiff competition. He鈥檚 not the only one equating the country鈥檚 cyber insecurity with dollar signs.
While California鈥檚 Silicon Valley is the technology capital of America, cities and states across the country are now vying to dominate the next big economic frontier 鈥 the booming market for securing what actually lies within the nation鈥檚 electronic networks.听
From California to Texas to Florida, public and private groups are positioning themselves to win millions in federal contracts and from venture capital firms. Some are going to extraordinary lengths to build what they call 鈥渁 cybersecurity ecosystem.鈥 They are commissioning economic-impact studies, hatching tax-incentive packages, and hiring PR firms to devise branding strategies. They are investing in start-ups with money from state coffers. With as many as 300,000 cybersecurity jobs in the United States going unfilled last year alone, according to security company Symantec, they are also crafting academic programs for public universities to win research grants and generate the next generation of highly skilled workers poised to make six-figure salaries 鈥 and stay local.听
The nation has seen all this before, of course. The cyber gold rush is part of an enduring attempt by cities and states to tap the next great emerging industry in the name of economic salvation. From the birth of the automobile and steel industries, through the aerospace, computer, and biotech eras, communities have sought to ride industrial cycles to prosperity and middle-class comfort. Some were successful. Some weren鈥檛. Now cybersecurity promises to produce a similar spreadsheet of winners and losers 鈥 with a few notable differences. 听
Unlike the actual gold rush in California in the mid-1800s, or the clustering of manufacturing industries in the Northeast and upper Midwest decades later, the cybersecurity gold rush is not dependent on the availability of natural resources. And unlike the automobile industry, an ability to build physical structures or sprawling factories to dominate the competition through mass production will not determine which city becomes the epicenter of data protection. Economists note the start-up cost to be a cybersecurity hub 鈥 even with pricey data centers 鈥 is far less than, say, the relative cost of what it took to create assembly lines in the early 1900s.
Yet the potential return for cities is substantial. In 2011, the global cybersecurity market hit $67 billion. It is projected to grow to as high as $156 billion by 2019, according to Markets and Markets, a Dallas-based research firm. The need for cybersecurity is likely only to grow as more giants such as Sony Pictures Entertainment, Target, and Home Depot are hacked; consumers demand better security; and businesses grow more aware of the potential cost to their sales and reputation if they do not provide it.听
On a consumer level, the way people interact with technology in their homes and on their bodies will also drive the market. Networking giant Cisco predicts there will be some 50 billion devices and objects connected to the Internet by 2020. Already, smart watches track your heart rate, and thermostats in your home can be controlled remotely by cellphone apps. This burgeoning Internet of Things drives a pressing need to protect the increasingly personal data people put online.听
鈥淭his is one of the fastest growing industries 鈥 not just in the tech sector, but in the world,鈥 says Peter Singer, a strategist who focuses on cybersecurity at the New America think tank in Washington. And no one has yet claimed it, Mr. Singer says. 鈥淲hat鈥檚 the next Silicon Valley for cybersecurity?鈥澨
While cybersecurity 鈥渋s about digital systems and processes,鈥 he continues, 鈥渢here are still people behind it. The people, and companies they work for, have to physically be somewhere.... Where will these people and firms be located? It鈥檚 not yet shook out where it will be.鈥
D.C. Metro:听The federal government advantage
In a competition for cybersecurity business, the area around the nation鈥檚 capital has a huge advantage with the alphabet soup of government agencies, and concentration of military installations. For starters, there鈥檚 the Central Intelligence Agency and the Pentagon, in Virginia; the Federal Bureau of Investigation and Department of Homeland Security, in the District of Columbia; and Fort Meade and the Defense Information Systems Agency, in Maryland.
Here鈥檚 the true power of geography in the Beltway: contracting. Federal contracts with the National Security Agency (NSA), for instance, often have requirements that companies be within a few miles of the government customers paying them. 鈥淪ilicon Valley is a little bit more than five miles away,鈥 Dinegar quips.
So even as the traditional defense budget shrinks at the end of a decade of war in Iraq and Afghanistan, federal money for cybersecurity is increasing. The Pentagon鈥檚 requested $5.5 billion for its cybersecurity operations next year is up 30 percent from just two years ago. The department is on track to spend around $23 billion on it within five years. And the flood of federal dollars is a strong reason why the Washington area posted more than 23,400 cybersecurity jobs last year 鈥 dramatically more than any other region, including in the Bay Area.
Cybersecurity, says Jeffrey Wells, Maryland鈥檚 director for cyber development, 鈥渋s just a piece of what Silicon Valley is doing, whereas here it鈥檚 our core ecosystem.鈥澨
To be a more formidable 鈥渃yber capital,鈥 however, Virginia, Maryland, and the District of Columbia should band together, Dinegar argues, because right now each area鈥檚 respective assets 鈥渃ancel each other out鈥 as national leaders.
Economic and business organizations in the three areas want the government to spend around $300 million to extend the routes of Maryland鈥檚 and Virginia鈥檚 commuter trains to allow more direct access to remote suburban tech hubs. Otherwise, it鈥檒l be tough to attract highly educated 20- and 30-something urban dwellers to those jobs. The Greater Washington Board of Trade is also trying to arrange uniform tax incentives across Maryland, Virginia, and the District of Columbia to attract new business to the region. Since all three jurisdictions have different tax structures, that will be no easy feat either.
Maryland & Virginia:听Battle to claim the cybersecurity mantle
But the biggest obstacle to those pushing a Greater Washington cybersecurity domination plan may be that elements within the state governments themselves are, by many accounts, obstructing this kind of kumbaya approach.
To them, it鈥檚 clearly a competition. 鈥淲e are correct in calling Maryland the epicenter for cybersecurity,鈥 says Mr. Wells, the Maryland director of cyber development, pointing to his state鈥檚 鈥淐yber Maryland鈥 initiative. Launched in 2010, it was the country鈥檚 first state-coordinated approach to harness federal, state, and local governments; private businesses; and academia to promote cybersecurity opportunities.
But Karen Jackson, Virginia鈥檚 secretary of technology, is not willing to capitulate. 鈥淰irginia will come out on top,鈥 Ms. Jackson says. 鈥淲e鈥檙e nationally ranked as the best place to do business. That鈥檚 a national ranking that says we鈥檙e better than everyone else.鈥
Maryland and Virginia are busy luring jobs and contracts that could make them each No. 1. Jackson says she personally is working hardest on landing the 鈥淐ivilian Cyber Campus,鈥 which is intended to be a new center to consolidate civilians from the departments of Homeland Security and Justice onto one campus. President Obama鈥檚 budget for next year requested $227 million for the center, though the location has not been named. Compared to Silicon Valley, suburban Washington is not exactly known for its entrepreneurial spirit. But private businesses are crucial to creating a successful cybersecurity business ecosystem.
Some successful security companies have sprouted up locally, including Virginia鈥檚 Mandiant, which was acquired last year by FireEye for $1 billion, and Maryland鈥檚 Sourcefire, which Cisco bought for $2.7 billion the year before. The competition to attract more of these companies is perhaps not surprising. Each state wants to see a return on the public dollars invested. 鈥淥ur funders care very much about it, and they do look at it as zero sum,鈥 says Rick Gordon of MACH37, a so-called business accelerator designed to make local cybersecurity start-ups succeed, funded in part with
听$4 million in Virginia state money over two years. 鈥淚f Maryland gets one of our businesses, they look at it as a loss.鈥
In the broader national competition, however, unity advocates believe the clashing incentives are counterproductive. 鈥淲e鈥檙e like, 鈥楽top! Stop arguing with each other! We鈥檙e collectively the home of cyber here in this region,鈥 鈥 Dinegar says.听
鈥淔rankly, if we worked better together, we wouldn鈥檛 have Silicon Valley eating our lunch, or Austin, Texas, emerging as strong as they鈥檙e emerging,鈥 he adds. 鈥淭here鈥檚 plenty for everybody, so let鈥檚 not be greedy.鈥
听
San Antonio:听Forget 鈥楢lamo City.鈥 This is 鈥楥yber City USA鈥
San Antonio鈥檚 leaders have already claimed the title 鈥淐yber City USA.鈥 And John Dickson wants to cement its position.
That鈥檚 why Mr. Dickson, who chairs the cybersecurity task force at San Antonio鈥檚 Chamber of Commerce, went door-to-door in the halls of Congress this February to lobby senators and representatives from Texas to bring his city more business. San Antonio鈥檚 military presence has already created a nexus of cybersecurity operations in the area. Three centers 鈥 the Air Force Cyber Command; the Air Force Intelligence, Surveillance, and Reconnaissance Agency; and the NSA鈥檚 Texas Cryptologic Center 鈥 are estimated to employ more than 6,000 people.听
So Dickson, a former Air Force officer, and other community leaders have been lobbying the Pentagon and NSA to allow local military and intelligence operations to hire their own contractors. Current policy, Dickson says, means companies 鈥渉ave to make a pilgrimage to Maryland to win contracts, so it gives an advantage to contractors in the D.C. area.鈥澨
San Antonio鈥檚 history with cybersecurity dates back to the mid-1980s, when computer networks were just developing and the military stationed some of the earliest cybersecurity personnel in the city. Over time, the outflow of skilled personnel leaving the military and staying local has in part led to some advantages for the city: Close to 100 cybersecurity-oriented companies are located in the area, according to a study by Deloitte commissioned by the San Antonio Chamber of Commerce. And San Antonio has the second largest concentration of Certified Information Systems Security Professionals in the US, the study shows. As for its odds against other regions, Deloitte put it this way: 鈥淐ybersecurity as an industry is still in its infancy, and San Antonio is among the elite locations poised for growth.鈥
California:听Developing a cybersecurity-specific sales pitch
California鈥檚 real advantage over the East Coast comes from its lineup of commercial power players, from McAfee in Santa Clara to Symantec in Mountain View. 鈥淪ilicon Valley is the hub for enterprise cybersecurity, where big businesses are coming up with better firewalls, because there are a lot of big tech businesses out there,鈥 says venture capitalist John Backus.
As Mr. Backus, the founder of New Atlantic Ventures, explains, the East Coast is the hub for research and development 鈥 cybersecurity work that鈥檚 still classified and may not show up inside the enterprise world for years. When it comes to venture capital in cybersecurity, California dominates the rest of its challengers, according to figures provided by the National Venture Capital Association. In 2014, the state accounted for $1.5 billion of the听$2.1 billion total venture capital money spent on cybersecurity.听
Last fall, California鈥檚 cybersecurity industry got another boost when the William and Flora Hewlett Foundation awarded the University of California, Berkeley and Stanford University each with $15 million to jump-start policy analysis and new ideas in the field. Still, state officials know they have a long way to go before they can claim the mantle of cybersecurity capital. California gets so much seed funding in large part because the venture capital industry is located there, not necessarily because it has a better cybersecurity story to tell.
鈥淭here was a thought that companies were being recruited out of California because there was nothing 鈥 no narrative 鈥 about cyber in California,鈥 says Louis Stewart, who is California鈥檚 deputy director of innovation and entrepreneurship. So Gov. Jerry Brown, he says, commissioned a task force to 鈥渢ell that story.鈥
The group, led by the Governor鈥檚 Office of Emergency Services and the Department of Technology, is working on a proposal for how to unify the state鈥檚 efforts on cybersecurity and how much to invest in wooing companies.听
While state officials devise a strategy, San Diego is already attempting to become a locus of cyber activity. Ken Slaght, a former head of the Navy鈥檚 Space and Naval Warfare Systems Command, located in the city, has retired from the military to co-chair San Diego鈥檚 Cyber Center of Excellence. It鈥檚 a public-private partnership to accelerate the city鈥檚 economy by harnessing its cybersecurity assets. Mr. Slaght, a retired rear admiral, says more than 6,600 people work in the cybersecurity industry in San Diego, including some 3,100 from his former military command, which administers hundreds of millions of dollars a year in contracts. More than 100 small to medium-sized cybersecurity companies call the city home, though others say it is more than triple that size.
Last year, Slaght estimates, cybersecurity workers contributed $1.5 billion to the local economy 鈥 the equivalent of hosting more than three Super Bowls or eight Comic Cons, the big comic conventions. 鈥淭hose are huge tourism drivers here,鈥 he says, 鈥渂ut if you add up what cyber could do, they almost pale in comparison.鈥
Florida:听Cyber in the land of citrus听
Forget 鈥淪unshine State.鈥 Sri Sridharan鈥檚 goal is to make Florida 鈥the Cyber State.鈥澨
Yes, he bolded, italicized, and underlined that prefix for special emphasis in the title of a report asking for $16.1 million every year from the governing board of the State University System of Florida to establish a center for cybersecurity. 鈥淥ne of a handful of states will emerge as the leader in cybersecurity and become the magnet that attracts the billions of dollars of private-sector and military spending that will be invested in this emerging field,鈥 Mr. Sridharan wrote in the pitch, submitted to the board in December 2013. 鈥淔lorida can become this leader.鈥
The sales pitch worked. Sridharan now directs the Florida Center for Cybersecurity, which received an initial investment of
听$5 million from the state. Headquartered at the University of South Florida, the center connects the state鈥檚 12 public universities and its experts under one umbrella to expand academic curricula and score government grants in cybersecurity. The center will offer the state鈥檚 best resources 鈥 people and locations 鈥 when it submits proposals for contracts. This way, one Florida university will not be competing against another for the pot of cybersecurity grant money.
Across the country, companies can鈥檛 hire cybersecurity graduates fast enough to fill the job openings, and Sridharan wants them to pluck people from Florida. With thousands more certificates in cybersecurity predicted across the state under the new initiative, many of these Florida graduates, Sridharan expects, will be taking jobs that pay six-figure salaries. And the state predicts a return on the money it鈥檚 investing in the academic programs through increased federal and industry R&D expenditures, patents and licensing revenues, and a proliferation of start-up companies.
Florida, at the outset, seems an unlikely contender to dominate the cybersecurity market. Nine of the top 10 cities in the country known as hotbeds for identity theft are in Florida. Government officials often note, Sridharan acknowledges, 鈥渨e have the largest number of crooks in the entire country.鈥 But he insists the fraud actually helps his case. 鈥淲e really need [the Florida center] to address this problem in a big way.鈥澨
Massachusetts:听Leveraging academic brainpower
Massachusetts is a center for security research and academic study across its many universities, from Harvard and Worcester Polytechnic Institute to the Massachusetts Institute of Technology, the third recipient of the Hewlett Foundation鈥檚 $15 million cybersecurity grant. An academic powerhouse, Massachusetts is the natural home for analysts and thought leadership in cybersecurity.
Like California, Boston has the benefit of being an existing venture capital hub. And, in 2011, a nonprofit consortium of universities, local government, and industry launched the Advanced Cyber Security Center. Its membership spans a wide range of businesses, from banks to pharmaceutical companies to health insurance firms. The ACSC also wants to build a 鈥渃enter for excellence.鈥 The vision: Graduate and postdoctoral students, supervised by faculty, would work with cybersecurity companies on research products aligned with industry interests.听
Charlie Benway, ACSC鈥檚 director, says industry partners have already promised they would triple whatever the state contributes to the project. Local leaders are also trying to get new Gov. Charlie Baker to buy into a broad plan to boost cybersecurity. ACSC hopes he will channel millions of dollars into the field the way the previous Massachusetts administration invested in life sciences.听
鈥淲e have the resources and capabilities to be one of those centers of gravity [in cybersecurity],鈥 Mr. Benway says.
For now, Cyber Capital USA is anyone鈥檚 title to win.
Not all cities will win the prize just because they chase it. There鈥檚 precedent for this as far back as the turn of the century. 鈥淎utomobiles were made everywhere, from Long Island to Richmond, Va.,鈥 New America鈥檚 Peter Singer says. 鈥淒etroit was the winner of that revolution.鈥
History also shows that early chasers and champions of an industry don鈥檛 always end up winning it. Chicago, for instance, was a hub for the movie industry before Los Angeles, with its diverse scenery, became the star of that business. Similarly, 鈥淧hiladelphia is, ultimately, the home of the computer, but Silicon Valley is the winner of the computer [industry],鈥 Singer notes.听
Perhaps that鈥檚 why so many parts of the country are throwing their tax incentives and visions of grandeur into the cybersecurity ring. This includes Washington State, with megacompanies Microsoft and Amazon. And Georgia, where information security generates $4.7 billion in annual revenue. Even Huntsville, Ala., is vying to be an internationally recognized leader in the field.听
Still, there is inherent risk in the cybersecurity market being seen as such an easy target 鈥 and all competitors offering everything from data centers to tax breaks to a skilled labor pool. Local governments trying to woo business, as Gabriel Mathy, an assistant professor of economic history at American University in Washington, points out, may dole out expensive subsidies and invest in other incentives only to find companies leave when a better offer comes along in another state. That鈥檚 why getting in on the industry鈥檚 boom early certainly helps even in a digital industry: A critical mass of talented workers who want to live and work around each other, and thus create a pool for businesses to recruit from, will be key to creating a social and business tie to one of these regions as the home to cybersecurity.听
It鈥檚 worth remembering, though, as an ironic caution, that cybersecurity itself could kill the cybersecurity industry. The only goods and services this sector produces are those to protect against threats to existing technology. If the government manages to deter hackers in countries such as China or Russia, or if cybersecurity solutions become too good, the frenzy of economic development may turn out to be far less profitable. 鈥淚f the threats disappear, the industry will not do that well,鈥 Mr. Mathy notes.听
Fortunately for the business ambitions of these budding cyber empires, the threats are unlikely to disappear anytime soon. And until one region comes out the winner, this is the newest gold rush of the Digital Age.听
听
