At the Security Innovation Network (SINET) Showcase at The National Press Club in Washington, D.C., this week, Michael Chertoff, former Secretary of the Department of Homeland Security, presented a dire assessment of the cyber-security threat facing our nation. He discussed how rogue governments and hackers are quietly infiltrating our computer systems and the disasters that can be perpetuated—like those you see on the TV show “24”. Chertoff worries that these risks haven’t yet gripped the public imagination; that it may take a “digital 9-11” to get businesses, consumers, and governments to fortify their defenses.
The most troublesome thing I learned by talking with a who’s who of our nation’s security community was that our government doesn’t believe it has the ability to defend us from the rapidly evolving threats. Yes, the National Security Agency and some branches of government have brilliant computer scientists working for them and can defend their own systems; but the rest of us are our own. The Government simply can’t innovate fast enough to keep pace with the pervasive threats and dynamics of the internet or Silicon Valley’s rapidly changing technologies. Indeed, as George Hoyem, a partner at the CIA-backed venture fund In-Q-Tel, noted, there has been a 571 percent growth in malware since 2006; today, 60 percent of all websites are infected.
The experts agreed that we need private industry to step in and help solve the world’s cyber-security problems. But we can’t count on the big companies—they can’t innovate as fast as startups can. So our entrepreneurs need to lead the charge. And many are doing just that. Robert Ackerman, managing director at Allegiance Capital, said that in 1981 more than 70 percent of research and development in security technology was done by companies with 25,000 employees or more, and less than 5 percent was done by companies with fewer than 1000 employees. Today, the large companies perform 38% of the R&D, and companies with fewer than 1000 employees do about 25%.
But here’s the big obstacle: when it comes to Government—which is one of the biggest markets for security technologies, the deck is stacked against the entrepreneur. Nearly all big government contracts go to large contractors. These contracts run not in the millions of dollars, but in billions. And we don’t get billions of dollars of value—if we’re lucky, we get some clunky old systems that entrepreneurs could have delivered much better versions of in a fraction of the time and a tiny fraction of the cost. Because these contracts are so big, they require many levels of approval—usually by Congress. It typically takes 3-4 years for government to award these. Companies have to go through a grueling “certification” process to get approved to bid, and it costs millions of dollars to prepare proposals and to lobby government officials and political leaders. Startups can’t wait this long or afford the cost of bidding.
The chasm between government and entrepreneur couldn’t be wider. All of the government officials I talked to were open to change and seemed eager to embrace new technologies; yet they had no idea where to start or how to get around their own bureaucracy.
Silicon Valley and Washington, D.C., are located three thousand miles apart in space and light years apart in concept. Technology managers in government don’t know where to find the entrepreneurs who are ready and able to build innovative solutions. And when they do come across them, they don’t have mechanisms to fund, support, or purchase technology from startups. So government managers are forced to deal only with the big contractors—who have a greater incentive to add staff (and so increase billing) than to cut costs through innovation. Not only are we wasting billions of dollars, but our nation’s defense industrial base is neglecting the vast majority of innovation from early stage and emerging growth companies.
What should the government do to remove the obstacles? There were some great ideas discussed, by people like Curtis Carlson, CEO of SRI International; Dean DeBiase, of Reboot Partners; Asheem Chandna of Greylock Partners; and SINET’s founder Robert Rodriguez:
1. Overhaul the acquisition and procurement process to level the playing field for small companies: it must be made easier for startups to bid for government contracts and the selection criteria balanced to weigh equally the risk of technology obsolescence with the risk of a startup’s failing. Procurement times should be reduced to months rather than years; some projects should be done in smaller steps so that the big guys aren’t the only ones qualified to complete them.
2. Increase awareness between technology buyers, builders, investors, and researchers. The SINET event was billed as the first of its kind. In Silicon Valley, such networking events—between entrepreneurs, investors, buyers, and academics—take place at least every week. Why not bring government technologists to Silicon Valley and other tech centers on a frequent basis? They will understand what is happening in the tech world, and entrepreneurs will get the chance to learn what problems need to be solved and to meet the people they can sell their solutions to.
3. Provide tax incentives for security innovations—R&D tax breaks, similar to the high-efficiency-energy tax breaks for consumers.
4. Provide seed funding for startups. One of the reasons for which Silicon Valley has so many Web 2.0-type startups, is that successful entrepreneurs, who have made their fortunes, are playing the role of Angel and VC. They provide funding and mentorship. Why not provide government technology managers with the ability to fund and mentor the startups that they believe can solve critical problems?
One more great idea (not from SINET, but reported by Rob Pegoraro, of The Washington Post) is from Internet pioneer Vint Cerf. Vint advocates the creation of a “cyber fire department”—a recognized, trusted, public entity that companies can call upon when they need help. This would function as Sandia National Laboratories did in battling the Conficker worm.
Bottom line: until changes begin to occur on a national scale, U.S. cyber-security will remain a global backwater in the continually innovating domain that is cyberspace.
Editor’s note: Guest writer Vivek Wadhwa is an entrepreneur turned academic. He is a Visiting Scholar at UC-Berkeley, Senior Research Associate at Harvard Law School and Director of Research at the Center for Entrepreneurship and Research Commercialization at Duke University. You can follow him on Twitter at @vwadhwa and find his research at www.wadhwa.com.