As high-profile hacks continue to dominate the national conversation, a budding industry of former government intelligence specialists is finding success selling cybersecurity services to corporations.
Cybersecurity start-ups in the District, Maryland and Virginia cut 31 deals with venture capitalists in 2016 — twice as many as in 2012 — according to investment data analyzed by the National Venture Capital Association.
Almost all of them involved young companies in the suburban periphery, where the region’s military and intelligence agencies are located. There were 17 deals in the first two quarters of this year, and the third quarter is off to a healthy start, with two additional local cybersecurity companies disclosing sizable funding rounds this month.
Bricata, of Columbia, Md., won an $8 million investment round led by Edison Partners, a New Jersey-based venture capital fund with an office in Baltimore. Another Maryland-based firm, Dragos, raised $9 million in a funding round led by Silicon Valley venture fund Allegis Capital.
The ascendancies of the D.C. metro area’s cybersecurity industry is because of a combination of government cybersecurity talent and newfound interest from corporate America.
The boom is fueled by a steady stream of former spies, intelligence analysts and hackers coming out of the region’s military and intelligence agencies. Suburban Maryland’s security companies draw upon the National Security Agency’s campus at Fort Meade. Virginia’s start-up founders are more likely to filter out of the Defense Department or the Central Intelligence Agency.
Dragos draws heavily on that demographic. Chief executive Rob Lee was an Air Force intelligence officer who later worked for a three-letter intelligence agency (he wouldn’t say which one), where he led a unit that focused on tracking foreign governments’ attempts to hack important industrial systems.
At Dragos, he has surrounded himself with former government technologists.
“These are people who have all served their country, whether in the Air Force, the Navy or the NSA . . . people who have lived these problems and not just admired them,” Lee said.
Lee said he himself had a brief stint on the “offensive” side of the U.S. government’s cyber operations, referring to efforts to hack into rival systems.
His position gave him a deep insight into the security problems and risks faced by industry. But he says he left the intelligence community to actually solve those problems. After all, the power and water systems that are most critical to people’s daily lives are generally under private ownership.
“You can look at threats all day long, but to actually move the needle you need to go to where they have the critical infrastructure and make changes,” he said. “So we all kind of left and joined Dragos.”
Today his company sells security services to about a dozen organizations that manage the country’s “critical infrastructure,” including power and water companies, chemical processors and others.
Lee’s firm is making waves: It published a report this summer noting that hackers allied with the Russian government have apparently developed malware that could theoretically be used to hack the U.S. power grid.
The success of Dragos was made possible in large part by new seed-funding options that have just recently become easier to come by.
Lee got early funding and mentorship from DataTribe, a new Maryland incubator founded by Mike Janke, the former Navy SEAL who co-founded encryption company Silent Circle.
DataTribe has offices in Maryland and Silicon Valley. It has built its mission around connecting Silicon Valley’s community of technology financiers with Maryland’s even-more opaque cyber community, handing teams of start-up founders investments of up to $1.5 million to get them on their way.
For Ellison Anne Williams, who spent more than a decade at the NSA after finishing her PhD in mathematics, that funding was critical to building a team around her. Her company EN|Veil was the first to officially sign up with the Datatribe incubator when it opened last year.
“If you have more money you can bring more of your team out with you,” she said. “You can pay people respectable salaries.”
Competing incubators around the region offer similar options. A Maryland organization called MasterPeace maintains a unique arrangement where founders are paid a salary while they work to develop their ideas, made possible by a government contract. Northern Virginia’s Mach37 incubator cuts much smaller, $50,000 checks in return for a slice of the company, and funding it with taxpayer dollars.
Bricata, one of the recently funded Maryland companies, got early help from Maryland’s state-funded TEDCO program.
There is also a now-thriving network of “angel” investors, who invest in companies in their earliest phases of development. One of the most active is Blu Venture Investors, a consortium of entrepreneurs who fund and mentor new companies.
Last year the firm started a program specific to cybersecurity investments, with a streamlined review process meant to rival Silicon Valley’s quicker turnaround times.
These investors are hoping to convert all that classified talent into technology products for which corporations will pay top dollar. Corporations are continuing to spend more and more money to protect their systems and information, as costly corporate hacks never seem to leave the headlines.
“When we see the impact on our last presidential election, it’s obvious that the demand [for cybersecurity products and services] is there,” said Lenard Marcus, partner at Edison Partners.
Still, Marcus and others see one weakness in the D.C. area’s cybersecurity industry. Even as resources continue to proliferate for the youngest start-ups, the average deal size appears to be getting smaller.
Although the number of cyber deals per year has roughly doubled since 2012, the total amount of venture capital has increased little. With the exception of a few megadeals, at the highest end of the spectrum, such as the $250 million funding round that went to Maryland-based Tenable Network Security, most of the deals are relatively small.