When Apple’s pledge to defy the FBI over a request to unlock the encryption on a terrorist’s iPhone ignited a media frenzy this month, analysts immediately started speculating on how the apparent crisis might create new lines of business.
Corporate data security is “a multibillion-dollar industry that Apple has not really targeted,” Credit Suisse analyst Michael Boyd wrote on financial website Seeking Alpha, where he disclosed a long-term position in Apple stock. “The current situation with the U.S. Government just makes the timing all the better as the case plays out over the coming months.”
But Apple isn’t the only company positioned to bring encryption to new markets. After high-profile hacks hit major corporations such as Sony, JPMorgan and Hilton, many D.C.-area cybersecurity companies specializing in encryption pivoted toward deep-pocketed corporate clients rather than consumers.
One is Silent Circle, the project of encryption pioneer Phil Zimmermann and former Navy SEAL Mike Janke, whose U.S. operations are run out of National Harbor, Md. The company is best known for an encrypted Blackphone, a smartphone initially marketed to individuals trying to evade various forms of surveillance.
A few years ago, the company noticed a shift in where its customers were coming from. Security-concerned businesses were buying Blackphones in bulk so that employees could communicate securely.
Silent Circle responded by launching a suite of services specific to organizations, sometimes charging upward of hundreds of thousands of dollars annually for each subscription.
The company reported a 400 percent surge in subscriptions after Edward Snowden’s National Security Agency leaks in 2013. Sean Penn said he used Blackphone to evade Drug Enforcement Administration phone trackers while coordinating a secret interview with cartel boss Joaquín “El Chapo” Guzmán.
Today more than 95 percent of Silent Circle’s subscriptions come from business or government customers with negotiated contracts.
“Enterprise is overwhelmingly the key market for us,” Bill Conner, the company’s chief executive, said in an email.
Bethesda-based Koolspan, which also provides encrypted text and phone services, sells primarily to private businesses — including phone manufacturers such as Samsung — and a few government agencies.
Among Koolspan’s customers, “far and away the biggest population are businesses; people that are communicating about intellectual property,” said Koolspan’s chairman, Elad Yoran.
Koolspan’s secure calling app costs $180 per year for each individual user who is signed up. The company claims to have upward of 100,000 users, but most come through resellers, which take about 30 percent of the revenue from individual users.
And as larger encrypted security companies pivot toward selling to businesses, start-ups are following suit.
A young Tysons Corner, Va.-based company called ArmorText, which once targeted consumers, is aiming its encrypted messaging service at businesses, hoping to mushroom through the workplace like Slack and HipChat by convincing businesses that its product is harder to hack.
Also in Tysons, a start-up called Cyph is trying something similar, selling encryption services for phone and text.
Founders Ryan Lester and Joshua Boehm began toying with the idea in their teenage years without any plans to monetize it before they both ended up as engineers at SpaceX.
“We were using [encrypted messaging] on and off for fun to make us feel like secret agents,” Lester said. “But when the NSA thing happened, we realized not having encryption easily accessible was a big problem for some people.”
They eventually left SpaceX and started their own company.
“Every few weeks, I’ll see some new competitor pop up,” Lester said.
When asked how they feel about the FBI’s demand that Apple build a back door into its encryption, many of these executives recoil. Build even the tiniest, most well-concealed door and the bad guys will find it, they say, defeating the purpose of encryption.
“Once vulnerabilities are introduced into the encryption, the bad guys would find them with almost a mathematical certainty,” Koolspan’s Yoran said.
Still, they’re more flexible when it comes to their business customers. Some businesses have regulatory reasons why they need to be able to retroactively access encrypted communications. Big banks, for example, sometimes need to be able to produce logs of employee-to-employee communications in the event of an audit.
Some encryption providers, including Koolspan and ArmorText, handle the problem by building in ways for company management to access encrypted communications. Others, such as Silent Circle, set up the cryptography so that only the two people communicating can ever see the content of the communication.
“Silent Circle (or anyone else for that matter) cannot decrypt, provide access to or insight on encrypted communications under any of our existing technology,” Conner said in the email, which was forwarded by a company spokesman.
But changes might be coming to the way Silent Circle handles its enterprise — business and government — customers.
The company is “working on the ability to allow enterprise management of our [Enterprise Privacy Platform] so that enterprise can comply with specific industry regulations,” Conner said. “This will allow enterprise to manage their call detail and messaging as prescribed by compliance requirements.”