Want job security? Try online security

WIRED

This article was first published in the May 2016 issue of WIRED magazine.

The growth of cybersecurity into a global industry is the result of the weaponisation of code. From 1994 to 2014, we could all enjoy online communication, commerce and convenience without having to think about security. With the evolution of more of our life into zeros and ones and the rise of the internet of things, cybersecurity needs to be accounted for as a central feature in all products being developed and commercialised.

Chris Bronk, a professor of computer and information systems, sees cybersecurity as one of the fastest-growing industries in the world. "It wouldn't shock me if it doubled in size in the next ten years," he says. And, he adds, some of the bigger Fortune 500 companies with global concerns that "really know their business priorities" are moving more and more of their IT departments to work on cybersecurity issues. "Things like managing data centres and email, and providing support to users - that's becoming less labour intensive and the security job is becoming more labour intensive. So I'd say doubling in the next five to ten years is a conservative estimate."

In 2004, the global cybersecurity market was valued at $3.5 billion (£2.43bn). In 2011 it was $64 billion; in 2015 it was $78 billion; and it's projected to be worth $120 billion by 2017. I expect the market size of the cyberindustry to increase even faster, reaching $175 billion by the end of 2017.

Peter Singer, co-author of Cybersecurity and Cyberwar: What Everyone Needs to Know, sees the industry's growth mirroring that of the internet. "It will continue to grow, most likely on an exponential curve because it's going to follow the internet itself. If five billion new people are coming online, five billion new security problems are coming online," he explains.

Finnish cybersecurity expert Mikko Hyppönen agrees. "It's going to be as big a shift for defence industries and for the militaries of the world, as was the technological shift since the second world war," he says. "We are entering an era where the big shift over the next 50 or 60 years will be the development of cyber-ops, completely virtual arms. It's the beginning of the next big shift for the militaries. Fewer than ten countries have nuclear arms. Every single country, in theory, can have cyber arms."

With such a big shift under way, Singer cautions that there's a danger of cybersecurity becoming the next military-industrial complex. If handled incorrectly, the massive growth in the cybersecurity industry could hinge on experts capitalising on our lack of technical knowledge - just as hackers do. "We've got this proto-cyber-security industrial complex, I call it the cyber-industrial complex, that may parallel the broader defence-industrial complex, which is equally taking advantage of our ignorance and fear," he says. He cites as evidence the hike in lobbying dollars going towards these issues in the US. A decade ago, only four companies were lobbying Congress on cybersecurity issues. By 2013, that figure had jumped to 1,500, he says. "There is a gravy train of people making money off this, and it sometimes aligns with government bureaucracies that are interested in heightening the perceptions of the threat to drive budget dollars for them."

The development of a cyber-industrial complex that mimics the military-industrial complex would reach the computers, tablets and smartphones of every internet user. Singer is justified in being vigilant, but I think the development of a cyber-industrial complex is unlikely for several reasons.

First, the development of weapon systems characteristic of the military-industrial complex doesn't match up well with the nature of the weapons and conflict in cybersecurity. The ability to be fast, dexterous and effective will matter more than which member of Congress you have a relationship with when it comes to winning contracts. A lot of money will be made from cybersecurity, but the companies that government will want to work with will be those that can innovate quickly, putting the lumbering bureaucracies of the military-industrial giants at a disadvantage.

Bronk has a hybrid view, expecting dexterous startups to be rolled up into large companies much as the defence giants of the military-industrial complex were, but with a Silicon Valley twist. "What I've noticed," he says, "is that good cybersecurity comes from smart researchers, and smart researchers tend to agglomerate in small groups and startups."

Bronk thinks that a big company or defence firm bulking up their respective cyber defences could buy up or invest in these smart researchers. "Cybersecurity is going to be very similar to Silicon Valley startup and acquisition patterns," he says. When a Silicon Valley company wants innovation, it either does the work in-house or contracts it out. "But getting companies to think differently about what they do and undercut their current way of business and do something radically different to make more money, that isn't in the culture of a lot of companies," he adds.

Bronk recalls talking to a Cisco executive several years ago about what companies do when they want to develop something unorthodox, noting that the US Defense Department faces similar innovation issues. The executive told him that the way his company gets around this is to look for an employee at Cisco with a good idea; then it puts that person on a leave of absence, hooks them up with a venture capital firm in Silicon Valley and gives them a year or two to work on the idea. "And then if you build it and if it works, Cisco gets the first crack at buying it. That's how Silicon Valley largely works," Bronk says. "A little company builds a model or innovates a new product, and then some big guy either pumps venture capital into it and they go public and become a mega company like Facebook or Google, or they're acquired by a mega company and they become a division of them."

Security firms are no different, says Bronk. "They innovate, they come up with a cool device and then somebody like Hewlett-Packard comes along and says, 'We really need that in our suite of network-management tools.' Bam! Now they're the security component of whatever product Hewlett-Packard is shipping in network management."

I agree with Bronk's description of how innovation and the accompanying mergers and acquisitions activity work in Silicon Valley. My expectation, though, is that "mega" companies will break through from the startup ranks rather than military-industrial giants feasting off big cybersecurity contracts.

However growth of the industry takes shape, one point that I have never heard anyone even try to rebut is that the industry is going to get very big very fast. If a college student asked me what career would most assure 50 years of steady, well-paying employment, I would say cybersecurity. The growth is steep, the need will be sustained, and this need currently comes up against a major talent shortage. The qualified job candidates are too few.

The US Bureau of Labor Statistics, an institution that's hardly prone to hyperbole, reports that there will be "a huge jump" in demand for people with information-security skills. Echoing a point made by Jim Gosler, the head of a multi-billion-dollar hedge fund based in New York that invests in cyber, says: "There's a small group of highly talented people who understand this stuff to the point where they can design hardware and software solutions to actually address them." He explains that the unique thing about cyber-security is that it is not just an issue for one industry or vendor to tackle, it is an issue that any connected company or individual will have to face sooner or later: "The stakes are big and they're getting bigger... so it's a bigger problem, or opportunity, depending on your vantage point."

One vantage point that cannot be forgotten is that citizens and small businesses cannot afford the type of expensive protection that governments and corporations can. Security is supposed to be a public good administered by government, not a private good purchased in the marketplace. For all the attention given to protecting our infrastructure such as GPS and banks, there is a huge gap that the market will not solve by itself: citizens and small businesses. Government has a responsibility to protect its people, not just its big businesses and infrastructure.

Government can and should work with the private sector to make sure that the brightest minds are working to develop cyber defences, but there is an as yet unmet obligation by government to define its responsibilities. The way the market is constituted today is analogous to a company developing an anti-aircraft gun at a time when air bombing is rampant - yet only selling the gun to buyers in the marketplace rather than using it to defend the civilian population.

We all want the liberty that comes with a vibrant online life, but liberty without security is fragile, and security without liberty is oppressive. The years ahead will force us to balance these two as we have not had to before.

Alec Ross is a distinguished visiting fellow at Johns Hopkins University, Maryland and former adviser to the US Secretary of State. His book, The Industries of the Future (Simon & Schuster), is out now.

This article was originally published by WIRED UK