Written by Deepak Jeevan Kumar, a Principal at General Catalyst Partners.
Can the next Edward Snowden be from Silicon Valley?
The last 5 years have seen the meteoric rise of the App Economy, which spans mobile apps downloaded on smartphones/tablets and web apps used directly on browsers. The annual revenue of the mobile-based App Economy is estimated at $72 billion today and is expected to double to $151 billion by 2017. The web-based App Economy is far bigger. Most importantly, the App Economy has permeated our everyday lives very deeply and has changed the way we interact with each other, buy virtual goods, order physical retail goods and entertain ourselves. Netflix, Twitter, Zynga, Facebook etc. are only a few of the well-known ones. The App Economy is also a great equalizer. Hundreds of other startups like Uber, WhatsApp, Fab, Instagram (acquired by Facebook) and Square are equally important to our everyday lives. New distribution channels and new cloud infrastructure technologies enable even smaller startups with a handful of employees and little funding to reach millions of users in a few months and effectively compete with bigger established players like Google, Electronic Arts and HBO. Unfortunately, security is an afterthought to many of these smaller startups, which are laser-focused on product innovation and user acquisition.
Hackers love attacking targets that are either high profile or have massive quantities of sensitive data. Their attention is turning towards the App Economy very quickly and effectively. Twitter, Tumblr, WordPress, Facebook, and LinkedIn have all been targets of recent high-profile attacks. In April, a hacker tweeting from the account of the Associated Press falsely indicated explosions at the White House and caused a temporary panic on Wall Street. This is only the tip of the iceberg. Damaging attacks can also occur on smaller low-profile startups that don’t have sufficient cyber defenses in place. Many such attacks are not detected or solved. No one knows how many of the smaller gaming, ecommerce and communication startups have been hacked or what data has been stolen from them. This is not a big risk if these smaller startups have only a few users. However, these startups can have millions of users and also store Personally Identifiable Information (PII). In many cases, a hacker can get as much information by attacking these smaller startups as he would get by attacking a regional bank. A stark example is the March 2013 hack on Evernote, a medium-sized startup that has created a popular note-taking app. While not as well-known as Twitter or Facebook, it has millions of users. According to this news article, it is unclear how long the attackers had access to information. Luckily only usernames were compromised. Confidential content in the notes saved by users was safe.
The App Economy of today exists mostly on smartphones, tablets and the web. As new app platforms like Google Glass and iOS for cars emerge, the risks can increase exponentially. A cybercrime syndicate could cause traffic chaos by hacking some of the car apps and giving out misleading directions to drivers. Accidents can occur if these hackers show distracting images to pedestrians who are wearing Google Glass. Perhaps the days of ‘App Warfare’ are not far away!
These attacks can sometimes be life-threatening for startups if companies lose the confidence of their users as a result of theft of confidential data stored in the apps. Denial of Service attacks can increase cloud infrastructure hosting costs significantly and can even bring down a startup’s production servers, which would make it impossible for users to access their apps. Earlier this year, Sony was fined by the UK government for failure to protect against a cyberattack on its PlayStation Network. While the US government or affected users have not yet initiated civil action against smaller startups for such attacks, we can expect this to occur sooner rather than later. Unfortunately, such lawsuits could potentially put these startups out of business as they don’t have the financial muscle of big corporations such as Sony.
Three reasons compound this cybersecurity problem. First, App Economy startups are more interconnected than we think. The recent attack on Zendesk, a helpdesk app used by hundreds of Silicon Valley startups, exposed user accounts on Twitter, Tumblr and Pinterest. Second, smaller startups cannot afford armies of cybersecurity specialists, unlike bigger organizations such as Google, Twitter, Bank of America, NSA and the DoD. This brings us to the third reason. While innovation in code development and deployment has been very fast, innovation in cybersecurity technology has not caught up. Startups deploy code multiple times a day due to innovations like continuous integration and cloud computing. However, security audits are done once every few weeks, if at all. Most of these security audits are manual and time-consuming processes run by security audit firms that charge $50K-$250K. That is unaffordable on a regular basis for smaller startups.
Silicon Valley has two choices: solve this problem with better cybersecurity technology or wait for the government to regulate. The first option is preferable because regulations tend to be backward-looking while hackers are not. We need faster and automated cybersecurity tools that can help startups (and larger companies) identify security threats in real time, detect attacks as soon as possible and remediate critical issues. The government definitely has a big role to play here. As the largest buyer of cybersecurity technologies, the government should make it easier for cybersecurity startups to sell to different agencies. More importantly, research funding should increase to promote long-term innovation in this sector of national importance. The government should not shy away here. It is critical to remember that the internet was the result of a DARPA-funded project.
A group of senior technology and policy experts from different branches of the government have recognized this need and moved to the Valley as entrepreneurs in startups such as Impermium, Shape Security and Morta Security. They are working hard to combat new cybersecurity threats facing startups, corporate America and government agencies. “Like many of my colleagues, I went to work for the government in order to make a difference. After a few years in Washington DC, I realized that I could actually do more good here in the private sector,” observes Mike McNerney, a cybersecurity startup advisor and former Pentagon official. “The ability to work with smart people and act quickly on new ideas in the field of cybersecurity is especially attractive.”
This brings me to my parting thought. Silicon Valley should think ahead about threats from internal sources in addition to the external sources mentioned above. As the importance of the App Economy increases, and as more sensitive information is being stored in the apps and data centers here, the next Edward Snowden could be a startup contractor or a tech company contractor from Silicon Valley. As we are still in the early years of the App Economy, it is possible to solve this problem through technology innovation and not with regulation. Let’s act before it is too late.
Deepak Jeevan Kumar is a Principal at General Catalyst Partners, a Venture Capital firm with offices in Boston, New York and Palo Alto. He focusses on funding and launching big data, cloud computing and cybersecurity startups.