THE FUTURE OF CYBER-SECURITY: THREATS AND OPPORTUNITIES
Global Corporate Venturing

Cyber-security is growing as the digital world continues to expand. In this five-part supplement, Global Corporate Venturing and Baker Botts explore multiple strands of the cyber-security world, which is rapidly becoming a hot area of activity for transactions. In his opening comment, Alex Mason of Baker Botts looks in depth at which sectors are growing.

CHAPTER 1: In the first chapter, Global Corporate Venturing editor-in-chief James Mawson looks at how cyber-security has moved from the government world almost in its entirety to become dominated by private organisations.

CHAPTER 2: In the second chapter, Global Corporate Venturing editor Toby Lewis feels the pulse of activity in the market.

CHAPTER 3: In the third chapter, we profile In-Q-Tel as a venture capital thought leader in the area of cyber-security and analyse its portfolio.

CHAPTER 4: In the fourth chapter, we look at the tale of Palantir, the fast-growing big data business at the forefront of ensuring cyber-security is a real-time activity.

Note: Thanks to Dell technology director Don Smith for his help in reading a draft of this report and providing comments.
The future of cyber-security: threats and opportunities

Introduction by Alex Mason, technology practice lead, Baker Botts (UK)

Technology and data are swords that organisations, individuals and nation states need to use to further their commercial, social and national interests. Information can be accessed, analysed and utilised by technology in real time to provide competitive advantage to businesses, happiness and fulfilment to individuals, and prosperity and security to nation states. The internet allows instantaneous and limitless ways to communicate and interact, but also can act as an Achilles heel to us all. Unauthorised access to, and misuse of, data, technology and critical infrastructure can cause irreparable damage to reputation, financial loss, disruption and, in some cases, physical harm.

Cyber-attacks are increasing in frequency, in sophistication and in impact. Everyone is at risk and every organisation, individual and nation state will at some point be the victim of a cyber-attack. It is inevitable. But what can we do to protect ourselves? What can organisations do legally and practically, in an effective and cost-efficient manner, to shield themselves from cyber-attacks and seek redress?

Risk = Threat x Vulnerability x Consequences

This article analyses the threats as they apply to organisations, and suggests legal and practical steps that can be taken to reduce an organisation's vulnerability to attack, minimise the adverse consequences of an attack and thereby reduce the risks it faces.

1. What are the threats to cyber-security?

"We know hackers steal people's identities and infiltrate private e-mail. We know foreign countries and companies swipe our corporate secrets. Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions, and our air traffic control systems. We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy."
US President Barack Obama, 2013 State of the Union Address

The threats to cyber-security take many forms and are perpetrated by different groups with different objectives, motivations and means. But the actions of each of them can seriously damage organisations. The main groups that launch cyber-attacks can be categorised as follows.

a. Sponsored: The disclosures by Edward Snowden have brought data privacy and cyber-security to the forefront of political debate and cast the spotlight on certain countries and their intelligence organisations or sponsored groups, both friendly and hostile, that launch cyber-attacks to gain intelligence, steal corporate secrets and intellectual property, or sabotage critical infrastructure and utilities for political and economic ends. For example, the Stuxnet computer worm was used to attack and disable Iran's nuclear facilities and was believed to be state-sponsored.

b. Criminal gangs: Motivated to make money, organised crime is becoming increasingly sophisticated in its use of technology to commit fraud, steal funds and valuable information, such as customer credit card and bank account details. For example, the leader of a criminal gang, Hugh McGough, also known as the Lord of Fraud, was jailed for eight years for attempting to hack into the computers of a City bank to steal £229m in one of the biggest cyber-crimes of its kind.
In December 2013, JPMorgan Chase warned 465,000 holders of prepaid cash cards that their personal information may have been accessed by hackers, and a global cyber-crime ring stole $45m from banks by hacking into credit card processing firms and withdrawing money from automated teller machines in 27 countries.

"In the place of guns and masks, this cyber-crime organisation used laptops and the internet."
Loretta Lynch, US Attorney for New York's Eastern District

c. Hacktivists: Promoting a form of civil disobedience in cyber-space, hacker activists, or hacktivists, are individuals or groups, such as Anonymous, that hack into computer systems for political or socially motivated purposes, usually to bring attention to an issue, rather than for personal or monetary gain. For example, in November 2013, hackers claiming links to international activist group Anonymous defaced dozens of websites belonging to Australian businesses and Philippine government agencies in response to spying allegations. Separately the FBI confirmed that Anonymous secretly accessed US government computers in multiple agencies and stole sensitive personal information, including bank account details, during A recent survey by Verizon suggests that hacktivists, who hack into government and corporate computer networks and then release files to embarrass those organisations, were responsible for more than half of all data thefts in

d. Business competitors: Commercially sensitive data, such as trade secrets, new product launch dates, confidential customer data and intellectual property, provide huge value and competitive edge to organisations. Unscrupulous competitors may test lapses in security to gain this valuable information and data and use it for their own commercial purposes to the detriment of the rightful owner and its market competitiveness.

e. Employees and supply chain: From those with a grudge to those who are careless, employees are well placed deliberately or inadvertently to disclose or compromise commercially sensitive business and customer data. Employees, contractors, advisers and those in the supply chain are often within the security firewalls of organisations, with authority to access technology and use and distribute data. Examples of lost or stolen laptops holding sensitive data are reported almost daily.

f. Terrorists: While terrorists undoubtedly use technology to communicate and coordinate attacks, it is interesting to note that there have been no major reported incidents of terrorists successfully launching a cyber-attack to instil terror and further their aims. But it is only a matter of time before terrorists use cyber-attacks as a weapon of terror.

"Terrorism does remain the FBI's top priority, but in the not too distant future we anticipate that the cyber-threat will pose the greatest threat to our country."
Robert Mueller, director of the FBI

There are many different types of cyber-attack, for example:

a. Distributed denial-of-service (DDoS) attacks: where hackers saturate an organisation, such as a bank, with so many external electronic communications that the organisation cannot respond to legitimate requests and conduct its business effectively.

b. Phishing: where hackers send emails to organisations or specific individuals (spear phishing) that purport to come from a trusted source but which contain viruses or malware that is installed on a victim's computer and compromises security.

c. SQL injection: where sensitive information is retrieved from databases by malicious code, which can also be used to penetrate wider networks (SQL is structured query language, a software protocol for processing data).

d. Trojan horses, malware and viruses: which give hackers control over computers and stored data after the user clicks on an attachment or link or visits a compromised website.

Hackers are using increasingly sophisticated techniques to further their aims and commit cyber-attacks.

2. Where are organisations most vulnerable?

All organisations are vulnerable to attack and no security system is infallible. Even national leaders are not immune, as evidenced by German Chancellor Angela Merkel, whose phone was allegedly monitored by the US National Security Agency (NSA) for a decade. The level of vulnerability of an organisation, though, depends on many factors, such as the industry and geographies in which that organisation operates, the nature of the business it conducts, the adequacy of its technology and security systems, processes and procedures, internal compliance with established processes, as well as its public profile and supply chain.

Governmental and financial institutions are particularly susceptible to attack, but no industry can be complacent. For example, energy companies running critical infrastructure, such as electricity or gas, telecommunications companies handling customer and business data or consumer companies with sensitive personal data are targets and must be alert to threats.

The risks of security breaches may be heightened depending on an organisation's structure, systems and supply chain, as well as how it does business. For example:

a. Cloud: The processing or storing of sensitive data outside an organisation, for example in a cloud environment, raises security concerns and the Prism government spying scandal, where the NSA monitored electronic communications, has increased scrutiny on this form of supply chain. Cloud providers are at risk of attack and, by association, so are organisations using the cloud. Small and medium-sized enterprises (SMEs) may find that their information and data is exposed or compromised by using a cloud provider handling the data of high-profile organisations that are more attractive targets for cyber-attacks. Cloud providers are focused on adopting high security standards and different types of cloud have heightened levels of security.

b. BYOD: The proliferation of use by employees of bring-your-own-device, often unsupported by the employer organisation or not protected within an organisation's network security programme, has raised additional security concerns. The ability easily and regularly to download personal apps on devices handling sensitive business data, while convenient and fun, creates increased vulnerability, as rarely is any robust due diligence conducted on the identity and security of the app providers themselves. The risk is greater if sensitive or commercially valuable data is downloaded to the device, rather than being accessed by the device.

c. Professional advisers and supply chain: A cyber-security chain is only as strong as its weakest link, and organisations should be alert when disclosing commercially sensitive data to their suppliers and advisers, including accountants, lawyers and financiers: how secure are their systems and processes? The UK government recently warned that cyber-criminals were targeting advisers, such as lawyers, investment bankers and accountants, to access confidential information on their corporate clients.
The recourse against failures by suppliers and advisers depends on the supply agreements that are in place and the rights and remedies these provide.

d. Innocent mistakes and poor internal security: A significant number of data losses and security breaches still occur from unintentional events, such as laptops and other mobile storage mediums being inadvertently lost or compromised, wrong files being attached to emails, or emails inadvertently sent to the wrong recipients. Good IT practices and processes, coupled with staff being trained to follow, and then following, these security processes, are an effective way to minimise security breaches.

e. Cost savings in IT: With the focus on cost savings and rationalisation of technology, the risk of vulnerability to cyber-attacks may increase. For example, accountancy firm KPMG has recently reported that North Sea oil and gas companies and their pipelines could become victims of cyber-attacks as trends to reduce costs by combining pipeline control systems with general IT systems could leave computer systems at greater risk.

3. What are the consequences to organisations of a cyber-security attack?

Unauthorised access to an organisation's systems and data can cause irreparable damage to its business, its reputation and its value. The scope and severity of the impact of a cyber-attack will depend on the nature of the attack and the organisation's ability to react and minimise its effect. Disclosure requirements and laws mean that in many cases the fact of the attack may have to be disclosed to regulators, data subjects, investors and the public generally.
Organisations need to be fully aware of the implications of unauthorised access to systems and data from these sources.

Examples of the effect a cyber-attack can have on an organisation's business include the following:

a. Loss of trade secrets: From valuable know-how and product details to cutting-edge processes, attacks that result in such losses can undermine an organisation's competitive advantage or ability to do business.

b. Inability to operate and transact business: A DDoS attack can overwhelm an organisation's servers and effectively bring the ability to transact online business with customers to a halt. With systems unavailable, would-be customers may become frustrated with the quality of service they receive and switch to other providers.

c. Loss of personal data: Data breaches of this nature provide specific and heightened risks. If personal data, such as customer contact or bank details, or sensitive personal data, such as patient, is lost or disclosed, then an organisation may be under a duty to notify the data subject and/or regulatory bodies in many jurisdictions, as well as incur financial consequences arising from any claims or fines. For example, in June 2012, Brighton and Sussex University Hospitals NHS Trust received a civil monetary penalty of £325,000 for a serious breach of the Data Protection Act after highly sensitive personal data belonging to thousands of patients and staff was left on hard drives sold on an internet auction site.

d. Damage to reputation: This can follow a data breach if it becomes public; for example, the breach may put into focus lapses in security that gave rise to the breach, or the content of the disclosed information may be prejudicial to that organisation.

e. Loss of customers and business: Involving both current and future, if the organisation is perceived to be insecure or liable to cyber-attack, together with reductions in customer satisfaction and retention.

f. Government or regulatory investigations and fines: These may arise depending on the nature and cause of the attack, and any shortcomings in response by the organisation.

g. Legal actions: These may arise, for example, from claims by the data subject or third party whose personal or confidential information has been disclosed or publicised. Directors may have personal liability for certain breaches, for example under section 61 of the Data Protection Act, if an offence under that act was committed by their company with their consent, connivance or neglect that may become apparent after a cyber-attack. In the US, Symantec had to defend itself against a proposed class action accusing it of hiding a software vulnerability in its Norton Antivirus software that left its customers open to cyber-attacks.

h. Damage to the value of the organisation: For example, if breaches lead to adverse publicity or a stock price drop after the attack. A poor cyber-security record may also affect the value of an organisation on a sale or funding round, with investors and banks unwilling to invest in organisations with poor security processes.

i. Loss of business, reduction in revenue and reduced profits: This may arise from the nature and impact of the cyber-attack.

The financial costs in dealing with a cyber-security attack and its consequences can also be significant, for example:

a. Investigation costs: Identifying that a breach has occurred in many cases takes months rather than hours.
Once a breach has been found, identifying the cause of the breach can also take time and incur costs.

b. Containment costs: Costs in deciding how best to contain the breach and executing the risk management plan.

c. Costs of remedy and repair: Costs shoring up the breach and putting in a fix to prevent similar breaches occurring in the future.

d. Management costs: Time spent dealing with the investigation and fall-out from the attack.

e. Loss or reconstruction of data: Costs of reconstituting data affected or lost by the attack.

f. Financial losses: For example, criminal hackers may access bank passwords and protocols by attacking an organisation's treasury or financial function, and use this sensitive data to transfer funds from that organisation's bank accounts, often an easier way to obtain funds from a bank than attacking the bank itself.

g. Fines by legal or regulatory bodies: The UK's Information Commissioner, for example, has the power to impose fines of up to £500,000 for a serious breach of the data protection principles. Significant fines could in extreme circumstances arise if, following a cyber-attack, it became clear the organisation does not have appropriate technical and organisational measures to protect data against unauthorised
security breaches, and failed to take reasonable steps to prevent a contravention of the data protection principles, when it knew or ought to have known there was a risk of contravention likely to cause substantial damage or distress.

h. Professional fees: Such as fees for forensic security or IT consultants, lawyers and accountants as part of the remediation process.

i. PR campaign costs: For the public relations exercises limiting the damage to reputation.

j. Customer complaints and enquiries: Costs dealing with the increase in customer enquiries and helpdesk calls caused by the attack.

For example, in 2011, after suffering multiple data breaches involving its PlayStation network, Sony estimated it incurred clean-up costs of at least $171m. In 2013, the UK Information Commissioner fined Sony £250,000 on the basis that the hack could have been prevented if the software had been up to date and user passwords had been kept secure.

4. Cure: what to do after you are attacked

As soon as an organisation is aware it has been the subject of a cyber-attack, it should act quickly and effectively, putting into action its risk management plan. Its ability to do this efficiently will depend on whether it has a robust cyber-security risk management plan in place that has anticipated the nature and effect of the attack. It is worth noting that often it can be weeks or months before an organisation is even aware it has been subjected to an attack.

i. Continue operations and business: The key objectives after an attack are to identify the attack, minimise business disruption, remedy the cause and resume business operations quickly and efficiently. First-responder personnel should be mobilised to take appropriate steps. Internal, and possibly external, technical teams should investigate the incident, protect and, if necessary, recover critical assets and information, resolve the breach (for example, mine data to find and remove malicious software), minimise the impact on the business, and resume business with increased awareness of this type of attack to be better prepared to prevent or respond more quickly to similar attacks. If the attack has seriously affected an organisation's ability to do business, for example through a DDoS attack, then it may be necessary to initiate disaster recovery plans, for example moving the centre of operations to another office or relying on back-up data centres where critical business information has been duplicated and stored.

ii. Communication plan: In response to a cyber-attack, the communications plan forming part of the cyber-security risk management plan should be put into effect rapidly. The plan should focus on:

1. Internal actions: As discussed above, communications should be made to relevant employees to deal with the attack and restore business as usual as quickly as possible, also notifying and involving key management personnel in strategic decisions, investor relations and public relations teams, as well as legal teams to provide legal and commercial support as the attack unfolds.

2. Disclosure requirements: Depending on the nature of the cyber-attack, there may be mandatory notification requirements to comply with. It is important to consider whether a breach of security should be notified, who should be notified and what information should be given, including specific advice to individuals on the steps they can take to protect themselves.
In the UK, for example, if there has been an unauthorised disclosure of, or access to, personal data, under the Privacy Regulations, if the affected organisation provides electronic communications services to the public, for example an internet service provider (ISP) or telecommunications company, it must notify (i) the Information Commissioner's Office (ICO) that a personal data breach has occurred within 24 hours of becoming aware of the basic facts and (ii) the individual adversely affected by the breach. Such service providers must also keep a log of any breaches, and submit this to the ICO on a monthly basis. The ICO can audit compliance and issue penalties for failure to comply. The ICO is subject to the Freedom of Information Act and there is therefore a risk that information disclosed to it, such as service providers' logs and associated information, may have to be disclosed by the ICO. The notification requirements for most organisations are currently voluntary but organisations may want to notify, for example, if they are public bodies they may be concerned with transparency and public accountability, whereas private bodies may be more concerned with the stigma of notification.

3. Press and public relations: Depending on the nature and effect of the attack, press and other public statements may need to be made to minimise the reputational damage and reassure customers, investors and regulators that the attack has been successfully dealt with and steps taken to prevent a recurrence. If criminals or terrorists are behind the attack, the organisation should work with law enforcement agencies to help identify the hackers and seek prosecutions.

iii. Investigatory lessons from the attack: Once business operations have been resumed it is important to conduct investigations to identify the effect of the cyber-attack and to understand what has been compromised, for example, whether specific trade secrets, confidential information, personal data or valuable intellectual property have been accessed, lost or corrupted, whether
malicious software or logic bombs have been embedded in the computer systems, whether hackers still have access to systems or information, as well as learning from the intrusion to improve protection of the organisation from future attacks.

iv. Mitigating costs and losses: The financial impact of cyber-attacks can be significant. It has been estimated that data breaches can cost millions of pounds per major incident, depending on the impact on business and costs of investigating and remedying the attack. Insurance claims may be made for recoverable losses under existing cyber-insurance policies or claims brought against entities in the supply chain that caused the breach.

v. Preparing for claims and lawsuits: Depending on the nature and impact of the cyber-attack, the organisation may receive claims from third parties. For example, business partners whose confidential information or intellectual property have been disclosed or misused as a result of the attack, or claims by individuals that the organisation has breached its obligations as data controller.

j. What legal rights of redress are available to the victim of a cyber-attack?

The perpetrators of cyber-attacks seek anonymity and, in general, it is difficult to identify hackers. Without a defendant, it is difficult for organisations to bring civil claims, or law enforcement agencies to bring criminal claims. But in some cases it might be possible to identify a hacker depending on the nature of the attack and the footprint left by the hacker.
There are products and services offered by expert service providers that may allow certain hackers to be identified. If a hacker can be identified and if he or she is in a jurisdiction where effective action can be taken, then there are a number of redress options that may be open. For example:

i. Theft of trade secrets: Cyber-criminals may attack companies and individuals by way of breaches of IT security to access servers, the back-ends of websites, intranets or individual computers. These attacks may be an effort to source valued, private information such as bulk data, designs, methodologies, trade secrets or sensitive corporate information. In the UK, trade secrets are protected by the common law of confidential information and contract. When trade secrets are obtained from a cyber-attack, the relationships required for contractual claims are unlikely to exist. Therefore, if the perpetrator can be identified, the remedies against loss of trade secrets by way of a cyber-security breach, hacking or other computer-based attack are found in a mixture of actions, such as the tort of breach of confidence, copyright infringement, database protection and certain criminal actions.

ii. The Computer Misuse Act 1990: This created a number of relevant criminal offences, including obtaining unauthorised access to computer material and unauthorised acts intended to impair the operation of computers. The act has been used to prosecute individuals who have hacked company servers. Obtaining copyright works held electronically or by simple access, rather than actual extraction of trade secrets or data, is sufficient for the offence to be committed and therefore DDoS attacks are now criminalised even with no data loss. Law enforcement agencies, rather than the victim organisation, would bring criminal actions. Despite the large number of victims, official figures show that to date only a handful of people have been prosecuted for breaching online security.
For example, only 10 cases were brought in England and Wales under the Computer Misuse Act in 2010 for cyber-security offences.

iii. Other criminal offences: These may be committed depending on the nature and impact of the cyber-attack, such as the online theft of funds or physical damage to infrastructure caused by tampering with control systems. Such acts could give rise to criminal as well as civil liability. The new Police Intellectual Property Crime Unit may also seek a referral of the breach to allow them to investigate any online criminal activity.

iv. Data protection: If the information or trade secret contains personal data (statistics, customer details and so on) then data protection principles will apply. After the cyber-security breach, the affected organisation may need to notify the ICO.

If a footprint is left, hackers may be identified or the IP addresses and websites they use closed down by the relevant ISP.

5. What does the future hold?

The increase in incidents and the risks associated with cyber-attacks has put such attacks in focus as never before. But the Edward Snowden scandal has helped focus the minds of politicians on the need for more effective legislation to protect states, organisations and individuals from the perils of data breach. Spying attacks may come from friendly quarters, as well as from hostile ones, but technologies to counter cyber-attacks are becoming ever more sophisticated.

Legislators and national governments are looking at how to protect states, organisations and individuals from cyber-attacks. The EU is proposing a new EU Data Privacy Directive and draft EU Network and Information Security directive. There are also discussions centring on the scope and nature of the US Safe Harbour regime.

As the diplomatic row continues between the US and Europe over spying accusations, there are calls in Europe and elsewhere to provide more secure local cloud and internet services. For example, in November
2013, Deutsche Telekom announced it would team with RSA, part of EMC, to launch a secure internet service in 2014 for SMEs that will struggle to meet the costs of security measures against sophisticated forms of cyber-crime, while Brazil plans to implement a secure service to thwart cyber-spies.

In August 2013, the Cyber-crime directive (2013/40/EU) on attacks against information systems came into force, requiring member states to enact laws, regulations and administrative provisions by September 2015 to provide a consistent pan-European approach to cyber-crime. In January 2014, US President Barack Obama instructed the NSA to scale back spying on allies and proposed safeguards in relation to the NSA's ability to access US phone records.

Service providers and security experts now offer the ability to hack the hacker and work with ISPs and enforcement agencies to take down websites and hackers. Steps such as these may provide organisations with greater protection and the ability to protect themselves proactively rather than act reactively after a cyber-attack. However, organisations must be careful that they do not inadvertently commit an offence under the Computer Misuse Act by doing so.

Getting hacked is unfortunately becoming a fact of our cyber-lives, but prudent organisations need not live in fear.
While no organisation can protect itself totally from cyber-attack, for most, best practice in security arrangements, both before and after an attack, and board level sponsorship, are the most effective ways to limit the impact of cyber-attacks, coupled with robust technology services contracts and specialist security support. With a better understanding of the threats and the vulnerabilities within the technology and security landscape, organisations can take effective steps both before an attack, and afterwards, to protect themselves, monitor the effects of attacks, respond to attacks and thereby mitigate the adverse consequences of cyber-attacks.
Key points to consider in a corporate transaction
This is a relatively new area, but many professional governing bodies are starting to increase awareness. In January 2014, a guide to cyber-security in corporate finance transactions was published following a review led by the Institute of Chartered Accountants in England and Wales and the UK government. The guide makes a powerful statement that any corporate entity would be foolish to ignore cyber-security. For anyone involved in corporate finance transactions, cyber-security needs to be treated as a high priority. Many boards are still not awake to the risk posed to their companies. A survey published in November 2013 by the UK's Department for Business, Innovation and Skills, the Shareholders Executive and the Cabinet Office highlighted that only 14% of FTSE 350 firms are regularly considering cyber-threats. How then should you deal with cyber-security when involved in a corporate transaction?
Due diligence
Cyber-security issues come in two main forms during due diligence. First, what due diligence should be made into the cyber-security record of a target company? Second, is the due diligence information itself at risk of cyber-security attack? What sort of questions relating to cyber-security should you be asking a seller or investee company?
The level of information required will vary from transaction to transaction. Where the transaction is an acquisition the risks may prove higher, particularly on a share sale where everything in the target business is being acquired and technology systems of the buyer and seller integrated, as opposed to the acquisition of a particular asset on an asset purchase or an investment where the IT systems will not be integrated with those of the investor. Examples of some relevant questions are set out below:
1. Is there a cyber-security policy in place?
2. Please describe the information security and business continuity in use.
3. Is there specific commercially or personally sensitive data that is subject to heightened protection?
4. Are you aware of any security breaches to the system?
5. If so, what was the impact of such attacks on the business?
6. Are there any claims, investigations or fines in relation to security breaches?
7. Do you have cyber-insurance policies in place? If so, have any claims been made under them?
During the due diligence process, the list of individuals with access to sensitive information increases and, consequently, the risk of a potential cyber-security attack. Coupled with that is the fact that the information circulated during a due diligence exercise is often confidential and can range from employee
details to the intellectual property status of the disclosing company. Consider carefully who should be given access to the information circulated as part of the due diligence. We recommend the list of individuals with access to the information should be minimal. Ideally, in the early stages of a transaction, only senior management and advisers should be granted access. In addition, confidentiality agreements should be obtained from all parties to ensure strict parameters are set around the use of information. An additional concern arises with the use of virtual data. Parties should make sure the virtual data room provider can provide a secure environment at all times. In addition, the disclosing party should consider whether the information needs to be included in the data room in the first place. Where the transaction involved an investment, you will want to consider how the disclosed information is treated. For example, has the virtual data room been deleted? Has all information circulated as part of the due diligence process been stored or disposed of suitably?
Conclusion
This is an area which cannot be ignored by companies and should rank highly on every board's agenda, particularly when considering or making an acquisition or disposal. Failure to keep information secure can lead to civil and criminal penalties, for example, under the UK's Data Protection Act.
The transaction documents
The warranties and indemnities in a sale and purchase agreement or a subscription agreement should be the main focus for dealing with cyber-security issues.
Warranties in the relevant agreement set out the state of affairs and the disclosure exercise can flush out any issues with the business. Therefore any investor or purchaser should pay close attention to the disclosures set out in the disclosure letters. Any investor or purchaser should seek to include warranties regarding the cyber-security systems and practices in place in the business such as:
1. The IT systems do not contain any virus and have not within the last [12 months] been infected by any virus or accessed by any unauthorised person.
2. There is a suitable cyber-security policy in place.
If something has been highlighted in the due diligence process, any investor or purchaser may want to ensure an appropriate indemnity is drafted into the relevant agreement to ensure he may make recovery on a pound-for-pound basis in the event that the matter escalates.
Post-acquisition
Once a share sale, or an asset purchase where it involves an IT system or database, has been completed, the process of integration should commence. As part of this process, the purchaser should ensure that checks are carried out on the system to ensure it is secure. A review and potential strengthening of the information management and security policies with training for staff across the organisation as a whole should also be considered.
CHAPTER_1
A non-obvious approach to cyber-security
James Mawson, editor-in-chief, Global Corporate Venturing
The relative speed with which governments, business and individuals have become reliant on computers and the internet as a communications platform has been rapid. In the equivalent technological leap for storing and sharing information (the printing press developed by Johannes Gutenberg around 1450) it was about 25 years before the first book was published in English. By contrast, the layering of the world wide web over internet protocol means data has exploded. Although a predecessor of the internet was first used in late 1969 and taken up by the US Department of Defense as the Arpanet for military communications, the internet itself was launched formally in 1983 and effectively went from data transfer of zero at that point to 1,200 terabytes to 1,800 terabytes per month a quarter-century later, according to network equipment maker Cisco. The internet has arguably made the world a better place. Yet for those using the technology and the internet, the price of such practically unlimited knowledge amounts to concerns about security and privacy. Some, such as Al Gore, 45th US vice-president, in his book The Future, have described the trade-off of potential security vulnerabilities and loss of privacy as part of a so-called cyber-Faustian pact allowing access to the wealth of opportunities the internet and information technology can bring in return. Digital information is now an important strategic resource, in the way oil was during the 20th century.
Robert Gates, former US Secretary of Defense, in 2010 told newswire Bloomberg that cyberspace was the fifth domain for potential military conflict, joining land, sea, air and space, and two years later, Samuel Cox, director of intelligence at US Cyber-Command, was reported by newswire Reuters as saying there was a global cyber-arms race under way. Robert Mueller, director of the FBI, two years ago reportedly told the US Senate that while stopping terrorism was currently the number-one priority, down the road the cyber-threat will be the number-one threat to the country. The US government plans to spend more than $13bn, 16% of its IT budget, on cyber-security in the current fiscal year. Worldwide spending on IT security is growing at a compound annual rate of 6.6% and is expected to reach $30.1bn in 2017, according to research firm Canalys. Unlike oil or other strategically important assets, however, information can be sold or given away and still retained, potentially with greater value. Juan Zarate, first assistant secretary of the US Treasury for terrorist financing and financial crimes, in his book, Treasury's War, which covers how the US finance ministry used the banks and other
financial services firms to identify and isolate those designated criminals and terrorists from the mid-1990s, said: "In an increasingly interconnected world where trade, financing, travel and communications are fundamentally intertwined, non-state, networked actors and systems, from corporations to influential Twitterati, often hold the keys to power and influence globally." Stewart Brand, a technologist, said "information [on the internet] wants to be expensive, because it is so valuable. On the other hand, information wants to be free, because the cost of getting it out is getting lower all the time." This quantum-like ability of information to be both free and expensive creates a tension between companies, governments and individuals who often want both to be true at varying times. They also have to contend with what management consultancy McKinsey said in a 2011 report, Meeting the CyberSecurity Challenge, are more sophisticated malevolent actors. US-based non-profit Aspen Institute in 2012 said the US economy suffered $16bn in lost earnings from the theft of intellectual property. In addition, more data is now being generated by the so-called internet of things as part of an estimated billions of bits of data in machine-to-machine communications already under way each year. The Stuxnet computer virus, for example, infected motors in Iranian gas centrifuges and varied their speeds until the motors were destroyed, while software code can enable data to be transmitted through thermostats and cause deactivated mobile phones to switch on, record and send data before deactivating themselves.
The potential to protect specific devices or communications, and the people who use them, is seen as challenging. This challenge has caused the private sector to grapple with the same problems as governments, such as safely storing and effectively using increasing amounts of data, with entrepreneurs, not just the large system integrators used in most defence contracts, rewarded for finding ways to manage the risks and opportunities created by the internet. This is creating opportunities for public and private partnerships as they try to source technologies, often in buying or investing in start-ups. A strong exit market for cyber-security-focused start-ups is attracting more venture capital to set up more suppliers. US-based venture capital firms (VCs) invested more than $900m in 82 cyber-security companies as of November 26, an increase from the $663m they invested in 77 such companies in all of 2012, according to data provider Thomson Reuters. As Zarate said in his book: The innovation in public-private coordination is already occurring by necessity in the cyber-domain, with approximately 80% of the cyber-infrastructure in private-sector hands. After the attacks on Google servers by Chinese hackers, Google and the NSA began to work together in 2010 to help Google defend against future attacks. In the wake of the huge attacks on US banks in 2012 and continuing into 2013, the NSA has begun a pilot project with the banks to try to track and prevent cyber-attacks. This cooperation between public and private sector, however, has led to concerns. Last year, ahead of a protest organised by the Stop Watching Us coalition, Edward Snowden, who leaked US intelligence secrets to newspapers in June, said: In the last four months, we have learned a lot about our government. We have learned that the US intelligence community secretly built a system of pervasive surveillance. Today, no telephone in America makes a call without leaving a record with the NSA.
Today, no internet transaction enters or leaves America without passing through the NSA's hands. Our representatives in Congress tell us this is not surveillance. They are wrong. NSA surveillance has reportedly led to information on 54 terror plots since 2001, including 13 related to the US, and the technology translated to the intelligence community's use through the work of the US intelligence community's strategic investment group, In-Q-Tel, has fed into that effort (see profile). The government surveillance feeds, in instances, from the extensive user information gathered by social networks and internet companies to help deliver more targeted advertising. One law student, Max Schrems, requested the information held by social network Facebook and said he received a file of 1,222 pages, including posts he thought he had deleted, and filed a complaint with the authorities in the company's non-North American headquarters, in Ireland, claiming it was in breach of European Union privacy directives.
These projects are increasingly looking at the widely-regarded weakest link in any security system: the people behind the devices, both those using them who might be vulnerable to attack and potentially malevolent actors, rather than the devices themselves (called points in the jargon). As Peter Christy, research director of networking at technology research provider 451 Group, put it: "The modern security business really began in many ways with broad use of the internet (remember [internet browser] Netscape was only founded less than 20 years ago [in April 1994]) and with the discovery that direct network connection had the unintended consequence of also presenting lots of surface area for others to attack. I think the shift has been to holistic security (use all possible information and purpose it where you can) with an important focus on context: it is not just the transaction but the context in which it is being done with respect to the user's normal behaviour, device and location, for example." Data analytics companies, such as Palantir (see case study) and forerunner Systems Research and Development, specialise in gathering intelligence from large databases, often in tandem with each other, in an attempt to discover non-obvious relationships between people and so-called insider threats.
identification, then place some sort of exploit on to your device. That begins an elaborate, complex attack scenario. What I mean by that is it will start to communicate with a command and control server. What is really different now is that the very first request it makes is to create an encrypted channel.
And the reason it creates an encrypted channel is that it can be hidden from all defence technologies. It won't use standard cryptography. It uses very advanced cryptography, something the [governments] have created. This is not off-the-shelf stuff. So all defence products, once it is in place, have no visibility into the communication between it and the command and control server from that point on. That lets it be in place for long periods of time. The persistency of these attacks can last months or years. The average is about a year.
Francis Bacon is reported to have said: "Knowledge is power." The challenge with an internet-connected physical and online world is that understanding who is collecting the information from which this power is derived is non-obvious. The theory behind this type of data searching is a refinement of the Pareto principle (sometimes known as the 80:20 rule) that online only 1% of people are responsible for creating most content, while the rest view passively. University of London academic Akil Awan's study of radical jihadist fora in 2005 found 1% of users had posted 500 or more times. Identifying this 1% and then making non-obvious connections to others in their social networks and what their intentions might be has implications for criminals as well as opportunities for organisations trying to reduce risks through proactive work. David DeWalt, chief executive of IQT-backed cyber-security provider FireEye, in an interview with news provider Business Journals said: The vast majority of them [advanced attacks] are coming from social engineering attacks. Almost every attack now starts with a social component, studying the target organisation, finding who in it has the most valuable information, who has the highest net worth. It does not take much research to figure out who your friends are, and who I could send something from to get you to click on it. That is how attacks are done these days. It is very consistent.
Start with social
CHAPTER_2
Cyber-activity roars to life
Interview with transaction professionals and technology experts by Global Corporate Venturing editor Toby Lewis.
There is huge excitement about transactions in the cyber-security industry with a string of large initial public offerings (IPOs) in recent times, including that of FireEye and Palo Alto Networks bringing investor attention to the successes of companies in the sector. Robert Ackerman, founder of corporate-backed venture firm Allegis Capital, said: Cyber continues to generate not just smoke but fire as well. Between significant IPOs, major merger and acquisition transactions, new venture capital investments and a market for solutions growing from $65bn in 2013 to a forecast $93bn in 2016, cyber-security is a force to be reckoned with in the innovation landscape. The horizontal nature of cyber-security means that innovation is taking place across a broad landscape. Dr Mike Lynch, founder of Invoke Capital, said: Against a backdrop of industrialised and sophisticated attackers, legacy approaches to information security are no longer working. Businesses have woken up to the need for a proportionate, intelligence-led strategy that stays ahead of emerging threats, instead of constantly chasing behind. This has given way to a new category of cyber-technology that takes security breaches and infiltration for granted, and instead focuses on how to detect live threat in real time. The investment community will be increasingly looking for new fundamental science to back up cyber-capabilities, and continue to make the break from the traditional locks and bolts approach, based on predefined rules and assumptions.
Ken Elefant, managing director of Intel Capital's security business unit, which has secured the most exits in security, said the valuations at present appeared high but this reflected the business strength of many companies in the sector. "Markets are extremely good for exits and companies are raising money at high valuations. I do not know how long that is going to last. Yet these are bread-and-butter companies solving real problems." Of the trends mentioned in Alex Mason's introduction, Elefant said: "Companies have got to get better security. It is not just buzz, it is real dollars." Elefant added trends such as the move of enterprises to the cloud, the growth of data centres and the rise of smartphones have complicated computing security. "There are more vectors for attackers to enter the enterprise. Companies are preparing the best they can." He added this was both driving the opportunities for security companies as well as posing a real threat for the day-to-day functioning of many businesses and institutions. Mark Fishleigh, director at BAE Systems Applied Intelligence, said: "We have gone past the stage where we can say 'buy this product and you will be safe', even though many vendors' marketing is along the lines of 'this is the last security product you will ever need to buy'." Fishleigh said this provided opportunities for software providers to sell bespoke products that solved a particular security need to augment organisations' basic security software.
James Hatch, director of cyber-security at BAE Systems Detica, said: "In the technology product market there will always be start-ups coming up with the next brightest idea. These technology companies are good at raising funding but not necessarily at reaching customers. The big technology companies are looking to buy up those companies, while small start-ups are looking to get bought. It is quite fragmented in the market product area and we expect to see consolidation." Elefant added: "With the virtualised environment there is a 100-times bigger attack plane for attackers to go after. If a start-up is not offering a solution for the virtualised environment, I would say it is considered legacy." Elefant said other sectors of particular interest to Intel Capital included mobile security, cloud security and virtual currencies. Detica's Hatch added: "There has been a merger between the private life and the professional life and people are doing personal as well as professional work on the same device. If you access work stuff on your own device this creates bigger potential gaps but it is not as big a risk as it might appear if managed properly." Fishleigh explained more sophisticated organisations, such as banks, had recognised the perimeter was now hard to define, given the proliferation of devices and extensive interaction with third parties. He said this meant organisations had moved beyond protecting the perimeter, to focus on managing and securing their data wherever it resided.
John Skipper, of consultancy firm PA Consulting, said: "New organisations with new ideas on how to tackle problems are able to establish a good market position very quickly. At the same time, big players are investing in building technology through acquisition. This means there is an opportunity for an exit route through trade sales." Skipper added: "People working in positions in government agencies are seeing opportunities to exploit them commercially. It is no surprise that there are clusters forming around the West Country in the UK (GCHQ is based in Cheltenham) and the Washington beltway [where many government agencies are based, including the Pentagon]." Ackerman said: "There is some discussion about how you build security into the fabric of the network on a global basis, still very much at the conceptual stage but essential to the long-term requirements of the cyber-security challenge, something I am working on with the research and chief technology officer community."
Allegis's view of the market
Robert Ackerman, of corporate-backed venture firm Allegis Capital, one of the most active investors in the sector, according to data provider CB Insights, summarised what he thought were the most important investment trends in cyber-security.
- Detection of threats inside the firewall: Eventually, perimeter defences will be compromised. How you detect and track these threats is an area of major innovation interest.
- Security in a mobile BYOD environment: While a reality in the market, securing this environment is a major security challenge. Controlling access to corporate resources and data when the enterprise does not control the device is essential.
- Encryption: Not as buzzword-filled as some areas, but the move towards the encryption of all data in motion makes this an area of significant importance.
- Secure communications: The fabric of commerce today is digital communications. This infrastructure needs to be secured from hacker threats.
Secure mobile communications are essential.
- Insider threat detection: Reports indicate that 70% of cyber-attacks originate inside an organisation. How do you identify vulnerabilities and potential internal threats in advance of an attack?
- Botwalls: Barriers against automated software tools known as bots that recognise and exploit vulnerabilities in a site's code: the ability for websites to defend against automated attacks in an automated fashion.
- Autonomic defence: The ability to automate responses to cyber-attacks on an organisation. Manual responses are just too slow with attacks taking place at the speed of light.
- Secure cloud computing: The security of the cloud (public and public-private hybrids) is a gating consideration in deployments. This market will scale for the enterprise only to the extent that it is assured secure.
CHAPTER_3
Profile: In-Q-Tel
James Mawson, Global Corporate Venturing editor-in-chief
FACTBOX: In-Q-Tel, as at end-October
employees in three offices: Arlington, Virginia; Waltham, Massachusetts; Menlo Park, California
assets of $218.7m (liabilities of $87m), up from $178m in 2011 and $142.9m in 2010
KEY STAFF:
Michael Crow, In-Q-Tel's non-executive chairman and president of Arizona State University
Chris Darby, chief executive
Bob Gleichauf, chief scientist and director, IQT's Lab 41
Bill Strecker, chief technology officer
Steve Bowsher, managing partner
INVESTMENT PARTNERS: Mark Breier, Simon Davidson, George Hoyem, Peter Kuper, Brinda Jadeja, Thomas Gillespie, Brian Smith, Eric Kaufmann.
There are two things that separate In-Q-Tel's reception area from practically any other around the world. It is not the comfy chairs, glossy table magazines or snack-sized chocolate bars, or the friendly and helpful receptionist or push-buzzer security. It is the lack of company nameplate indicating where you have arrived and the quality of the ideas in the table magazines covering cutting-edge technologies and intelligent predictions about the future. Both point to a group that wants its work to be known and to reach out into the world but on its own terms. Even the name, In-Q-Tel (IQT), points to insider knowingness (the Q refers to the gadgets man in the James Bond spy books and movie franchise) and marketing. The main purpose of IQT is to find and source the technologies developed by entrepreneurs that might be relevant to its paymaster, the US government's intelligence community.
With many governments increasingly acting like large, multinational corporations, where the heads change every few years even if the bulk of the team remain, it is worth looking at the world's largest government for why and how they opened IQT and sustained and evolved the model over more than a decade for potential insights into more general corporate venturing trends.
Formation: In its tax filing, IQT said it was founded in 1999 as a private, not-for-profit company to help the Central Intelligence Agency and broader US intelligence community identify, adapt and deliver cutting-edge technologies that address national security needs. IQT's strategic investment model [means] on average, for every dollar that IQT invests in a company the venture capital [VC] community has invested over $10, helping to deliver crucial new capabilities at lower cost to the government. One of the executives behind IQT's formation, who remains closely involved, said: "IQT was originally modelled as a technology VC because technology and entrepreneurship was the area of interest for us." The government's traditional contracting approaches to established systems integrators were deemed lacking in agility to find and nurture entrepreneurs and companies developing commercial technologies that could be relevant for the intelligence community, which now stretches beyond the CIA to include the Defense Intelligence Agency, the Department of Homeland Security's Science and Technology Directorate, the National Security Agency, the National Geospatial-Intelligence Agency and others. By the late 1990s this need to reach out to entrepreneurs for technology had reached a point requiring an IQT-approach because government contracts were no longer the primary source of defence technology, especially as part of the national security agenda increasingly involved understanding the security opportunity and threats brought about by the internet and computing power.
The government was also looking for ways to tap into private research and development for companies not willing or able to go through its established grants programmes, such as the Small Business Innovation Research programme (SBIR). Analysis by Global Corporate Venturing of more than 170 portfolio companies backed by IQT shows less than a quarter (39) have gained SBIR funding (see table). Military contracts after the Second World War were critical in providing resources to fund the development of internet, personal computer and information technology. As one source close to IQT's formation put it, the government went from contracting about 80% of technology it could use for national security to about 20%, with 80% by third parties. The historical pattern of technology transfer, from federally financed laboratories to the military and eventually to civilian use, had reversed after the ending of the Cold War and the collapse of the Soviet Union. But with both government and many corporations grappling with similar challenges of cyber-security and gleaning actionable intelligence from data analysis, they had common ground to work and invest together. One corporate venturing head of investments said: "There is a different level of relationship in private-public in this security space and we [and IQT] both approach entrepreneurs with the same needs. We do portfolio swaps as a benefit from dealing with the same currency, for example denial-of-service attacks, so we have a level of expertise for portfolio companies." This special relationship in security is demonstrated by how often IQT co-invests in companies alongside corporate venturing units effectively to reverse-engineer commercial development for government use. Analysis by Global Corporate Venturing of the syndicates in IQT's public deals shows nearly half (77 of 172) contained corporate venturing units.
In its latest regulatory filing, IQT said by end-March 2012 it had invested in more than 180 portfolio companies, many of which have produced technologies that have contributed directly to intelligence community missions. It went on: "Technology delivered by IQT, for example, makes it possible to fuse data from maps, images, text and other sources, visualise information in ways not previously possible, rapidly process vast amounts of information in multiple languages, and identify the critical intelligence faster and more effectively."

George Tenet, former director of the CIA who was in charge of IQT's creation, in his book, The Storm: My Years at the CIA, put it more succinctly: "The In-Q-Tel alliance has put the agency back at the leading edge of technology."

This was some achievement given scepticism that government could effectively fund a VC firm run independently and reap both financial and strategic returns, according to sources working on its launch. A 2001 report for the US Congress and the CIA by consultancy Business Executives for National Security (Bens), called Accelerating the Acquisition and Implementation of New Technologies for Intelligence, Report of the Independent Panel on the Central Intelligence Agency In-Q-Tel Venture, found IQT had made a good start.

Lawrence Meador, chairman of the independent, 30-strong panel, wrote in a preface to the Bens report, published by news provider FCW: "Several members of this panel from a variety of industry sectors approached this assessment process with what I would describe as an initial reaction of scepticism and concern about the basic In-Q-Tel business model from a policy, legal and competitive perspective." The panel concluded, however, the In-Q-Tel business model makes sense, and its progress to date is impressive for a two-year-old venture.
Insiders credited IQT's relative success and longevity to its focus on getting start-ups' technology through the In-Q-Tel Interface Center (QIC) and into use by the intelligence community. IQT's peers, such as DaVenci, OnPoint and Chart Venture Partners, have struggled to maintain the levels of funding IQT has collected.

The decision to set up IQT as an independent firm with staff initially sharing part of any profits, called carried interest, through an In-Q-Tel Employee Fund, attracted talented people, such as its first chief executive, Gilman Louie, a former video games entrepreneur who headed Hasbro Interactive's Games.com group, able to find and back entrepreneurial companies. But the timing of its launch was also opportune, as the intelligence community received a shock with the September attacks on the US mainland, and it subsequently received greater attention and resources to both prevent another such assault and guide the invasions of Afghanistan and Iraq.

For example, IQT had in 2001 invested about $2m in the series A round of mapping service Keyhole, co-founded by former foreign affairs operative John Hanke and named after the KH reconnaissance satellites, the original military satellite reconnaissance system. Keyhole proved invaluable tracking missiles in Iraq and was in 2004 acquired by US-listed search engine provider Google to form part of its Google Earth service. IQT received shares in Google as part of the sale and later reportedly sold 5,636 of them after Google's flotation in 2005, reaping more than $2.2m.
IQT also invested in US-based data analytics firm Palantir's A round (see case study) after working with its founders to help their company, online money exchange PayPal, fight off Russian fraudsters, according to co-investors and IQT's staff.

Evolution: succession

However, Louie's departure in 2006 to set up a VC firm, Alsop Louie, with a former journalist, led to two short-term chief executives, Amit Yoran and Scott Yancey, before its incumbent, Chris Darby, joined. Regulatory filings show Darby's contract has been renewed until January 2016 after he settled the organisation and helped its evolution to what one insider called "a more mature organisation". Darby had been an effective chief executive at tech firm Sarvega before its sale to chip maker Intel.

David Cowan, partner at VC firm Bessemer Venture Partners, the start-up investment group founded by steel magnate Henry Phipps in 1911, told news provider SiliconBeat at the time of Darby's appointment: "We at Bessemer were invested in Sarvega, and so we saw him in action. Through strong recruiting, good strategic moves and effective business development, Darby turned the company around and saved our investment."

But the effect on IQT as an organisation in a period of management succession allowed what insiders called "political factors" to force substantial changes in its approach and operation. The Employee Incentive Plan (EIP), giving staff carried interest in return for investing 10% of their salary in a fund, was closed in 2007, according to a regulatory filing. In effect, there was concern that IQT was too good at doing deals: its regulatory filing for 2005 reported by newswire Bloomberg showed IQT sold for $12m investments that had cost it $1.96m. As well as closing its EIP, IQT also moved towards an approach of offering more cash for companies' technology development or conversion to intelligence community needs rather than taking equity and following on in deals.
One co-investor alongside IQT in multiple deals said it had taken years for the organisation to recover its cultural connection to entrepreneurs and re-engage with them through a series of hires, including both George Hoyem and Peter Kuper in IQT's focus on what it calls paying for work programmes and non-recurring engineering, and sometimes receiving warrants in return rather than necessarily investing directly for equity, means it acts as a conduit for start-ups' technology to be seen and become ready for use by the intelligence community, its primary purpose, without necessarily diluting other investors' equity.

As one outside analyst noted, "VCs now love them because if you pass IQT diligence they can safely assume that the technology or product has value and is technically sound." A co-investor said by trying to avoid diluting outside investors on deals, the government was effectively underpinning the broader venture industry. The analyst concurred that its data showed security plays are predictably acquired by bigger players for nice multiples: IQT-backed ArcSight was acquired by Hewlett-Packard for $1.5bn last year after its initial public offering in 2008, and IBM bought Initiate in In turn, by accessing VC-backed technologies, IQT said in its regulatory filing it had leveraged more than $3.9bn in private-sector funds to support technology for the CIA and the intelligence community.

Current

Effectively, therefore, IQT has evolved to a more sophisticated open-innovation programme with venture capital investments of up to $3m as just one tool. While IQT has an estimated nine investment partners reporting to managing partner Steve Bowsher, it had 92 employees in total in 2011, according to its regulatory filing for
Looked at another way, IQT's public deals from its website to end-October 2013 showed it had done 11 new deals in that calendar year, primarily in North America, while previous years were similarly productive: 18 in 2012, 13 in 2011, 20 in 2010, 14 in 2009, 15 in 2008, 11 in 2007, 13 in 2006 and 11 in At an estimated average of $2m per deal, and with few follow-on investments, the bulk of IQT's annual budget seems to go in other areas, even if the portfolio holds multiple companies valued at more than $1bn, such as Palantir, FireEye, Pure Storage and MongoDB.

IQT's filing for the year ending March showed a broader group of programme-related investments of $59.7m. And, over the five-year period to 2011, IQT raised $282.8m in grants and contributions from the intelligence community, mainly through so-called black budgets outside public scrutiny.

However, IQT has actively examined the ethics of the technologies it can help develop through its portfolio, commissioning noted academic Patrick Lin to review the applications for drones, or unmanned aircraft. It has also been active in making sure the technologies stay available even if a start-up is struggling.

Overall, IQT divides its focus areas into information and communications technology, such as advanced analytics, cloud and infrastructure, digital identity, tools for field missions and mobility, and physical and biological, including DNA fingerprinting, genome analysis, energy harvesting and batteries, lasers and threat detection.
The Q in its name, therefore, remains apt, as its portfolio companies develop tools suitable for a spy book, including Sonitus Medical, which told news provider NPR in 2012 it had received IQT funding to turn its hearing aid into a two-way radio that allows users to attach the device to their teeth rather than their ear to hear sound.

IQT declined to comment on-record for this article due to our global audience but fact-checked the data and its staff agreed to talk on background. Concerns about publicly discussing IQT meant all other sources wanted to remain on background.

In December 2003, news provider Institutional Investor singled out the example of US-based software company Graviton, which ran into financial trouble earlier that year and laid off its engineering team when its wireless sensor system for detecting chemical and radiological exposures was only two-thirds complete. In-Q-Tel helped arrange a transfer of Graviton's technology to a new company, Soflinx, which rehired the engineers.

More recently, Geosemble, a 2004 spin-off from University of Southern California (USC), whose GeoXray product automates the process of discovering, geospatially visualising, monitoring and sharing relevant unstructured information from any source, was acquired by IQT portfolio company TerraGo in July Geosemble had been a partially-owned subsidiary of IQT-backed Fetch Technologies, a data services company that also grew out of collaborations between USC researchers and the government.

Under Darby, IQT has added an open-source laboratory, called Lab41, on the opposite side of the hallway to its investment team. Under IQT's chief scientist, Bob Gleichauf, Lab41 creates challenges on specific data problems, particularly around flash memory storage technology applications, experts involved in projects said, and allows the intelligence community to meet and share its technology needs and then work on creative ways to solve them.
The 4 in its name reflects what it said were the four communities: government, academia, industry and IQT. A rotating cast of people work in an unclassified environment at Lab41 for three to 12 months to bring a proof-of-concept out to meet a specific challenge, with the technical findings and code available for open-source publication.
CHAPTER_4 Case study: Farsighted Palantir sees data's potential

James Mawson, Global Corporate Venturing editor-in-chief

Detective work is often about recognising criminal patterns so as to identify ways to prevent future crimes. So when the anti-fraud team at online payments provider PayPal noticed that Russian criminals trying to breach security were using multiple servers to bounce internet packets around the world and so hide their origin, it became a signal for blocking them: if a message came in with more than 15 of these jumps, it was flagged.

This relatively simple step helped move cyber-security to real time rather than after the event: identifying the loss, working out what was taken and plugging gaps through updates to the software several months later. It also marked the evolution of cyber-security from, in the jargon, point-based to user-based: from protecting a device, such as a personal computer, to looking at the person using the device and his relationships with others, even if these links are not immediately obvious as signs of potential fraudulent or otherwise interesting behaviour.

And one of the biggest start-up companies targeting this space is Palantir, created a decade ago by the people who first noticed the criminal patterns at PayPal. After three years without significant revenues but eating up lots of corporate, angel and government funding to develop its platform to help customers examine their data, Palantir has exploded to what investors on background said was a valuation of at least $9bn in its latest $196.5m round that provisionally closed in September, according to its regulatory filing. This would imply a so-called up-round from the valuation a year earlier when employees and early investors sold some stock at a $4bn valuation, insiders said.
This came on the back of many other large previous rounds, including $50m raised in May 2011 and $90m in Prior to the latest investment, which could reportedly exceed $200m when finally closed, Palantir's funding totalled about $500m, according to Alex Karp, chief executive of Palantir in an article by news provider Forbes. Karp was also co-founder of Palantir alongside Lonsdale and fellow Stanford computer sciences alumni Stephen Cohen, who remains as an executive vice-president, Nathan Gettings and Peter Thiel.

In an interview with Forbes for its September article, Thiel, co-founder and chief executive of PayPal until its purchase by online auction company Ebay for $1.5bn in 2002, said Palantir could be worth as much as Facebook, a Nasdaq-listed social network he had privately funded and that now has a market capitalisation of more than $100bn, but it would take time to get to a similar valuation. Enterprise software companies always grow much more slowly at first.