Quarterly insights: Cybersecurity

Signs of notable change in federal cybersecurity posture; who stands to benefit?

Cybersecurity 2021q3

The U.S. federal government has generated a flurry of orders, pronouncements and guidelines over the past year aimed at helping government entities and the private sector deal with an increasing number of high-profile cyberattacks.

The words are remarkably similar to what policymakers have written over the past 25 years. Most would say those earlier policies led to actions that fell well short of their goals.

Skeptics say this time will be no different, but we see several signs the current measures will create sustained momentum toward a meaningfully improved cybersecurity posture.

We think prospects for this change bode well for companies that can tap into spending by the U.S. federal government as well as those that serve companies that supply and partner with the government, and we highlight some of the potential winners and losers from such a change.

Includes discussion of AVGO, CRWD, CSCO, FTNT, IBM, MSFT, PANW, PLTR, TENB, ZS and five private companies

Flurry of federal initiatives the latest in a series dating to the 1990s

The U.S. federal government has generated a flurry of orders, pronouncements and guidelines over the past year aimed at helping government entities and the private sector deal with an increasing number of high-profile cyberattacks on a variety of assets, including critical infrastructure. The most prominent measure is Executive Order 14208, signed by President Biden on May 12, which has eight major provisions and directs several agencies to take specific actions by specific dates.

TABLE 1: Major sections of Executive Order 14208, signed by President Biden, May 12, 2021

Source: Executive Order 14208.

While this measure is more specific and prescriptive in some areas than past measures (and, as the section headings indicate, quite broad in scope), overall the order is remarkably similar to numerous other executive orders on cybersecurity issued since the advent of the internet, starting with Executive Order 13010 in 1996 by President Clinton and running through orders issued by presidents Bush, Obama and Trump, a sample of which is shown in Table 2.

With each order, organizations that track cybersecurity risks hoped the government was finally waking up to the magnitude of the problem and taking definitive action to protect itself. These measures were greeted with enthusiasm by cybersecurity companies hoping to gain business from increased federal initiatives and directives. But while the government and society are no doubt marginally more secure because of these efforts, most would say they fell well short of their promise. Bureaucracy hindered implementation while technology advanced quickly, leaving overall cybersecurity risk as great as ever.

TABLE 2: Sample of presidential executive orders (EO) relating to cybersecurity over past four presidents

Source: Federal Register.

Skeptics say this time will be no different, and we acknowledge that could be true. However, we see several signs indicating the current measures will result in significant change. We still expect bureaucracy and competing agendas to make progress slow, but we now see a seriousness of purpose that was missing in the past and that we expect to create sustained momentum toward a meaningfully improved federal cybersecurity posture. In this report, we examine the factors that suggest this time is different. Then we highlight some of the cybersecurity subsectors and companies we think stand to benefit most.

Why this time is different

Colonial Pipeline was perceived differently from previous attacks. Two of the most prominent cybersecurity attacks in the past year were the SolarWinds and Colonial Pipeline attacks. We view the SolarWinds attack as by far the more destructive of the two. Because of how it was perpetrated, the SolarWinds attack put thousands of company networks at risk, likely sent troves of sensitive information to bad actors, including foreign adversaries, and highlighted the cybersecurity risk posed by third-party suppliers in an unprecedented way. Ultimately, though, and like other major headline-grabbing attacks such as those on Target in 2013 and Equifax in 2017, the tangible effects of the SolarWinds attack were limited to data. And digital inconveniences and losses feel different from physical ones.

By contrast, the Colonial Pipeline attack – a run-of-the-mill ransomware attack – reduced the flow of fuel to communities in the southeastern United States for several days, prompting a run on gasoline and long lines at gas stations. Images of closed stations and accounts of the sometimes humorous and extraordinary steps drivers took to secure gasoline dominated the news. This was perhaps the first time a cyberattack gave so many people a visceral understanding of how life could be turned upside down by cyberattacks, and we believe it caused an increase in the general population’s willingness to support and even demand government action to counter such risks.

TABLE 3: Colonial Pipeline – system map

Source: Colonial Pipeline Co.

Supply chains being rebuilt regardless of security. While the SolarWinds attack and some others that preceded it highlighted how cybersecurity risks compound and ripple through supply chains, the COVID-19 pandemic has made supply-chain risks headline material on a near-daily basis throughout the past 18 months. From N95 masks and toilet paper at the start of the pandemic to semiconductors and other high-tech components, shortages of critical goods have made supply chain integrity and resiliency a top economic priority. We think the many industries now building more resilient supply chains will take advantage of this opportunity to address cybersecurity risks as they also address more traditional risks such as shipping bottlenecks, natural disasters, trade wars and conventional wars.

Supply chain giant China is now perceived more clearly as an adversary. In the past five years, China has become increasingly regarded as an adversary of the United States, joining countries such as Russia, Iran and North Korea that are commonly reported to host or sponsor cybersecurity attacks against the United States and other countries. Unlike those other countries, however, only China plays a significant role in U.S. (and worldwide) supply chains. While China’s Huawei equipment has always been controversial, today nearly all goods containing components or parts that have passed through or been manufactured in China are suspect. This concern is particularly acute at government security agencies and within Defense Department circles. Given the size of the U.S. global defense budget, the cybersecurity standards the Defense Department requires of its suppliers, particularly regarding China’s role in supply chains, will force supply chain shifts and increased cybersecurity scrutiny.

Cyberattacks increasingly perceived as a form of warfare, the domain of government. We believe businesses are starting to better understand the role foreign governments are playing in fostering cyberattacks. With an emerging appreciation of cyberattacks as a form of warfare, businesses are increasingly looking to the U.S. government to lead the defense effort. While there has been some historical cooperation between government and the private sector on cybersecurity, it has been more the exception than the rule. Businesses have often been leery of sharing information about hacks and compromised data for fear the government will publicly blame or penalize them. They have also been reluctant to provide the government with detailed records for fear the records might become fodder for plaintiffs in civil lawsuits. On the other side, we feel the government has done little to assuage these concerns to date. Now the stakes may be getting too high for either side to continue these approaches. We think businesses and governments will begin creating a security framework for data assets that more closely mirrors the security frameworks seen in the world of physical assets, with clearer domains for government and the private sector.

For example, brick-and-mortar banks take significant precautions against theft and robbery. They employ security guards, maintain video and other surveillance systems and limit the amount of cash in teller drawers to minimize losses in case of robbery. They strictly control access to vaults containing large amounts of cash, and their security systems can send real-time alerts to local police. All these practices are well established, and it is understood that these costs are part of the overhead of operating a bank. However, these provisions are not designed to protect against general civil unrest in and around the bank. While bank processes may reduce losses from such events, banks and society view protecting against civil unrest as a police or perhaps national guard responsibility. Taking the analogy further, no one expects a bank’s internal security measures to protect against an attack by a foreign army; that’s clearly the federal government’s responsibility.

TABLE 4: European Union’s General Data Protection Regulation (GDPR) cumulative sum of fines

Source: www.enforcementtracker.com/?insights

The relevance of this physical security framework to cybersecurity is increasingly evident. The federal government has likely used its offensive cybersecurity capabilities to send messages to foreign adversaries over the years, but such actions have mostly been hidden from the public eye. We see hints this is changing based on some of the latest government guidance and initiatives as well as President Biden’s public comments, following meetings with Russia’s President Putin, regarding critical infrastructure being out of bounds for hacking and that the United States government would respond to attacks on private critical infrastructure.

The regulatory hammer has gotten substantially bigger. Among the earliest major cybersecurity-related regulatory efforts was the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA is enforced by the Department of Health and Human Services Office for Civil Rights (OCR). Since the April 2003 compliance deadline, OCR has received over 270,000 HIPAA complaints. Through July 2021, 101 of these led to civil penalties totaling $135 million, indicating this regulation has some teeth, although its scope is limited to the healthcare industry. The Payment Card Industry Data Security Standard (PCI DSS) was another early, widely adopted mandated security standard. PCI DSS was created and is enforced by the private sector, though it arguably was created to ward off government regulation.

We feel cybersecurity-related regulation increased by an order of magnitude with the European Union’s General Data Protection Regulation (GDPR), which became enforceable in 2018 and stands out for its broad applicability to all entities collecting data in the European Union or on EU citizens. Though many of the 756 fines levied for GDPR violations to date have been small, they include some significant ones such as 184 million pounds for British Airways (later reduced to 20 million pounds after COVID-19 severely disrupted British Airways’ business), 50 million euros for Google, and 225 million euros for WhatsApp. Amazon Europe was fined a record 746 million euros this summer but is appealing. The pace of enforcement is picking up, as shown in Table 4. Of the almost 1.3 billion euros of GDPR fines since inception, nearly 1 billion euros have come in the past three months. We think GDPR has conditioned private enterprises to expect and manage increased government regulation related to cybersecurity and privacy, and it is generally viewed as the model for many other cybersecurity and privacy laws outside the European Union, including the California Consumer Privacy Act.

Opportunities for technology companies

We think prospects for this shift bode well for companies that can directly tap into increased spending by the U.S. federal government. This includes large prime contractors, the D.C. beltway network of subcontractors, and cybersecurity companies specializing in the government vertical, such as Palantir Technologies (PLTR).

But we see the opportunity as broader still and highlight private sector security companies that can migrate their offerings to address a new framework for how the private sector and government collectively manage cybersecurity risks. These include mega technology players that have significant security offerings as part of a broader portfolio, such as Cisco Systems (CSCO), Microsoft (MSFT), IBM (IBM) and Broadcom (AVGO). The U.S. government is not a particularly large vertical for any of the large pure-play cybersecurity companies, such as Zscaler (ZS), CrowdStrike Holdings (CRWD), Palo Alto Networks (PANW) and Fortinet (FTNT); however, we think they stand to benefit as their domestic private sector customer base invests to address continued threats and the need to comply with government mandates.

Cybersecurity for operational assets is another area where we see big opportunity, particularly for providers focused on U.S. critical infrastructure. These include some of the companies noted above, smaller cybersecurity companies with a strong operational asset focus, such as Tenable Holdings (TENB) and Forescout, and operational asset specialists like Dragos, Fortress Information Security[1], and Industrial Defender.

While the list of potential beneficiaries is long, we don’t think this shift in federal cybersecurity posture will benefit all companies, and it may even be a headwind for some. Specifically, we think foreign companies and even U.S. companies that maintain substantial intellectual property, development and operating resources outside the United States may be disadvantaged. Government spending with such companies is already heavily scrutinized, and this scrutiny is likely to only increase.

This could dissuade a wide swath of private enterprises from buying these companies’ cybersecurity solutions for fear of being excluded from government or government-related business at worst or subject to increased scrutiny at best. These cybersecurity providers may attempt to mitigate this challenge by beefing up their U.S. presence and by adding U.S. defense and intelligence community alumni to their boards or as advisors. Claroty is an example: This operational technology cybersecurity provider was founded in Israel but moved its global headquarters to New York in 2017 and has taken other actions to bolster its U.S. credentials. It is in good position to benefit from the focus on operational assets mentioned above if its efforts to be treated more like a U.S. company succeed, a dynamic we will monitor.

The factors above are tailwinds even without federal pressures

We acknowledge predicting the pace and effectiveness of federal government policy enforcement may be a fool’s errand and, despite the factors noted, the current directives may gain no more traction than historical precedent. Though cybersecurity buyers may worry less about the domicile of their providers in the absence of a stronger federal cybersecurity posture, we believe the factors we discuss above will force society and the economy to respond, creating further tailwinds and continuing long-term trends that have made cybersecurity such a fertile and durable market.

[1] First Analysis is an investor in Fortress through its venture capital funds.