DataTribe Insights - Q1 2022: First a pandemic, then a war – cybersecurity put to the test
The DataTribe Team
Typically each year, January brings anticipation of Spring just around the corner. Excitement grows with events such as the Cherry Blossom Festival in Washington, D.C., or with sporting events such as the Super Bowl, NCAA’s March Madness and Major League Baseball spring training. Just when COVID-19 appeared to get under control and people started to return to the workplace, the world was rocked with the Russian invasion of Ukraine. How are these events impacting the cyber landscape and investing environment?
Russia Ukraine War – First Global Cyber Bar Fight?
With the Russian invasion of Ukraine continuing into its third month, the global community is reeling from the largest conflict in Europe since WWII. The residual effects are hitting gas prices in the U.S., while corporations and governments are bracing for the impact to hit in cyberspace. Surprisingly, the immediate impacts on cybersecurity have not been further exploited by previously executed well-known hacks, which many expected and continue to prepare for. Such attacks include BlackEnergy, an attack on the Ukrainian electricity grid in 2015; the NotPetya malware attack on Ukraine (and spread worldwide) in 2017; Solar Winds, discovered in December 2020; or a repeat of last year’s attack on the Colonial Pipeline launched by DarkSide ransomware, a group believed to be based in Russia.
There is a new scale and dynamic to cyber action, and it is hard to pinpoint attribution. Are these new kinds of attacks a shift in tactics by existing criminal or nation state actors? Or is there a new player in the game — the hacktivist — often being enlisted to defend Ukraine.
“Ukraine authorities estimate some 400,000 multinational hackers have volunteered to help counter Russia’s digital attacks,” said Yuval Wollman, president of CyberProof.
In February, via Twitter, Anonymous declared it was waging a “cyber war” against Russia. Since then, the account — which has more than 7.9 million followers —has claimed responsibility for disabling prominent Russian government, news and corporate websites and leaking data from entities such as Roskomnadzor, the federal agency responsible for censoring Russian media. Dozens of databases belonging to Russian internet providers, government agencies and even retailers have been compromised according to researchers. Though not everyone is encouraging individuals to get involved, as conveyed in a recent Tweet from Dragos Founder, Rob Lee:
Ukraine War Displacing IT/Development Software Teams
Over the last 15 years, Eastern Europe has become a major outsourcing provider to global enterprises and software companies (i.e., independent software vendors, or ISVs). According to DAXX, a remote software teams firm, there are 200,000 Ukrainian developers, and 20% of the Fortune 500 companies have remote development teams in Ukraine. Estimates are that 200,000 engineers in Russia, Belarus and parts of Ukraine are consumed by the conflict, either through displacement or because they have taken up other roles in response to the invasion. Another 300,000 from Ukraine will be impacted as the conflict continues. Enterprises and ISVs are scrambling to backfill their offshore teams via other regions such as India and Latin America. This hits in addition to the staffing pressures caused by COVID-19 and the Great Resignation, making it very difficult to start new projects or expand teams. This displacement of talent will likely have an impact in all phases of software development for all sizes of organizations. Since outsourcing, in particular, is more affordable and flexible than hiring employees, startup innovation will slow.
New Federal Regulations Increase Cyber Preparedness
A concert of federal efforts to fortify national and private sector defenses against potential cyberattacks, particularly those coming from Russian offensive efforts, have flooded the news in the first quarter of 2022. The Cybersecurity and Infrastructure Security Agency (CISA) issued “Shields Up,” a call for hypervigilance with regard to potential Russian cyberattacks. Due to the ongoing conflict in Ukraine, “All organizations — regardless of size — adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets.” Included in this campaign are recommendations for executive leadership and resources for organizations of all sizes.
In March 2022, President Joe Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act as part of the omnibus spending bill. This act creates a requirement for critical infrastructure organizations, potentially including financial services, energy providers, hospitals and water facilities — businesses that could impact economic security or public health and safety — to report cyberattacks to CISA. While many reacted by focusing on the potential burden of reporting requirements, the potential long-term benefits of a national datasets like this are far reaching. With a view across the entire country, companies will have a clearer picture of which threats are prioritized at a given time, and the government will have the opportunity to fill necessary gaps where vulnerabilities exceed what the private sector can solve for, such as providing support for small businesses with ransomware. The combination of information and potential for coordinated response means that the U.S. will have a uniquely precise view of nation-state offensive strategies against the U.S., which will better enable both private and public defense efforts.
Clearly, this act, and the other two bills that constitute the Strengthening American Cybersecurity Act of 2022, were created to shore up cyberdefenses and increase the power of agencies investigating cybersecurity incidents. But one has to wonder, despite the increased awareness these bills drive, if this is an example of “closing the barn door after the horses have run out.”
Another recent regulatory change shifted the Cybersecurity Maturity Model Certifications (CMMC) from being a recommendation to a requirement for government contractors to submit to random spot checks, which has organizations scrambling for an immediate solution.
Overall, we think these regulations will cause industry to increase its defenses in important ways. This is a positive reaction to the nation’s cybersecurity posture.
As an example of past positive reactions to regulation, through DataTribe’s investment in Refirm Labs, we found that corporations originally did not care about the integrity of firmware and potential for its exploitation until the Department of Defense — and later, the White House — pushed the issue to national attention.
Q1 Cyber Deal Activity – More Money, More Deals, But Storm Clouds On The Horizon
The Q1 2022, overall early stage deal volume continued near historical highs. Seed deal volume continued at peak levels compared to last quarter, but Series A deals, while still high, have softened. This type of pattern is quite common in economic downturns. Public markets and later stage private equity are the first market segments to be impacted. Eventually, earlier stage market segments will be impacted. We expect if the economic downturn continues, we may see a decrease in deal volume at the seed stage as well. We foresee early stage cyber deals to be somewhat more resistant to an extended economic downturn, but will wait to confirm in the next few quarters.
While the number of deals has started to cool off as seen in the prior chart, valuations and deal size continue to surge — particularly for cyber deals. Cyber seed deal size increased year-over-year by 87% (Q1 2021: $2.7 million to Q1 2022: $5 million), while cyber series A deals have increased by 35% (Q1 2021: $10 million to Q2 2022: $13.5 million). Year-over-year, cyber seed deal valuations have increased by 133% (Q1 2021: $7.7 million to Q2 2022: $18 million), and cyber series A valuations have increased by 59% (Q1 2021: $28.3 million to Q2 2022: $45 million). If the economic downturn extends and deal volume continues to dry up, we expect to see deal valuations and correlated deal sizes decrease to a more sustainable level. Again, the early seed stage deals will be slowest to react to the downturn and generally will be the least correlated to short term economic conditions. Separate from economic conditions, cyber is heavily driven by global conflict and the growing number of online criminal actors who take advantage of the never ending migration of all aspects of life to online. Unfortunately, we expect to see heightened global political tensions to continue, which could drive cyber deal volume and deal valuations to be more resilient compared to overall deal activity.
Promises Not Kept or Wishful Thinking?
Breach and Attack Simulation systems (BASs) gain momentum but still lack actionable insights. BASs are a relatively new, fast-growing security technology that identifies vulnerabilities to real-world attacks and runs on the idea that the best preparation is for organizations to test their systems against real-world attacks. Other approaches, such as Pen Testing or red teaming, provide some of the desired insights but lack the continuous testing aspect.
The BAS market is expected to grow at a compound annual growth rate (CAGR) of 37%, jumping from $278 million in 2021 to over a billion ($1,355 million) by 2026,according to The Business Research Company.
Some say that BASs do not go far enough, offering insights only on the cyber tech stack deployed by an organization. But what about weaving data into the analysis regarding how the team responds and how its playbooks stand up to real-world attacks?
The obvious immediate questions to answer are: How well prepared are my people, processes and tooling against actual threats? How can that defense be measured?
BAS platforms need to expand to leverage data from other systems, such as SEIM systems, workflow systems and trouble ticketing systems, to provide evidence-based insights and recommendations against specific attacks and frameworks.
SBOM Is the Bomb
Working to understand and defend the software supply chain continues. Large established firms such as Synopsys, Sonotype and JFrog, as well as startups like Anchor, are making investments. Understanding what goes into one’s software, including firmware, is being driven by the federal government. In February, the National Institute of Standards and Technology (NIST) came out with its “Recommended Criteria for Cybersecurity Labeling for Consumer Internet of Things (IoT) Products” white paper in support of Executive Order (EO) 14028. This EO tasked NIST and the Federal Trade Commision (FTC) to provide guidance on consumer labeling. This included guidance on producing a software bill of materials (SBOM) for software systems and IoT products with a goal of “improving the nation’s cybersecurity.” Other agencies, such as the U.S. Food and Drug Administration (FDA), have jumped on the bandwagon and directed the pharmaceutical and medical device industries to develop SBOM information as well.
Government agencies are not the only organizations clamoring for more insights into the ingredients going into today’s software — commercial initiatives have also come onto the scene. An example is the Linux Foundation’s OpenChain initiative). This project maintains the international standard for open source license compliance, allowing companies of all sizes to adopt the key requirements of a quality open source compliance program.
These public and private initiatives are indicative that the SBOM requirement will continue to spread.
Despite these efforts, vulnerable software is already out in the wild — Log4J and solar winds are recent examples. So, the SBOM is a nice concept, but how is it operationalized? Gartner claims the industry is five to ten years away from organizations having a solid understanding of what’s currently in their software stack. Software composition tools do exist, but tools with more automation that are sophisticated enough to guide the extraction of supply chain-oriented vulnerabilities are needed.
Small and Medium Business Cyber Solutions Include Insurance
In last quarter’s Insights, we discussed the cyber needs for the small and medium-sized enterprise (SME). Work-from-home trends have expanded the attack surface; new regulations mandate security controls; and the threat from global bad actors is rising. As a result, SME cybersecurity is finally getting more attention. These organizations’ cyber needs not only include the technology and services required for protection and mitigation, but also insurance. Previously, most insurance companies have addressed the needs of larger corporations that invest heavily in protecting themselves. This has been a lucrative market for insurance companies, as the best, lowest cost insurance goes to the companies that are well protected. That, however, is changing, as claims rise and underwriters struggle to accurately assess an organization’s risk of a cyberattack — insurers won’t write policies (or will write obscenely expensive ones) if they can’t quantify the risk of a claim.
What about the SMEs? Until recently, they have been mostly uninsurable but have increasingly become targets of ransomware attacks. Compared to their enterprise brethren, SMEs tend to underinvest in cybersecurity, making them more vulnerable to a cyberattack and largely uninsurable. Enterprise security software is expensive and complicated, as it typically requires a seasoned security expert (if one is available AND affordable) to use effectively. Some new players have come onto the market offering not only insurance, but the technology and tools to prevent malicious attacks and recover quickly should an attack occur. These new products aim to simplify cybersecurity, making it accessible to SMEs while providing underwriters (or the security companies themselves) better information with which to assess the risk of an organization falling victim to a cyberattack. Better information leads to lower cyber insurance premiums for companies and healthier premium margins for insurers. The approach is similar to auto insurance companies that provide devices to monitor how safely drivers operate their vehicles. This information, along with other external data such as location, driving distances, past tickets, etc., provide more informed and, therefore, more cost-effective premiums — benefiting both the insured and the policy underwriter. The emerging breed of cyber insurance providers will take a similar approach, gathering data about the investments made by the end client for cyber protection — in some cases, facilitating those investments — and also gathering external data about threat actors targeting smaller companies. SMEs stand to improve their security posture while gaining access to affordable cyber insurance policies.