DataTribe Insights - Q2 2022: Economic Storm Makes Landfall
The DataTribe Team
Heraclitus’ observation that “the only constant in life is change,” is as true today as it was when he first said it thousands of years ago. The past two years alone have supplied us with a decades’ worth of surprises, enough to make one wonder: “What’s next?” For those of us in the cybersecurity world, there are a lot of variables at play. Whether war or inflation, cybersecurity continues to be essential in an increasingly-online world. Cyber is a seawall in an economic hurricane.
In the first quarter of 2022, all eyes were on Russia’s shocking invasion of Ukraine, where unprovoked brutality continues. Yet while Ukraine’s territory has been invaded, there hasn’t been a major breach of Ukrainian cybersecurity despite attempts being made. In fact, quite the opposite: hackers like Anonymous united to attack Russia. Ukrainian cyber defenses are holding against Moscow’s cyberwar apparatus, a sign that cybersecurity can and does work.
In the second quarter, U.S. markets continued to flounder, dragging down an already fragile global economy. The world is still struggling to contain the pandemic and continues to suffer from supply chain challenges and rocketing inflation. The Federal Reserve increased interest rates to fight inflation and all major stock indexes continue to fall (including our beloved NASDAQ, by a shocking 22%), Bitcoin was decimated, and IPOs have all but disappeared. Yet despite these challenges, public and private cybersecurity companies have remained more resilient compared to other tech sectors. This is not all that surprising given cybersecurity is a top spending priority according to a Goldman Sachs survey of CIOs. Gartner projects spending on cybersecurity will grow 11% this year and next.
We did, however, see a correction in Q2. While not as hard-hit as the rest of the market, public cybersecurity stocks fell. Select companies, mostly late-stage, laid off employees. Big picture, we think this is a great time for cybersecurity investing. Public and late-stage private companies will be taking advantage of the environment to make good acquisitions, and keep up the flow of capital going to cybersecurity. Great cybersecurity companies will also be born.
Q2 Cyber Deal Activity
Overall, early-stage deal volume was down in 2022 Q2 compared to Q1 2022. This is not surprising, given the federal reserve hiked interest rates to combat inflation and the stock market tumbled in response. Private investors naturally reevaluated positions and became more disciplined, leading to fewer deals at all stages. Cyber seed deal volume decreased year-over-year by 19.5% (Q2 2021: 41 to Q2 2022: 33) while overall deed deal volume increased by 5% (Q2 2021: 1214 to Q2 2022: 1275). Cyber Series A deals declined by 43%( Q2 2021: 21 to Q2 2022: 12) while overall Series A deal volume declined by 28% (Q2 2021: 467 to Q2 2022: 339). As a percent of overall deals, Cyber seed deals are down but still in line with historical averages of 3%. Cyber Series A deals have fallen from the peak of 8% at the beginning of the pandemic in Q2 2020.
Median cyber seed deal valuations have dropped by 33% from $18 million in Q1 2022 to $12 million in Q2 2022, but still 50% higher than Q2 2021 when cyber seed pre-money valuations were $8 million. Cyber series A saw a 10% drop in median valuation from $45 million to 40.5 million, which is 23% higher then Q2 2021.
While PitchBook data shows a decline in early-stage cybersecurity deal volume and valuations, DataTribe continues to see a robust and quality flow of cybersecurity companies. In our talks, founders generally understood that capital was scarcer and seemed more open to lower valuations. In the long run, realistic valuations will better serve seed-stage entrepreneurs as they raise future rounds of capital.
Shields Stay Up
Today’s geopolitical and economic turmoil makes being ready more important than ever before – and while it may seem a daunting task at first, the threats present in today’s ecosystem are only growing. Russian and Chinese malware and botnets have already been deployed against Ukraine, and there are no signs that these threats will subside anytime soon. In response to the increased threat environment associated with Russia’s invasion of Ukraine, the Cybersecurity and Infrastructure Agency (CISA) borrowed from Star Trek to create its easy-to-remember “Shields Up” campaign to tell organizations to level up cyber defenses.
But hyper-vigilance is impossible to sustain for long. How do we keep ourselves safe without being on red alert forever? The Biden Administration has prioritized improving cyber infrastructure across the country to upgrade defenses, raise the nation’s security baseline, and share some of the defense burdens. The philosophy is simply that prevention is easier than curing, and cooperation is the first step toward prevention. Better infrastructure with fewer vulnerabilities will help foil attacks.
Similarly, targeted, actionable notices will keep industry and the public primed in cases of imminent threats. The Administration and CISA can provide information on detecting, responding to, and recovering from attacks, ultimately lessening the impact of intrusions. This notification system could be applied at any level – from individuals, all the way to a nationwide threat announcement, with information and guidance tailored accordingly.
Ultimately, improving cybersecurity is a multi-layer process. It means knowing which of your assets are exposed, consistently monitoring for intruders, having backups ready to minimize disruptions, and being prepared to respond in the event of an attack. It requires time, effort, and know-how, even if there is no immediate or imminent threat at hand.
Clear and Present Danger to Industrial Environments
In Q2, a new industrial control systems malware toolset was discovered that appears to be particularly troublesome. Dubbed PIPEDREAM by industrial control systems security firm Dragos, Dragos characterizes the attack tools as a “clear and present danger”. CISA, the National Security Agency, and the FBI are now urging industries to implement defenses against malware attacks that target industry control systems (ICS) and operational technology (OT) networks that use programmable logic controllers (PLCs) from Schneider Electric and Omron, and servers based on Open Platform Communications Unified Architecture (OPC UA).
While it is unclear where these malware came from, their sophistication points to state actors, likely Russia or China. Attackers are able to download data, alter devices, surveil industrial environments, identify high-value targets, and launch attacks against sensitive systems. There is massive destructive potential in these attacks, up to and including loss of life – and defending against them is critical. The first steps are zero trust architecture, stronger passwords, and disabling unnecessary or unused functions. More details are yet to come on this evolving threat, but limiting vulnerabilities and hardening devices remain the surest ways to stay secure and ward off an opportunistic attack.
Knowing Your Attack Surface Is Getting Harder
As digital transformations continue, cloud infrastructure and the countless internet-connected assets grow, multiplying the complexity of attack surfaces. Attack Surface Management is the process of discovering, classifying, and assessing the security of all of an organization’s assets to try to eliminate vulnerable points that attackers might exploit. To stay ahead of bad actors, organizations must continuously monitor their attack surfaces, maintain asset inventories, and determine which vulnerabilities to address to reduce risk. It’s a never-ending battle.
We see Attack Surface Management getting even more challenging and poised for disruption as Internet Protocol version 6 (IPv6) is adopted. IPv6 was developed to deal with the long-anticipated problem of IPv4 address exhaustion. It provides a much larger addressing space, which allows for not only more IP addresses but also more efficient network routing. A number of ISPs have already migrated their networks to v6. As well, the Department of Defense and Office of Management and Budget mandates to migrate to v6 only by 2025 are compelling forcing functions for private sector companies that do business with them. These migrations are just the start to a foundational shift in the architecture of internet networking.
On the surface, the benefits of v6 are great, but IPv6 introduces new complexity into networks as devices that may be locked down appropriately in IPv4 may be inadvertently misconfigured in IPv6. This can result in network assets being accidentally left exposed on public-facing networks. Keeping track of all this creates a new challenge for network defenders.
Rise of the Web3 Hacks
Systems are being built on many Layer 1 networks, i.e., networks that provide final transaction settlement security and validation and Layer 2 networks which can manage higher volumes of transactions that eventually settle on Layer 1 networks. In this ecosystem, bridges link all these networks together, enabling assets to be transferred, and eventually smart contracts on one network to be called from another network. They’ve done a good job, but they could not plan for the complexity of network interactions as systems grow. Yet the weak link, the lowest-hanging fruit for hackers are the relatively immature and difficult-to-implement bridging technologies. This vulnerability has generated an endless stream of bridge hacks, including the Harmony bridge most recently.
Other aspects of the Web3 architecture also need to be secured, even though their vulnerabilities don’t grab as many headlines as bridge hacks. This includes common decentralized application (aka dApp) components such as the user interface and services like RPC Hosts, IPFS gateways, and network indexing services. The attack surface of Web3 has become complex, and while some traditional cybersecurity solutions can be applied to this new architecture, there are many opportunities to build new solutions to solve Web3-unique challenges.
With Lockdown Mode, Apple Escalates Against NSO Group
In the Q3 2021 Insights section, we covered Israeli spyware vendor NSO Group and its work helping governments to combat terrorism. NSO Group has also unfortunately been helping governments target journalists and activists by exploiting Apple devices’ zero-click, zero-day vulnerability. Apple quickly released an update to fix this vulnerability, and is taking even bigger steps to secure its users.
A new security tool will be introduced with iOS 16 this autumn called Lockdown Mode. It will give users the ability to cloak from tools like Pegasus (NSO’s product) and protect their data and privacy across iPhones, iPads and Macs. Furthermore, it will now offer enhanced security features by default across the board to all its users. The fact that anyone can turn on Lockdown Mode will be a huge step in cybersecurity awareness for the average person.
Given the degree of intimate personal information that is on a smartphone, it’s bad enough that offensive cyber teams at the nation state level are developing skeleton-key-level access to these devices. The fact that companies like NSO group seek to capitalize on these capabilities is troubling. We’re encouraged by companies like Apple are stepping up to the challenge of offering great security and privacy on their products. We hope more will follow suit.
MSPs Are Increasingly Attractive Targets
Last quarter, we highlighted the cybersecurity needs of small and medium-sized enterprises (SMEs), as well as the solutions available to them. SMEs are among the most vulnerable to cyberattack, as they often lack the budgets and skilled personnel to protect themselves. Adversaries are fully aware of this; attacks on small businesses accounted for 43% of cyber attacks in 2019. In fact, small business are more likely to be targeted than large enterprises, according to Barracuda Networks.
In order to manage the complexity of their IT, many small businesses outsource it to Managed Service Providers (MSPs) for their IT needs. In May, NSA issued an advisory specifically addressing the fact that Managed Service Providers (MSPs) were being target by hackers.
According to the NSA, vulnerabilities can make these MSPs little more than Trojan horses, allowing attackers access to sensitive systems and data. Attacking an MSP allows an adversary access to multiple businesses and individuals at the same time–a golden opportunity for any adversary.
Don’t Forget About China
While Russia’s hackers may be in the headlines today, the Chinese hacking apparatus is perhaps the graver threat to “our economic and national security.” China’s cyber operatives are well-funded, well-trained, and capable of launching the most sophisticated attacks that often go beyond cybersecurity. The Center for Strategic and International Studies analyzed 160 publicly-reported instances of Chinese espionage against the U.S. since 2000, and found only 41% of reported spying incidents involved cyber espionage.10 Chinese espionage programs cast wide nets, generally targeting businesses, academic institutions, lawmakers, or the general public to acquire commercial technologies. CSIS reported 51% of the 160 cases were aimed at acquiring commercial technology,11 whereas 34% of the incidents aimed to acquire sensitive military technology.
The Xi regime is less and less shy about throwing its weight around and will leverage every advantage it can against its geopolitical foes. Cyber attacks are just one weapon in its arsenal; Chinese officials routinely pressure overseas Chinese to spy for them or defend the regime across the world, from Sweden to Australia. The CSIS report found 32% of the cases it found involved private Chinese citizens, and a further 26% involved U.S. nationals who had been recruited by Chinese officials. China’s efforts to steal intellectual property, which the FBI believes to be larger than all other advanced countries combined, means companies of all sizes be vigilant in defending their attack surfaces.