DataTribe Insights - Q3 2022: Brakes are Smoking… Headin’ for the Runaway Ramp
The DataTribe Team
At the end of Q3 2022, with conflict in Europe and the world creeping back to normalcy after years of pandemic disruption, we find ourselves in odd economic times buffeted by conflicting crosscurrents. Inflation is at its highest levels since the ‘70s and the Fed, white-knuckled, is pumping the brakes. So far, the Fed has increased rates five times in 2022 for a total increase of 2.25%. Accordingly, the S&P 500 is down 21% YTD. In spite of all this, it still is remarkably hard to hire. Labor markets remain tight.
A majority of economists see a recession ahead. The Wall Street Journal’s economist survey reports 63% of economists believe a recession will occur in the next year, up from 49% in July. Bloomberg projects the recession is 100% certain and will start in ten months. In most of tech, it feels like it is already here. The NASDAQ is down 30% YTD. There is no appetite for IPOs and valuations have contracted and continue to shrink. This mood seems evident in venture capital as well, where investing is down 53% since Q3 2021 and down 37% from Q2 2022. Late-stage deals are down 63% from Q2 2022 to Q3 2022, while seed-stage deals are down 18% from Q2 2022 (though seed-stage cybersecurity was flat).
At the same time, bubbly financings are continuing to happen (e.g., Jasper’s recent $125M raise at a $1.5B post valuation). Our corner of the economy, early-stage cybersecurity, feels insulated from the maelstrom. We started collecting applications for the annual DataTribe Challenge in early August 2022, and can attest to the strong and steady march of disruptive innovation.
Looking ahead, 2023 is likely to be a slog for most startups, but less so in cyber. While several CISOs we work with highlight new levels of scrutiny in their budget requests, malicious actors and cyberattacks continue to drive robust growth in cyber markets.
In this quarter’s report, we reflect on the Twitter whistleblower’s claims and how they mirror broader trends in cybersecurity, explore parallels between the ‘90s Crypto Wars and efforts to regulate cryptocurrency, and look at how key management remains a major weakness in enterprise cyber hygiene.
Q3 Cybersecurity Deal Activity
It should come as no surprise that overall U.S. venture activity is down year-over-year. The current economic headwinds are pressuring private capital markets, just as they are the public markets. The exception is Seed investment activity in cybersecurity, which increased 37.5% from 24 to 33 deals YoY. Cybersecurity Series B investors also notched a slight increase in activity, with one additional deal inked in Q3 2022 (8) vs. Q3 2021 (7). Across a broader spectrum of investment rounds (Seed through Series E), cybersecurity activity is down only 3.3% YoY, compared to the 23.7% decline observed YoY across all verticals. Anecdotally, from our own deal flow and conversations with other security investors, this is expected. Innovation in cybersecurity continues to thrive, particularly for the youngest companies.
Q3 2022 also marked a continued decline in valuations across nearly all stages. Seed investments in cybersecurity are the notable exception, with median pre-money valuations increasing 12.5% YoY from $12M to $13.5M, but still well off the all-time high of $18M observed in Q1 2022. While a good directional indicator, it’s important to note that monthly and quarterly changes in private company valuations paint an incomplete picture of the venture capital landscape. Valuation is only one of the variables in the transaction equation.
Another interesting data point to analyze is the percentage of the company that startups are selling to investors in their investment rounds. As you can see in the chart above, the percentage purchased over the last ten years is quite stable. At Seed, it has remained almost flat at 25%. This speaks to the venture capital model and that VCs are typically targeting a certain ownership percentage in a financing. What has changed more has been valuations and thus the round sizes.
While things are more expensive today than they were ten years ago, it does not require 6-7 times as much capital to get a company from Series A to B today. So, what’s going on? There are a couple of factors at play. First, the characterization of venture rounds continues to evolve. What was a “Series A” in 2012 is more like a “Seed” round today. So, the rounds themselves are not entirely apples-to-apples over the last decade. Second, record amounts of private capital have gone into venture capital over the last five years, so more capital is chasing quality startups and pushing valuations upward.
Paul Revere Meets the Fail Whale
In early Q3 2022, the recently-dismissed CISO of Twitter, Peiter “Mudge” Zatko, filed a lengthy whistleblower report to the SEC about the lax security practices at Twitter. Later in the quarter, his complaints came to life through his broadcast testimony to the Senate Judiciary Committee. The specifics include a general lack of controls over user data. According to Mudge, nearly half the company (mostly engineers) were granted broad access to user data with little or no monitoring. There was also discussion of concern that countries, including China and India, had intelligence agents embedded on Twitter’s staff with unfettered access to hundreds of millions of user accounts. Mudge said, “We simply lacked the ability to hunt for foreign intelligence agents and expel them on our own.” (Tip: We know a place where Twitter can get this capability, https://striderintel.com)
The first thing to know about Mudge is that he is an OG member of the cybersecurity world. He started an elite hacker think tank, has worked with DARPA and Google, and has been trailblazing in cybersecurity since he testified in front of Congress on serious internet security issues in the late ‘90s. The video of the 1998 hearing is fascinating. In fact, Senator Joe Lieberman in ’98 dubbed him the “Paul Revere of cybersecurity.” So, Mudge brings credibility to his observations.
The episode of Mudge and Twitter is an operatic example of a broader phenomenon that is happening throughout tech in general: the collision between the cultures of speed-oriented, just-ship-it software engineering and risk-mitigating security. Twitter and Mudge each represent these two respective cultures in their purest form.
Twitter, a viral success, experienced torrid growth for years. Remember the early days of Twitter when the notorious Fail Whale would routinely come up instead of the site? The rapidly-growing engineering team struggled just to keep the thing up. Then there was the question of how to make money with it. So, it’s no surprise that security corners were cut. “Many engineers at Twitter had a stance that security measures made their lives difficult and slowed people down,” said Edwin Chen, a Twitter engineer, quoted in the Washington Post.
Enter Mudge, the Paul Revere of cyber, to this behemoth of sensitive PII, 50-million-follower influencers, years of technical debt, and mis-aligned incentives. It was the proverbial immovable object meeting the irresistible force. The ensuing difference of opinions led to Mudge’s eventual dismissal and the whistleblower report.
While this is a conflict between software engineering and security on a grand scale, the same dynamic is playing out in almost all organizations that produce software. Long considered an afterthought at the end of the software development lifecycle, security is ascending in importance and shifting left, earlier in the development cycle. This reorientation of focus and skills in the software development process is a foundational trend. The AppSec and DevSecOps trends have been happening for years, but we are still only in the early phases of the transition to a world where the software development process and security are seamlessly integrated.
Twitter, while not as large as other social networks, is where journalists and thought leaders congregate. That gives Twitter outsized influence and, thus, responsibility. While we are sure that there are two sides to the complaints that Mudge reported, it’s clear that there was enough there to be concerning. For example, something really striking to come out in Mudge’s testimony is that allegedly Twitter engineers directly checked code into production. They don’t have staging or test environments. It’s actually hard to believe. If true, it would represent a reckless shortcut.
There is much more to come for Twitter with the ongoing saga with Elon Musk’s bid to buy the company. Whether there is a change of ownership or not, Twitter has been through a protracted period of demoralizing uncertainty and stress. Inevitably, a large number of staff at Twitter will leave – likely including key engineers that possess critical institutional knowledge. It will be a period of elevated security risk.
Mudge could have just left Twitter and shrugged it off. He didn’t have to author his report and take the personal cost to make it known to the public. We applaud him for doing so, and hope that it helps accelerate the adoption of more rigorous security controls at one of the world’s most important communication platforms.
‘90s Crypto Wars… Again?
In August, Tornado Cash was sanctioned by the U.S. Treasury’s Office of Foreign Assets Control (OFAC). According to the U.S. Treasury, Tornado Cash is “a virtual currency mixer that launders the proceeds of cybercrimes…” More specifically, because there is no entity called Tornado Cash, the focus of the sanctions prohibits U.S. entities from interacting with the addresses on the Ethereum chain that hold and run the smart contracts associated with the Tornado Cash service. The rationale for the sanctions was because an estimated $7 billion worth of tokens were laundered through the Tornado Cash smart contracts – a good portion by hacker groups, such as North Korea’s Lazarus Group.
This fact is not disputed (other than maybe by North Korea), and the sanctions likely made it significantly harder to launder funds through Tornado Cash, because the anonymity of transactions is related to the volume of transactions through the system. On that basis, the sanctions were a success. But the implications of such a sanction and the reaction from the crypto community are quite significant.
The sanctions were against a piece of software, owned by nobody, and running autonomously on Ethereum. In 1995, Bernstein vs. U.S. ruled software to be speech and therefore protected by the First Amendment. Are these sanctions a violation of the First Amendment? Sanctioning a smart contract could be analogous to sanctioning the use of Linux, which doesn’t make sense, and likely would be a clear violation of the First Amendment.
The lack of details provided around such a groundbreaking application of sanctions threw the crypto community into a tizzy (admittedly it doesn’t take much to get this crowd going). The concern is warranted. Without clear details on how to treat the sanctions, there has been mass confusion around a square-peg rule being applied to a round-hole situation. Where will the government draw the line on how privacy can be implemented within blockchains? How can privacy be implemented for a trustless blockchain environment without running afoul of current regulations, and potentially sanctions, if bad actors use the implementation? Bad actors use any tool that is beneficial to their goals, including cash, encryption, private communication tools, and of course, cryptocurrency.
The adversarial interaction between the government and builders in Web3, particularly those focused on building privacy capability, is similar to the crypto wars of the ‘90s. The post-Bernstein vs. United States executive order that removed encryption from the U.S. Munitions List led to worldwide availability of quality encryption algorithms, thereby leading to mass adoption of e-commerce and the management of business data on the internet. Today, without more privacy around blockchain transactions, Web3 will not see mass adoption for business transactions and general payments.
While in the short term, the U.S. government likely views the sanctions as a win, will these actions drive the crypto community to more aggressively build capabilities to protect against government intervention with even less regard to how it could impact law enforcement’s ability to protect society from bad actors? This would be bad for both sides. As the world migrates to Web3 architectures, it will not be possible for developers to solve all the world’s problems by building autonomously running systems that implement perfectly balanced rules and incentive structures (tokenomics, in Web3 parlance).
In spite of strong libertarian undercurrents in the Web3 world, we have a hard time seeing a future that is governed purely by software and automated systems. There will be a need for manual, people-managed rules, regulation, and law enforcement. Figuring out smart regulation that gets the most out of the potential of Web3 while minimizing negative unintended consequences will not be easy. Web3 technologists and policy makers (hopefully many of whom will be Web3 technologists) will need to work together.
Cybersecurity Trends to Watch
“Be Yourself; Everyone Else Is Already Taken…”
… said Oscar Wilde, but we need to make sure that they don’t take your identity as well. Identity and authentication continue to be active areas of innovation—and for good reason. Stealing or spoofing an identity using data from a data breach or social engineering is a leading attack vector. The weak link in these attacks is the password used for authentication.
So, it makes sense that the cybersecurity industry is behind passwordless authentication. At the Authenticate Conference, the big three—Google, Apple, and Microsoft—all promoted their passwordless passkey capabilities. But what does “passwordless” really mean, and how are passkeys better than passwords? The terms are a lot more about how the underlying technology works versus any notable changes to the user experience. Mobile phone users are already quite used to using a PIN, face scan, or fingerprint scan to authenticate with their phone, and mass adoption of passwordless authentication by these users will actually not feel much different. The difference is there no longer will be complicated passwords to remember for each app or website, as users can just use the same face scan they are already using to unlock their phone.
So, how does this work? Much of what the big three and many others are promoting is based on the FIDO2 standard. FIDO2 provides a standard way for websites and other services to interact with user devices using public key infrastructure (PKI). A public key is generated for a participating website to keep, and a corresponding private key (the passkey) is stored in a super-secure way on the user’s device—typically in a secure enclave. The private key can never leave the enclave and can only be used to authenticate if the PIN or successful biometric scan was done on the actual device. When all users are using these passkeys, it will be a bad day for the bad actors. There will be no central databases of passwords and no way to trick users into giving them the passkey—because it never leaves its storage location. This is great, but unfortunately, there are still ways in for the bad actors. It could still be possible to install keyloggers or remote access trojans (RATs) that can enable them to see a user’s PIN as it’s being typed. To defend against these attacks, some type of multi-factor authentication (MFA) scheme still needs to be incorporated.
The Enterprise Password on a Post-It
In Q3 2022, Uber and the Veterans Administration each experienced high-profile breaches that were made worse by hackers finding unprotected secrets.
In Uber’s case, an 18-year-old socially engineered his way to getting an employee to give him an internal system password. From there, the hacker was able to find “highly-privileged credentials on a network file share and [used] them to access everything, including production systems, Uber’s Slack management interface and the company’s endpoint detection and response (EDR) portal.”
As reported in FedScoop, the Veterans Administration breach resulted from a “federal contractor published source code containing sensitive credentials on internet hosting service GitHub, sources told FedScoop… The compromised information included hard-coded administrator account privileges, encrypted key tokens and specific database table information.”
There’s much to say about Uber’s security controls and the Veterans Administration’s software development practices. However, we’re going to focus here on the fact that in both of these situations sensitive secrets were left out for the taking.
The general lack of rigorous identification and management of secrets remains a major issue within enterprise IT. For example, while guidelines from NIST and PCI call for encryption keys to be rotated once per year, this already complex task is made harder by the fact that many organizations have no idea where all their secrets reside. Only the most advanced organizations have a practice of rigorously searching for secrets, inventorying them, and ensuring they are properly managed in a key management system.
Knowing where your secrets are and ensuring that they are not being hard-coded into software or left on file servers is a form of basic cyber hygiene that is long overdue for systematic improvement. We sympathize with the relentless list of priorities confronting CISOs on any given day. However, we believe improvements in this area will fundamentally improve security risk for organizations and help to shorten that to-do list.
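As an added example of the secrets sweep the two paragraphs above call for (constructed for this report, not code from the post, Uber or the VA), the block below scans a small sample “repository” for hard-coded credentials and checked-in private keys, reports each finding with the value redacted, and flags inventory keys past the once-per-year rotation guidance. The sample files, inventory dates and detection patterns are all assumptions; a real sweep would use a far larger pattern set and walk the actual file tree.

```javascript
// Constructed sample "repository": two hard-coded credentials of the kind the
// VA case describes, one checked-in private key, and one harmless mention.
const SAMPLE_FILES = {
  "db/config.py": ["DB_HOST = 'db.internal'",
                   "DB_ADMIN_PASSWORD = 'constructed-admin-pw-1'"],
  "deploy/env.sh": ["export REGION=us-east-1",
                    "export API_TOKEN=tok_constructed_0123456789"],
  "keys/old_deploy.pem": ["-----BEGIN RSA PRIVATE KEY-----", "(body omitted in this demo)"],
  "README.md": ["Set DB_ADMIN_PASSWORD through the vault, never in code."],
};

// Constructed key inventory: what a key management system should be able to
// answer for every secret it knows about.
const SAMPLE_INVENTORY = [
  { id: "kms/payments-db", lastRotated: "2021-06-01" },
  { id: "kms/ci-signing",  lastRotated: "2022-08-15" },
];

const SECRET_PATTERNS = [
  // an identifier containing password/secret/token/key assigned a literal of 8+ chars
  { type: "credential-assignment",
    re: /\b([A-Za-z_]*(?:password|passwd|secret|token|api_?key)[A-Za-z_]*)\s*[=:]\s*["']?([^"'\s]{8,})["']?/i },
  { type: "private-key", re: /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/ },
];

// Keep only a hint of the value so the findings list is not itself a leak.
function redact(v) {
  return v.length <= 4 ? "****" : v.slice(0, 2) + "*".repeat(v.length - 4) + v.slice(-2);
}

// One finding per matching line: path, line number, kind, identifier, redacted preview.
function findHardcodedSecrets(files) {
  const findings = [];
  for (const [path, lines] of Object.entries(files)) {
    lines.forEach((line, i) => {
      for (const { type, re } of SECRET_PATTERNS) {
        const m = line.match(re);
        if (m) findings.push({ path, line: i + 1, type, name: m[1] || null, preview: redact(m[2] || m[0]) });
      }
    });
  }
  return findings;
}

// Keys whose last rotation is older than the once-per-year guidance cited above.
function overdueForRotation(inventory, nowMs, maxAgeDays = 365) {
  const dayMs = 86400000;
  return inventory
    .filter(k => (nowMs - Date.parse(k.lastRotated)) / dayMs > maxAgeDays)
    .map(k => k.id);
}
```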