From: Forbes
Written by Deepak Jeevan Kumar, a Principal at General Catalyst Partners.
Can the next Edward Snowden be from Silicon Valley?
The last 5 years have seen the meteoric rise of the App Economy, which spans mobile apps downloaded on smartphones/tablets and web apps used directly on browsers. The annual revenue of the mobile-based App Economy is estimated at $72 billion today and is expected to double to $151 billion by 2017. The web-based App Economy is far bigger. Most importantly, the App Economy has permeated our everyday lives very deeply and has changed the way we interact with each other, buy virtual goods, order physical retail goods and entertain ourselves. Netflix, Twitter, Zynga, Facebook, etc. are only a few of the well-known ones. The App Economy is also a great equalizer. Hundreds of other startups like Uber, WhatsApp, Fab, Instagram (acquired by Facebook) and Square are equally important to our everyday lives. New distribution channels and new cloud infrastructure technologies enable even smaller startups with a handful of employees and little funding to reach millions of users in a few months and effectively compete with bigger established players like Google, Electronic Arts and HBO. Unfortunately, security is an afterthought to many of these smaller startups, which are laser-focused on product innovation and user acquisition.
Hackers love attacking targets that are either high profile or have massive quantities of sensitive data. Their attention is turning towards the App Economy very quickly and effectively. Twitter, Tumblr, WordPress, Facebook, and LinkedIn have all been targets of recent high-profile attacks. In April, a hacker tweeting from the account of the Associated Press falsely indicated explosions at the White House and caused a temporary panic on Wall Street. This is only the tip of the iceberg. Damaging attacks can also occur on smaller low-profile startups that don’t have sufficient cyber defenses in place. Many such attacks are not detected or solved. No one knows how many of the smaller gaming, ecommerce and communication startups have been hacked or what data has been stolen from them. This is not a big risk if these smaller startups have only a few users. However, these startups can have millions of users and also store Personally Identifiable Information (PII). In many cases, a hacker can get as much information by attacking these smaller startups as he would get by attacking a regional bank. A stark example is the March 2013 hack on Evernote, a medium-sized startup that has created a popular note-taking app. While not as well-known as Twitter or Facebook, it has millions of users. According to this news article, it is unclear how long the attackers had access to information. Luckily only usernames were compromised. Confidential content in the notes saved by users was safe.
The App Economy of today exists mostly on smartphones, tablets and the web. As new app platforms like Google Glass and iOS for cars emerge, the risks can increase exponentially. A cybercrime syndicate could cause traffic chaos by hacking some of the car apps and giving out misleading directions to drivers. Accidents can occur if these hackers show distracting images to pedestrians who are wearing Google Glass. Perhaps the days of ‘App Warfare’ are not far away!
These attacks can sometimes be life-threatening for startups if companies lose the confidence of their users as a result of theft of confidential data stored in the apps. Denial of Service attacks can increase cloud infrastructure hosting costs significantly and can even bring down a startup’s production servers, which would make it impossible for users to access their apps. Earlier this year, Sony was fined by the UK government for failure to protect against a cyberattack on its PlayStation Network. While the US government or affected users have not yet initiated civil action against smaller startups for such attacks, we can expect this to occur sooner rather than later. Unfortunately, such lawsuits could potentially put these startups out of business as they don’t have the financial muscle of big corporations such as Sony.
Three reasons compound this cybersecurity problem. First, App Economy startups are more interconnected than we think. The recent attack on Zendesk, a helpdesk app used by hundreds of Silicon Valley startups, exposed user accounts on Twitter, Tumblr and Pinterest. Secondly, smaller startups cannot afford armies of cybersecurity specialists, unlike bigger organizations such as Google, Twitter, Bank of America, NSA and the DoD. This brings us to the third reason. While innovation in code development and deployment has been very fast, innovation in cybersecurity technology has not caught up. Startups deploy code multiple times a day due to innovations like continuous integration and cloud computing. However, security audits are done once every few weeks, if at all. Most of these security audits are manual and time-consuming processes run by security audit firms that charge $50K-$250K. That is unaffordable on a regular basis for smaller startups.
Silicon Valley has two choices: solve this problem with better cybersecurity technology or wait for the government to regulate. The first option is preferable because regulations tend to be backward-looking while hackers are not. We need faster and automated cybersecurity tools that can help startups (and larger companies) identify security threats in real time, detect attacks as soon as possible and remediate critical issues. The government definitely has a big role to play here. As the largest buyer of cybersecurity technologies, the government should make it easier for cybersecurity startups to sell to different agencies. More importantly, research funding should increase to promote long-term innovation in this sector of national importance. The government should not shy away here. It is critical to remember that the internet was the result of a DARPA-funded project.