Image: NSA public archive
As much as Silicon Valley's techno-libertarians would like to believe that they discovered the first semiconductors buried in the California wilderness, the relationship between Big Government and the nation's tech capital is long, complicated, and well-documented. The internet itself was a military research project, and government R&D funding has pushed along technologies ranging from GPS to Siri. Tech companies have made a fortune off government contracts, and intelligence agencies have even unleashed their own personal venture capital firms to invest in tech startups and recruit top tech talent to help mine through mountains of surveillance data.
But recently, the revolving door of the Military-Information Complex has started to swing both ways. As the New York Times reported recently, over the last year former military and intelligence operatives have flocked to Silicon Valley, where they are founding startups that specialize in helping other firms avert cyber-threats. As the market for cyber-security grows, these security analysts are leveraging the skills and connections they acquired in government intelligence agencies into a flood of venture capital cash: In 2012 alone, venture firms poured more than $1 billion into security startups, more than double the amount in 2010, according to the National Venture Capital Association.
To find out more about the intelligence community's Western migration, I spoke to Jay Kaplan, a 27-year-old former NSA analyst who left the agency in February to co-found Synack, a Menlo Park security startup that aims to safely crowdsource penetration testing for enterprise companies. Based on the "bug bounty" programs used by big tech companies like Google and Microsoft, Synack formalizes the model on a more trustworthy platform, acting as an intermediary between companies and a vetted global community of white hat hackers that Kaplan and his co-founder Mark Kuhr have curated based on connections and experience they developed while working in the NSA's Counterterrorism Division at Fort Meade, Md. The company, which recently raised $1.5 million in seed funding from Valley VC heavyweights like Kleiner Perkins Caufield & Byers and Allegis Capital, is proof of the premium that the tech world is willing to pay for an inside understanding of the national security apparatus.
MOTHERBOARD: Your company, Synack, is trying to crowdsource vulnerability testing to a vetted community of part-time, white hat hackers. How exactly does that model work?
Basically, the way the process works is that a customer comes to us and they say, 'We need to make sure that our internet-based properties are secure—we don't want anyone to hack into them, we don't want any type of adversary or someone with nefarious intent to gain access to customer records or do anything malicious.' So they come to us, and that's where the penetration-testing model comes in.
There are a couple of consultancies that do this type of work. We're a little bit different though, because we don't just hire people in-house to perform this work. We recruit a global community of researchers, and we incentivize them differently — it's not on a time-and-materials basis, they get paid when they actually discover security vulnerabilities. So after a company engages us, we list that on our web portal and we then have a pre-recruited researcher community on board [for our hackathons].
We've gained access to these researchers either through previous connections we've had, or through other experts in the industry, and also through recruiting efforts that we've done. These guys have been vetted through various steps to make sure that they are actually a trusted community, which allows us to leverage them for more sensitive types of testing.
What's the vetting process like?
We keep some of that under wraps, so I can't really speak to that in its entirety. But there are a couple of gates that we make our researchers go through. The first is a skills assessment to make sure that they are truly experts in the specific areas we're recruiting for. Beyond that we have a series of steps to tie these researchers back to their identities, to prove that they are who they say they are and aren't anonymous or using an alias. We're also currently formulating a series of steps to go even further into their backgrounds and ensure that they can be trusted by customers.
So it's like the Google bounty program, except that you guys get to pick the hackers. Do you think that companies are looking for a more trustworthy way to test their vulnerabilities?
At the end of the day, when you're performing security assessments, a company is only going to be as secure as the people performing those assessments. You want the widest range of expertise that you possibly can obtain. In today's industry, if you hire out an outside consulting firm, you're going to get one or two guys, with varying levels of expertise, performing the work over a set period of time, usually about a week. They're going to submit a report to that company at the end of the engagement, and that company is going to pay a flat fee for that type of engagement.
That model is just fundamentally broken. By leveraging hundreds, if not thousands, of researchers around the world for any particular engagement, [we're] getting a much wider range of expertise. Because our researchers are incentivized only when they find issues, it makes them think more creatively... It really mimics adversarial intent and motivation and that's ultimately what we're trying to achieve.
A company like Google, they spend millions of dollars on security — they still can't stay ahead of their security problems. They're receiving hundreds of submissions a day through their bounty program... These are from people around the world who are doing research, [whom] Google has not engaged with directly, and Google is paying out a ton of money to these guys.
That's how we conceptualized [Synack] initially. We decided to formalize it, and make it accessible to any company in a more trusted environment, so they can utilize this type of testing for unreleased products and internal infrastructure, which I think is going to be a real game changer.
Jay Kaplan, left, and Mark Kuhr, right, ditched the NSA's Counterterrorism Division to found security firm Synack. Photo courtesy of Jay Kaplan.
You and your partner met as interns at the Defense Department's Information Systems Agency, and then spent four years with the NSA's SIGINT division. How does your background inform what you're doing at Synack?
I've spent a ton of time in the penetration-testing and vulnerability space on the offensive side, looking at a variety of different technologies from around the world. At the end of the day, we came to the realization that when you put the right type of people in the same room and have a lot of people working on a problem, you're usually pretty successful.
Having those connections also gave us the ability to tap into a really interesting research community and we're able to leverage talent that they never really would have access to before. Because the model lets people do this work on the side, companies have the ability to leverage talent from engineers at some of the biggest companies, they are able to leverage talent within the government, they are able to leverage talent overseas. It's a really powerful model because you get access to these guys who would never really be doing work for a normal consultancy.
Why do you think so many former intelligence operatives are leaving the government for startup life?
I don't think it is necessarily a new trend, however it's clear that many innovative and entrepreneurial careers launch at intelligence organizations working on extremely difficult problems — some are the same problems that have direct applicability to private sector growth segments, causing these opportunistic government employees to leave their jobs. There is a long history of public to private sector migration, whether in the security space or elsewhere — I think we're seeing more prevalence in the news recently that could give off the perception of a growing market.
So far, Synack has been focusing on enterprise customers. Do you think the government would ever use your product?
The government is traditionally pretty conservative, especially on the security front. However, we are centering our entire model around trust, and because of that, I think it's absolutely possible that the government could engage in this type of work. We see government agencies getting breached quite frequently — I think [our] model has proven itself, I think it would be extremely effective and valuable for them, so I certainly do see it as a possibility.
I think the government is starting to be a lot more open-minded about private technology solutions that can make them more secure. The government realizes that they can't develop everything in house, and [that] private industry is going to come up with a lot of innovative technologies that they can leverage... But that's probably all I can speak to.