SAN FRANCISCO — In the ranks of technology incubator programs, there is AngelPad here in San Francisco and Y Combinator about 40 miles south in Mountain View. And then there is the Pentagon.
In the last year, former Department of Defense and intelligence agency operatives have headed to Silicon Valley to create technology startups specializing in tools aimed at thwarting online threats. Frequent reports of cyberattacks have expanded the demand for security tools, in both the public and private sectors, and venture capital money has followed. In 2012, more than $1 billion in venture financing poured into security startups, more than double the amount in 2010, according to the National Venture Capital Association.
For years, the Pentagon has knocked on Silicon Valley’s door in search of programmers to work on its spying technologies. But these days, it’s the Pentagon that is being scouted for expertise. Entrepreneurs and venture capitalists are finding it valuable to have an insider’s perspective on the national security apparatus when trying to find or prevent computer vulnerabilities or mine large troves of data.
“They have unique insights because they’ve been on the front line,” said Matthew Howard, a former intelligence analyst in the Navy and now a managing partner at Norwest Venture Partners, referring to former military and intelligence operatives who have hatched startups. He has invested in several such companies. “Now they’ve got commercial desires. The lines are blurring.”
One of the startups is Synack, which promises to vet an army of hackers to hunt for security vulnerabilities in the computer systems of government agencies and private companies. The company’s founders, Jay Kaplan and Mark Kuhr, met in Fort Meade, Md., in the counterterrorism division of the National Security Agency. They left the agency in February after four years there, and later decamped to Silicon Valley. Within weeks, they had raised $1.5 million in seed money; they are now working with their first customers and pitching their experience in the spy agency.
“Doing things on a classified level really opens your eyes,” Kaplan said. “The government is doing a lot of interesting things they don’t disclose. You have a unique perspective on what the adversary is doing and the state of computer security at a whole other level.”
Morta Security, another of the startups, was founded by Raj Shah, a former F-16 fighter pilot for the Air Force in Iraq. He described himself as “a policy adviser” to the NSA before moving to Silicon Valley to establish the company this year with two former analysts. Morta’s work is in such “stealth mode,” in valley parlance, that the company has said nothing about what it is working on. Nor would Shah describe fully what his two co-founders were doing at the agency before they formed the company.
“There are very sophisticated threats that are able to steal data from corporations and government,” is all Shah would say. “Our guys’ background — they just have a deeper understanding of that problem.”
Although Silicon Valley sees itself as an industry far removed from the Beltway, the two power centers have had a longstanding symbiotic relationship. And some say the cozy personal connections of ex-intelligence operatives to the military could invite abuse, like the divulging of private information to former colleagues in the agencies.
“They have enormous opportunities to cash in on their Washington experience, sometimes in ways that fund further innovation and other times in ways that might be very troubling to many people,” said Marc Rotenberg, executive director at the Electronic Privacy Information Center in Washington. “Both sides like to maintain a myth of distant relations. The ties have been in place for a long time.”
The ties are more than personal; the National Security Agency is among the few organizations in the world, along with companies like Facebook and Google, with a cadre of engineers trained in mining big data.
By working at the NSA, “you get to be on the bleeding edge, not just the cutting edge of what’s possible,” said Oren Falkowitz, who left the agency last year to start Sqrrl, a big data analytics company based on technology developed at the agency. Falkowitz has since left Sqrrl, which is in Boston, and is considering moving to Northern California to start working with a big data company.
Last year, Sumit Agarwal left his post as a deputy assistant secretary of defense to join Shape Security, a Mountain View company that offers what it calls “military grade” security solutions against botnets, groups of infected computers used for attacks.
Shape Security’s chief executive is Derek Smith, a former Pentagon consultant whose last company, Oakley Networks, which specialized in detecting insider threats, was sold to Raytheon, the military contractor, in 2007. Since its inception in 2011, Shape Security has raised $26 million in venture financing.
Computer security experts are leaving other parts of government for startups, too. Sameer Bhalotra, who worked on cybersecurity issues at the White House, was recruited by a Redwood City-based security company called Impermium. And Shawn Henry, a former computer security specialist from the FBI, left his job in government last year to help establish CrowdStrike, a computer security firm.
In Israel, government security workers have long found a career path in moving to startups, said Peter Wagner, a partner at a recently opened venture firm, Wing Venture Partners, in Menlo Park. Many Israeli entrepreneurs come out of the Israeli military and intelligence services, he pointed out.
“It’s not surprising that some of the same type of experience is finding its way into entrepreneurial endeavors here in the U.S.,” Wagner said.
The idea for Synack came to its founders, Kuhr, 29, and Kaplan, 27, when they were working side by side at the NSA’s computer network operations division; within the agency, that includes figuring out how to attack or exploit data gathered from a computer network. Nights and weekends, they hatched their business plan. They proposed to assemble an army of vetted bounty hunters from around the world to find security bugs. Their product is a variation of the so-called bug bounty programs run by large companies, like Facebook and Microsoft, that in effect invite security researchers to try to crack vulnerabilities in their systems — and reward them if they do.
Part of their pitch to potential customers is that they will vet the bounty hunters before setting them loose. They hope to sign up government agencies as customers, along with private firms, especially in the software services sector.
“We are able to provide security experts previously inaccessible to companies,” Kaplan added.
Both men’s college educations were paid for by NSA scholarships — Kaplan at George Washington University, Kuhr at West Point Military Academy and then at Auburn University. With that came an obligation to work at the agency, which they did, each for four years.
“We really liked our jobs there,” Kuhr said.
Then they headed west, drawn by the same dream of riches that draws so many other people here.
With the threat of cyberattacks growing, Silicon Valley entrepreneurs are rushing to develop technology to thwart online threats. To find the top talent in defense and intelligence, startups are looking to Washington.