Hi there fellow Fools!
The recent SolarWinds hack has amped up my already strong belief that cyber security was going to grow robustly for years to come…and is why I normally tell young people studying Computer Science, Math, or Game Design to consider this for their future career.
So how big is it? Don’t know but it’s gotten a lot of press lately. The commonly quoted numbers are $3 Trillion per year in 2015, $6 Trillion in 2021 and >$10 Trillion per year by 2025. If true those numbers are mind-numbing! Note that these costs include direct theft, IP loss, costs due to loss of internet service, etc. They do not include cyberbullying, youth predation or a host of other cybercrimes. Only the US and China have a bigger GDP than $6 Trillion per year (Japan is third at $5 Trillion/year). So these numbers would mean that cybercrime is already the third largest economy in the world…if only it had borders.
https://www.investopedia.com/insights/worlds-top-economies/
When I’ve tried to find the original sources for these numbers I failed. Many cybersecurity companies make these claims, and newspapers repeat them. One report claimed that the World Economic Forum (group that puts on Davos) was the source. Here they say something similar but then point back to Cybersecurity Ventures which points back at the World Economic Forum as being the source.
https://www.weforum.org/projects/partnership-against-cyberci…
https://cybersecurityventures.com/cybercrime-damages-6-trill…
Two groups quoting each other seems less than rigorous to me.
The best number I can come up with was calculated by Accenture which reported in 2019 that the aggregate world cost from 2019-2023 would total $5.2 Trillion. Toward the bottom of this page is a link that will get you a copy of the report:
https://www.accenture.com/us-en/insights/cybersecurity/reinv…
These are the numbers actually reported by the World Economic Forum’s Partnership against cybercrime. This looks to be a pretty serious group involving a lot of competent companies. You can download their ‘Insight Report’ dated Nov 2020 here:
https://www.weforum.org/reports/partnership-against-cybercri…
So this cuts down the cost of cyber crime considerably, by a factor of 5, but still…it’s a big number…which implies to me that the TAM associated with the cybersecurity companies we study is probably much larger than currently thought.
The SolarWinds Hack has caused a great deal of turmoil. As a result, US politicians are pushing for government oversight, regulation and perhaps even using it as a central source of appropriately tested software.
https://www.politico.com/news/2020/12/19/how-federal-hack-ha…
The US Government organization most centrally focused on cyber security (not including FBI, NSA, etc. which have substantial capabilities) is the Cybersecurity & Infrastructure Security Agency https://us-cert.cisa.gov/
Their assessment of the SolarWinds hack is available here: https://us-cert.cisa.gov/ncas/current-activity/2020/12/19/ci…
https://us-cert.cisa.gov/ncas/alerts/aa20-352a
https://cyber.dhs.gov/ed/21-01/#supplemental-guidance
Here are several points as I understand them (as a physical scientist, not as a computer scientist…so please recognize that I’m WAY out of my pay grade in this posting).
-They don’t actually know who did the hacking, or how many groups were involved…although there is a favorite suspect. Apparently cybercriminals were selling access to SolarWinds computers through underground forums which might mean that there was a school of predators feeding rather than just a single government entity (https://www.reuters.com/article/global-cyber-solarwinds/hack…)
-They don’t know the extent of the hacking but it is almost certainly much larger than reported and we’ll learn part of that in the coming months. It also isn’t clear whether other software systems that had vulnerabilities were hacked as well…meaning that we don’t yet know if the companies we’ve invested in are fault free.
-The exploited vulnerabilities existed largely in legacy systems…which strengthens the call for Cloud-based security products, software update, and data storage.
-Government software releases will be tested a lot more before release in the future, which will slow and limit government software procurement. For example: NASA’s JPL restricts software distribution until approved, and has done so for a long time. Any growth of government regulation/testing will mostly impact the companies that have a large part of their revenue coming from the government.
-More scrutiny will be given to corporate cybersecurity and software procurement…which probably favors the incumbents (as in: nobody ever got fired for picking IBM).
In summary I think we can anticipate a LOT more turmoil for some months to come…that will provide both risk and opportunity for the companies we follow. Also, I think the cybersecurity TAM has been grossly underestimated (5x, 10x?)…and public exposure from the SolarWinds hack is likely to provide big tailwinds to the growth of Cybersecurity and data analytics companies.
Sorry for being so longwinded. I’m hopeful that it adds more data than noise to the conversation.
Larry (CrowdStrike is my largest holding, so I’m very much hoping that they prove to be a solution rather than a problem)