CIA Investment Arm Has Its Sights -- And Money -- Set On Security Startups


A publicly funded investment arm of the CIA has injected millions into the security industry, making strategic investments in companies that put its development requests to the front of the line, often giving the government's needs the highest priority.

Investments made by Arlington, Va.-based In-Q-Tel have influenced almost every area of information security, from identity management and data analytics to vulnerability management and malware analysis. Former and current In-Q-Tel staff and leaders at six of the dozen or so security firms that accepted funding from the firm told CRN that the injection of cash helped foster innovative new security technologies.

In-Q-Tel, which was created in 1999 as a nonprofit, has long been seen as the investment arm of the CIA. The venture capital firm receives more than $50 million in taxpayer funding annually through the CIA and other government sources, but also attracts private sector funds from venture capital firms to co-invest in the startups it finds attractive. In addition to the CIA, In-Q-Tel has broadened its scope to support the National Geospatial-Intelligence Agency, the Defense Intelligence Agency and the Department of Homeland Security Science and Technology Directorate.

"We like to call ourselves a public-private partnership," said Peter Kuper, a partner at In-Q-Tel, at a recent media dinner showcasing two firms that had accepted investments from In-Q-Tel. "We formed to break down the barrier between the government and private sectors to support the intelligence community with the tools they need."

SECURITY INVESTMENTS

The list of security companies receiving funding from In-Q-Tel includes ArcSight, a security information and event management company that was acquired by Hewett-Packard in 2010 for $1.5 billion. In-Q-Tel made a reported $3 million investment in the startup in 2002. Silver Tail Systems, which detects online fraud in real time by monitoring website behavior, accepted In-Q-Tel funding in 2010; it was acquired last year by EMC.

In-Q-Tel doesn't disclose exactly how much money it gives companies, but data gathered from the organization's tax forms and other sources indicate that it typically invests up to $3 million in startups. The list of information security companies also includes RedSeal Systems; Reversing Labs; SafeWeb, now part of Symantec; Cleversafe; and Oculis.

In-Q-Tel's investments aren't limited to security, however. The company also has made investments in big-data-related companies such as Palentir and Cloudera and file-sharing and collaboration platforms such as Huddle. In-Q-Tel provided funding to biotechnology firms as well.

Amit Yoran, who served a brief stint as CEO of In-Q-Tel in 2006, said the firm is an invaluable way for the CIA to tap into the private sector for innovative technologies. Yoran also spent a year as director of the Department of Homeland Security's National Cyber Security Division, where he helped build out the capabilities of the United States Computer Emergency Response Team.

"Government procurement practices are challenging and In-Q-Tel is trying to get over the high walls of the intelligence community, which is even more challenging, to help identify startups with technologies that would never make their way into the government or the intelligence community through the typical procurement practices," Yoran said.

Yoran has a relatively long history in the security industry, having co-founded network security company RipTech, which was acquired by Symantec in 2002. He was CEO of NetWitness, which was acquired in 2011 by RSA, the Security Division of EMC, and is currently senior vice president and general manager of the security management and compliance business unit at RSA.

"In-Q-Tel is less about the investment. as the core to its mission is to find commercially available capabilities and help them make their way into the intelligence community," Yoran said.

The innovation brought on by the government and, more specifically, In-Q-Tel, fosters innovation across the entire security spectrum, said Jim Butterworth, a former intelligence official who currently serves as chief information security officer of HBGary, which provides incident response and malware analysis.

"They would rather find a commercial entity and throw money at it to develop it than have the government create a huge research lab and innovate on its own," Butterworth said. "I don't think these guys can develop and research like a free market can."

Butterworth pointed to advances in data analytics and the potential for combining threat data with business data for contextual awareness as one of the areas being fostered by In-Q-Tel funding and other federal sources with seed money. Advances in behavioral analysis and malware functionality also are receiving funding.

TOO CONFIDENTIAL?

Skeptics, however, point out the difficulty in ensuring funding benefits without an entity in place, usually the public, to ensure an organization doesn't balloon out of control. Burgeoning budget expenditures and a lack of transparency have long been associated with the black budget -- secret military expenses that are kept confidential for national security reasons, said Pete Sepp, executive vice president of the National Taxpayers Union, one of the oldest taxpayer organizations in the nation, which calls itself nonpartisan.

"A fund or a mechanism like this is not necessarily a bad idea, but questions ought to be asked about how this is different from the problem-plagued current [government] processes and [whether it can] avoid becoming a problem," Sepp said. "Generally, trying to resolve the clash between the need for some parts of secrecy over details of projects and the need for transparency over the results and financial propriety is very difficult, and getting it right is important not only for national security, but for fiscal security too."

The government is not skilled at being an early adopter of important technologies and has a difficult job weeding out red tape in its procurement processes, Sepp said.

While In-Q-Tel doesn't provide specific details about its investment activities, the nonprofit does provide a good deal of transparency into its operations in its 990 tax forms. For its fiscal year from April 1, 2011, to March 31, 2012, the organization reported it received $64 million in government funding.

The 990 discloses the firm's operating expenses and currently lists assets totaling more than $218 million. In-Q-Tel said it receives 98 percent of its funding from the federal government. The document also provides a glimpse into some of its investments, but not a complete picture. Each year, the organization lists its top five highest-paid "independent contractors." In its latest filing, In-Q-Tel disclosed that it spent $7.5 million on technology development with five firms.

In that same fiscal year, In-Q-Tel paid out $22 million in salaries. In addition to 11 trustees, the company lists 14 full-time employees. Christopher Darby, CEO of In-Q-Tel, is listed as earning $1.6 million in compensation and $271,000 in additional compensation, which includes retirement and other benefits, according to the tax form. Darby's base salary is $617,000. He received a bonus of $1 million in the fiscal year.

Steve Bowsher, executive vice president who heads the firm's investment strategy, received $1.2 million in compensation and about $251,000 in retirement and other benefits. Bowsher's base salary is $569,000. He received a bonus of more than $701,000 in the fiscal year.

Darby has renewed his contract with In-Q-Tel through 2016, receiving a $400,000 signing bonus. His base salary is frozen at $630,000, according to the IRS document. Bowsher also renewed his contract, receiving a $200,000 signing bonus. His base salary is frozen at $580,000.

The investment firm states on its 990 form that it is bound to the CIA by a charter agreement. In-Q-Tel participates in reviews by the CIA's Inspector General's office and the U.S. Select Committee on Intelligence to test the effectiveness of the technologies it gets from its investments.

ROAD MAP INFLUENCE

Recipients of In-Q-Tel funding, while typically tight-lipped about how much money they've received from the investment group, told CRN that In-Q-Tel has influenced their product plans to effectively drive innovation in the security industry.

The government overall does a good job at developing security standards but relies on the private sector to develop security technology, said Chris Wysopal, chief technology officer at Veracode, which accepted In-Q-Tel funding in a 2008 deal that Wysopal said has benefited the company's product portfolio.

Veracode underwent a thorough review by In-Q-Tel, including an analysis of the potential for its application security technology and its long-term road map, Wysopal said.

"In-Q-Tel accelerates the parts of your business that help the intelligence community," Wysopal said. "Sometimes they steer you and say that the thing you have a year or two years out is something the intelligence community can use today."

Wysopal said the impact has been beneficial for all customers.

"The relationship is not much different than having a large customer requesting a feature," Wysopal said. "You find yourself doing a balancing act between helping out a customer with a specific need and working on features and functions that have more broad appeal to some degree."

Dov Yoran, co-founder and CEO of ThreatGrid, an antimalware analysis platform that recently received In-Q-Tel funding, said the investment firm required a certain influence on the product road map. The funding ensures that the intelligence community not only gets the technology, but gets a product that is more refined for their needs, he said.

Government procurement cycles and technology adoption are tremendously long and slow, and to get something on a proper schedule can be extremely costly, which eliminates companies with limited resources, Yoran said.

"In-Q-Tel helps you break that government veil of being an outsider looking in," Yoran said. "It benefits the company with not only larger exposure to potential clients, but real clients that are actually going to buy."

All In-Q-Tel funded firms interviewed by CRN declined to disclose the specific technologies or features that were developed for the intelligence community. At least one security startup rejected In-Q-Tel funding because it didn't want to be restricted by the firm's requirements, an executive at the security firm told CRN.

Meanwhile, Ron Gula, CEO of Tenable Network Security, said sometimes features from In-Q-Tel requests make it into the product set for all customers, but "sometimes it isn't something all our customers want."

"James Bond may need a feature that most customers don't," said Gula, a former National Security Agency staffer. "The relationship we have with them is that they're introducing us to things to work on that require us to innovate and it may only be a one-off feature."

Tenable has accepted a $15 million investment that included funding from In-Q-Tel. With 13,000 customers worldwide, it's impossible to work on every feature request that comes in, Gula said. In-Q-Tel requests get fast-tracked, he said.

"In our case, In-Q-Tel is asking us to go quicker," Gula said. "We think their feature requests are indicative of a mature type of customer for us."

Gula, an advocate of continuous monitoring for vulnerabilities and configuration issues, pointed to In-Q-Tel's investment in his firm and Veracode as a sign of the importance of software security. Gula said In-Q-Tel's investment in FireEye helped trigger advancements being made in sandboxing. Network monitoring is gaining subtle improvements and security is being embedded into deeper layers of the system, he said.

And the innovative technology for intelligence gathering is needed by the government more than ever before, according to In-Q-Tel's Kuper. The latest report from security firm Mandiant links China to hundreds of attacks against U.S. firms. The Aurora attacks in 2009 illustrated how a nation-state attack, believed to be driven by China, can target 30 of the top U.S. technology companies simultaneously, Kuper said at the media dinner.

"Aurora was organized, structured smash and grabs where it is literally damaging to the United States economy," Kuper said. "They are stealing intellectual property that we would be minting for our benefit and they will be replicating over there."

PUBLISHED MAY 28, 2013