The internet is increasingly an extension of the battlefields of real life. It’s time to back the good guys, says Matthew Partridge.
If you were ever under the illusion that anything you send over the internet – be it an email, phone call, or even a photograph – was guaranteed or even likely to be private, the events of the past year should have put paid to that.
Last summer, Edward Snowden, a former employee of America’s National Security Agency, revealed the existence of several secret programmes that involved tracking people’s online activity.
Since then, the revelations of just how closely monitored we all are have come thick and fast. This week we learned that listening stations in Cheltenham, run by Britain’s surveillance agency GCHQ, were even able to gain access to people’s webcams (we also learned that webcams are largely used to trade pictures of their owners’ intimate areas).
This has led to a growing debate over where the acceptable trade-off lies between national security and individual privacy. Our digital and our ‘real’ lives are ever more intertwined.
The idea of living entirely offline, let alone ‘off-grid’, is increasingly impractical. In a world where we have little choice but to maintain an online presence, how much surveillance is too much? It’s a good question.
Unfortunately, beyond the activities of our own government’s agencies – who have at least a semblance of democratic accountability – there are plenty of others out there who couldn’t give a hoot about the debate over privacy, and just want to steal as much data as they can, by fair means or foul.
Wars move online
The Chinese military has been particularly aggressive, hacking the websites and email systems of foreign firms ranging from newspapers (such as The New York Times) to defence contractors.
All 20 of the largest US defence companies are believed to have had their websites hacked, with suggestions that the Chinese may have been able to steal blueprints for various top-secret technologies as a result.
Overall, the American government’s US-China Economic and Security Review Commission estimates that over 141 firms have been affected.
Cyberspace is also increasingly viewed as an extension of the battlefield. The Syrian Electronic Army, a group of online supporters of the Assad regime, have hacked into various news websites, posting pro-Assad propaganda.
Last April, a fake ‘tweet’ about an explosion at the White House, sent from the Associated Press Twitter feed, briefly caused the Dow Jones to plunge by 145 points, wiping $140bn off shares, before it was exposed as a hoax.
The group has also threatened to hack US Central Command, which controls American troops in the Middle East, central Asia and north Africa, if America takes any action against the regime in Damascus.
The idea of cyberwarfare seems overblown until you grasp the extent to which our world is becoming ever-more connected. There’s the much-hyped ‘internet of things’, where household devices will all be linked to one another, raising the possibility of a cyberattack that disrupts everything from your electric toothbrush to your power supply to your car’s operating systems.
Then there’s the far more advanced field of cloud computing, where firms store data on external servers owned by third parties, rather than having to spend fortunes on their own storage systems. This is eminently practical – but it also means we’re creating data treasure troves that are obvious targets for hackers.
Should you care?
How much does all this matter in practice? Hackers can do a lot of damage. In 2012, the Cutting Sword of Justice, a group linked to the Iranian government and Hezbollah, broke into the system of Saudi state oil company Aramco, which supplies 10% of the world’s oil.
While the hackers failed to shut down production, they did succeed in damaging an estimated 30,000 computers. Similar attacks have also been launched against firms in Qatar and the UAE. And it will only get worse as more and more systems become accessible online.
The Bipartisan Policy Center, an American think tank, recently released a report on the US electricity grid, warning that a cyberattack could be incredibly costly, “triggering sustained power outages over large portions of the electric grid and prolonged disruptions in communications, food and water supplies, and health care delivery”.
Worryingly, insurance syndicate Kiln has turned down several utilities seeking insurance against cyberattacks, because it felt their safeguards were inadequate.
A sceptic might see parallels with the over-hyped millennium bug – the fear that ageing computer systems couldn’t cope with the change of date to 2000. Even the top experts in the area admit that it’s impossible to fully gauge the scale of the threat.
But if we step away from visions of cyber-apocalypse and warfare, and consider the more prosaic threat of fraud and theft, then if anything, there’s a good chance that everyone might be underestimating the problem.
After all, companies don’t like to disclose breaches of data security – giving the impression that customer data is unsafe is bad for business. Viewed in this context, the fact that the Bank of England has revealed that four of the five biggest lenders told it last year that they were worried about cyberattacks, is especially worrying.
Indeed, some of the biggest and most sophisticated technology companies, including Apple, Facebook and Google, have all admitted in the past to being attacked.
Last year, hackers broke into the databases of America’s giant retailer Target, stealing card details from around 40 million customers. Another major breach came when US bank Citigroup had more than 360,000 accounts hacked. Other high-profile victims include the Federal Reserve, document storage service Evernote, and the Washington state court system.
Perhaps the most serious attack in recent history was the one that shut down Sony’s PlayStation network for more than a week in 2011, putting millions of accounts at risk. With lost sales, legal fees and other costs, the total bill came to around $170m.
If hackers can cause this level of disruption even in tech-savvy companies, it stands to reason that the overall problem must be bigger in less up-to-date firms.
Meanwhile, low-level cybercrime, such as identity theft and skimming (using fraudulent transactions to steal credit cards numbers) is also a significant problem. With a fifth of all non-food retail transactions in the UK now made online (according to the British Retail Consortium), opportunities for thieves and fraudsters in this area have multiplied.
A survey of British retailers by card payments firm CyberSource suggests that 1.26% of online orders are fraudulent and that 1.65% of revenue is lost to fraud.
A hint of what may await us comes from Sweden, which is currently trying to make the shift to becoming an entirely cashless economy. While the move has cut down on the amount of petty theft (because fewer people carry cash around on them), there has been a big increase in the amount of fraud, mostly involving fake online billing scams.
According to one survey, as many as 3% of Swedes have been the victims of tricksters in the past year. This is reflected in the number of computer-enabled fraud cases, which has jumped from 3,304 in 2000 to 20,000 three years ago.
Taking all this together, it is clear (even if you take the most egregious estimates of security industry salespeople and the paranoia-inducing predictions of government security heads with a pinch of salt) that cybercrime and warfare are potentially very costly.
Easily compare UK shares by sector or index using our free performance tool.
The companies combating the hackers
And this is all good news for the companies who combat these threats. Governments are keen to act. While military budgets are being cut overall in the developed world, the US is increasing the amount that it spends on defending its military and essential infrastructure from cyberattack.
Not only will Cyber Command receive $500m this year, but experts believe that related spending in other areas of the defence and homeland security budgets will total several billion. Most of these major spending projects will be carried out by private contractors.
Other governments are following suit. Last year, British defence secretary Phillip Hammond announced that the government would spend hundreds of millions of pounds to improve its ability to defend against cyberwar and to wage counterattacks.
At the centrepiece of such plans was the creation of a Joint Cyber Reserve that would involve the recruitment of a large number of experts.
Gulf States are also dramatically ramping up spending on cyber defences. In 2012, the UAE created the National Electronic Security Authority, the first government body in the region dedicated to dealing with threats to national security that come from the internet.
Governments won’t be able to combat all threats, especially those that don’t involve the military or vital infrastructure. But they aren’t ignoring the issue.
The European Commission is finalising a directive that looks set to require large firms to disclose significant security breaches to their national authorities. This may also lead to more stringent rules on protecting customers’ data.
While the American equivalent (in the form of an executive order) only encourages disclosure, rather than making it compulsory, the basic aim is the same.
The fact that the private sector, rather than government, is going to have to take the lead in meeting these new requirements might be tough on individual firms, who will have to spend money on complying with the rules. But it is good news for the online security industry, which should benefit from increased demand.
A report by Bank of America Merrill Lynch predicts that the market for cybersecurity will nearly double from its 2011 level of $63.7bn to $120.1bn by 2017. That’s an annual growth rate of more than 10%.
The analysts also note that this market has plenty of room to grow – currently less than 4% of firms’ IT budgets is spent on protection against threats, a number that has significant scope to increase.
This growth has been followed by a surge in mergers and takeovers in the sector, as larger IT firms try to get a foothold in this area. This trend kicked off with Intel’s acquisition of antivirus software maker McAfee in 2011.
In the last year alone, there have been several more high-profile deals, with network equipment giant Cisco paying $2.7bn for network security expert Sourcefire, IBM buying cybercrime prevention company Trusteer for $1bn and private-equity specialists Vista Equity paying $1bn for web security group Websense.
Mandiant, the industry leader in providing analysis of and defence against Chinese attacks, was taken over by FireEye – a fellow cybersecurity specialist – for a similar amount.
Technology consultancy Gartner reckons there will be “a lot more consolidation” this year, with 2014 seeing “the larger players acquiring smaller players”. Analyst Lawrence Orans also points out that the “complicated” nature of threats means that small businesses simply “don’t have the time or resources to bring their people up to speed”.
In his view, it makes sense for them to outsource their security efforts to dedicated firms that have the experience rapidly to adapt to the changing threats.
The five stocks to buy now
American multinational F5 Networks Inc. (Nasdaq: FFIV) isn’t a pure play on internet security. The overall business is involved in helping firms to run their computer networks more efficiently. However, clearly a large part of this involves the field of security, and the company has been making a deliberate effort to focus more on this area and position itself to take advantage of the ongoing shift towards cloud computing.
It is expected to release a range of new security-related products in upcoming months, such as improved firewalls (which shield a network from malign traffic), which should boost earnings. It trades on a 2014 price/earnings (p/e) ratio of 22, falling to 16 by 2016.
VMware (NYSE: VMW) is currently the market leader in ‘virtualisation’ software. Virtualisation allows companies to make far more efficient use of existing computer hardware, and VMware also provides access to ‘virtual machines’, which are leased to firms and let users harness the processing power of ‘the cloud’, boosting performance. As part of this, VMware also provides its own security packages.
The latest sales and earnings figures show it is meeting, and in some case surpassing, analyst expectations. It’s not cheap – the p/e ratio is around 42, falling to 22 in 2016 – but it should be well-placed to benefit from the growing popularity of cloud computing.
Israeli company Check Point Software (Nasdaq: CHKP) sells both software and hardware related to internet security, though its major speciality is firewalls.
It has an estimated 15% share of the network security market, and customer loyalty is high, which allows it to maintain its high operating margins of around 60%. It also has plenty of cash available for strategic acquisitions and share buybacks.
JP Morgan expects the company to maintain a sales growth rate of around 8%, while analysts at US asset manager Needham suggest it could reach double-digits. At the moment it trades on a p/e of 21, falling to 15.7 times in 2016.
As you’ll have noted by now, most cybersecurity companies are priced with the expectation of aggressive growth – hence the high p/e ratios. Symantec (Nasdaq: SYMC) is the major exception, trading at 11.3 times 2014 earnings. So why the relatively low valuation?
It’s because the large global companies that Symantec focuses on have their own in-house security teams, which means that sales are growing at a slower rate. However, the firm is trying to boost growth by restructuring and focusing on winning new customers (rather than just holding onto existing clients).
It is also making a big effort to ensure that its products are as advanced as those of its rivals. So if you’re looking for a potential turnaround story in the sector, this is the one to go for.
It offers a number of internet-security-related services, including group escrow and group assurance. Under group escrow NCC ensures that vital data, including software source code, is protected if a company’s supplier disappears, or experiences problems. NCC also launched assured service, a cloud-based version of group escrow, in January.
Group assurance, meanwhile, involves testing company networks so that potential flaws are discovered before they allow a major breach. The company currently trades on 22 times 2015 earnings.