Revisiting Our Cybersecurity Theme
A new age of cyber war has commenced. This war pits nations against nations; non-state actors against states, corporations and individuals; and lone individuals (or wolves) against states, corporations and other individuals. It is a battle without boundaries, and waged around the clock, 24/7. It’s also a conflict that is escalating thanks to the proliferation of the internet, with the netizens of the world now numbering roughly 3.5 billion, or almost half the world’s population. That is another way of saying that never before in history have so many citizens been connected; and thanks to the explosion in the Internet of Things (IoT), never before have so many machines been connected.
“We are now entering the great age of digital crime.”
— author of Future Crimes
Global connectivity is a growth industry, but so too are the threats and vulnerabilities that come with a more interconnected world. Nations, governments, corporations, households, individuals—nothing is immune to the prying eyes of cyberspace. As the industry refrain goes, “there are two types of companies—those who have been hacked, and those who don’t know they have been hacked.” Ditto for many households, many of which are open and public playgrounds for cyber hackers. Add in the rise of the first presumed cyber superpower— Russia—and the market for cybersecurity has never been healthier.
Indeed, with hundreds of millions of cybersecurity events per year, and up to 70% of attacks going undetected, the global cybersecurity market is only expected to expand over the medium term. Worldwide revenues for security-related hardware, software, and services are expected to grow 8.2% in 2017 to $82 billion and reach nearly $105 billion in 2020 (Exhibit 1). By region, the United States spent the most on cybersecurity at an estimated $31.5 billion in 2016, with Western Europe in second place, spending $19.5 billion. Other parts of the world are lagging in spending, although annual growth in cyber expenditures continues to rise at double-digit rates. Cybersecurity, in other words, is a global growth industry, notably in key developing markets like China, India and in particular Russia.
Exhibit 1: A Snapshot of the Global Cyber Security Market
*Mexico data for 2014
Sources: International Data Corporation; McAfee; Center for Strategic and International Studies; Gartner.
Data as of March 29, 2017.
The Cyber Superpower
“In the future, wars will be fought with a four-to-one ratio of nonmilitary to military measures. The former… should include efforts to shape the political and social landscape of the adversary through subversion, espionage, propaganda, and cyber attacks.”1
Russia seems to have become one of the most sophisticated nation-state actors in cyber space as a result of a culmination of many years of cyber development. As Russia has been building up its arsenal of cyber capabilities, various cyber-attacks have taken place in its bordering countries for the past decade. For example, in 2007 Russia was believed to have carried out a denial of service attack in Estonia, disrupting internet access for several weeks, in response to the Baltic country removing a Soviet war memorial. The following year, the Georgian government accused Russia of combining hacks on government and media websites with military force, marking a new age of the integration of cyber warfare and military planning operations. Such attacks can cripple a nation’s economy, especially in this information age where business, government, and banking operations have become increasingly reliant on digital flows. In the current political environment, information hacks attempt to disrupt the democratic process and weaken the public’s perception of western institutions. Such was the case for the alleged Russia-linked Democratic National Committee hacks, as well as for the ‘fakenews’ spreading throughout the German and French election campaigns.
One of the major factors in Russia’s rise to dominance in cyber space has been the investment and recruitment of talented programmers from universities and the private sector. Also adding to the talent pool, according to Western officials there is a degree of overlap between state agencies and criminal networks. This contrasts with the substantial shortage of security analysts in other areas of the world, particularly the U.S. and the U.K. Around 209,000 cybersecurity jobs went unfilled in the United States alone in 2015, with the global workforce gap projected to widen to 1.8 million by 2022.
The Threat
The open and competitive nature of the cybercrime market leads to faster innovation than in the cyber defense industry, where incentives are shaped by bureaucracies. Outdated security systems expose both companies and government agencies. For example, the 2015 data breach where over 21 million personnel files were stolen by hackers from the U.S. government’s Office of Personnel Management may have been prevented with modernized software and better security practices. Still, human error continues to be an unavoidable factor in cyber attacks; IBM reports that 95% of all security incidents involve human error, such as not having a secure password or opening an infected link.
For large corporations, ransomware has become a leading threat. Ransomware attacks, where users are prevented from accessing their systems unless a ransom is paid, grew 167-fold in 2016 to 638 million intrusion attempts, with 70% of infected businesses agreeing to pay a ransom.2 Certain industries are targeted more than others. Healthcare companies are targeted in 88% of detected ransomware attacks, as hackers abuse hospitals that would rather pay a ransom than shut down their systems and put patient’s lives at risk.3
The Opportunity
Defense against cyber threats calls for collaboration among government, academic institutions, corporations and non-profit organizations. In Washington, cyber defense is a main priority. From 2013 to 2015, the Director of National Intelligence named cyber as the number one strategic threat to the U.S., placing it ahead of terrorism for the first time since 9/11. As the threat grows, more and more funds are being allocated to cyber protection. For 2017, the federal government set aside $19 billion for cybersecurity, a 35% increase from the prior year (Exhibit 2).
Exhibit 2: U.S. Federal Government Expected To Be a Driver of Cybersecurity Spending Growth
*FY 2013 decline based on accounting treatment change.
Data from 2006 – 2015 represent fiscal year spending. 2016 and 2017 are estimates from president’s budget.
Sources: FISMA Annual Report to Congress; Morgan Stanley Research; 2016 White House Cybersecurity National Action Plan.
Data as of 2016.
Past performance is no guarantee of future results
While cyber spending represents a small portion of total defense spending—approximately 1% of the 2017 Department of Defense (DoD) budget—President Trump’s defense-heavy budget is a signal that expenditures may pick up. Although there was no direct statement of how much of the $639 billion DoD budget would be used for cyber capabilities, Trump’s budget proposal specifically mentioned strengthening cybersecurity in various other departments, including the Department of Homeland Security (additional $1.5 billion), Office of Electricity Delivery and Energy Reliability, Department of Justice, Department of the Treasury and NASA.
Companies are also expected to grow their IT security budgets. According to the SANS (SysAdmin, Audit, Network and Security) Institute, the percentage of IT budget expenditures devoted to security was projected to be 7% to 9% in 2016, up from 4% to 6% in 2015. The banking industry is estimated to have made the largest investments in cybersecurity in 2016, followed by discrete manufacturing. Five banks alone spend more than $1.5 billion on cybersecurity. And with Deloitte estimating that 40% of manufacturers suffered a cyber attack in the last 12 months, with 38% of the attacks causing over $1 million in damages, it’s no surprise manufacturing companies have strengthened their defenses.
How To Invest In the Age of Information War
With almost half of the world connected to the internet, corporations are increasingly finding the need to invest in cybersecurity to protect sensitive customer data, safeguard intellectual property and other critical assets, and avoid the outsized costs of a data breach. Additionally, as the IoT multiplies to an estimated 21 billion connected devices in 2020, cybersecurity is becoming integrated into every aspect of the economy—from banking and healthcare to automobiles and household appliances.
Traditional players in the cybersecurity space will continue to benefit from these macro trends and geopolitical tensions. Companies will need to be positioned to adapt to innovative cyber threats, and the use of machine learning and the potential of blockchain technology will help them outpace competitors. As security incidents rise, large technology services providers that are able to understand and address rapidly evolving client concerns, while attracting customers at lower costs, will be best suited to take advantage of this growing market. Also important to these companies is the ability to adapt their business models to expand outside of traditional firewalls and focus on the security of the cloud and endpoint protection.
We also see opportunities to invest in cybersecurity outside of traditional technology names. We consider defense primes, government IT service providers and multi-industrial companies as key sectors to benefit from the pickup in public and private cybersecurity spending. First, defense contractors are tasked with providing mission-critical or classified cyber protection for the U.S. Department of Defense and U.S. Intelligence Community. These names will be direct beneficiaries of defense spending increases, given their expertise and long experience in providing cybersecurity to U.S. defense organizations. Also, government IT service providers, which offer their own cyber solutions or integrated solutions by packaging services from multiple cybersecurity vendors, are expected to perform well, given their exposure to civilian and commercial information security needs in addition to government demands. Finally, as the push towards greater industrial connectivity continues, in order to drive production efficiency and lower costs, the need to protect critical assets (water, electrical, communications, manufacturing, oil and gas, etc.) will increase. Multi-industrial companies that have the domain expertise in this infrastructure, the existing installed base in need of cyber protection and have efficiently integrated cybersecurity into their business models will be in high demand as industrial control systems become a top hacking target for nation-state actors and ransomware criminals.
1The New Yorker, "Trump, Putin and the New Cold War." As of March 6, 2017. For original article published in Military-Industrial Courier by Chief of Russian General Staff Gen. Valery Gerasimov, see "The Value of Science Is in the Foresight." As of February 27, 2013.
213D Research, “Trumponomics and escalating cyber attacks set the stage for cybersecurity stocks to outperform.” As of March 2, 2017.
3Solutionary Security Engineering Research Team, “Quarterly Threat Intelligence Report.” As of Q2 2016.
This report is provided for informational purposes only and was not issued in connection with any proposed offering of securities. It was issued without regard to the specific investment objectives, financial situation or particular needs of any specific recipient and does not contain investment recommendations. Bank of America and its affiliates do not accept any liability for any direct, indirect or consequential damages or losses arising from any use of this report or its contents. The information in this report was obtained from sources believed to be accurate, but we do not guarantee that it is accurate or complete. The opinions herein are those of U.S. Trust, Bank of America Private Wealth Management, are made as of the date of this material, and are subject to change without notice. There is no guarantee the views and opinions expressed in this communication will come to pass. Other affiliates may have opinions that are different from and/or inconsistent with the opinions expressed herein. All charts are based on historical data for the time period indicated and are intended for illustrative purposes only.
This publication is designed to provide general information about economics, asset classes and strategies. It is for discussion purposes only, since the availability and effectiveness of any strategy are dependent upon each individual's facts and circumstances. Always consult with your independent attorney, tax advisor and investment manager for final recommendations and before changing or implementing any financial strategy.
Other Important Information
Past performance is no guarantee of future results.
All sector recommendations must be considered in the context of an individual investor's goals, time horizon and risk tolerance. Not all recommendations will be suitable for all investors.
Investments focused in a certain industry may pose additional risks due to lack of diversification, industry volatility, economic turmoil, susceptibility to economic, political or regulatory risks and other sector concentration risks.
International investing involves special risks, including foreign taxation, currency risks, risks associated with possible differences in financial standards and other risks associated with future political and economic developments.
Investing in emerging markets may involve greater risks than investing in more developed countries. In addition, concentration of investments in a single region may result in greater volatility.
