The cyber-attack that recently struck the Colonial Pipeline, one of the biggest pieces of oil infrastructure in the US, is the latest in a series of high-profile attacks targeting critical US infrastructure. Back in December, the Sunburst/SolarWinds infiltration operation made the headlines as it hit the US Treasury, the US Department of Commerce as well as most of the Fortune 500 companies.
In the Colonial case, the hackers were able to freeze IT systems and asked for a ransom to unlock them. This classic ransomware attack is often directed against private companies that have the means to pay hefty amounts and, at the same time, are not incentivized to disclose the breach, in order to protect their reputation. But as these recent cyberattacks are becoming increasingly systemic for the country’s economy, better public-private cooperation is needed to reduce the overall intrinsic risk.
President Biden’s cybersecurity Executive Order (EO), signed last week, goes in exactly this direction. The EO focuses on three main points. First, it aims to modernize and increase federal networks’ protection and to secure the “software supply chain”. Second, it targets better sharing of information between the public and the private sector. And third, it seeks to strengthen the US ability to respond to such incidents. To carry out this project, a small share of the $2.3 trillion American Jobs Plan will be allocated to cybersecurity.
The modernization of federal government cyber-defense systems will notably rely on Zero Trust security. This model discards the traditional practice of trusting devices connected to a network by default and always checks the identity and integrity of each device before a connection. As part of this Zero Trust strategy, multi-factor authentication is also recommended for users at government agencies. Finally, data encryption and the securing of cloud services will also be carried out.
Information sharing between the private and public sector is also a substantial aspect of the US cybersecurity strategy. The order gives guidance for smoother sharing of information and disclosure of breaches incurred by private companies, and relies on security vendors to collect and report data tied to attack prevention, detection and response.
When needed, the ability to respond to such incidents will also be crucial. A cybersecurity review board composed of public and private members will be set up to analyze incidents and make recommendations on how to react and avoid future recurrences.
Consequences for the private sector are multiple. First, federal spending on cybersecurity is likely to pick up materially over the coming years and to benefit most the security software vendors that have historically had a large government exposure, with Palantir standing out.
Second, the order’s emphasis on Zero Trust and authentication is likely to accelerate adoption of solutions offered by Zscaler, CrowdStrike and Okta, which rank among our largest portfolio positions.
And finally, the role of data collection and analytics should keep rising in cybersecurity, with Palantir, Splunk or FireEye leading the pack in this specific space.
The start to the year has been pretty underwhelming for our Digital Security certificate, as the industry has been viewed more as a work-from-home trade than a reopening one. But we remain convinced by the industry’s growth outlook and rerating potential considering that cybersecurity is a mission-critical building block of the whole digital economy and offers exposure to secular growth drivers (digital payments, connected cars, health wearables… in other words, the Internet of Things), well beyond work-from-home.