Robotics, medical research, bridges, Heinz Ketchup, the Pittsburgh Toilet — these are the signatures of innovation in the Steel City. But buried underneath the surface of its journey from kitschy and industrial to kitschy and tech-centric is a story about the origins of the global cybersecurity industry.
Pittsburgh’s tech economy has long been recognized for its prowess in robotics and artificial intelligence, largely stemming from a strong pipeline of expertise out of local schools like Carnegie Mellon University and the University of Pittsburgh. While autonomous vehicle companies and autonomous mobile robot providers alike have found ways to profit off of those opportunities, there’s a bedrock of a wider range of technical know-how still waiting to be leveraged into commercial possibilities.
Enter cybersecurity: an industry that was (arguably) born in Pittsburgh.
As the story goes, it all started with CERT, formerly an acronym for the computer emergency response team. The division was founded within CMU’s Software Engineering Institute in 1988 as a response to the internet vulnerabilities exposed by the Morris worm, the country’s first major internet attack.
“In the early hours of response to the Morris worm, you had a number of people working at DARPA at the time — the Defense Advanced Research Projects Agency — who had either ties to the SEI or to Carnegie Mellon School of Computer Science,” Bill Wilson, current deputy director of the CERT Division, told Technical.ly.
Those DARPA employees reached out to CMU contacts, “and they quickly kind of cobbled together a foundation and framework to begin to work with and build a community to as quickly as possible first, mitigate and solve the vulnerability underlying the Morris worm,” Wilson said. But really, the purpose was to respond to what had been a sort of “technical wakeup call” in the realm of internet security. From the outset, it was always clear that CERT would be a new kind of organization in tech, something to “work with a network of vendors and researchers to as best as possible, analyze and identify the [new internet] vulnerabilities and then rally the community to get the necessary solutions in place,” he said.
Pittsburgh’s early influence
A big part of that effort was building the talent base and expertise of people who could keep up with new cyber threats as computers and associated technology rapidly evolved throughout the ‘90s. Leveraging both talent within the SEI and working to foster the creation of new agencies across the globe, CERT spent the first 10 years helping other see the necessity of its services.
Much of that involved working with the government. By 2003, the Department of Homeland Security formed its own computer security incident response team, US-CERT. (At this point, CMU had trademarked the “CERT” name, and it still maintains that trademark. But it frequently licenses it out to organizations doing work in the realm of computer security incident response.) The US organization, which is distinct though often collaborative with the CMU one, is now housed in the DHS Cybersecurity and Infrastructure Security Agency.
That same year saw the founding of another significant effort from CMU, the CyLab Security & Privacy Institute, “which is really an umbrella over all of its cybersecurity researchers,” Wilson said. Now, CyLab brings together over 100 faculty and 30 graduate students across 15 departments within the university, and has trained over 75,000 people in security and privacy skills since its formation. Its research encompasses hardware security, IoT security and privacy, biometrics, blockchain, network security and more.
Outside of its research, CyLab has also been the source of some of Pittsburgh’s more noteworthy commercialization efforts in the world of cybersecurity. David Brumley, CEO and cofounder of application security startup ForAllSecure, was previously the director of CyLab. His company made waves earlier this year by closing a $21 million Series B round and promptly launching a new initiative to pay software engineers to use the startup’s fuzz testing tech to protect their open source software.
He sees CyLab as the organization that really launched a surge in cybersecurity talent concentrated in Pittsburgh.
“At one point CMU had the majority of papers at top-tier conferences,” he said of the early days for CyLab. “So if you went to [the conferences] we had over 50% [of the work there], and it’s kind of that culture of having that top cybersecurity research that grew the cybersecurity field here.” And Pittsburgh’s relative proximity to DC certainly helped too, Brumley said, adding that having easy access to the funding and resources provided by DARPA or the National Security Agency created more opportunities for CyLab to evolve its research over time as new threats emerged.
The challenge of growing local cyber firms
But as far as commercialization resources for CyLab’s depth of academic projects and research, Brumley sees some struggles that might help explain why more startups haven’t come out of the organization so far. One is a need for improved tech transfer processes from local universities, but another is the classic problem of limited local venture capital volume, he told Technical.ly.
Pittsburgh's cybersecurity industry hasn't generated as many startups as its robotics industry. How to change that?
There is some access to capital, but it’s typically not an easy process and it’s not abundant in the amount, he said, though there are signs that has started to change with the pandemic, as some of the biggest VC firms in the country have begun to look outside of their signature markets.
“They’re starting to look at new places, and we’re starting to see more than one target outside of the West Coast,” Brumley said. Still, it’s a new trend, and top firms like Sequoia Capital or Andreessen Horowitz, “they’re not here, they don’t have offices here yet.”
But what if the reason Pittsburgh’s cybersecurity industry hasn’t generated as many startups as, say, its robotics industry isn’t because of funding challenges, but because the latter is product-oriented while the former is a more nuanced service?
David Hickton, who is the former US attorney for the Western District of Pennsylvania and the founding director of the University of Pittsburgh Institute for Cyber Law, Policy and Security (Pitt Cyber), thinks that difference between the two makes sense for why entrepreneurship hasn’t taken off for cybersecurity despite a deep well of local expertise. As one of the region’s and country’s most prominent cyber attorneys, he’s been approached several times by startups looking to take him on as an advisor or leader of some sort. But none have persuaded him.
“In order to be a startup that I would be interested in, you’d have to have a tangible product to sell as opposed to a labor-intensive service,” he said. “I’m not interested in, for example, being a cybersecurity service tech to teach people how to protect their program. I would be interested in something that would be a more wholesome application.”
Outside of the expertise of CERT, CyLab and CMU, Hickton’s work as the local US attorney under President Barack Obama and his leadership at Pitt Cyber have anchored the city as more than just a mecca for technical expertise, but for law and policy, too. Recognizing the local talent available in the cyber industry, Hickton focused his team on law enforcement within that industry. He counts six big cases as moments of progress for Pittsburgh in building an understanding of how cybersecurity laws can be formed and enforced, making the city a leader in that space.
From the outset, his team focused on a growing problem at the time, of intellectual property theft through hacking from foreign actors. And in May 2014, the US Justice Department indicted five members of the Chinese military based on findings that Hickton’s team had compiled — the first time the US would charge another country in connection with cyber-related criminal charges. The other five cases Hickton mentioned as early landmarks in his office’s work on cyber law are the June 2014 indictment of Evgeny Bogachev, the July 2015 Darkode case, the Avalanche case in November 2016, Boyusec in November 2017, and the Fancy Bear case in May and October 2018. The latter three concluded after Hickton had left his role as US attorney and helped launch Pitt Cyber in 2016.
The state of local cyber jobs
When it comes to the local cybersecurity industry, Hickton has one of the more experienced perspectives, which makes his thoughts on the lack of local startups all the more intriguing. Because while cyber-focused entrepreneurship hasn’t thrived, local cyber jobs look like they soon might.
According to a CompTIA report published earlier this month, Pittsburgh’s tech industry currently employs around 5,655 cybersecurity and systems engineers, a number that’s expected to grow by at least 0.8% by the end of this year. Nationally, the industry’s expected to grow by over 253% by 2030. That makes sense given the rapid increase in the number of cybercrime threats in 2021, which is expected to cost the world $10.5 trillion annually by 2025.
So, what role does Pittsburgh have in mitigating these threats?
To grow the local cyber economy even more, though, a key step will be figuring out how to stop losing talent to other markets.
Some companies have started to take matters into their own hands, hiring in-house cyber professionals to ensure their technical products are built safely and securely. Meanwhile, local academic institutions continue to partner with nearby corporations to continue building expertise and cross-industry initiatives in cybersecurity.
To grow the local cyber economy even more, though, a key step will be figuring out how to stop losing talent to other markets, Hickton said, noting that there aren’t as many cybersecurity-focused corporations with locations in Pittsburgh. However, he said, Pittsburgh is increasingly on the map as a tech and advanced manufacturing hub, pointing to Commerce Secretary Gina Reimondo’s recent remarks on the benefits semiconductor chip funding could have for the Steel City’s economy.
But cyber, in the mind of the everyday person, is still different from other spheres of tech that Pittsburgh has found success in.
“Cybersecurity, in the minds of most people, it’s like the hockey goalie — you know, protecting against the other team putting the puck in the net,” Hickton said. “It’s not like the scorers and and so it doesn’t have some of the same sex appeal that artificial intelligence, self-driving vehicles and semiconductor tech have.”
And maybe that’s part of the issue. Maybe the one factor needed to propel the local cyber industry to the success other sectors of tech have seen is simply a bit more excitement. Who knows — maybe today’s Pittsburgh cyber pros will squash the 21st-century version of the Morris worm.
Sophie Burkholder is a 2021-2022 corps member for Report for America, an initiative of The Groundtruth Project that pairs young journalists with local newsrooms. This position is supported by the Heinz Endowments.