March 06, 2024

00:47:54

Episode 247 Deep Dive: Alex Trafton | Strategic Partnerships and Cybersecurity Compliance for Global Defense and Trade Relations

Episode 247 Deep Dive: Alex Trafton | Strategic Partnerships and Cybersecurity Compliance for Global Defense and Trade Relations
KBKAST
Episode 247 Deep Dive: Alex Trafton | Strategic Partnerships and Cybersecurity Compliance for Global Defense and Trade Relations

Mar 06 2024 | 00:47:54

/

Show Notes

In this episode, we are joined by with Alex Trafton (Managing Director of National Security, Trade, & Technology – Ankura) to unravel the complex dynamics of cybersecurity, government regulations, and the landscape of defense and technology at a global scale. We explore the challenges and opportunities for small companies, the impact of strategic cooperation between democratic nations, and the crucial role of integrity and innovation in the industry. Join us for a candid conversation that sheds light on the future of cybersecurity and the call for collaboration between nations.

Alex Trafton is a Managing Director in the National Security, Trade, & Technology practice at Ankura Consulting Group, based in Los Angeles, CA, USA. He has over 15 years of experience in finance, risk management, and cybersecurity. Alex leads the NSTT cybersecurity function and serves as a subject matter expert in cybersecurity program design, implementation, and assessment with a focus in foreign investment control and oversight (CFIUS), Defense Industrial Base (DIB) cybersecurity requirements, and international trade control compliance program support (ITAR/EAR). Alex is focused on working with multi-national defense contractors to help them meet cybersecurity and export control requirements before, during, and after mergers and acquisitions.

View Full Transcript

Episode Transcript

[00:00:00] Speaker A: In this kind of strategic tug of war put poll with China is how do you collect more of these countries that are democratic, like Australia, that have highly educated, highly technical workforces, get them inside the tent more and ease that trade and make it easier for them to access your markets and vice versa, to increase cooperation, to increase the flow of capital, to increase innovation and to increase kind of military acquisition capabilities, abilities and technological advancements. [00:00:30] Speaker B: This is KBCAt. As a primary target for ransomware campaign. [00:00:36] Speaker A: Security and testing and performance risk and compliance. We can actually automate that, take that. [00:00:41] Speaker B: Data and use it. Joining me today is Alex Trafton, managing director, national security, trade and technology from Ankara. And today we're discussing opportunities for australian companies to work with the US defense. So Alex, thanks for joining and welcome. [00:01:00] Speaker A: Thanks for having me, Chris. [00:01:01] Speaker B: I appreciate it with your view. Now, obviously your accent, you're based in the United States. So maybe give us an overview of how you see the cybersecurity world from your point of view. Know, over in the. [00:01:15] Speaker A: And so I actually used to live in Australia, so I am used to being told I have an accent. So I'm not taking. So I guess certainly my perspective anyway is I tend to take kind of a holistic view of national security and certainly for the work we do. So for me, cybersecurity fits into that. Right. So we deal a great deal with basically government regulation around cybersecurity, data privacy, export controls, foreign investment. So the way I see cybersecurity is really through the lens of government regulation and how that's shaping market forces and how that's shaping cybersecurity for both government contractors and industry. And there's certainly plenty of things to talk about. But I think one thing that is clear, and I think specifically with reference to the US interaction with Australia, that there is a very clear divide in the world between what I call Team USA and Team China. And cybersecurity is a piece of that. That conflict plays itself out in the cyber world from our perspective with what we work on. The US government is waging that war with a number of tools. Some of those are trade controls around high performing computing, AI, quantum computing, dual use technologies, U. S. Munitions, list ITAR military technologies and foreign investment. So there's a regime of restricting foreign investment in the US from strategic rival nations, which is similar to Ferb. In the Australia context, there's now a, well, in the US it's called Committee on Foreign Investment in the US, Cypheus. And there's also a reverse CFIUS, which is now proposing to restrict us investment in foreign. You know, this all kind of works itself out in heightened animosity and tension, increased cyber activity, cyber threat activity from strategic rival nations like the Ukraine war has. And I think specifically in the australian context, it kind of plays itself out with how the US engages in foreign policy and partnerships, how it chooses to share technology, how it chooses to address cyber threats and build cyber defenses. I would say that there is certainly now an enhanced enforcement and regulation push in the US. The government has issued legislation, the president has issued executive orders. Federal agencies have gone into rulemaking to further regulate cybersecurity. So there is a lot more, both preventive and reactive measures that affect companies. In many ways, part of the national cybersecurity strategy really was to address cybersecurity at the national level through things like federal government acquisition. So we see a lot of rules around acquisition, cybersecurity performance in those contracts, we see enhanced enforcement. The Department of Justice issued its civil Cyber Fraud initiative, which intends to hold companies accountable, and even individuals accountable for the failure to implement cybersecurity controls when under contract or in industry, when there are guardians and required to safeguard personal data or company data or national security sensitive data. So it's an area, I would just say, I guess there's just an enhanced landscape of risk for companies, both from cyber threat actors and from government regulation and government enforcement of those regulations. [00:05:01] Speaker B: So you said before what the US chooses to share technologies with. So obviously you're aware of all the Orcas initiative between Australia, US, UK. Do you think, though, from your point of view, that people are sharing technologies, or do you think it's still sort of emerging, or what's your view on that? [00:05:20] Speaker A: I think there's competing, you know, technology controls in the international trade context exist in two places. One with the US Department of State, which manages the international Traffic and Arms Regulation, the ITAR, and with the US Commerce Department, which manages the commerce control bliss and the Export administration regulations. Or the ear, for instance, the Commerce department has a dual hat. It's to promote U. S. Businesses abroad, but also to restrict the flow of dual use technologies to certain restricted countries. And so there's competing equities. Right. So I think there's a strong american desire for trade with our partners in clubhouse countries. But I think at the same time, when those countries come into conflict with us national security strategy or national interests, that these agencies will restrict that trade in an effort to make these countries more amenable to american foreign policy strategy, or to restrict access to critical us technologies, which provides qualitative military edge or other kind of technical advances and advantages over near peer adversaries. So it's definitely been a case of both. So at some level the promoting trade with our partners but also restricting trade with partners who don't kind of align as well with our national foreign policy. [00:06:44] Speaker B: So when you say restricting trade, I'm assuming you're talking about China and France or is this across the board? [00:06:51] Speaker A: Yeah, so it can be across the board, but it's very specifically targeted at between. The emerging rivalry between the US and China is the defining rivalry of this century the way the rivalry between the Soviet Union and the US was the defining rivalry of the last half of the 20th century. Yes, I think that that's definitely the objective is to maintain both our military edge but also our industrial edge over China and to restrict that trade. Right. Restrict access to high performance computing technologies, to semiconductors, to artificial intelligence, to stealth technology, to silent sub technology, things like that. And the response from China is to close that gap, to engage in intellectual property theft against us companies, against best defense industrial base companies, the Department of Defense itself and also our bilateral allies who will share defense projects with uS, the UK, Australia, Israel, things like that. So yeah, it's a multifaceted kind of. [00:08:00] Speaker B: Piece of come back to that. But before because obviously there's a lot going on here, but I want to. Maybe now let's flip it to opportunities for australian companies to work with the US. Obviously I'm based here in Australia, you can tell by my accent. But a lot of people that I speak to are like, hey, I want to go work with the US. And how I do that, you guys have a lot more money and people, a lot more stuff going on. So it's more appealing to australian companies, but I want to hear your thoughts on that before I go a bit deeper. [00:08:32] Speaker A: Sure. So I think certainly the United States has the most robust defense industrial base, which is that sector of companies which supply the Department of Defense with products and services. And I think that the US would love to expand that into foreign countries to the degree that it aligns with their security objectives and their national security objectives. Right. And it doesn't compromise the data and those acquisition programs that it engages contractors to provide. As far as they're concerned, yes, they would love very much to include countries specifically close allies. And the AUCUS agreement does specifically address the kind of intermeshing and the expansion of the defense industrial base to include Australia and of course the UK. Just the other day we had opportunity to speak with some members of the Department of know, both in the DoD and contractors know, are engaged in bilateral negotiations and multilateral negotiations with the UK, with Israel, with Sweden, with Australia, to harmonize specifically the cybersecurity requirements that are required of us defense contractors to participate in that defense industrial base. And certainly there are requirements like the DSPF or similar in Australia. The. You know, that too is true. In the United States, we have very robust contracting requirements, certainly around cybersecurity and securing critical defense data that's not classified. Certainly have classified requirements, but the unclassified data as. So, you know, those requirements may be foreign and alien to australian companies. And so that's where I think getting some perspective on how Department of Defense acquisitions work and specifically the cybersecurity programs and program requirements work is important for those contractors to understand. [00:10:28] Speaker B: Okay, operative word that you used was harmonized security requirements. So do you believe that that's hard to do? I asked this question because I've seen a lot of these little initiatives popping up and people have the right attention, but again, it's hard. People are in different time zone, different parts of the world, different cultures, et cetera. So how do we actually harmonize this for this to work effectively so everyone is operating in harmony? [00:10:55] Speaker A: Yeah, I think it's problematic in some ways. Right. The cybersecurity requirements to kind of conduct business as a contractor or even a subcontractor with the Department of Defense are fairly stringent. There's a requirement to implement the NIST special publication 800 and 171, which relates to the protection of confidentiality of controlled unclassified information. There's obviously classified data security requirements. There are, as we mentioned, export control requirements, the ITAR, the e that can make trade difficult. Harmonize those and say, what in these countries are they doing that can be considered equivalent? Because the US is certainly not interested in lowering the standard of protecting this data in order to ensure a foreign contractor gets access to the market. I think that one of the most impactful rules that's being made now was with the Department of Defense. It's now with the Office of Management and Budget, OMB, to be a final rule and regulation and contract clause is the cybersecurity maturity model certification. So previously, the United States, the DoD had allowed companies to self attest to the implementation of NIST special publication 871 and multiple audits and inspector general reports revealed that critical data continued to leave the defense industrial base and wind up in China with near copies of gen five fighter aircraft turning up in China, and that this self attestation regime that they had implemented was not sufficient. They had tried several other methods, spot audits by their primary defense, and they weren't working. So this cybersecurity maturity model certification, the CMMC is going to bring in a third party audit regime which would be conducted by private sector companies that are certified by something called the cyber AB, which is a private sector nonprofit that essentially acts as a fiduciary of the Department of Defense in these audits. So I think that the negotiations with foreign countries are going to need to address those specific equities that the Department of Defense feels that self attestation is not sufficient and that they want independent audits of that cybersecurity program that are a condition of participating in these acquisition contracts. So that may mean an equivalent program in those countries. It may mean that those countries need to stand up their own independent auditing firms which can audit the CMMC in this special publication 871. I don't know where that lands. I do know that we have worked extensively with european and other defense contractors and some of those projects were paused as their ministries of defense were engaged in those bilateral negotiations and multilateral negotiations. So I think the DoD is definitely interested in making that happen. I don't know with Australia specifically where they are with that. But I do know certainly in the DSPF for Australia, that this special publication 800 171 is one of the standards that's accepted as an ICT security standard. So certainly that is a standard that's not unfamiliar to Australians or the australian Ministry of Defense. [00:14:09] Speaker B: So would you then also say, alex, that this is just going to take a little bit of time before companies like know meeting the standards that you've spoken about? Obviously, we don't want the US to lower their standards, et cetera. But when do you believe we'll get through this stage, in your words, when we start to see that harmony? Or was this going to take a lot longer than people are sort of thinking? Because again, these things are not. We just turn them on like lights, like it does take a little bit of time. But I'm just curious because again, geopolitical tensions are rising every day as we're seeing. So be really keen to get sort of a barometer from. [00:14:48] Speaker A: I mean, that's a great question right now, if an australian company is a contractor, a defense contractor to the Department of Defense, these are all enforceable through contract law, right? So they'll sign a contract with the Department of Defense or with a us prime contractor, Lockheed Martin Orthodox Grumman. Right. And that company will then flow down these contract requirements. So currently the risk for these companies is limited to contract law. Right. Is there privy of contract with the Department of Defense? Can they enforce, so, you know, is there going to be another mechanism of enforcing this? I don't know if there can be. Can there be another, more of a gating mechanism? Right. You have to prove that you can do it before you can enter into the contract. That seems much more likely to me with looking at how long it's taken for that to happen inside the United States. This saga of protecting controlled and classified information, which is really the big weak spot in the defense industrial basis, started in 2010 with an executive order. 13 years later, we've had a standard for 800 171 for seven years. For four or five of those years, it was self attestation. And they've been trying to make this rule, it applicable to us companies. Right. And theoretically to any australian company that would have that contract clause for cybersecurity, that's another three or four years of rulemaking. I mean, to then establish multilateral or bilateral agreements may be many years in the future. So for the coming years, my expectation is that there may be an audit process there, but there's still going to be exclusively contract mechanisms to enforce this. And it's probably going to be the same requirements in this special publication, 800 hundred and one and 71. I don't think the US is going to adopt or accept a foreign standard because of the way us law works. And that for the Defense Department must require that the National Institutes of Standards and Technology, NIST, produce their cybersecurity standards. It is a law. They cannot use ISO 27,001, they can't use any other standard. They have to use those from NIST, which is a function of the US Commerce department. So I don't think that the US government is going to be able to lower that standard or even change that standard. And whether there's reciprocality, it's unclear to me. And there's certainly other issues at play. The same contract clause that requires companies, defense contractors to implement 800 and 171 also requires them to provide forensic access to the Department of Defense in the event of a cyber incident where us government data is compromised or potentially compromised. And foreign defense contractors are signing that now. But they really should be hesitating in doing, because these systems may be commingled with sovereign defense programs in the UK and Israel and Sweden and Germany and Australia. And does the australian government really intend to permit the US Department of Defense forensic access to potentially very sensitive australian or whatever country it is, defense programs? And so there's other considerations just beyond the standards. So the reciprocality would include, well, can the australian government conduct forensics? Can the australian government ensure media preservation and malware sampling? Malware samples are sent to the US and the FBI and the NSA. So there's a lot to negotiate there. And I think that takes time. The government wheel, especially in the US, in Australia too, but certainly in the US, turns very slow. [00:18:15] Speaker B: So the timeline was 2010. Now at 2023, that's 13 years. So it's probably going to be like a 20 year endeavor. I mean, obviously, we don't know. [00:18:26] Speaker A: Yes. And it's been a very painful saga. Right. And one of the initiatives that the government. So the government is at one time saying, we're going to use procurement law to require contractors to do cybersecurity. How can we force people to do cybersecurity, is the question. Right. At the same time, they've also engaged in the civil cyber Fraud initiative, which in the US, there's a statute which is called the False Claims act, that if you lie to the government to get them to buy your services, that's a false claim. And it's a very, very expensive fine that relates to the cost of the products, the number of violations they have. Now know False Claims act. And it's a whistleblower driven initiative. Right. Because whistleblowers take home some percentage of the finding and the settlement. So the US government, the Department of Justice, has been using this tool in the last three, four, five years to hold defense contractors, but other contractors accountable for failure to implement cybersecurity. Right. So there's currently risk there. Right. I don't know how that would work with a foreign contract or where in the contract the deciding law is going to be carried out. Is that in the US? Is that in Australia? Right. The other thing is the mean. This is very interesting, maybe tangentially related, but the US government has now started, they've realized that holding entities, companies accountable is only part of the equation. They're also coming after individuals. I think case in point is the chief security officer at Uber. I don't know if you track this case, but he's actually end up in jail or lying about ransomware payments and whether those were bug bounties or whatever. And that's a major development as well in this process. And giving the threat actors, the attackers, actually reduced prosecution, reduced sentencing. To testify against the CSO was an interesting development, kind of tangentially related, but I think those are current enforcement mechanisms. So if we don't see an immediate resolution to bilateral agreements. We don't see an immediate resolution to an auditing standards, things like that. Australian contractors who sign these defense federal acquisition regulation supplement clauses in their defense contracts are still subject to these risks. Right. These false claims risks and many others. [00:20:50] Speaker B: Okay, I want to go back just a second. You said the False Claims act. So again, people lying to the government about capability or whatever. So give me an example of what that would look like. Are you saying someone claims, oh, we use machine learning and they don't. Is that considered then, lying to the government? [00:21:08] Speaker A: Well, I mean, I can certainly talk about the cases that have been made public. Right. And there was a large case. It was the Marcus versus Aerojet rocket dyna. And Marcus was a member of the cybersecurity team at Aerojet rocket dine. Aerojet rocketine made large rocket engines for the US government, went in missiles and space aircraft and things like that. They had been telling the US government that they met at the time, what were the cybersecurity standards in their defense contract? So Aerojet acquired Rocketdine in a merger. Rocketdyne had some serious issues with cybersecurity, and this relator blew the whistle because they weren't listening to him, basically about how he thought they should with respect to remediating these issues. The case settled in summary judgment, and I think they paid $9 million to the relator. The Department of Justice didn't join the case. But what they said was very interesting in a statement of interest they sent to the court. And in that statement of interest, they said that, what was the false claim? It has to be made knowingly. And so how do they assume or how do they think the company knew? And the company had had incident response documentation from cyber incidents. They had had pen testing reports showing that controls weren't implemented. They had internal and external audit reports. And so what they told the court was that these are material. And the question is inducement. Was the government induced under false pretenses to purchase these products? And could they prove harm? And they could prove harm because these were taken, very sensitive information, was exfiltrated, most likely, and the government could prove that they were harmed and that the company did so knowingly. And the threshold was so low. Right. Thinking about that, a pen test report, it identifies a control that wasn't implemented or was only partially implemented. And then you went to the government and said, oh, we're in compliance. And the government held that every invoice that they submitted after that time was an instance of a false claim. And it's $20,000 per instance. So if you're invoicing the government 30, 40, 50 times a month, all of those fines begin to stack up. And so I think that what that case showed was how low the bar was for the government to consider you a bad faith actor. It wasn't that you lied about the existence of something, and there was just another false claims case, which the DOJ also did not join, but the relator continued to press. The case publicized was Penn State, and they had done something very similar. They had essentially, according to the relator, this is an accusation. Falsified internal cybersecurity assessment documents to improve their. There's a requirement to submit a summary score of your implementation of IST 800 and 171, and that in a pinch, they falsified these documents. And that's the claim of the relator. It's not been adjudicated in court. But that's also. You kind of fake an assessment. That's a false claim. So the bar is really, really low to get in trouble. There was yet another case that was related to Phi, that a government contractor had two files, two files of us service members on a server that was unsecured, and they ended up paying $900,000 for that. And so the bar is just really extremely low. The question is, how do you get to the point where the Department of Justice is looking into your servers? Rakate. I mean, you probably have to screw up to get there, but again, the bar is very low. [00:24:37] Speaker B: So then I guess you mentioned before, which is why they're phasing out this self attestation side of things, because people can't be trusted. Because you've just rattled off three instances where people have lied or they've falsified things. Wow. Okay. That's really interesting. I don't get why you do that, though. Okay, I understand. For monetary gain, I get that. But again, you're doing cybersecurity stuff. So for me, it's more than just a job. So there has to be level of integrity there, which is around protecting people. If you don't have any minimum sort of security compliance at all, it just really goes against your whole mission. So I don't kind of understand that. [00:25:23] Speaker A: Yeah. Look, I think that when you run a company and you're judged on financial performance, there becomes a competing set of incentives. Right. I mean, certainly I'm in this job, and the rest of my team are in this job because, one, we like what we do, but also, we kind of also believe that the national security of the United States is very important. And in a lot of our engagement, certainly in the foreign investment world we operate, the company pays us, but we are an oversight fiduciary of the federal agencies and so we work on their behalf frequently to kind of make sure companies are being accountable and are being operating with integrity and credibility. And we tell everybody who will listen, the currency of the realm with the government is being a trusted partner and the currency is credibility, accountability and integrity. And I think that companies in a capitalist economy are sometimes incentivized to cut corners or to view things with rose colored glasses and to make decisions. In the case of the uber CSO, that would violate maybe my integrity, but into time may seem like good ideas because they're judged on, I don't know, performance metrics that are different from mine potentially. And so you think about it and you go, man, that is really dumb. You shouldn't have done that. And then very obviously so. But at the time, people tend to have a very different opinion of what integrity might look like. [00:26:51] Speaker B: Yeah, totally understand it. And great points. So, hey, I now want to focus on Aussie companies. So you've listed a fair few checks and balances. If you want to work with us defense, for example, you sort of can't just roll up there and begin working as you've clearly articulated today. But would you say now it may be a deterrent because to get all of these checks and balances done, that's going to cost money and depends on the company. If it's a big company, of course it's different. If they're multinational, of course it's different. But these startup companies or scale ups. [00:27:28] Speaker A: I think you've summarized in a pretty short sentence the concern not just for australian companies, but for american companies, right? I mean, I think that's when the way laws become regulation is through agency rulemaking, right? So they basically say the Defense Department shall protect our data and then they go, the Defense Department shall go make a rule. And these are all products of those rules, these standards we have, and they're required to take public comments and 80 90% of the public comments are related to cost and burden. This is very expensive, this is very hard. How do you expect us to do it? And I think that that's a very salient question, that how does a small company meet this requirement, right? That may even be a third tier subcontractor that no one the deod even knows exists, not signed a contract with the DoD, it's still subject to the requirements. A great question. And the answer from the federal government has been very clear. We don't care. On the other hand, I went to an acquisition conference for the DoD last year in San Diego, and there was three admirals and a general on stage saying, screaming, we need small businesses in innovation to come to the US defense industrial base and work with the DoD. When Bill Clinton left office, there was over 100 prime contractors. Right? Those were large aerospace and defense contract companies that worked for the DoD. We're down to about six today. So there's just been a great deal of consolidation and that's flowed innovation. So I think your point is exactly right. If I, as a forward thinking war fighter who has to deal with global threats that are potentially technologically sophisticated, that are extremely dangerous, and I need to keep my people alive. Like, I want smart, capable, fast moving people to produce what I use to accomplish my mission, right? Because my mission is to be fast, mobile and quick and all of those things. And so the DoD obviously wants these companies to be involved. And so the question is, how do they do it? And I don't think they have the answer. One, there are ways to get around certainly these requirements. There's what's called an OTA, which is other transaction authority where the DoD can identify high impact technologies and things like that and kind of create a different avenue, typically for smaller businesses to get acquisition contracts without all the burdens. And keep in mind that when you look at what's in a federal contract, and I'm sure it may be similar in Australia, but you have tons of requirements. The cybersecurity requirements are but a few of hundreds. You have requirements on cost accounting, child labor certifications that you're not using, child labor, you name it, it's in there. Is this small business owned by a minority? Is there Native Americans? All of those things come into play in contracting. So there's a lot there that companies have to work with. And so for smaller companies, they don't have counsel to review these things, right? So they just sign them or they avoid them. And so they are these mechanisms for the Department of Defense to engage highly mobile, highly agile tech companies. And they are definitely doing outreach in Silicon Valley and high tech places. And I think that's where an opportunity exists for australian companies, right. I mean, I think that the US Defense Department would be very eager to work, know, high speed, high tech companies from Australia. I mean, some that I've even worked with, we've worked with tech companies from Australia trying to help them get into this and, you know, great thinkers. Obviously, Australia is incredibly technologically advanced country, well educated population, hardworking, all the ingredients you need to be successful and productive, right? Certainly in this space. And it would be a shame if the US weren't able to benefit from that and vice versa, that the Australians weren't able to benefit from american technological innovation. And so I think that's the problem that the US government needs to solve in this kind of strategic tug of war. Put pole with China is how do you collect more of these countries that are democratic, like Australia, that have highly educated, highly technical workforces, get them inside the tent more, right, and ease that trade and make it easier for them to access your markets and vice versa, to increase cooperation, to increase the flow of capital, to increase innovation, and to increase kind of military acquisition capabilities and technological advancements. [00:31:59] Speaker B: Okay, so a couple of things in there I want to explore a little bit more. And just going back to your comment around innovation, that's exactly going to be my next question. So I want to map out what's going on in my mind because I think you agree with this theory, which is, okay, you speak about innovation. In Australia, they harp on a lot about innovation, but then just hypothetically, it's like, oh, well, no, we can't work with you. You're too small, you haven't been around for seven years. And then it's like, oh, but we need to have diversity of thought. So then it's like, well, we can't do that because you're not enabling us to do that because I've been around for six months. You may have a better solution to perhaps a larger company, but they get overlooked. And then it's like, well, the big companies just keep getting fed and then the poor little companies are just going, this is what I've seen in the last three years, especially here in Australia. They're not getting the vcs that care about security companies here in Australia. The money isn't flowing here from a private equity point of view. So what does that then look like? [00:33:05] Speaker A: It's a great question. I've read the requirements, right, at least in the australian legal world, to engage with the australian defense industrial base. And it's a track record of running a business, right? They want trusted partners. We need seven years, and we need you to meet all these requirements and have these certifications and implement these standards. And you look at great technological advancements. It's three guys in their mother's garage with GPU. Those people aren't going to meet the criteria, right? So I think the government is having the governments, both Australia and the United States are having to balance the requirements of being a fiduciary of their citizens data, their national security, and also getting innovative people in. I mean, what's been the result? Certainly there are defense focused venture capital funds in the US. It's a market we've tried to engage with and say you can give them money, but how do you help them get access to the market if they don't already have it? Right. Because that's part of the piece in the acute problem that you've described and well articulated, that they don't have access to that market. Right. And I think the US has solved some of that with different, those otas and other transaction authorities and ways of acquiring those systems. Right. But specifically in the cybersecurity space, that's another place where we need agile companies. Right. We need diversity of products. A good company will run two types of firewalls, not just one. Right. I mean, so diversity of cybersecurity tools, diversity of cybersecurity services. The DoD definitely wants more cybersecurity personnel available as both employees and contractors. So how do they get that? Right? And it's definitely an acute problem, and I don't know how they solve it with kind of balancing the equities of security and fiduciaries of their citizens in terms of data protection. And what's, one of the things that's certainly happened in the United States and I described earlier was that consolidation of the market so large companies can identify these companies that may be struggling to access the market and certainly acquired. Right. Or larger companies. And so what you have, again, is basically what's going on throughout the US economy. Right. And I assume in Australia, maybe not as acute a problem, but certainly not peculiar to the US either, is large, very wealthy companies are acquiring many, many more companies. And what you have is fewer and fewer companies delivering more and more of the products and services consumed in the economy and certainly consumed by the governments. And I think that's probably a general risk. And I think it's one of the outcomes of the problem you described is that some of these smaller companies never are able to scale before they can be acquired. And certainly the founders are incentivized to sell when they feel like they can make enough money. Right. So they're not necessarily operating on the notion that I have to deliver this product as a small business to the defense Department. That'll change the world. Right. They're thinking, well, we get $100 million, I'm out of here, right. So there's lots of competing incentives. I think is the problem. [00:36:17] Speaker B: Yeah, you're so right. And I'm seeing that every day because obviously we get the notifications as a media company into our inbox. So I'm seeing it like every day a big company goes and acquires x company, little companies, large and medium sized ones. So do you think it's going to get to a stage where we just have, I don't know, I'm just going to make up a number 20 or arbitrary number 20 random large big companies that have just acquired all the little companies in between? Or do you think there'll still be a balance or what do you mean? [00:36:48] Speaker A: Let's take cybersecurity as an example. I mean, we see companies doing major acquisitions, right, Google bought Mandy. Right, Palo Alto does acquisitions. You just name the security company and you see a bunch of smaller companies being acquired, at least in the US, for instance, the cloud market, certainly Microsoft and Azure, they're very big in the defense space and they have a very impressive suite of tools. And Google is trying to close that gap and they're doing so just by acquiring the capabilities and trying to patch them together. So these are all companies that individually may have innovated are now part of a behemoth. Right. How does that end up? Yeah, I think that there is some, certainly in the US, they have antitrust laws to break up these companies. They've threatened to do that to Amazon, they've threatened to do that to Microsoft, they've threatened to do it to Google. I don't think they've used antitrust now, but I think it does create a problem for diversity of thought, certainly in the cybersecurity space. Right. That is a very hot market for think it's, I don't know if it stifles innovation, but it could. [00:37:53] Speaker B: Yeah, that's an interesting observation. So then just going back on that a little bit more, what about the intention? So, I mean, I work with a lot of startups and a lot of people in the startup sphere in this country, in yours and UK, et cetera. So do you think now people are just creating security companies with the intent of, I just want to get an acquisition, like you said, $100 million amount. So then what does that then do for our actual ecosystem if you're not building a company to change the world, in your words? [00:38:18] Speaker A: Yeah, I was at RSA conference in San Francisco, I don't know, 18 months ago. I go for meetings and I walk the floor to collect free shirts for the year, re up the wardrobe and so I'm walking around, I'm seeing all of these companies, and they're all like MDR companies or whatever, MDX now, and it's dynamic software scanning and statics, code analysis companies. It's all just different flavors. And they're all there with venture capital money, right? And most of these companies don't make it, right. They don't even get an exit. They just kind of go away because venture capital companies are incentivized to distribute risk. So they invest in ten companies, let's say they invest in cybersecurity sector, they invest in ten MDR solutions, or MDX or whatever they're calling it now. And they only need one of those to be a rocket success. The other nine can wither and die, and they still make enough money to kind of perpetuate their model. So you end up with a bunch of companies that may never had really a viable product or a viable business model, but that didn't stop them from getting capital. And that was this collapse of the Silicon Valley bank in the US. Right? And I don't know if you guys tracked this there. This was a very serious issue. It's been a long time in the US since a bank became insolvent and the federal government had to step in and there was concern that would be a broader run on the banks. I mean, that was driven a lot by this culture of incessant compulsive serial investing in tech companies and specifically security companies that really didn't ever deliver a lot of value. And so, among other things, right, but that venture capital element that this bank served, VC funds, that was one of their main businesses. And so that was kind of a product of this culture of just compulsive serial investing in these companies. And maybe there's a few there that don't belong. Or more importantly, maybe there are companies that are great and they throw money at them and ignore them and never nurture them, and they end up dying when they could have been revolutionary. So it could go either way. But I think it's a real know. I think certainly the United States is a great source of innovation, but I don't know if that's an indefinite title. I don't know if champion of innovation in the world, the lead innovator, is going to be true forever. We certainly have other countries trying to nip it or heels, certainly in India and the subcontinent, in China, parts of Europe. There's certainly other very technocratic societies now that have kind of industrialized and grown their economies and can kind of certainly start to challenge us. And I think that circling back to my original point, that's part of this new technical, technological cold war, is that we're realizing that our massive technical gap that existed in the doesn't exist as much anymore. And what are we going to do to kind of maintain our edge, right? Is it more VC money? Is it DoD gets VC money? Or is it like we deny technology to our rivals? I think this kind of comes full circle to the problem of how do we maintain our qualitative, industrial and military edge over rival. And that's a collection of nations that includes what I consider western, not pejoratively, but just the way in the parlance, right, western democracies, New Zealand, Australia, United States, Canada, Western Europe, and probably Japan and South Korea. How do we maintain those qualitative edges? And so I don't know, and I think that's a big problem. But I think these multilateral and bilateral agreements do a lot to ease the strain and lower the barriers to that cooperation and participation that's probably ultimately necessary. [00:42:09] Speaker B: Yeah, those are great points. Look, I don't know either. I think harm will tell. Maybe they're going to bring a vc on the show and hear their thoughts. I'm aware that that's their model. They're going to buy ten horses back, all of them, but only one's going to win. So, look, I don't know. It's interesting. I think time will tell, but I want to get your thoughts on this. Just my observation as an Aussie, I was in the United States for a month last year, so in December it was great. People are very lovely there. Very nice. One of the things that was apparent is everyone in Australia here, like at least the US, in day to day conversations, comes up multiple times a day, not the other way around. When you're in the US, Australia never comes up. Now, I understand that wholeheartedly because you got everything there. So it's like Aussie companies coming into the US. I get that. But then how do we get reciprocity with the US then coming into Australia? Because again, I rarely saw an Australian. I think I saw one family at Disneyland and I was there for a month. People couldn't guess my accent a lot of the time, or it's just not a thing. So how does that then look, coming from the other side of the coin of US companies coming here, know, deploying capability into Australia? And that does happen. But again, it's just probably not the first thought for a lot of these us based companies. [00:43:39] Speaker A: I agree. It's a good question. In one this just kind of probably is an indicator of the solipsism of America. And I lived in Australia. Right. So I appreciate what an amazing country it is and beautiful landscape, environment, people, economy. But yeah, I haven't given that so much thought. But I think that's part of the point of some of these agreements and certainly cybersecurity cooperation agreements and military cooperation agreements. Right. Is to kind of open, to build that trust and open those markets. I think with respect to american companies, it's lowering the barriers to entry. Tax incentives are things that companies would look for and you certainly have your own regime of foreign investment review. Right. We have think as these cooperation agreements grow, I think as the United States really starts to realize what a critical partner Australia is. Right. Their proximity to our eastern rivals or western rather depends on how you think about, know, their proximity, their similarity in culture and government. I think those agreements tend to lower the barriers right. To entry and so hopefully the acquisition of us british submarines leads to vice versa us investment in the australian economy. But I don't know what those numbers are. Right. What is the amount of foreign investment from the US into Australia now was ten years ago. I don't know if it's trending flat up or down, so I probably couldn't comment. [00:45:23] Speaker B: So is there anything specific, Alex, you'd like to leave our audience with any closing comments or final thoughts? I know we've covered a lot of topics today and we could probably go on for a while, but is there anything that you'd like to leave everyone with? [00:45:37] Speaker A: Yeah, I do think australian companies, you're thinking selfishly as an American have a lot to offer specifically in the defense space. Right. And I would encourage australian companies, australian defense contractors to bid on and join american acquisition contracts, Department of Defense contract, probably don't need to urge them. Right. That's probably something they're thinking about. But when doing so from small to large company, making sure that they're really paying attention to the cybersecurity piece and operating in good faith when they're implementing those things, it's really going to reduce the risk. I think that's it. And also to be good partners. Right. And I think we could all learn from that. But also being good partners when they're operating under these agreements or under export agreements, taas, things like that, that these companies are guardians and fiduciaries of our national security as well, and to take those kind of duties and obligations seriously. And I think that's a big one. That's counsel, we give american companies all the time, frankly, but do encourage specifically australian innovation and participation in our defense industrial base and our economy at large, because I think that the partnership between Australia and the United States is extremely critical for both countries at a time of growing both kinetic and cyber threats. And partnership spans all of those. And so I think it's a good opportunity, to your point, to grow trade, to grow bilateral economic relations and defense relations. So do absolutely encourage it. [00:47:12] Speaker B: This is KBcast, the voice of cyber. Thanks for tuning in. For more industry leading news and thought provoking articles, visit KBI Media to get access today. This episode is brought to you by Merckset, your smarter route to security talent. Merksech's executive search has helped enterprise organizations find the right people from around the world since 2012. Their ondemand talent acquisition team helps startups and midsize businesses scale faster and more efficiently. Find out [email protected]. Today.

Other Episodes