Could Howard County be the Silicon Valley of cybersecurity? Part 3

8 minute read

In part 1 of this series I essayed some initial (negative) answers to the question of whether Howard County could ever become the Silicon Valley of cybersecurity. In part 2 I delved a bit more into the question of whether and how the success of Silicon Valley might be replicable elsewhere, relying heavily on the opinions of Paul Graham and Bradford Cross and Russell Jurney. Again my answer was in the negative. Can the third time (well, actually the fourth time) be the charm? I don’t want to keep you in suspense, so …

Answer #4: There are some things we could possibly do to improve the prospects (some of which I think would be good ideas anyway), but the bottom line as I see it is that the news is not good regarding Howard County’s ability to become an entrepreneurial haven in the mold of Silicon Valley, be it for cybersecurity or anything else. Things aren’t necessarily hopeless, but our hope probably lies in a different direction.

Based on Paul Graham’s criteria, if I had to pick a local candidate community for becoming a startup hub, Howard County would be pretty low on the list. By Graham’s lights Baltimore would be a much better possibility: It has a world-class university in Johns Hopkins (albeit in medicine, not computer science), an intact central city, personality to burn, and in general seems to be much more the kind of place where hip young startup founders might like to congregate. In fact a few of them are starting to congregate there; check out Dave Troy’s blog and the scene at the ETC and Beehive Baltimore for some early signs of entrepreneurial life.

As I implied in my mention of Johns Hopkins though, medicine, health care, and biotechnology seem to be much more fruitful areas than cybersecurity (or IT in general) for Baltimore and Maryland to focus on, at least in terms of promoting entrepreneurial innovation. There are already world-class Maryland-based institutions focused on these areas and there are some Maryland firms that have achieved some success. True innovation in health care is tough because it’s a heavily regulated area and because the presence of third-party payers (i.e., private insurance firms and government insurance programs like Medicare) mean that providers don’t have a truly direct and productive relationship with the end customer. But it’s at least plausible that Maryland could be successful in this area.

But back to cybersecurity. To respond to the question in HoCo Rising’s original post, is there any advice on that subject I could offer Howard County Republicans (or Democrats, for that matter)? Can government make a positive difference at all? (Full disclosure: I’m a Democrat, so I’m not unbiased when it comes to this question; however since HoCo Rising was the inspiration for this series of posts I’ll strive to look at things from the other side of the aisle as well.)

There are a number of possibilities, some of which I think are worth trying and some of which are not. An obvious first possibility is to have government fund startup activity by directly investing in startups. Dave Troy has proposed exactly this, recommending that Maryland devote $10M of Governor O’Malley’s proposed Invest Maryland initiative to funding IT startups. Dave’s a smart guy, and we could do a lot worse than taking his advice. However I agree with Paul Graham’s comments on the ability of government to intelligently make such investments, so I think direct investment as a strategy faces (and should face) a lot of skepticism.

(It’s worth noting here that Graham has proposed an alternative to funding new startups, namely bribing existing startups to relocate:

Suppose to be on the safe side it would cost a million dollars per startup. If you could get startups to stick to your town for a million apiece, then for a billion dollars you could bring in a thousand startups. That probably wouldn't push you past Silicon Valley itself, but it might get you second place. For the price of a football stadium, any town that was decent to live in could make itself one of the biggest startup hubs in the world.

As Graham notes, the chances of any city or state actually doing this are essentially zero, but it’s still an interesting thought experiment in economic development.)

The next possibility on the agenda is providing space for cybersecurity companies, either at the low end (like the ETC in Baltimore) or at the high end (like the Shady Grove Life Sciences Center in Montgomery County). Personally I think this is unnecessary at the high end and ill-advised at the low end. As Wordbones can tell you, the high end of the cybersecurity real estate market is doing just fine by itself, thank you very much. At the low end (i.e., brand-new startups) I’m not convinced the demand is there, and even if it were I suspect it could be satisfied by existing spaces. (I’ve previously proposed using one or more of Columbia’s village centers for this, but as Paul Graham notes in general startups will want to choose their own spaces.)

A third (and for this post at least, the final) possibility is one that has the advantage of not costing the government a dime; in fact, it could even save the government money. I noted in part 1 of this series that Columbia was home to two of the 75 companies that were finalists in the SC Magazine 2010 awards, Sourcefire and Tenable Network Security. What’s notable about both companies is that their products and services are based on so-called open source software, namely software whose creators allow it to be freely used, redistributed, and modified by others. Sourcefire’s business is based on the Snort system for detecting and preventing computer network intrusions, and Tenable Network Security’s on the Nessus system for scanning networks for vulnerabilities.

Open source may seem like a very new idea to those previously unfamiliar with it, but it’s actually a return to the early days of computing, when computer hardware vendors provided their customers with the source code to their systems’ operating systems and other utilities, and when government agencies like NASA funded development of major software systems and then released them to the public domain. Government-funded software development was critical to several major industry areas, including supercomputing in general and computer-aided engineering in particular.

Unfortunately over time this practice has succumbed to the fetishization of intellectual property (in this case, copyrights on software and patents on the methods it embodies) as a supposed driver of innovation: that if some form of property rights over information is a good thing (a point with which most informed observers would agree) then maximizing property rights over information must be the best thing of all. (See James Boyle’s comments on how and why this dynamic typically plays out.)

As it happens, in the US government-developed software is actually supposed to be in the public domain, since by law the Federal government can’t hold copyrights in software or anything else. However there’s a loophole, in that government contractors are often allowed to retain copyright on software they develop with government funding. This loophole and an increased government emphasis on purchasing commercial off-the-shelf (COTS) software have greatly reduced the amount of government-developed software available for others to use and build on.

The nice thing about open source software is that developers can work with it as government employees and contractors, both using the software and helping to develop it, and then can go off and try to build businesses on this same software: selling services to government and commercial customers, creating commercial versions of the software, and so on. In this way open source software can provide a base for industry innovation.

If Howard County Republicans (or Democrats) are looking for relatively straightforward and low-cost ways to help save the government money and perhaps help create new businesses like Sourcefire and Tenable in the process, I suggest they look at promoting the use and creation of open source software at the local, state, and Federal level. A good place to start is at the Open Source for America website. (Note for Republicans: open source and open data are areas that the Obama administration is promoting, so you’ll need to resist the temptation to act in knee-jerk opposition to it.)

Is open source the key to making Howard County another Silicon Valley? Of course not. There are still lots of reasons why Howard County’s chances of having an entrepreneurial economy are pretty low. With respect to cybersecurity in particular, one unique barrier is the closed nature of government cybersecurity efforts. As Paul Graham notes in another essay, one of the things that makes the US relatively more hospitable to startups is its openness to immigration, so that the smartest people in the world can come to America and build great companies. That’s a pretty tough dynamic to encourage in an economic environment where the price of entry is often US citizenship and a top-secret clearance.

Could this change? Or is Howard County destined to remain forever economically dependent on government spending as part of Top Secret America. I’ll debate this question with myself in some of my future posts. For now I’ll leave you with a final comment from Bradford Cross and Russell Jurney:

A better plan than imitation is to reflect on what you are passionate about, what you can do now with your own location, what the advantages and disadvantages are, and start innovating in your own way. What can your city be world class at? As Steve Blank says, no successful startup ecosystem was built from local talent. How can you draw the best talent from all over the world? ... What factors are working in your city's favor in a particular area more than any other city in the world? The way to create the next silicon valley is to not try to create the next silicon valley, but to reflect on your city's passions, circumstances, personality and resources, and then innovate accordingly.