'Born at the Right Time': How Kid Hackers Became Cyberwarriors
Greg Martin, the chief technical officer for ThreatStream, at the company's offices in Redwood City, Calif., on Wednesday, December 10, 2014. Martin is part of a generation of hackers-turned-entrepreneurs who are now in unprecedented demand as cybersecurity specialists. Sarah Rice / for NBC News
REDWOOD CITY, Calif. — A few years ago, when Greg Martin was in his mid 20s and teaching a computer security course for NASA engineers, he stumbled on an arcane bit of information that stopped him cold: the original set of rules governing the Internet, created in September 1981, the month he was born.
That coincidence helped Martin understand a little better his improbable journey from rural Texas to the center of the fight against cybercrime. A former child hacker who commandeered his high school’s servers and spent his teens studying, manipulating and repairing some of the earliest computer networks, Martin’s life had paralleled the rise of the Internet, culminating with an explosion in data theft, corporate espionage and digital warfare that made him and a generation of other self-taught security experts some of the most sought-after figures in Silicon Valley. “I was just born at the right time,” he said.
The escalating roster of high-profile attacks against America’s most powerful corporations, including a hack of Sony Pictures that stoked hostilities between the U.S. and North Korea, has fueled the rise of a cybersecurity industry in which a growing number of CEOs are native hackers like Martin, now 33 and the founder of a startup called ThreatStream, which helps companies and government agencies share data on attacks as they develop around the world.
Martin and his contemporaries were the first wave of Americans who grew up online, encountering home computers in the 1980s as young children. They taught themselves to write code, which they used to infiltrate networks for childish pranks and shared their adventures on primitive chat rooms. They outsmarted their parents, teachers and authorities. They basically had the run of the place.
For most, this mischief-making remained a hobby. But in the 1990s, as their playground became the foundation of the global economy, many of the best young hackers turned their skills into careers. Some went into commerce, communications, or entertainment. Some used their skills to steal money, or cause mayhem. And some sought to protect the thing they loved.
That last group, those who spent their teens and 20s advising businesses and law enforcement agencies, are now among an elite group of “white hat” hackers who are forming their own companies. The breathtaking scope of cybercrime, from data theft to corporate espionage to terrorism, has fed an unprecedented rush of venture capital cash into these startups.
“The Internet was never designed to be safe and secure,” said Dan Kaminsky, 35, renowned for discovering a flaw in the Internet’s domain name system and the founder of a bot- and malware-detection firm called White Ops. “And when security started being a problem, the people who really knew what to do about it were us.”
Venture capital investment in cybersecurity startups jumped sharply this year, to more than $3.3 billion, the highest total in at least five years, according to the research firm PrivCo.
“Cybersecurity used to be this little niche in IT,” said Ray Rothrock, a longtime Silicon Valley investor and former chair of the National Venture Capital Association. “Now a lot of people are in it because of the news. There’s an awareness of cybersecurity. And I’ll be blunt. We’re at war on this front. This country, all countries. We don’t need a Pearl Harbor to know it. This is just the wave of the future.”
Rothrock and other investors—not to mention security entrepreneurs themselves—say that while the current rush of cash into Silicon Valley may turn out to be a bubble, the sub-specialty of cybersecurity does not appear as risky, because its companies are taking on “real problems” using “real technology” and selling them to the outside world.
“Every day, it seems, the next big company has been compromised and the threat landscape evolves. And as a result, companies are looking for the most innovative cutting edge solutions,” said Jay Kaplan, 29, a former NSA counterterrorism agent who in 2013 co-founded Synack, a venture capital-backed firm that recruits security experts from around the world to help companies find bugs in their networks. “Where there’s a need, there’s money for companies that have a solution.”
As it turns out, many of the qualities that make a good hacker—risk-taking, extreme self-confidence, the compulsion to break things and understand them, and the desire for recognition—are also key ingredients of successful entrepreneurship. “Hackers need validation,” said Lance James, 36, head of cyber intelligence at Deloitte and Touche. “They like to control things. What better way to get understood than to form a company? People listen to companies. They pay companies to tell them things. They’re taken seriously.”
Now the challenge for these young executives is to prove their products will make the world safer.
Martin embodies the profile of the hacker-turned-entrepreneur. His story is remarkable, but it is not unusual among his peers, where golden careers are spun from threads of serendipity, obsession and hard work.
In 1988, when Martin was 7, his father, a real estate broker in working-class Waxahachie, Texas, brought home their first personal computer, an IBM Clone 8086. Martin taught himself to write code, and the following year authored his first attack, a program that flooded the local Domino’s Pizza with bogus calls. He joined hacker forums, where he was hazed as a “newb,” but relished the escape from small-town doldrums. He stayed up to 2 a.m. many nights chatting with others about new techniques. He studied books on operating systems. And no one around him knew what he was up to. “He talked about hacking, but I didn’t understand what he was doing,” his father, Tony Martin, said.
Back then, hacking did not have the criminal connotations it does today. Hackers thought of themselves not as lawbreakers—the early Internet was relatively untouched by conventional legal statutes—but as kind of digital graffiti artists, breaking into places just to see what they could get away with, and to earn respect within their small world.
“It was a subculture at the time that I sought out specifically because it interested me,” Martin said in an understated drawl. He’s got dark wavy hair, green eyes and a few days of stubble, and he takes care not to appear cocky or self-aggrandizing. “So I found it where I could find it, and went to the deepest depths of anywhere to find any kind of information and completely immerse myself in it.”
Martin wasn’t interested in causing much trouble. He just enjoyed the feeling of having control over things. “That was my special power,” he said. He infiltrated his school’s network, but instead of changing his grades, he programmed computers to shut off simultaneously. He later got a part-time summer job administering that network. That’s when he discovered a shed of discarded high-powered computers, donations to the school after a massive government physics project planned in Waxahachie called the Superconducting Super Collider was scrapped. He took one of the machines home, boosting his power “from hobbyist to hard-core.”
A year later, at 16, Martin was making $500 a week helping to run a local Internet service provider. While he worked there, a rival hacker stole his customers’ passwords. “That upset me so much that I shifted my entire brain from just caring about offensive hacking to, ‘How do I protect people from hackers?’” Martin said. “Once you’re victimized yourself, it changes your perspective.”
Martin also began to realize that his computer skills could lead to a real career. He daydreamed about starting his own company.
Martin, too busy with computers to study, barely graduated high school. He moved to Dallas to work as a network engineer. He left after a couple years to try college, but it bored him, so he returned to cybersecurity, first helping a startup develop anti-spam software, then running security for a company that leased servers to websites around the world, a precursor to what is now the cloud. That was where he came face to face with the ugliest aspects of the burgeoning Internet underground: spam rackets, purveyors of stolen credit cards, child porn rings, purported terrorists, “carding forums” where cybercriminals, many in Eastern Europe, traded secrets. Soon federal agents began showing up with warrants demanding access to the company’s servers. None of the agents knew much about how the Internet worked. So Martin, at 22, became their translator and guide.
For the next two or three years, Martin says, he assisted the Secret Service and the FBI with about 50 cases, helping them track and shut down criminal networks. The Secret Service made him an unofficial member of the North Texas Electronic Crime Task Force. The FBI, he said, paid him with envelopes of cash. “It was like being a cyber crime buster without having to wear a badge or totally drink the Kool-Aid,” Martin said. That relationship tapered off after Martin became director of security for a firm that built “intrusion prevention systems”—he no longer had direct access to criminals' operations, and the agents were learning how to investigate them on their own. Martin now specialized in “penetration testing,” showing clients the weakness in their networks by breaking into them. That included the Dallas County Jail, where, on a client's challenge, he said he gained access to security cameras and inmate release forms.
In 2009, Martin became a high-paid consultant for ArcSight, helping some of the world’s biggest companies repel attacks on their networks. During that time, he wrote ArcOSI, a piece of open-source software that automated massive feeds of threat intelligence data. It became popular, downloaded by corporations and government agencies, and was the seed that developed into ThreatStream, which he created on the theory that if the bad guys are collaborating, the good guys should be doing the same.
Martin left ArcSight in 2012, moved to New York and filed the corporation papers. He envisioned housing his company in a Manhattan loft, but mentors persuaded him to move to Silicon Valley, where he’d be closer to venture capitalists, and the small pool of high-grade talent.
He sank his savings, and $300,000 from investors, into the business. He found an office in Redwood City, sandwiched between a CalTrain commuter line and the San Mateo County jail. He and his wife, who’d wed a couple months earlier, spent the 2013 holidays painting the walls for a January 2014 grand opening. By then he’d started pitching venture capitalists.
The crux of ThreatStream’s business model is giving companies and governments the ability to analyze and share data on cyber attacks as they unfold in real time. The subscribers can then use that information to develop a more sophisticated defense of their networks. The approach, Martin said, is similar to that used by the U.S. Transportation and Security Administration, which guards American airports by connecting to systems around the world that share up-to-date intelligence on terrorists.
Martin founded ThreatStream at a time when cybercrime was breaking into public consciousness, including the high-profile hacks of Home Depot, JPMorgan Chase, and Sony Pictures. That helped fuel the interest of venture capitalists, led by Google Ventures, who plowed $4 million into ThreatStream in February.
The ThreatStream headquarters look a lot like what a child hacker would daydream about. On a recent December morning, techno music pumped from the far end of the open-layout offices, where salesmen in headsets pitched potential clients near a giant inflatable reindeer, surrounded by a mini gong, an array of shot glasses, a ping pong table, a play sword and a toy gun. When the snack delivery man arrived, a cheer erupted. The company’s engineers remained cordoned off in a nearby room where they could concentrate on building software. The vibe is expectant, optimistic.
This January, one year after moving into that freshly painted office, Martin will move ThreatStream and its 30 employees into a 10,000-square-foot space around the corner, twice as big as the existing place, with room to hire more. The rent is about three times per square foot what Martin paid a year ago, thanks to an influx of technology companies into Redwood City. Walking downtown with a coffee, or eating tacos on the sidewalk, Martin, who lives in the nearby hills, runs into CEOs just like himself, which he said feels “super weird.”
His aspiration, as with just about any Silicon Valley startup, is to ultimately sell his company to a larger corporation or take his business public. He points to FireEye, a publicly traded company considered the Google of the cybersecurity industry, as a model.
On a recent trip to New York, Martin rented out a conference room at the posh Essex House to give updates to his most prized corporate clients. It was the same December day that ThreatStream announced its second round of venture capital funding, $22 million. The investment made him a millionaire, at least on paper.
“Among hackers, the accomplishment used to be to have a big talk at a conference like Black Hat. That was when Wall Street didn’t give a sh-t, and hacks were done to showboat,” Martin said. “Now it’s shifted to your product and your company and the money you raised. That’s how hackers are measuring their success now.”