New York State Cybersecurity and Homeland Security Industry Study

Confidential

Prepared For: New York State Economic Development Council

Attention: Ryan Silva Executive Director

July 2019

k2intelligence.com

New York · London · Madrid · Geneva · Los Angeles

Restricted Use Warning

This report was prepared by K2 Intelligence at the request of the client to whom it is furnished ("Client"). The Client acknowledges and agrees that this report and information received from K2 Intelligence (collectively, the "Report"), is being provided solely with respect to the Services defined in, and subject to the Client's compliance with, the terms and conditions of the Professional Services Agreement ("PSA") and is intended for the Client's use consistent with the terms of the PSA; provided that nothing in this Report shall be considered legal, business, regulatory, investment, financial, insurance or accounting advice, opinions, endorsements, recommendations or the like. Any other use and any reliance upon or communication, disclosure, publication, or reproduction of the Report in any portion thereof without the prior written consent of K2 Intelligence is strictly forbidden.

The Report may rely upon third party and public information that has not been verified for accuracy, completeness, or otherwise by K2 Intelligence. As set forth in the PSA, the Client agrees to indemnify and hold harmless K2 Intelligence against any damages and liabilities resulting from unauthorized use of the Report, or the Client's or any third party's reliance thereon. K2 Intelligence assumes no obligation to inform the Client of any facts, circumstances, events, or changes that may hereafter be brought to its attention regardless of whether or not they may alter, affect or modify the information contained in the Report.

Table of Contents

1. Executive Summary ...... 4

2. Introduction ...... 9 2.1. Key Definitions ...... 9 Cluster ...... 9 Industries ...... 9

3. Methodology ...... 11

4. Strength of Homeland Security & Cybersecurity Markets ...... 12 4.1. The Cybersecurity Market ...... 12 4.2. The Homeland Security Market ...... 13 4.3. Market Futures ...... 14

5. Factors Driving Cluster Development ...... 15 5.1. Talent: Access to Talent Drives Location Decisions ...... 15 5.2. Customers: Face-to-Face Meetings Still Critical ...... 16 5.3. Economic Incentives: Government Spending Only Goes So Far ...... 17

6. Fast-Growing Regional Clusters ...... 18 6.1. San Antonio, Texas...... 18 Proximity to Federal Government Resources ...... 19 Academic Institutions & Public-Private Partnerships ...... 20 Economic Incentives ...... 20 Challenges to Growth ...... 21 6.2. Pittsburgh, Pennsylvania ...... 21 Proximity to Federal Government Resources ...... 22 Academic Institutions & Public-Private Partnerships ...... 22 Economic Incentives ...... 23 Challenges to Growth ...... 23 6.3. Colorado Springs, Colorado ...... 24 Proximity to Federal Government Resources ...... 25 Academic Institutions & Public-Private Partnerships ...... 25 Economic Incentives ...... 26 Challenges to Growth ...... 27 6.4. Augusta, Georgia ...... 28 Proximity to Federal Government Resources ...... 28 Academic Institutions & Public-Private Partnerships ...... 29 Economic Incentives ...... 30 Challenges to Growth ...... 30

Privileged and Confidential 1

7. The New York State Landscape ...... 31 7.1. Tier One ...... 31 New York City ...... 32 Mohawk Valley Region ...... 33 Central New York Region ...... 36 7.2. Tier Two ...... 38 Capital Region ...... 38 Finger Lakes Region ...... 40 Long Island Region ...... 43 Western New York Region ...... 45

8. New York Challenges ...... 48 8.1. National Shortage of Cybersecurity Talent ...... 48 8.2. Pessimism about Upstate New York ...... 48 Perception That Quality of Life Upstate Lags Behind New York City ...... 49 Lack of Transportation to Major Urban Centers ...... 49 Customer Education Required in Upstate New York ...... 50 New York State’s Corporate Tax Structures are a Disincentive ...... 50

9. New York State’s Strengths ...... 52 9.1. Market Share Argument ...... 52 Location of Major Industries Drives Demand ...... 52 New York’s Unique Threat Landscape ...... 53 New York’s Economic Clout – A Force Multiplier ...... 55 9.2. Diversity of Talent Pool ...... 56 9.3. Affordable Cost of Living and Talent ...... 56 9.4. Potential to Expand Existing Hotspots ...... 57

10. Development Opportunities ...... 59 10.1. State-Sponsored Technology Testbed ...... 59 10.2. Apprenticeship Laboratory ...... 59 10.3. Leveraged Purchasing Power ...... 59 10.4. Star Power ...... 60 10.5. Cultural Re-Branding ...... 60 10.6. Tax Credits & Other Economic Incentives ...... 60 10.7. Legislative Action ...... 60 Cybersecurity Requirements for Financial Services Companies ...... 61 Data Breach Notification Laws ...... 61 Opportunities for Forward-Looking Legislation ...... 62

11. Conclusion: Dedicated Statewide Development Effort Required ...... 63

Privileged and Confidential 2

State-Level Leadership is Necessary to be Competitive ...... 63 Opportunity for Impact ...... 63

Privileged and Confidential 3

1. Executive Summary

K2 Intelligence, LLC (“K2”) was engaged by the New York State Economic Development Council (“NYSEDC”) to conduct an analysis of the homeland security and cybersecurity industry clusters in New York State and to identify New York State’s competitive advantages and challenges compared to other states for the attraction of homeland security and cybersecurity companies. In order to prepare this report, K2 reviewed materials provided by NYSEDC pertinent to the New York State economy, and augmented this review with research in open sources to include media reports, academic publications, federal, state, and local government reports, industry and trade publications, business data aggregators, market research reports, and other sources. K2 investigators also conducted targeted interviews with industry stakeholders who are knowledgeable about the development of the industries inside and outside of New York State, as well as the trends and drivers shaping the industries’ development at a range of levels. Definitions For the purposes of this report, K2 defined an economic cluster to be a geographic region with a concentration of inter-connected companies and related organizations in a particular field. The homeland security industry was defined as the universe of private sector entities that create and/or provide products or services that safeguard individuals or organizations from malicious incident or destruction. The cybersecurity industry was defined as the universe of private sector entities that create and/or provide products or services that safeguard computers, networks, programs, and data from digital attack or unauthorized access. These are not necessarily considered two distinct industries; in recent years, security professionals have begun to view cybersecurity as a subset of homeland security. Per the direction of NYSEDC, K2 focused its research on the technology-oriented segment of these industries. Market Size Precise figures on the size of the global, national, and regional homeland security and cybersecurity markets are difficult to obtain, as almost all industries are potential consumers of such services and related spending is often located within multiple operational areas of a business or government agency. Nevertheless, research indicates that these are both sizable markets with considerable growth expected in the coming years, suggesting there is a significant development opportunity for states that move aggressively. Published estimates place the size of the global cybersecurity market at $100 billion or even $200 billion dollars a year, with the US market alone projected to reach or shortly reach between $60 and $120 billion a year. The homeland security market is even larger; estimates of the industry reflect yearly global spending of $400 billion and growth projected to potentially reach $600 billion within five years. Factors Driving Cluster Growth K2 spoke with homeland security and cybersecurity industry sources to understand the factors that affect decisions on where to locate or expand these types of businesses. Talent, Customers, and Access to Capital Sources overwhelmingly cited proximity to talent and customers as the driving factors that contribute to a cybersecurity or homeland security company’s decisions regarding location, with many adding access to capital as an additional ingredient. As one investor noted, “there’s a new version of Silicon Valley every

Privileged and Confidential 4

day,” but those regions come and go unless there’s enough follow-through and investment to maintain consistent access to talent, customers, and capital. Talent comes from varied sources Sources noted that talent in the technology sector comes from various pipelines, including government, competitors, adjacent fields like software development, and technical universities, and is not exclusively defined as those with technical skills. A diverse set of candidates, including those who can be trained internally, are desired. Customers require face-to-face attention but can be served remotely Multiple sources noted that despite technical advances and the ability of companies to service customers worldwide, face-to-face meetings were still critical to growing business and a driving factor in where companies are based. A senior executive at a New York City-based cybersecurity company noted that there is “still nothing better than a face-to-face meeting” especially for professional services offerings when your customer requires in-person work. Incentives are common but only go so far In general, sources noted that incentives needed to be present in discussions with homeland or cybersecurity companies, but they tended not to be the deciding factor in locational decisions. One source in the venture capital community said that incentives are a “wash” when deciding where to locate. The source noted that some incentives need to be in place, but ultimately the decision-makers need to want to live where the company will be located. Fast-Growing Clusters Four metropolitan areas outside of New York State – San Antonio, Texas; Pittsburgh, Pennsylvania; Colorado Springs, Colorado; and Augusta, Georgia – were selected for study to understand the types of opportunities and challenges that New York State may face as it develops these industries. Each of these four areas have burgeoning, and in some cases robust, cybersecurity and/or homeland security clusters. Each of the four regions are anchored by a strong military or government presence and contain a combination of elements that can be critical to homeland security and cybersecurity cluster development, such as robust academic programs that act as a talent pipeline, mature private sector economies in related fields, and public-private partnerships that spur research, innovation, and workforce development. These clusters often developed with the support of local business leaders, academic institutions, and development groups. Most of these regions offer economic incentives to private companies that locate within the cluster; however, these incentives do not appear to be an integral part of each cluster’s development. Across the regions examined, access to talent appears to be the greatest challenge to future development of the cybersecurity and/or homeland security industry. The New York Landscape New York State has a substantial and diverse cybersecurity and homeland security landscape, which includes both national players in the industries and smaller companies and startups. K2 identified seven regions that have operational or nascent cybersecurity or homeland security clusters.

Privileged and Confidential 5

Regions with fully operational clusters, categorized as the “tier one” regions, are comprised of the New York City, Central New York, and Mohawk Valley Regions, each of which demonstrate operational cybersecurity or homeland security industry clusters. Regions with nascent clusters, categorized as the “tier two” regions, are comprised of the Finger Lakes, Long Island, Capital, and Western New York Regions. These regions have elements that could be further developed into a cybersecurity or homeland security industry cluster. New York State’s Challenges for Growth As part of K2’s outreach to industry insiders, we sought to gather intelligence on the challenges faced by the cybersecurity and homeland security industries in general, and the challenges to prospective development in New York State specifically. The “War for Talent” One of the major challenges to the growth of the cybersecurity industry nationally is the shortage of qualified cyber professionals, leading to what one source working in economic development in New York State described as a “war for talent.” This shortage poses particular challenges to New York State as talent tends to naturally flow to large urban centers where there are robust job markets and competition for services. At the statewide level, New York City wins at the expense of other locations; regionally, a similar dynamic plays out with larger cities gaining preference. Quality of Life Multiple sources noted that one of the challenges in fostering economic development in places like Upstate1 New York is the perceived poor quality of life compared to urban centers like New York City. While Upstate New York can market its affordable cost of living, sources repeatedly noted that talented employees and millennials are looking for denser “downtown” living options and secondary networks that imbue a place with character and an identity – restaurants, coffee shops, cultural institutions, and similar attractions – as well as convenient public transportation options to avoid feelings of “isolation.” Pessimism About Upstate New York A perceived dichotomy between “Upstate” and “Downstate” New York also leads to pessimism and a public relations challenge for development. One source noted that New York City has its own “gravitational pull” that other areas of the state can find it hard to measure up against in the talent competition. Another source noted it would be possible for a cybersecurity or homeland security cluster to develop elsewhere but it would be an “uphill battle.” Such sentiments can cloud even positive trends in upstate areas. Lack of Knowledge Hampers Local Progress Sources in Upstate New York noted that the general lack of knowledge in the local business world about the impact of cyber vulnerabilities posed challenges in gaining traction and placing graduates. One source noted that their biggest challenge was to find a local industry that understood its cybersecurity risks.

1 Sources contacted by K2 often sought to differentiate the economic landscape of greater New York City with that of regions elsewhere in New York State, which they typically referred to with the shorthand of “Upstate New York.” K2 followed this convention throughout the report.

Privileged and Confidential 6

New York State’s Strengths K2 also interviewed homeland security and cybersecurity professionals to understand areas in which New York State held a competitive advantage compared to other states in attracting cybersecurity and homeland security development. Major Industries, Unique Target, Economic Clout First and foremost, sources we spoke to noted that the size and scale of the New York State economy was a major strength in attracting business in the cybersecurity and homeland security industries. Two of New York’s largest industries – finance and health care – are critically important customers of the cybersecurity industry, with the financial services sector being the largest market for cybersecurity services in the United State outside of the government and the healthcare sector being the fastest-growing industry segment of the cybersecurity market. In the homeland security space, New York remains an epicenter of security threats as well as the vanguard for defending against them. The existing homeland security threat landscape was redefined by the terrorist attacks of September 11, 2001, and as stated by former New York Police Commissioner Ray Kelly in a 2013 Council on Foreign Relations speech, the threat to New York is omnipresent, with images of the World Trade Center and New York City being regularly displayed on jihadist websites and al Qaida publications. New York State’s GDP of over $1.5 trillion accounts for over 8 percent of the United States total, the third largest in the country. Sources noted almost all companies and organizations are consumers of homeland security and cybersecurity products and services, and thus scale matters. Diversity in an Under-Represented Industry A second common theme that arose in source interviews was that New York State has the potential to offer a pipeline of diverse talent to the cybersecurity and homeland security spaces, both of which struggle to attract individuals from under-represented groups nationally. While New York City is commonly thought of as diverse, sources pointed to Upstate New York’s diversity as a significant selling point as well. Affordability to Support Operations Sources noted that the cost advantages of Upstate New York can be of particular importance in the cybersecurity and homeland security industries. Multiple sources noted it is common for cybersecurity companies to house their leadership and client-management teams in major hubs like New York City but host engineering teams elsewhere in locations where costs are lower. And likewise, as homeland security startups move to innovate and develop more agile solutions, the establishment of test beds where development and failure is less expensive becomes important. Development Opportunities In the context of our discussions, multiple sources discussed ideas for development models that could be applicable in the context of attracting more cybersecurity and homeland security investment to New York State. State-Sponsored Technology Testbed One source noted there could be an opportunity for New York State to develop a corporate or state- sponsored center of excellence that companies in the area could leverage as a technology testbed for evaluating the viability and scalability of solutions before pushing them into the marketplace.

Privileged and Confidential 7

The source noted that upstate regions could be particularly advantageous locales to perform this type of work because the cost of talent would be significantly lower than in more expensive cities. Another source noted that the startup community in particular needs affordable places to experiment. Apprenticeship Laboratory A senior executive at a startup focused on cybersecurity training noted that New York State could have an opportunity to leverage its State University of New York (“SUNY”) system to launch a Virtual Cybersecurity Apprenticeship initiative to target the cybersecurity skills gap. The objective of the program would be to connect industry directly with academia and develop a local pipeline of talent into which New York-based companies could tap. The initiative could gather students in apprenticeship laboratories housed at SUNY campuses to pair them with local industries in need of cybersecurity talent using a virtual internship model. Leveraged Purchasing Power One source noted that cooperation between the state and the private sector to leverage New York State’s purchasing power as a consumer of services could be a significant driver of development. The source noted that if the state expressed a preference for buying from companies that developed or tested their products in laboratories within New York as a “New York-certified solution,” that would be compelling. Legislative Action A source noted that New York State could help cybersecurity companies flourish by mirroring states like Ohio, which enacted legislation that incentivizes businesses to purchase cybersecurity services. Jeff Kosseff, an assistant professor of cybersecurity law at the United States Naval Academy, wrote that incentives would be particularly useful to small and midsized companies, as those “often do not have the resources to have even a dedicated information-security staffer” but “constitute the majority of all cyberattack victims.” The Need for a Dedicated Statewide Development Effort Multiple sources noted that the development of a new homeland security or cybersecurity cluster in New York State would require a long-term, dedicated, and interdisciplinary effort with a substantial amount of attention and monetary support. The development needs were stated succinctly by one source, who noted that in order to attract development, they would market the affordability of Upstate New York, focus development efforts on creating the supporting infrastructure to entice talent, and create a series of incentives and amenities like housing to encourage companies and talent to move there. Feedback from multiple sources suggested that active state-level leadership would be welcome as New York works to keep pace with the efforts of other states.

Privileged and Confidential 8

2. Introduction

2.1. Key Definitions In the following section, K2 has detailed the definitions we have employed for the following key terms used throughout this report: (1) cluster, (2) homeland security industry, and (3) cybersecurity industry.

Cluster For the purposes of this report, K2 defined an economic cluster to be a geographic region with a concentration of inter-connected companies and related organizations in a particular field. As noted in the economic clusters theory of Harvard Business School economist Michael Porter (“Porter”),2 clusters often include a web of inter-related companies, suppliers and customers, academic institutions, governmental and non-governmental organizations, and skilled employees that connect symbiotically in a given field.3 As discussed in Porter’s 2014 Working Paper, “Clusters and the New Economics of Competition,” clusters can include

suppliers of specialized inputs such as components, machinery, and services, and providers of specialized infrastructure. Clusters also often extend downstream to channels and customers and laterally to manufacturers of complementary products and to companies in industries related by skills, technologies, or common inputs. Finally, many clusters include governmental and other institutions— such as universities, standards-setting agencies, think tanks, vocational training providers, and trade associations—that provide specialized training, education, information, research, and technical support.4 Porter and the paper’s other authors noted that a growing body of empirical literature has shown “that the presence of related economic activity matters for regional and industry performance, including job creation, patenting, and new business formation.” 5

Industries K2’s working definitions of the homeland security and cybersecurity industries are drawn from industry publications and other open sources. Note that these are not necessarily considered two distinct industries. In recent years, as critical infrastructure systems and sensitive data in industries such as finance and healthcare have become digitized and moved online, and as the number of “Internet of Things” devices has

2 Michael Porter Harvard Business School biography, see: https://www.isc.hbs.edu/about-michael- porter/biography/Pages/default.aspx. 3 Porter, Michael. "The Economic Performance of Regions." Regional Studies 37, no. 6-7 (2003): 549-78. doi:10.1080/0034340032000108688, see: https://pdfs.semanticscholar.org/de0e/a94b8048b7e7ce4d1ac7193d9bfb9847f735.pdf. 4 Porter, Michael E. "Clusters and the New Economics of Competition." Harvard Business Review. August 01, 2014, see: https://hbr.org/1998/11/clusters-and-the-new-economics-of-competition. 5 Delgado, Mercedes, Michael Porter, and Scott Stern. "Defining Clusters of Related Industries." NBER Working Paper No. 20375. August 1, 2014. doi:10.3386/w20375, see: https://www.nber.org/papers/w20375.pdf.

Privileged and Confidential 9

proliferated, security professionals have begun to view cybersecurity as a subset of homeland security. This realignment has been mirrored within the government. As an example, the Department of Homeland Security’s (“DHS”) 2014 strategic plan noted that protecting homeland security does not just include physical protection of people, but of their information in the cybersphere as well.6 In November 2018, a new DHS agency was established – the Cybersecurity and Infrastructure Security Agency – that is “responsible for civilian cybersecurity throughout the government.”7

2.1.2.1. Homeland Security For the purposes of this study, K2 defined the United States homeland security industry as the universe of private sector entities that create and/or provide products or services that safeguard individuals or organizations from malicious incident or destruction. Consumers include the United States federal government, as well as state and local governments; private and public companies; nonprofit organizations; academic and religious institutions; and private individuals.

2.1.2.2. Cybersecurity K2 defined the cybersecurity industry as the universe of private sector entities that create and/or provide products or services that safeguard computers, networks, programs, and data from digital attack or unauthorized access. Consumers include the United States federal government, as well as state and local governments; private and public companies; nonprofit organizations; academic and religious institutions; and private individuals.

6 Fiscal Years 2014-2018 Strategic Plan,” Department of Homeland Security, 2014, see: https://www.dhs.gov/sites/default/files/publications/FY14-18%20Strategic%20Plan.PDF. 7 CISA replaced the National Protection and Programs Directorate; “The Cybersecurity 202: Trump set to make a new DHS agency the top federal cyber cop,” Washington Post, November 16, 2018, see: https://www.washingtonpost.com/news/powerpost/paloma/the- cybersecurity-202/2018/11/16/the-cybersecurity-202-trump-set-to-make-a-new-dhs-agency-the-top-federal-cyber- cop/5bedb9a71b326b3929054867/?utm_term=.aa3b228e2886.

Privileged and Confidential 10

3. Methodology

In order to prepare this report, K2 reviewed materials provided by NYSEDC pertinent to the New York State economy including annual reports, economic reports, and industry studies prepared by each of New York State’s ten Regional Economic Development Councils (“REDCs”).8 K2 augmented this review with research in open sources to include media reports, academic publications, federal, state, and local government reports, industry and trade publications, business data aggregators, market research reports, and other sources. Due to the volume of materials our research could not be comprehensive. Our report is restricted to information identified in publicly available sources, and so may not include the most up-to-date spending or department budget figures. Relevant open source citations are included in footnotes in the body of the text. K2 investigators conducted targeted interviews with industry stakeholders who are knowledgeable about the development of the industries inside and outside of New York State, as well as the trends and drivers shaping the industries’ development. K2’s sources included individuals introduced to K2 by NYSEDC, individuals within K2’s network of contacts, and individuals identified during the course of our open source research. Sources included cybersecurity and homeland security executives inside and outside of New York State, private equity and venture capital investors, principals at nonprofits and development agencies focused on the industries, and homeland security and cybersecurity educators at public and private academic institutions. Please note that the commentary provided by each source (e.g. a venture capital investor) should not necessarily be considered representative of each group as a whole (e.g. all venture capital investors). K2’s sources were provided an assurance of confidentiality when requested; the names and associations of these sources have been anonymized throughout this report. Per the direction of NYSEDC, K2 focused its research on the technology-driven segment of both industries.

8 In 2011, Governor Andrew Cuomo redesigned the state’s approach to economic development, tasking ten new Regional Economic Development Councils (REDCs) with development of strategic economic development plans specifically tailored to the region’s unique strengths and resources. The ten REDCs are: Capital Region, Central New York, Finger Lakes, Long Island, Mid-Hudson, Mohawk Valley, New York City, North County, Southern Tier, and Western New York, see: http://regionalcouncils.ny.gov/about; https://www.governor.ny.gov/news/governor-cuomo-announces-1-billion-economic-development-funding-will-be-available-through- new.

Privileged and Confidential 11

4. Strength of Homeland Security & Cybersecurity Markets

Obtaining precise figures on the size of the global, national, and regional homeland security and cybersecurity markets is a challenge, as almost all industries are potential consumers of such services and spending is often located within multiple operational areas of a business or government agency. 9 Nevertheless, K2’s research indicates that these are both sizable markets with considerable growth expected in the coming years, suggesting there is a significant development opportunity for states that move aggressively.

4.1. The Cybersecurity Market K2’s research identified the following information pointing to the current and future size of the cybersecurity market:

• Worldwide: In its 2019 Cybersecurity Almanac, research firm and publisher Cybersecurity Ventures estimates that “global spending on cybersecurity products and services will exceed $1 trillion cumulatively over the five-year period from 2017 to 2021 - and the cybersecurity market will continue growing by 12 to 15 percent year-over-year through 2021.”10 In addition, an August 2018 press release from international research firm Gartner predicted that the global cybersecurity market would reach $114 billion in 2018 and $124 billion in 2019.11 The Gartner study identified three primary “drivers” for cybersecurity spending: security risks, business needs, and industry changes.12 The study also noted that “privacy concerns are also becoming a key factor” and “will drive at least 10 percent of market demand for security services through 2019.”13 • United States: K2 identified several figures that estimate the amount spent on cybersecurity in the United States. In its “Playbook” released in April 2015, the Telecommunications Industry Association reportedly predicted that the amount spent on cybersecurity in the United States would reach $66 billion in 2018.14

9 As noted by in Cybersecurity Ventures’ 2018 Cybersecurity Market Report, citing a 2016 IT Security Spending Survey published by the SANS Institute, in cybersecurity, “Tracking security-related budget and cost line items to justify expenditures or document trends can be difficult because security activities cut across many business areas, including human resources, training and help desk,” see: https://cybersecurityventures.com/cybersecurity-market-report/. 10 2019 Cybersecurity Almanac: https://cybersecurityventures.com/cybersecurity-almanac-2019/. 11 “Gartner Forecasts Worldwide Information Security Spending to Exceed $124 Billion in 2019,” Gartner, August 15, 2018, see: https://www.gartner.com/en/newsroom/press-releases/2018-08-15-gartner-forecasts-worldwide-information-security-spending-to- exceed-124-billion-in-2019. 12 “Gartner Forecasts Worldwide Information Security Spending to Exceed $124 Billion in 2019,” Gartner, August 15, 2018, see: https://www.gartner.com/en/newsroom/press-releases/2018-08-15-gartner-forecasts-worldwide-information-security-spending-to- exceed-124-billion-in-2019. 13 “Gartner Forecasts Worldwide Information Security Spending to Exceed $124 Billion in 2019,” Gartner, August 15, 2018, see: https://www.gartner.com/en/newsroom/press-releases/2018-08-15-gartner-forecasts-worldwide-information-security-spending-to- exceed-124-billion-in-2019. 14 Spending on cybersecurity in the United States from 2010 to 2018 (in billion U.S. dollars), Telecommunications Industry Association, obtained from Statista.com, see: https://www.statista.com/statistics/615450/cybersecurity-spending-in-the-us.

Privileged and Confidential 12

In April 2016, Business Intelligence Insider, a research service associated with the business news website Business Insider, estimated that $655 billion will be spent on cybersecurity initiatives to protect personal computers, mobile devices, and Internet of Things devices between 2015 and 2020 – or approximately $110 billion per year.15

In addition, Morgan Stanley’s research division estimated in June 2016 that the market for cybersecurity products and services was expected to surpass $60 billion in 2016, and that this figure could double by 2020.16 • Government Spending: According to the United States Office of Management and Budget’s 2019 Analytical Perspectives volume, the proposed FY2020 President’s Budget included an allocation of $17.4 billion for cybersecurity-related activities, a 5 percent increase from the 2019 estimate.17 (The Analytical Perspectives volume caveats that this amount is not comprehensive given the “sensitive nature” of some of the United States’ cyber activities).18 The report also noted that the largest portion of the cybersecurity budget allocation was reserved for the Department of Defense with $9.6 billion in funding.19

• In New York State, the Office of Information Technology Services (“ITS”) is charged with cybersecurity – its responsibilities include “providing for the protection of state government cyber security infrastructure, including but not limited to identifying and mitigating vulnerabilities, deterring and responding to cyber events, and promoting cyber security awareness within the state.” 20 According to New York State budget data, ITS’s 2019-2020 estimated spending is approximately $654 million.21

4.2. The Homeland Security Market K2’s research identified the following information pointing to the current and future size of the homeland security market:

• Worldwide: According to an abstract of a February 2019 report issued by Homeland Security Research Corp., an international market and technology research firm, the global homeland security and public safety market is estimated to grow from $431 billion in 2018 to $606 billion in 2024, with a compound annual growth rate of 5.8 percent.22 Similarly, a press release covering a report by

15 “This one chart explains why cybersecurity is so important,” Business Insider, April 5, 2016. 16 “Cybersecurity: Rethinking Security," a Morgan Stanley Blue Paper, was referenced in an article posted on Morgan Stanley’s website on June 15, 2016: http://www.morganstanley.com/ideas/cybersecurity-needs-new-paradigm. 17 United States Office of Management and Budget’s 2019 Analytical Perspectives volume (Cybersecurity): https://www.whitehouse.gov/wp-content/uploads/2019/03/ap_24_cyber_security-fy2020.pdf. 18 United States Office of Management and Budget’s 2019 Analytical Perspectives volume (Cybersecurity): https://www.whitehouse.gov/wp-content/uploads/2019/03/ap_24_cyber_security-fy2020.pdf. 19 United States Office of Management and Budget’s 2019 Analytical Perspectives volume (Cybersecurity): https://www.whitehouse.gov/wp-content/uploads/2019/03/ap_24_cyber_security-fy2020.pdf. 20 “An Inside Look at New York State Government Cybersecurity,” Government Technology, March 18, 2019, see: https://www.govtech.com/blogs/lohrmann-on-cybersecurity/an-inside-look-at-new-york-state-government-cybersecurity.html. 21 New York Budget Data website, see: https://openbudget.ny.gov/spendingForm.html; Office of Information Technology Services website, see: https://its.ny.gov/eiso. Budget data accessed as of July 1, 2019. 22 Homeland Security Research Corp., see: https://homelandsecurityresearch.com/reports/global-public-safety-homeland-security- markets-industry-technologies/.

Privileged and Confidential 13

Allied Market Research states that the global homeland security market will reach $418 billion by 2022, with a compound annual growth rate of 5.9 percent.23

• Government Spending: As with the cybersecurity market, the federal government is a significant player within the homeland security market in United States. As an example, a budgetary summary document published by DHS notes that the FY2020 President’s Budget allocated DHS $51.7 billion in net discretionary funding for that department alone.24 • At the New York State level, the New York Division of Homeland Security and Emergency Management (“DHSES”) 25 has a 2019-2020 estimated budget of approximately $1.336 billion, according to New York State data.26

4.3. Market Futures During interviews we conducted, several sources discussed what they saw as the future of the cybersecurity and homeland security industries. While the discussions were not comprehensive, K2 has provided their comments below for NYSEDC’s background.

Sources in the cybersecurity industry noted that machine learning, even more than artificial intelligence, will be a game-changer for cybersecurity and will allow organizations to scale, and that the industry will focus on areas including insider threats, countering fraud, and blending the cyber and physical worlds.

Sources in the homeland security industry noted that the coming disruptors in physical security would be augmented reality, digitization of manual processes, data analytics, algorithm-driven cameras, the fusion of artificial intelligence and sensors, Unmanned Aerial Vehicle (“UAV”) technologies, and advanced global positioning systems (“GPS”). According to media reports, technology developments occurring in the homeland security industry largely revolve around innovation that can make security better and faster. In aviation security, for example, there are improvements in the fields of biometrics, specifically facial recognition software, and screening, including 3D computed tomography scanners. These are more sophisticated than X-ray scanners, can expedite a traveler’s security check experience, and improve the screening process.27

23 “Homeland Security Market to Reach $418 Billion, Globally, by 2022,” Allied Market Research press release, September 2016, see: https://www.alliedmarketresearch.com/press-release/homeland-security-market.html. 24 Department of Homeland Security - FY 2020 Budget in Brief, see: https://www.dhs.gov/sites/default/files/publications/19_0318_MGMT_FY-2020-Budget-In-Brief.pdf. 25 DHSES is comprised of four offices: the Office of Counter Terrorism, the Office of Emergency Management, the Office of Fire Prevention and Control, and the Office of Interoperable and Emergency Communications. New York State Homeland Security and Emergency website, see: http://www.dhses.ny.gov/. 26 New York Budget Data website, see: https://openbudget.ny.gov/spendingForm.html. Budget data accessed as of July 1, 2019. 27 “T.S.A. Testing 2 Technologies to Speed Airport Screening,” The New York Times, June 28, 2017, see: https://www.nytimes.com/2017/06/28/travel/tsa-testing-2-technologies-to-speed-airport-screening.html.

Privileged and Confidential 14

5. Factors Driving Cluster Development

K2 spoke with homeland security and cybersecurity industry sources to better understand the factors that influence decisions on where to locate and expand these types of businesses. Sources overwhelmingly cited proximity to both talent and customers as the driving factors that contribute to a cybersecurity or homeland security company’s decisions regarding office locations, with many adding access to capital as an additional ingredient.

• The argument was stated succinctly by one investor, who noted that “there’s a new version of Silicon Valley every day,” speaking of regions where a company will launch and attract a few more similar businesses. But the investor noted that those regions come and go unless there’s enough follow-through and investment to maintain consistent access to enough talent, customers, and capital to sustain development. The investor noted that access to capital was especially critical for younger, smaller companies.

• This mix of drivers was also cited by a cybersecurity company founder who described New York City’s strength as its proximity to funding, talent, and customers, especially Fortune 500 companies. The source described the venture capital ecosystem in New York City as being especially important to their business.

In addition to these elements, sources cited other factors including the location of a company’s founders, the cost of living and talent, and the presence of development incentives.

• The location of a founder was most critical at the time of company creation. The founder of one cybersecurity company noted their company was based in New York City because the founders were from the area. An investor likewise noted that many early-stage companies locate wherever the chief executive officer starts the business.

• Sources offered mixed opinions on the value of economic incentives, observing that they were necessary to foster development but were not typically the determining factor in a company’s decision about where to locate.

5.1. Talent: Access to Talent Drives Location Decisions The focus on talent was shared by company executives inside and outside New York State, as well as individuals within the venture capital community. • One source in the venture capital community noted that their firm is geographically agnostic in where it looks to make investments, but still wants to make sure there is sufficient talent in a target company’s geographic area to support its development. The source noted that geographic locations can differentiate themselves through strong academic programs, low cost of living, better taxes (personal and corporate), and a quality of life that appeals to young employees.

• A senior executive at a cybersecurity company based in New York City with offices in the Washington, D.C. metropolitan area and overseas noted that ease of recruiting talent drove their office location decisions, as did a senior executive at a cybersecurity startup located in the Washington, D.C. metropolitan area.

• A senior cybersecurity executive at a New York City-based company noted that there are thousands of cybersecurity providers that have similar offerings, and so cybersecurity providers –

Privileged and Confidential 15

or those looking to start new companies – need fruitful environments with access to skilled developers and technical people and an easy exchange of ideas so that novel solutions can develop. The source noted that the phenomenon of Silicon Valley-like regions where there is a community of like-minded individuals is very attractive to those looking to join the cybersecurity industry. When it came to sourcing talent, multiple industries and pipelines were cited as valuable recruiting grounds for the cybersecurity and homeland security industries.

• One source in the venture capital community noted that many security companies emerge from the defense or industrial control industries and that software development companies are a natural pathway for talent.

• One senior executive at a cybersecurity company noted that talent in the technology sector comes from competitors, adjacent fields, technical universities, or is developed internally within companies.

Locations with robust educational programs and adjacent industries were often cited as strong talent pools.

• One senior executive stated that Pittsburgh, Pennsylvania (home of Carnegie Mellon University) and Baltimore, Maryland (home of the National Security Agency) are good examples of cities with good sources of talent.

• Another Maryland-based cybersecurity executive noted that the company’s initial focus was to recruit from government agencies that had already developed talent, but a relationship with a university also makes sense if a connection exists and the company in question is located nearby.

• A founder at a New York City-based cybersecurity company stated that the company had identified talent at New York University and Columbia University and was not only looking for technical skills, indicating that the company also hired candidates who could be trained in-house as analysts.

Locations with less competition over talent hold appeal for smaller technology companies.

• One senior homeland security executive based in London, United Kingdom told K2 that the competition for talent had led their multinational company to locate many back office technical jobs to cities elsewhere in the UK. This source stated it was easier to procure and hire talent outside of major cities, noting there is fierce competition in major cities with big-name technology companies like Facebook and Google. • Likewise, the New York City-based cybersecurity company founder noted that if they looked to relocate portions of their teams it would likely be to locations like Kansas City or St. Louis, Missouri, where there is engineering talent and lower cost of living.

5.2. Customers: Face-to-Face Meetings Still Critical When it came to customers, multiple sources noted that despite advances in telecommunications and technology, as well as the ability of companies to serve customers worldwide, face-to-face meetings were still critical to growing business and a driving factor in where companies are based.

• A senior cybersecurity executive based in New York City noted that having a face-to-face relationship with customers has facilitated the expansion of their company. The source noted New

Privileged and Confidential 16

York City has been a good location due to the easy Amtrak access to government customers in Washington, D.C.

• A second senior executive at a New York City-based cybersecurity company noted that for some business offerings such as managed security services and cybersecurity products a company’s location was not as critical because much of the work is done remotely, but there is “still nothing better than a face-to-face meeting” especially for professional services offerings when your customer requires in-person work. The source said that a small corporate office could be located close to major companies in New York City, allowing technical staff to be based elsewhere.

5.3. Economic Incentives: Government Spending Only Goes So Far Sources offered mixed opinions on the value of economic incentives in driving business location decisions.

• One source in the venture capital community said that incentives were generally a “wash” when deciding where to locate. The source noted that some incentives need to be in place, but ultimately the decision-makers (e.g. the chief executive officer) need to want to live where the company will be located. The source asserted that a personal connection to a geographic area is the number one driver for relocation.

• Another source told K2 that regions outside of New York State had offered economic incentives like tax breaks to the source’s company to explore operations there, but that given the ongoing competition for cybersecurity talent (see further discussion in the “New York Challenges” section, below) the offers were not compelling without a corresponding investment in human capital.

Nevertheless, incentives are reportedly common within the industry.

• One investor stated that Pennsylvania typically offered incentives in the form of capital projects, but also offered softer incentives like business development connections that the state helped facilitate.

• Another source, a senior executive at a cybersecurity company, noted that another state offered incentives to their company in the form of free rental space while the company built a facility in the state and also contributed funds towards the facility’s construction in an area that was being converted from an industrial zone.

Privileged and Confidential 17

6. Fast-Growing Regional Clusters

K2 conducted research on four metropolitan areas outside of New York State which have burgeoning, and in some cases, robust cybersecurity and/or homeland security clusters. These regions offer examples of the types of opportunities and challenges that New York State may face as it develops these industries. Each of the four regions are anchored by a strong military or government presence and contain a combination of elements that can be critical to homeland security and cybersecurity cluster development, such as vibrant academic programs that act as a talent pipeline, and public-private partnerships that spur research, innovation, and workforce development in each industry. These clusters often developed with the support of local business leaders, academic institutions, and development groups – most of these regions offer economic incentives to private companies that locate within the cluster; however, these incentives do not appear to be an integral part of each cluster’s development. In all cases, access to talent appears to be the greatest challenge facing the future development of the cybersecurity and/or homeland security industry in the regions studied. Please note that the following cluster descriptions are intended as high-level overviews and are not a comprehensive summary of all homeland security or cybersecurity activity in each region.

6.1. San Antonio, Texas San Antonio, Texas - or “Cyber City USA”28 - a city of 1.5 million people in south-west Texas and the fastest growing large city in the United States 29 is reportedly home to over 40 cybersecurity headquarters. 30 According to Business Facilities Magazine, “Texas also is emerging as a go-to location for cybersecurity startups thanks to its robust infrastructure, network of industry partners and access to venture capital.”31 The private sector cybersecurity industry in San Antonio is composed of both large defense contractors (e.g. Northrop Grumman, Lockheed Martin and Booz Allen Hamilton) and local startups (e.g. Digital Defense, IP Secure, GlobalSCAPE, and Red Knight) founded by retired military

28 “Cybersecurity Takes Center Stage,” Business Facilities Magazine, April 16, 2018, see: https://businessfacilities.com/2018/04/cybersecurity-takes-center-stage/. 29 “More people Moved to San Antonio Last Year than to Any Other Large U.S. City,” Texas Public Radio, June 3, 2018, see: https://www.tpr.org/post/more-people-moved-san-antonio-last-year-any-other-large-us-city. 30 “Cybersecurity Takes Center Stage,” Business Facilities Magazine, April 16, 2018, see: https://businessfacilities.com/2018/04/cybersecurity-takes-center-stage/. 31 “Cybersecurity Takes Center Stage,” Business Facilities Magazine, April 16, 2018, see: https://businessfacilities.com/2018/04/cybersecurity-takes-center-stage/.

Privileged and Confidential 18

personnel.32 San Antonio is additionally home to nearly 900 Department of Labor-designated IT companies and over 80 companies in the defense technology cluster, according to the San Antonio Economic Development Foundation.33

Proximity to Federal Government Resources San Antonio is currently home to four military facilities, all part of Joint Base San Antonio (“JBSA”),34 which employs over 80,000 people.35 JBSA consists of Fort Sam Houston, Randolph Air Force Base, Lackland Air Force Base, and Martindale Army Airfield. 36 In 2017, JBSA had an estimated economic impact of $30.37 billion on the Texas economy, according to the Texas Comptroller of Public Accounts.37 A 2013 Washington Post article reported that San Antonio at the time ranked ninth among metropolitan areas with the largest concentrations of United States federal government and military workers.38 Due in part to its robust military presence, San Antonio also hosts the second largest concentration of cybersecurity professionals in the United States outside of Washington, D.C.39 San Antonio’s cybersecurity industry is anchored by the presence of active units of the National Security Agency (“NSA”) and the United States Air Force. The San Antonio Chamber of Commerce (“SACC”) has also played a role in the development of the city’s cybersecurity cluster, bringing together military, commercial, and academic capabilities through a series of initiatives. For instance, the SACC reportedly lobbied to bring the Air Force Cyber Command to Lackland Air Force Base (“Lackland”) in San Antonio.40 Three cyber-related units at Lackland operate under the Air Force Cyber Command: the 624th Operations Center, the 67th Cyberspace Wing, and the 688th Cyberspace Wing.41 Lackland also hosts the NSA/CSS Texas Cryptologic Center, a satellite campus of the NSA that “conducts worldwide signals intelligence, cyberspace operations, and cybersecurity operations.”42

32 San Antonio Cybersecurity Fact Sheet, see: http://www.sanantonioedf.com/images/uploads/CybersecurityFactSheet.pdf; Port San Antonio website, see: http://www.portsanantonio.us/Webpages.asp?wpid=478. 33 San Antonio Economic Development Foundation, see: http://www.sanantonioedf.com/industry-sectors/information-technology- cybersecurity/. 34 Joint Base San Antonio Information, see: https://www.jbsa.mil/Information/. 35 Joint Base San Antonio (Lackland, Randolph, Sam Houston) In-depth Overview, see: https://installations.militaryonesource.mil/in- depth-overview/joint-base-san-antonio-lackland-randolph-sam-houston. 36 Joint Base San Antonio (Lackland, Randolph, Sam Houston) In-depth Overview, see: https://installations.militaryonesource.mil/in- depth-overview/joint-base-san-antonio-lackland-randolph-sam-houston. 37 The Texas Comptroller of Public Accounts analyzed the economic impact of Joint Base San Antonio (JBSA) on the Texas economy at the request of the Texas Military Preparedness Commission (TMPC), see: https://www.sanantonio.gov/Portals/0/Files/OMA/2017- economic-report.pdf. 38 “Relying on a federal paycheck during the shutdown,” The Washington Post, March 7, 2013. 39 “Texas Cybersecurity: Protecting Data Systems,” San Marcos Corridor News, March 28, 2019. 40 San Antonio Chamber of Commerce, see: https://www.sachamber.org/about-us/history/. 41 Air Forces Cyber (Units), see: https://www.afcyber.af.mil/About-Us/Units/. 42 NSA/CSS Texas, see: https://www.nsa.gov/about/cryptologic-centers/texas/.

Privileged and Confidential 19

Academic Institutions & Public-Private Partnerships San Antonio also has a significant academic presence in cybersecurity including several NSA and DHS- designated National Centers of Academic Excellence (“CAE”) in Information Security. 43 Prominent academic institutes include: • The University of Texas at San Antonio’s Institute for Cyber Security, which “conducts basic and applied research in partnership with academia, government and industry;”44 • The Center for Infrastructure Assurance and Security, a “center for multidisciplinary education and development of operational capabilities in the areas of infrastructure assurance and security;”45 and • The Southwest Research Institute, a nonprofit research and development center focused on advanced sciences and applied technology.46 In 2009, the SACC developed the San Antonio Cyber Action Plan (“SACAP”) “to outline ways to expand cyber operations in San Antonio and help promote collaboration among academic, business and government entities involved in cyber security and information assurance,” according to the SACC’s website.47 As part of this plan, San Antonio launched the public-private partnership Build Sec Foundry, a “long-term incubator helping founders launch security product startups in Central Texas.”48 The program was founded in 2016 with funds raised by local technology companies.49

Economic Incentives The impact of Texas’s business-friendly tax policies (Texas has no corporate income tax) and funding programs designed to support economic development in the San Antonio cluster has been “negligible,” per a study by the New America Foundation on how the cybersecurity industry can stimulate economic growth.50 These funding programs include the Texas Enterprise Fund and the Product/Business Revolving Loan Fund that “provide funds for research, commercialization, and production” and have reportedly “failed to attract established companies and large conglomerates to the area.”51

43 San Antonio Economic Development Foundation, see: http://www.sanantonioedf.com/industry-sectors/information-technology- cybersecurity/. 44 Institute for Cyber Security, see: http://ics.utsa.edu/. 45 The Center for Infrastructure Assurance and Security, see: http://cias.utsa.edu/. 46 Southwest Research Institute, see: https://www.swri.org/. 47 San Antonio Chamber of Commerce, see: https://www.sachamber.org/about-us/history/. 48 Build Sec Foundry website, see: https://buildsecfoundry.com/. 49 “Cybersecurity Takes Center Stage,” Business Facilities Magazine, April 16, 2018, see: https://businessfacilities.com/2018/04/cybersecurity-takes-center-stage/. 50 Natasha Cohen et al. “Cybersecurity as an engine for growth,” New America, September 2017, see: http://www.newamerica.org/cybersecurity-initiative/. The authors cite: Adam Prager and Philip Schneider, Cybersecurity Industry Report, (New York: Deloitte Consulting, 2014), Interview with the Authors. Conducted March 24, 2017. 51 Natasha Cohen et al. “Cybersecurity as an engine for growth,” New America, September 2017, see: http://www.newamerica.org/cybersecurity-initiative/. The authors cite: Adam Prager and Philip Schneider, Cybersecurity Industry Report, (New York: Deloitte Consulting, 2014).

Privileged and Confidential 20

Challenges to Growth In 2015, the SACC released a study on the region’s cybersecurity industry.52 The study reportedly noted that San Antonio’s economic development had focused on attracting companies from the outside and connecting to federally controlled government money. However, research by development economists helped San Antonio change focus to a model that relied on expansion from within by supporting collaboration between local start-ups and forming local relationships to units operating in the San Antonio area. The researchers recommended that local enterprises forge stronger connections with education institutions, and combining efforts of smaller firms to achieve government recognition and assistance.53 Even with these strengths, a report from the Federal Reserve Bank notes that San Antonio faces challenges in sustaining its cluster growth. It points to the lack of local talent qualified for cybersecurity jobs.54 The report also raises the region’s dependency on government jobs, which are perennially vulnerable to federal budget cuts.55

6.2. Pittsburgh, Pennsylvania The Pittsburgh metropolitan area houses a cybersecurity cluster anchored by a sizeable Federal Bureau of Investigation (“FBI”) presence, paired with successful academic and research and development (“R&D”) programs. The region is home to approximately 2.3 million people, with around 300,000 located in the city of Pittsburgh, 56 and is also home to branches of major technology companies such as Google and Uber.57 As of August 2016, there were over 40 cybersecurity companies located in Pittsburgh. 58 The city claims to be the recipient of $3

52 “SA Chamber Committee Releases Study on Cyber Security in San Antonio,” Press release from City of San Antonio Economic Development Foundation, March 13, 2015, see: https://cosaedd.wordpress.com/2015/03/13/sa-chamber-committee-releases-study- on-cyber-security-in-san-antonio/. Note that this study was reportedly released to the media at the time it was completed; however, to date, K2 has not located a copy of it online. 53 Natasha Cohen et al. “Cybersecurity as an engine for growth,” New America, September 2017, see: http://www.newamerica.org/cybersecurity-initiative/. The authors cite: Adam Prager and Philip Schneider, Cybersecurity Industry Report, (New York: Deloitte Consulting, 2014), Interview with the Authors. Conducted July 14, 2017. 54 “San Antonio: At the Heart of Texas: Cities’ Industry Clusters Drive Growth,” Federal Reserve Bank of Dallas, December 2018, see: https://www.dallasfed.org/-/media/Documents/research/heart/sanantonio.pdf. 55 “San Antonio: At the Heart of Texas: Cities’ Industry Clusters Drive Growth,” Federal Reserve Bank of Dallas, December 2018, see: https://www.dallasfed.org/-/media/Documents/research/heart/sanantonio.pdf. 56 Census reporter, see: https://censusreporter.org. 57 Andes, Scott, Mitch Horowitz, Ryan T. Helwig, Bruce Katz, Scott Andes, Mitch Horowitz, Ryan T. Helwig, and Bruce Katz. "Capturing the next Economy: Pittsburgh's Rise as a Global Innovation City." Brookings. October 24, 2018, see: https://www.brookings.edu/research/capturing-the-next-economy-pittsburghs-rise-as-a-global-innovation-city/. 58 “Cybersecurity in the Pittsburgh Region,” Pittsburgh Regional Alliance, August 2016, see: https://www.pittsburghregion.org/wp- content/uploads/2016/08/KeySectors_IT_CyberSecurity.pdf.

Privileged and Confidential 21

billion in R&D investment annually “spanning academic, corporate, and government” sectors.59 Pittsburgh industries tangential to cybersecurity include information technology and robotics.60

Proximity to Federal Government Resources Pittsburgh’s cybersecurity cluster began to develop in 2002, when the FBI supported the establishment of the National Cyber-Forensics & Training Alliance (“NCFTA”),61 which, according to the FBI, has become “an international model for bringing together law enforcement, private industry, and academia to share information to stop emerging cyber threats and mitigate existing ones.”62 NCFTA’s website advertises that it has prevented $1.9 billion in financial losses, produced over 9,000 intelligence reports, and referred over 1,500 cases to law enforcement, and that its work has led to over 600 law enforcement arrests.63

Academic Institutions & Public-Private Partnerships Pittsburgh also has strong academic programs, with institutions like Carnegie Mellon University (“CMU”) and the University of Pittsburgh, which generate 2,600 IT degree graduates annually, making the region second in the United States for IT degrees.64 The region’s academic strengths include the following:

• CMU has been designated a CAE in Information Assurance/Cyber Defense Education, Information Assurance/Cyber Defense Research and Cyber Operations by DHS and NSA.65 This is largely due to the CyLab Security and Privacy Institute, which “brings together experts from a variety of disciplines across the University to collaborate on cutting-edge research and educate the next generation of security and privacy professionals.”66

• CMU also hosts the Computer Emergency Response Team (“CERT”) Coordination Center, a federally funded cybersecurity research and development center with over 250 cybersecurity

59 Why Pittsburgh for Information Technology, Pittsburgh Regional Alliance, see: https://www.pittsburghregion.org/wp- content/uploads/2016/08/KeySectorInfoCommTechnology.pdf. 60 Why Pittsburgh for Information Technology, Pittsburgh Regional Alliance, see: https://www.pittsburghregion.org/wp- content/uploads/2016/08/KeySectorInfoCommTechnology.pdf. 61 National Cyber-Forensics & Training Alliance, see: https://www.ncfta.net/; “The NCFTA: Combining Forces to Fight Cyber Crime,” FBI.gov, September 16, 2011, see: https://www.fbi.gov/news/stories/the-ncfta-combining-forces-to-fight-cyber-crime. Note that K2 identified conflicting reports as to whether the NCFTA was established in 1997 or 2002. 62 “The NCFTA: Combining Forces to Fight Cyber Crime,” FBI.gov, September 16, 2011, see: https://www.fbi.gov/news/stories/the- ncfta-combining-forces-to-fight-cyber-crime. Note that K2 identified conflicting reports as to whether the NCFTA was established in 1997 or 2002. 63 NCFTA website, see: https://www.ncfta.net/. 64 “Why Pittsburgh for Information Technology,” Pittsburgh Regional Alliance, August 2016, see: https://www.pittsburghregion.org/wp- content/uploads/2016/08/KeySectorInfoCommTechnology.pdf; Information Technology, Pittsburgh Regional Alliance, see: https://www.pittsburghregion.org/why/information-technology/. 65 CyLab Security and Privacy Institute, see: https://www.cylab.cmu.edu/education/programs.html. 66 CyLab Security and Privacy Institute, see: https://www.cylab.cmu.edu/index.html.

Privileged and Confidential 22

personnel. 67 Per its website, CERT “partners with government, industry, law enforcement, and academia to improve the security and resilience of computer systems and networks.”68

• The NSA and DHS have also certified the University of Pittsburgh Laboratory of Education and Research on Security Assured Information Systems (“LERSAIS”) as a national CAE in Information Assurance Education.69 As an example of corporate recognition of the magnitude of the Pittsburgh technical cluster, Kamal Nigam, engineering director at Google Pittsburgh, is quoted on the Pittsburgh Regional Alliance website: “Google has been building an engineering presence in Pittsburgh since 2005. The combination of a strong tech ecosystem and rich pipeline of world-class talent … have allowed us to continue to grow from two engineers to over 300.”70

Economic Incentives While the region may have economic incentives for companies that relocate, they are not widely advertised on local economic development websites reviewed by K2. In addition, several sources referenced Pittsburgh’s lack of economic incentives as a barrier to development, as discussed in the following section. The Allegheny Conference on Community Development, a local economic development organization, notes in its 2018-2019 plan that one of its foci in the coming year will be to make the state’s onerous business tax structure, which is discussed further below, more competitive.71

Challenges to Growth Although Pittsburgh has achieved some success with its cybersecurity cluster, according to a 2018 report published by The Brookings Institution, a D.C.-based think tank, the city has not been able to compete with places such as Austin, Texas because too few startups “are scaling to the point of being regional employment drivers.”72 In addition, the “level of innovation inputs (such as patents and R&D investments)” outstrips the region’s “economic outputs (jobs, GDP, and firms in advanced industries).” 73 Pittsburgh has also faced some systemic challenges in developing its cybersecurity cluster:

67 “Cybersecurity in the Pittsburgh Region,” Pittsburgh Regional Alliance, August 2016, see: https://www.pittsburghregion.org/wp- content/uploads/2016/08/KeySectors_IT_CyberSecurity.pdf. 68 CMU Software Engineering Institute, see: https://www.sei.cmu.edu/about/divisions/cert/. 69 “Cybersecurity in the Pittsburgh Region,” Pittsburgh Regional Alliance, August 2016, see: https://www.pittsburghregion.org/wp- content/uploads/2016/08/KeySectors_IT_CyberSecurity.pdf.; LERSAIS, see: http://www.sis.pitt.edu/lersais/. 70 Information Technology, Pittsburgh Regional Alliance, see: https://www.pittsburghregion.org/why/information-technology/. 71 2018-2019 Agenda: Creating A Next Generation Economy For All, see: https://www.alleghenyconference.org/wp- content/uploads/2018/04/018_AgendaDocument_sprd.pdf. 72 Andes, Scott, Mitch Horowitz, Ryan T. Helwig, Bruce Katz, Scott Andes, Mitch Horowitz, Ryan T. Helwig, and Bruce Katz. "Capturing the next Economy: Pittsburgh's Rise as a Global Innovation City." Brookings. October 24, 2018, see: https://www.brookings.edu/research/capturing-the-next-economy-pittsburghs-rise-as-a-global-innovation-city/. 73 Andes, Scott, Mitch Horowitz, Ryan T. Helwig, Bruce Katz, Scott Andes, Mitch Horowitz, Ryan T. Helwig, and Bruce Katz. "Capturing the next Economy: Pittsburgh's Rise as a Global Innovation City." Brookings. October 24, 2018, see: https://www.brookings.edu/research/capturing-the-next-economy-pittsburghs-rise-as-a-global-innovation-city/.

Privileged and Confidential 23

• The Tax Foundation notes that Pennsylvania’s top statutory corporate tax rate is one of the highest in the country (behind only Iowa and New Jersey) at 9.99 percent,74 and has a ranking of 43rd among all states in the 2019 Corporate Tax Rank compiled by the Tax Foundation, a Washington D.C.-based think tank.75

• Pittsburgh also faces demographic shortcomings: its population did not grow between 2009 and 2014, while the population of peer cities such as Austin, Texas did. In addition, Pittsburgh’s workforce is older than the national average.76

• The Allegheny Conference on Community Development identified the following barriers to Pittsburg’s competitiveness in its 2018-2019 agenda: lack of diversity in population, workforce and leadership; infrastructure, including water and sewer systems and bridges; transportation and connectivity; workforce and education gaps; and unfavorable tax policies and regulatory climate and limited availability of incentives.77

6.3. Colorado Springs, Colorado Colorado Springs, Colorado, with a population of about 700,000, is a third region that has leveraged a robust military presence to encourage growth of cybersecurity and homeland security clusters. Per a 2018 interview with former Colorado Governor John Hickenlooper: Colorado has been at the center of the cybersecurity industry for a long time, and the sector continues to grow…Colorado Springs is home to the United States Northern Command along with more than 100 cybersecurity businesses. That, combined with the universities and colleges there, as well as the military expertise in this area, make it a prime location from which to train, educate and research. We took advantage of the assets we had to grow the cybersecurity industry.78 Per the chief economic development officer for the Colorado Springs Chamber of Commerce & Economic Development Corporation, the region’s selling points are “low business and living costs, [an] innovative atmosphere, and [a] robust economy.” 79

74 Cammenga, Janelle. "State Corporate Income Tax Rates and Brackets for 2019." Tax Foundation. March 26, 2019, see: https://taxfoundation.org/state-corporate-rates-brackets-2019/. 75 Walczak, Jared, and Katherine Loughead. "How Does Your State Rank on Corporate Taxes? | 2019 State Rankings." Tax Foundation. November 01, 2018, see: https://taxfoundation.org/corporate-tax-rank-2019-state-business-tax-climate-index/. 76 Andes, Scott, Mitch Horowitz, Ryan T. Helwig, Bruce Katz, Scott Andes, Mitch Horowitz, Ryan T. Helwig, and Bruce Katz. "Capturing the next Economy: Pittsburgh's Rise as a Global Innovation City." Brookings. October 24, 2018, see: https://www.brookings.edu/research/capturing-the-next-economy-pittsburghs-rise-as-a-global-innovation-city/. 77 2018-2019 Agenda: Creating A Next Generation Economy For All, see: https://www.alleghenyconference.org/wp- content/uploads/2018/04/018_AgendaDocument_sprd.pdf. 78 “Colorado: Growing Their Own Talent,” Business Facilities Magazine, October 17, 2018, see: https://businessfacilities.com/2018/10/colorado-governors-report-growing-talent/. 79 Colorado Tech Tour, see: http://coloradotechtour.org/post/as-tech-industry-booms-in-colorado-springs-so-does-need-for-talent/.

Privileged and Confidential 24

The region’s cybersecurity sector includes more than 125 companies.80 In the aerospace sector, the region includes facilities for eight of the country’s major aerospace contractors, including The Boeing Company, Lockheed Martin, Northrop Grumman, and Raytheon.81

Proximity to Federal Government Resources Colorado Springs is home to several military installations and strategic command centers, including but not limited to:82 • Peterson Air Force Base, home to the 21st Space Wing (a unit of the United States Air Force Space Command) and the United States Air Force’s “only organization providing missile warning and space control to unified combatant commanders worldwide.”83 It is also the headquarters of the United States Northern Command (“NORTHCOM”), which “provide[s] command and control of Department of Defense (“DOD”) homeland defense efforts” and “coordinate[s] defense support of civil authorities;”84 and the North American Aerospace Defense Command (“NORAD”), “a United States and Canada bi-national organization charged with the missions of aerospace warning, aerospace control and maritime warning for North America;”85 among other units.

• Fort Carson, a United State Army base that houses the 4th infantry division, among other units.86 Colorado Springs also participates in the emerging commercial aerospace sector for Unmanned Aircraft Systems (“UAS”).87 The United States Air Force Academy (“USAFA”), also located in Colorado Springs, is a center for UAS activity; the USAFA and the United States Air Force train remotely piloted aircraft (“RPA”) pilots at Doss Aviation’s flight training facility at the Pueblo Airport in Colorado Springs.88

Academic Institutions & Public-Private Partnerships Five NSA and DHS-certified CAEs are located in the region, according to the Colorado Springs Chamber of Commerce and Economic Development Corporation: USAFA; The University of Colorado, Colorado Springs; Colorado Technical University; Regis University; and Pikes Peak Community College.89

80 Cybersecurity in Colorado Springs, Colorado Springs Chamber of Commerce & Economic Development Corporation, March 29, 2019, see: https://coloradospringschamberedc.com/wp-content/uploads/2016/10/Pikes_Peak_Region_Cyber_Companies.pdf. 81 “AEROSPACE: Colorado Industry Cluster Profile,” Metro Denver Economic Development Corporation, January 26, 2017, see: http://www.spacecolorado.org/media/230105/aerospace_2016_co_012617.pdf. 82 Key Industry: Defense & Homeland Security, Colorado Office of Economic Development & International Trade, see: https://choosecolorado.com/wp-content/uploads/2016/06/CO-Defense-Profile.pdf. 83 Peterson Air Force Base, see: https://www.peterson.af.mil/About/Welcome-to-the-21st-Space-Wing/. 84 NORTHCOM, see: https://www.northcom.mil/About-USNORTHCOM/. 85 NORAD, see: https://www.norad.mil/About-NORAD/. 86 Fort Carson, see: https://www.carson.army.mil/allunits.html. 87 “Aerospace & Defense Industry Profile,” Colorado Springs Chamber of Commerce & Economic Development Corporation, 2017, see: https://coloradospringschamberedc.com/wp-content/uploads/2016/10/Chamber_EDC_Aero_Defense_Brochure-2.pdf. 88 “Aerospace & Defense Industry Profile,” Colorado Springs Chamber of Commerce & Economic Development Corporation, 2017, see: https://coloradospringschamberedc.com/wp-content/uploads/2016/10/Chamber_EDC_Aero_Defense_Brochure-2.pdf. 89 Cybersecurity in Colorado Springs, Colorado Springs Chamber of Commerce & Economic Development Corporation, March 29, 2019, see: https://coloradospringschamberedc.com/wp-content/uploads/2016/10/Pikes_Peak_Region_Cyber_Companies.pdf.

Privileged and Confidential 25

USAFA in particular is currently expanding its cybersecurity footprint by building a Center for Cyber Innovation on its campus. 90 This center will reportedly house three USAFA programs that are already operating:

• Air Force CyberWorx, a public-private partnership focused on cybersecurity;91 • the Center of Innovation, an early-stage research center that is a collaboration between the DHS, DOD, and private industry;92 and

• USAFA Department of Computer and Cyber Science, a CAE that is home to the Academy Center for Cyberspace Research, which “conducts research in cyber warfare, information assurance, unmanned aerial systems, and cyberspace education.”93 Colorado Springs is also home to the National Cybersecurity Center (“NCC”), a nonprofit organization that describes itself as “providing collaborative cybersecurity knowledge and services to the nation” 94 and “operates in partnership with local higher education, military and private companies to promote research, education and innovation in the industry.” 95 The NCC was established by the Colorado Cybersecurity Initiative bill, which was enacted in May 2016 by Governor Hickenlooper96 and provided almost $8 million in funding to build the center.97 The NCC officially opened in 2018. The NCC describes its mission as three-fold: public policy and cyber awareness, job creation, and workforce development.98 As part of its mandate to create jobs, the NCC has partnered with Exponential Impact, a startup accelerator that provides mentoring, seed funding, and leadership development opportunities for technology entrepreneurs – specifically those focused on blockchain, cybersecurity, and artificial intelligence.99 Regarding workforce development, the NCC is partnering with K-12 schools, as well as higher education institutions, to promote cybersecurity education and promote diversity within the industry.100

Economic Incentives The Colorado Springs cybersecurity cluster may also benefit from Colorado’s simplified tax structure and state-funded development initiatives. Colorado’s corporate income tax rate of 4.63 percent is one of the

90 United States Air Force Academy, see: https://www.usafa.org/cyber. 91 AF CyberWorx, see: https://www.usafa.edu/af-cyberworx/. 92 Center of Innovation, see: https://www.usafa.edu/research/research-centers/center-innovation/. 93 USAFA Department of Computer and Cyber Sciences, see: https://www.usafa.edu/department/computer-science/. 94 National Cybersecurity Center, see: https://cyber-center.org/. 95 “Five Reasons Why Colorado Springs is a Hotspot for Cybersecurity Innovation,” Colorado Springs Chamber of Commerce & Economic Development Corporation, February 3, 2017, see: https://coloradospringschamberedc.com/five-reasons-colorado-springs- hotspot-cybersecurity-innovation/. 96 “Five Reasons Why Colorado Springs is a Hotspot for Cybersecurity Innovation,” Colorado Springs Chamber of Commerce & Economic Development Corporation, February 3, 2017, see: https://coloradospringschamberedc.com/five-reasons-colorado-springs- hotspot-cybersecurity-innovation/. 97 “National Cybersecurity Center Opens in Colorado,” Government Technology, January 22, 2018, see: https://www.govtech.com/security/National-Cybersecurity-Center-Opens-in-Colorado.html. 98 The Pillars of the NCC, see: https://cyber-center.org/pillars/. 99 Exponential Impact, see: https://cyber-center.org/job-creation/; https://exponentialimpact.com/. 100 NCC Workforce Development, see: https://cyber-center.org/workforce-development/.

Privileged and Confidential 26

lowest in the nation, according to the Tax Foundation.101 Likewise, there are state-sponsored programs that support these so-called advanced industries (e.g. cybersecurity, aerospace) in their various phases of growth.102 For instance, the Global Business Development (“GBD”) division of the Colorado Office of Economic Development and International Trade is “focused on aligning its portfolio of programs, services, and incentives within industries that strategically and operationally benefit companies currently in Colorado, while also recruiting and expanding occupations that are forecast to grow.”103 One of the services offered by the GBD is the Advanced Industries Accelerator Program, which was created in 2013 to promote growth and sustainability in Colorado’s advanced industries “by driving innovation, accelerating commercialization, encouraging public-private partnerships, increasing access to early stage capital and creating a strong infrastructure that increases the state’s capacity to be globally competitive.”104

Challenges to Growth The primary challenge to the growth of Colorado Springs’ cybersecurity cluster is lack of talent. A local technical recruiter is quoted on a local development website as saying: “There is no denying that companies are facing increasingly robust competition for talent in cities like Seattle, San Diego and Washington, D.C., and we are not immune to that competition here in Colorado Springs.”105 The chief economic development officer for the Colorado Springs Chamber of Commerce & Economic Development Corporation similarly stated on the development website, “As we visit with business leaders, the one topic that consistently arises is the need for talent recruitment resources.” 106

101 Taxes in Colorado; The Tax Foundation, see: https://taxfoundation.org/state/colorado/. 102 Colorado Office of Economic Development & International Trade, see: https://choosecolorado.com. 103 Colorado Office of Economic Development and International Trade’s Annual Report 2018, see: https://choosecolorado.com/wp- content/uploads/2018/11/OEDIT-Annual-Report-2018_final-1.pdf. 104 “$47 million Advanced Industries Awards Fuel 20 Colorado Start-ups,” Colorado Office of Economic Development & International Trade press release, May 17, 2018, see: https://choosecolorado.com/4-7-million-advanced-industries-awards-fuel-20-colorado-startups/. 105 Colorado Tech Tour, see: http://coloradotechtour.org/post/as-tech-industry-booms-in-colorado-springs-so-does-need-for-talent/. 106 Colorado Tech Tour, see: http://coloradotechtour.org/post/as-tech-industry-booms-in-colorado-springs-so-does-need-for-talent/.

Privileged and Confidential 27

6.4. Augusta, Georgia Augusta, Georgia – comprised of the consolidated governments of Augusta and Richmond Counties – is Georgia’s second largest city with over 200,000 people. The entire Augusta Metropolitan Statistical Area (“MSA”) includes more than 600,000 people.107 Augusta was included in a 2017 Fortune article as a "dark horse when it comes to winning the race to be a cyber capital."108 As a result of its military presence, Augusta is home to almost 100 defense-related companies that focus on communications and cybersecurity.109 The state itself is third in the country in information security companies, which produce almost $5 billion in annual revenue in Georgia.110 Augusta also benefits from its proximity to Atlanta, which is considered an up-and-coming cybersecurity cluster and is home to major research institutions such as the Georgia Institute of Technology.111

Proximity to Federal Government Resources The region is home to Fort Gordon, which is a major employer in Augusta with a workforce of nearly 16,000 military personnel, over 7,000 civilians, and an annual economic impact of nearly $1.4 billion.112 Units at Fort Gordon include:

• the United States Army Cyber Center of Excellence, described as the United States Army’s “force modernization proponent for Cyberspace Operations, Signal/Communications Networks and Information Services, and Electronic Warfare (“EW”);”113

• the United States Army Signal Corps, which “supplies information systems and worldwide networks for the Army, the Department of Defense and allied nations in coalition operations;”114 and

• the United States Army Cyber Corps.115

107 Augusta Economic Development Authority, see: https://augustaeda.org/demographics-richmond-hill. 108 “7 Cities That Could Become the World's Cybersecurity Capital,” Fortune, April 6, 2017. 109 Augusta Economic Development Authority, Business & Industry, see: https://augustaeda.org/business-industry-target-industries. 110 “Cybersecurity Takes Center Stage,” Business Facilities Magazine, April 16, 2018, see: https://businessfacilities.com/2018/04/cybersecurity-takes-center-stage/. 111 “Cybersecurity Takes Center Stage,” Business Facilities Magazine, April 16, 2018, see: https://businessfacilities.com/2018/04/cybersecurity-takes-center-stage/. 112 “Georgia’s Little Secret Cybersecurity Hub: Enter Augusta…,” Cyber Defense Magazine, May 4, 2018. 113 United States Army Cyber Center of Excellence, see: https://cybercoe.army.mil/. 114 Signal Corps School, see: https://www.goarmy.com/soldier-life/becoming-a-soldier/advanced-individual-training/signal-corps.html. 115 United States Army Fort Gordon, see: https://home.army.mil/gordon/. Note that this website does not describe the mission of the United States Army Cyber Corps.

Privileged and Confidential 28

In 2013, the United States Army Cyber Command (“ARCYBER”) announced it would move its headquarters from Fort Meade, Maryland to Fort Gordon by 2022 – ARCYBER “operate[s] and defend[s] Army networks and deliver[s] cyberspace effects against adversaries to defend the nation.”116

According to the Augusta Economic Development Authority, the United States Army selected Fort Gordon as the permanent location for ARCYBER headquarters for “operational and cost reasons.”117 ARCYBER’s move to Augusta will reportedly create approximately 4,000 new jobs by 2019.118

Academic Institutions & Public-Private Partnerships Augusta’s cybersecurity cluster developed with state support and educational investments. In January 2017, Georgia announced a $50 million investment to build the Georgia Cyber Innovation & Training Center (also referred to as the “Georgia Cyber Center”) on Augusta University’s Riverfront Campus 119 – the Georgia Cyber Center opened in July 2018.120 The Georgia Cyber Center is a “public/private partnership involving academia, state and federal government, law enforcement, the US Army and the private sector” that is focused on training “the next generation of professionals.”121 Academic and government agencies involved in the Georgia Cyber Center include, according to its website: Augusta University, Augusta Technical College, the University System of Georgia’s research institutions, the City of Augusta, the Georgia Bureau of Investigation, and the Georgia Department of Defense.122 Governor Nathan Deal (“Deal”) announced an additional $35 million in November 2017 to accommodate this expansion.123 Deal said regarding the Georgia Cyber Center, “Given Georgia’s growing status as a technology and innovation hub, this additional investment will further cement our reputation as the ‘Silicon Valley of the South’…When complete, the center will house a cyber range, the Georgia Bureau of Investigation’s new cybercrime unit and an incubator for startup cybersecurity companies.” 124 Augusta University is also home to the Augusta University Cyber Institute, which was founded in 2015 and is focused on cybersecurity workforce development, among other initiatives. 125 One of the institute’s

116 United States Army Command, see: https://www.arcyber.army.mil/Organization/About-Army-Cyber/; The Augusta-Richmond County Comprehensive Plan, see: https://www.dca.ga.gov/sites/default/files/augusta- richmond_county_adopted_comp_plan_2018.pdf. 117 "Army Cyber Command announces Augusta’s Fort Gordon as new headquarters, creating 1,500 jobs," Augusta Economic Development Authority press release, see: https://augustaeda.org/downloads/NewsUpdates_17_983440946.pdf. 118 Georgie Department of Economic Development, Center for Innovation for Information Technology, see: http://workforce.georgia.gov/business-resources/georgia-centers-of-innovation/center-innovation-information-technology/about-the- center/. 119 “Georgia Cyber Innovation and Training Center coming to Augusta University Riverfront Campus,” WRDW12, January 11, 2017, see: https://www.wrdw.com/content/news/Georgia-Cyber-Innovation-and-Training-Center-coming-to-Augusta-University-Riverfront- Campus-410411365.html. 120 Georgia Cyber Center, see: https://cybercenter.georgia.gov/. 121 Georgia Cyber Center, see: https://cybercenter.georgia.gov/. 122 Georgia Cyber Center, see: https://cybercenter.georgia.gov/. 123 “Cybersecurity Takes Center Stage,” Business Facilities Magazine, April 16, 2018, see: https://businessfacilities.com/2018/04/cybersecurity-takes-center-stage/. 124 “Cybersecurity Takes Center Stage,” Business Facilities Magazine, April 16, 2018, see: https://businessfacilities.com/2018/04/cybersecurity-takes-center-stage/. 125 Augusta University Computer & Cyber Sciences, see: https://www.augusta.edu/ccs/about.php.

Privileged and Confidential 29

partners is the Alliance of Cybersecurity Education (“ACE”), a local organization that strives “to raise the effective value of the secondary educational system’s cyber education and its integration into post- secondary education.”126

Economic Incentives Georgia offers several incentive programs focused on encouraging local growth, including the Economic Development, Growth and Expansion (“EDGE”) Fund, which “provide[s] financial assistance to eligible applicants [i.e. locations in Georgia] that are being considered as a relocation or expansion site and are competing with another state for location of a project.”127 Georgia also advertises various tax incentives to companies (these do not appear to be targeted at technology companies specifically) considering moving to the state, noting that its corporate tax rate has been “low for 50 years and your tax obligation is based on one factor: your sales inside Georgia.”128

Challenges to Growth According to one media report, San Antonio is considered to be a model for Augusta’s cybersecurity cluster development. 129 One cybersecurity consultant told The Augusta Chronicle regarding the region’s burgeoning cybersecurity cluster, “In order for an ecosystem to thrive, it has to live on its own – you can’t keep importing people…At first you’re going to have to attract them, and then you’re going to have to self- generate. That’s how ecosystems work. They don’t grow overnight...” 130

According to the same report in The Augusta Chronicle, in addition to lacking enough highly skilled workers, challenges include “the region’s lack of venture capital and an entrepreneurial culture that historically skewed more conservative than creative. Like many mid-sized Southern cities, Augusta’s economy has generally been dominated by risk-averse, rather than innovative, industries.” 131

126 August University Cyber Institute, see: http://cyber.augusta.edu/us/#alliances. 127 OneGeorgia Authority EDGE Fund Program, see: https://www.dca.ga.gov/community-economic-development/funding/onegeorgia- authority/edge-fund. 128 Tax Credits, Georgia Department of Economic Development, see: https://www.georgia.org/competitive-advantages/incentives/tax- credits. 129 “Path to cyber preeminence is challenging but conceivable,” The Augusta Chronicle, April 22, 2018. 130 “Path to cyber preeminence is challenging but conceivable,” The Augusta Chronicle, April 22, 2018. 131 “Path to cyber preeminence is challenging but conceivable,” The Augusta Chronicle, April 22, 2018.

Privileged and Confidential 30

7. The New York State Landscape

New York State hosts a substantial and diverse cybersecurity and homeland security landscape, which includes both national players in the industries and smaller companies and startups. The 2018 Cybersecurity 500, a list of the “world’s hottest and most innovative cybersecurity companies to watch,” issued by Cybersecurity Ventures, includes 29 companies that are headquartered in New York State.132 Data compiled by CB Insights, a market intelligence platform, reflects that New York ranks fourth among states in terms of hosting the country’s most well-funded cybersecurity companies. The top state, California, is home to 33 percent of the country’s most well-funded companies, a total of 25 companies, all of which have raised more than $100 million in venture capital. New York, in fourth place with 6 percent of the country’s most well-funded companies, is right behind Virginia and Massachusetts, which are home to eight and seven percent of these companies, respectively.133 Texas and Maryland are tied for fifth place. On the education side, New York State is home to 11 academic institutions that have been designated by the NSA and DHS as CAEs in Cyber Defense (“CAE-CD”) or in Research, per data compiled by a third- party data aggregator. New York is tied for fourth in the country behind Maryland, Texas, and Florida. Virginia also has 11 CAE-CD designated institutions. 134 K2 identified seven regions in New York State – Mohawk Valley, Central New York, New York City, Finger Lakes, Long Island, Capital and Western New York – that are home to operational or nascent cybersecurity or homeland security clusters. The industry clusters in these regions, divided into two tiers, are further explicated below.

7.1. Tier One The first tier, comprised of the New York City, Central New York, and Mohawk Valley Regions, demonstrate operational cybersecurity or homeland security industry clusters. New York City’s cluster is a result of its economic size and premier academic institutions, providing the cybersecurity industry with access to both talent and consumers. The Central New York and Mohawk Valley Regions are home to a much smaller, albeit efficient industry cluster anchored by the United States Air Force Research Lab, which has attracted private industry, and the unmanned aerial systems industry development that extends from Syracuse to Rome along the I-90 Thruway.

132 Cybersecurity 500, see: https://cybersecurityventures.com/cybersecurity-500/. 133 CB Insights website, see: https://www.cbinsights.com/research/cybersecurity-us-map/. 134 See: https://www.cybersecuritymastersdegree.org/dhs-and-nsa-cae-cd-designated-schools-by-state/. The following programs are CAE-CD designated programs in New York State: Excelsior College (Capital Region), Mercy College (Mid-Hudson Region), Mohawk Valley Community College (Mohawk Valley Region), New York Institute of Technology, School of Engineering and Computer Sciences (New York City and Long Island Regions), New York University, School of Engineering (New York City Region), Rochester Institute of Technology, Department of Computing Security (Finger Lakes Region), Syracuse University, Engineering and Computer Science (Central New York Region), University of Buffalo, the State University of New York, Computer Science and Engineering (Western New York Region), Utica College, School of Business and Justice Studies (Mohawk Valley Region), Pace University, School of CSIS (New York City and Mid-Hudson Regions), and U.S. Military Academy, West Point, Army Cyber Institute (Mid-Hudson Region).

Privileged and Confidential 31

New York City The New York City Region is comprised of Brooklyn, Bronx, New York, Queens, and Richmond Counties. As of July 2018, the region’s population was approximately 8.4 million people, per the U.S. Census Bureau.135 The New York City Region has a growing cybersecurity industry cluster, with dozens of cybersecurity companies, top-tier universities, and a strong customer base. The region is taking strides to build, in the parlance of a recent TechCrunch article, a “new local empire” in New York City that can compete with well-established cybersecurity clusters in other parts of the country, including Silicon Valley, Boston, and the Washington, D.C. metropolitan area.136

7.1.1.1. Cluster Overview A November 2018 article in The New York Times reporting on the city’s efforts to become a “capital of cybersecurity” noted that, per the New York City Economic Development Corporation, the industry “already is a $1 billion-plus…with more than 100 companies and 6,000 employees.”137 A total of 23 companies on Cybersecurity Ventures’ Top 500 list in 2018 are located in New York: 21 in Manhattan and two in Brooklyn. 138 These companies range from multinational consulting companies that have cybersecurity practices, including Booz Allen Hamilton, Deloitte, and Accenture, to pure play firms like White Ops, Uplevel Security, and Varonis.139 The city’s efforts to expand its nexus as a cybersecurity cluster have been streamlined and advanced by Cyber NYC, a $100 million public-private investment project that was launched in the fall of 2018.140 The initiative will include creating a cybersecurity cluster in Chelsea and an investment hub and accelerator in SoHo. The Cyber NYC initiative is less than a year old and is newer than its counterparts in other regions – like the Cybersecurity Association of Maryland or the CyberTexas Foundation, for example, both of which were established in 2015.141 The future impact and success of these dedicated spaces and educational programs remains to be seen. The initiative also relies on the city’s academic programs and institutions – including City University of New York, Columbia University, and Cornell Tech, as well as iQ4, a platform that seeks to narrow the skills gap – to attract students to the cybersecurity field and provide continuing education courses for professionals.

135 “Current Estimates of New York City’s Population for July 2018,” NYC Department of City Planning website, see: https://www1.nyc.gov/site/planning/data-maps/nyc-population/current-future-populations.page. 136 “NYC wants to build a cyber army,” TechCrunch.com, October 2, 2018. See: https://techcrunch.com/2018/10/02/nyc-wants-to- build-a-cyber-army/. 137 “A Plan to Turn New York Into a Capital of Cybersecurity,” The New York Times, November 28, 2018. 138 Cybersecurity 500, see: https://cybersecurityventures.com/cybersecurity-500/. 139 Cybersecurity 500, see: https://cybersecurityventures.com/cybersecurity-500/. 140 “NYCEDC Unveils Global Cyber Center, Innovation Hub, and New Talent Pipelines to Secure NYC’s Future,” NYCEDC Press Release, October 2, 2018. See: https://www.nycedc.com/press-release/nycedc-unveils-global-cyber-center-innovation-hub-and-new- talent-pipelines-secure-nyc. 141 CyberSecurity Association of Maryland website, see: https://www.mdcyber.com/about-md-cyber-2/; CyberTexas Foundation website, see: https://www.cybertexas.org/show-timeline/.

Privileged and Confidential 32

The iQ4 platform also offers a cyber boot camp geared to individuals without prior background.142 These programs will require students to travel to New York to participate, per a source working on the Cyber NYC initiative. More broadly, the New York City Region has organic growth opportunities as a result of its position as a major economic center for varied industries, including financial services; advertising and marketing; media; as well as life sciences, an industry cluster that was singled out by the New York City Region’s 2018 Progress Report as a key area of focus. The report notes that it is home to a large concentration of medical research institutions, universities, health care service providers and major pharmaceutical operations, and that the state and the region committed a total of $1.2 billion in public incentives in 2016 to support public- private initiatives that advance the life sciences industry.143 While the New York City Region’s financial services sector is the city’s anchor industry,144 the fastest job growth is in technology-related industries, with a 63 percent increase in high-tech jobs over the last decade, per the New York City Region’s 2018 Progress Report.

Mohawk Valley Region The Mohawk Valley Region is comprised of six counties: Fulton, Hamilton, Herkimer, Montgomery, Oneida, Otsego and Schoharie. The region’s economic center is the Utica-Rome metropolitan area, which has a population of approximately 300,000 people, per the 2010 United States Census. The Mohawk Valley Region 2018 Progress Report lists cybersecurity, and growth of a cybersecurity cluster, as a regional priority: “Cybersecurity, the integration of Unmanned Systems in to the National Air Space, and technology commercialization represent our region’s multi-pronged assault.”145

7.1.2.1. Cluster Overview Rome – located in Oneida County – is home to two primary economic anchors for the Central New York Region (discussed in the following section of this report) and the Mohawk Valley Region in the security and defense industries: the Information Directorate of the Air Force Research

142 “NYCEDC Unveils Global Cyber Center, Innovation Hub, and New Talent Pipelines to Secure NYC’s Future,” NYCEDC Press Release, October 2, 2018. See: https://www.nycedc.com/press-release/nycedc-unveils-global-cyber-center-innovation-hub-and-new- talent-pipelines-secure-nyc. ` 143 “State of the Region: New York City 2018 Progress Report.” see: http://regionalcouncils.ny.gov/sites/default/files/2018- 10/NYCREDC_Progress_Report_2018_0.pdf. 144 “State of the Region: New York City 2018 Progress Report.” see: http://regionalcouncils.ny.gov/sites/default/files/2018- 10/NYCREDC_Progress_Report_2018_0.pdf. 145 Mohawk Valley Regional Economic Development Council Progress Report, see: https://regionalcouncils.ny.gov/sites/default/files/2018-10/MohawkValley2018ProgressReport.pdf.

Privileged and Confidential 33

Laboratory (“AFRL”), located at Griffiss Business and Technology Park in Rome;146 and the UAS test site at Griffiss International Airport. The airport drone test site is one of seven Federal Aviation Administration (“FAA”)-designated UAS test sites in the United States; it is operated by the NUAIR Alliance, a nonprofit coalition based in Syracuse.147 Described as the Air Force’s “premier research organization for Command, Control, Communications, Computers, and Intelligence (“C4I”) and Cyber technologies,” the AFRL Information Directorate creates new technologies used by the United States Air Force to maintain its superiority, per the AFRL website.148 The AFRL’s economic impact in the region was $412,268,595, per a 2018 economic impact analysis available on its website.149 The analysis reflects that 100 percent of the military personnel and nearly 97 percent of civilian personnel and site contractors, a total of 1,150 individuals, live in the region; the annual payroll of these employees is $146.5 million. An additional 1,300 indirect jobs are created as a result of the AFRL. Closely tied to innovation at AFRL is the UAS industry. Between 2015 and 2018, New York State invested more than $40 million to push drone technology forward.150 In March 2018, Governor Cuomo announced that New York State had pledged to provide additional funding to the Mohawk Valley Region and Central New York Region to benefit the UAS industry.151 The UAS cluster that has spawned encompasses both regions in the form of a 60-mile UAS traffic corridor between Syracuse and Griffiss International Airport.152 Per a source working on economic development in Central New York and the Mohawk Valley, the FAA test site at the airport has been critical in “help[ing] build the eco-system,” which has helped drive over $2 billion in research dollars, including for cyber-related research, in the region. The cluster is enhanced by the Griffiss Business and Technology Park (“GBTP”) and numerous cybersecurity and defense-oriented companies, including Peraton, BAE Systems, Siege Technologies, ANDRO Computational Solutions, Booz Allen Hamilton, and Assured Information Security, further described below.153 A source who works on economic development in the region indicated that GBTP is at “99.9 percent occupancy” and that there are already plans to build a new $10 million space for further expansion. The source indicated that the region’s prime attraction is that it is an “epicenter of high-skilled talent,” which renders existing and new businesses willing to make long-term investments in the area.

146 See: https://romenewyork.com/griffiss-business-technology-park/; “Congress extends national drone test site in Central New York for 6 years,” Syracuse.com, April 27, 2018. See: https://www.syracuse.com/politics/2018/04/congress_extends_national_drone_test_site_in_central_new_york_for_6_years.html/. 147 NUAIR website, see: https://nuair.org/. 148 AFRL Information Directorate website, see: https://www.wpafb.af.mil/afrl/ri/. 149 AFRL Information Directorate website, see: https://www.wpafb.af.mil/Portals/60/documents/afrl/ri/EIA%20TRIFOLD%20FY18_88ABW-2019-0358.pdf?ver=2019-03-07-092805- 117. 150 “Companies commit to creating drone-related jobs,” Times Telegram, December 12, 2018. 151 “Companies commit to creating drone-related jobs,” Times Telegram, December 12, 2018. 152 Mohawk Valley Regional Economic Development Council Progress Report, see: https://regionalcouncils.ny.gov/sites/default/files/2018-10/MohawkValley2018ProgressReport.pdf. 153 Mohawk Valley Regional Economic Development Council Progress Report, see: https://regionalcouncils.ny.gov/sites/default/files/2018-10/MohawkValley2018ProgressReport.pdf.

Privileged and Confidential 34

Since the GBTP opened, it has attracted approximately 20 cyber-related companies and more than 900 employees, according to the Mohawk Valley Region’s 2018 Progress Report.154 The GBTP houses the Griffiss Institute Business Incubator (“GIBI”), which serves as an intermediary that helps to “foster relationships” between the GBTP and AFRL.155 In 2018, GIBI received a $2 million Upstate Revitalization Initiative grant to create IDEA NY, a business accelerator program.156 IDEA NY will reportedly “target entrepreneurs in the areas of cybersecurity, UAS, and information technology, with an emphasis on data analytics.”157 According to the Mohawk Valley Region’s 2018 Progress Report, IDEA NY gives entrepreneurs the opportunity to leverage intellectual property based at the AFRL to “build and grow new high tech companies in the Mohawk Valley.”158 One notable private sector cybersecurity company operating in the Mohawk Valley Region is Assured Information Security.

• Assured Information Security (“AIS”), a software company that focuses on “critical Air Force and Department of Defense cyber technology requirements research,” is headquartered in Rome with two additional offices in New York State, one in Syracuse and one in Rochester.159

In March 2019, AIS announced that it had been awarded a $46.8 million contract by the DOD for research and development on cyberwarfare tools and technologies, per a company spokesperson.160 The work will be completed in Rome and the contract will last through March 2024. 161 AIS had previously been the beneficiary of several lucrative government contracts, including $48 million in January 2018 to develop cyber assessment tools for telecommunications technologies,162 and more than $100 million in federal contracts from the DOD for the 2017 fiscal year, per the Pentagon Revolving Door Database, a watchdog group.163 Though precise numbers regarding AIS’s headcount are not publicly disclosed, at year-end 2017, the company reported in its Form-5500 filed with the United States Department of Treasury that 256 employees were active participants in the company’s health benefit plan and 273 employees participated in the company’s 401(k) plan.164

154 Mohawk Valley Regional Economic Development Council Progress Report, see: https://regionalcouncils.ny.gov/sites/default/files/2018-10/MohawkValley2018ProgressReport.pdf. 155 Mohawk Valley Regional Economic Development Council Progress Report, see: https://regionalcouncils.ny.gov/sites/default/files/2018-10/MohawkValley2018ProgressReport.pdf. 156 Mohawk Valley Regional Economic Development Council Progress Report, see: https://regionalcouncils.ny.gov/sites/default/files/2018-10/MohawkValley2018ProgressReport.pdf. 157 Mohawk Valley Regional Economic Development Council Progress Report, See: https://regionalcouncils.ny.gov/sites/default/files/2018-10/MohawkValley2018ProgressReport.pdf. 158 Mohawk Valley Regional Economic Development Council Progress Report, See: https://regionalcouncils.ny.gov/sites/default/files/2018-10/MohawkValley2018ProgressReport.pdf. 159 Assured Information Security website, see: https://www.ainfosec.com/about-ais/. 160 “AIS lands $48.4 million contract with Air Force,” AIS Press Release, March 11, 2019. 161 “AIS lands $48.4 million contract with Air Force,” AIS Press Release, March 11, 2019. 162 “AIS awarded Air Force deal worth $48.4M; Rome company will develop cyberwarfare technologies,” Observer-Dispatch, March 8, 2019. 163 POGO website, see: https://www.pogo.org/database/pentagon-revolving-door/companies/assured-information-security/. 164 Form 5500. Assured Information Security Inc. Health and Welfare Benefit Plan, filed October 1, 2018; Form 5500 Assured Information Security Inc. Employees 401(K) Plan, filed October 15, 2018.

Privileged and Confidential 35

Several of the region’s educational institutions have dedicated academic programs that focus on cyber and homeland security, including Mohawk Valley Community College, which has a drone training program;165 and Utica College, which offers a bachelor of science degree in cybersecurity that is a CAE-CD certified program by NSA and DHS.166

Central New York Region The Central New York Region is situated in the middle of New York State between the Mohawk Valley Region and Finger Lakes Region. It is comprised of Cayuga, Cortland, Madison, Onondaga, and Oswego Counties. The life sciences industry represents the largest industry-wide employer, providing one in seven jobs in the region, employing nearly 44,000 people.167

7.1.3.1. Cluster Overview Syracuse is Central New York’s largest urban center, with a population of 145,170, per the 2010 United States Census, and an MSA of more than 650,000.168 Of the 200 largest metropolitan areas in the United States evaluated by Forbes in 2018, Syracuse ranked in the bottom half, at number 113, in terms of “best places for businesses and careers.” 169 While the cost of business in the city was low, with a ranking of 29, and its education rank was a moderate 96, its job growth rank was 177.170 Syracuse is also described as one of the fastest-shrinking cities in the country; its MSA dropped from around 662,000 in 2010 to 654,000 in 2017, per the United States Census Bureau.171 The city has vibrant healthcare and academic industries; the largest employer in the region is SUNY Upstate Medical University with close to 9,000 employees, per the Business Journal News Network’s 2018 Book of Lists.172 St. Joseph’s Health and Crouse Health also each employ several thousand people in Syracuse. The Central New York Region has a strong core of homeland security-oriented companies, including: • Lockheed Martin, which has a plant at Electronics Business Park in the Syracuse suburb of Salina that has received approximately $1 billion in Department of Defense contracts for work on electronic

165 Mohawk Valley Community College website, see: https://www.mvcc.edu/cced-community/drone-training. 166 “Utica gains National Centers of Academic Excellence designations from major government agencies,” see: https://programs.online.utica.edu/programs/online-cybersecurity-center-of-excellence. 167 Central New York Regional Economic Development Council 2018 Progress Report, see: https://regionalcouncils.ny.gov/sites/default/files/2018-10/CentralNewYork2018ProgressReport.pdf. 168 See: http://www.centerstateceo.com/sites/default/files/October%202018%20Fact%20Sheet.pdf 169 “The Best Places for Businesses and Careers,” Forbes.com, see: https://www.forbes.com/sites/kurtbadenhausen/2018/10/24/the- best-places-for-business-and-careers-2018-seattle-leads-the-way/. 170 “The Best Places for Businesses and Careers,” Forbes.com, see: https://www.forbes.com/sites/kurtbadenhausen/2018/10/24/the- best-places-for-business-and-careers-2018-seattle-leads-the-way/. 171 “Which Upstate NY cities are shrinking (and growing) the fastest? 25 cities, ranked,” NYup.com, April 5, 2018, see: https://expo.newyorkupstate.com/erry-2018/04/009a59bc1d7473/which_upstate_ny_cities_are_sh.html. 172 Crouse Health website, see: https://www.crouse.org/careers/current/.

Privileged and Confidential 36

defense systems and, as of December 2018, employed more than 1,500 people, per media reports.173

• Saab Sensis Corporation (“Saab Sensis”), an East Syracuse company that delivers air traffic control solutions,174 and whose parent company, Saab Defense and Security USA, focuses on UAS work. Saab Defense and Security USA announced in January 2017 that it is moving its headquarters from Virginia to East Syracuse after receiving $30 million from New York State in combined tax credits and grants.175

In announcing the move, the company’s president and chief executive officer Erik Smith said, “We have proven an ability to attract talent from across the nation to Syracuse…Overall the relationship with the state and local governments and with our peer organizations locally here … just means that Syracuse is the right place for Saab right now and certainly the right place to locate our defense company.”176 Furthermore, in collaboration with the Mohawk Valley Region, the Central New York Regional Economic Development Council issued a “Central New York Rising Plan” that sought to focus on key investment areas and initiatives as part of the Upstate Revitalization Initiative (“URI”). 177 One of the plan’s signature investments is enhancing the Central New York Region as a “Global Center for Unmanned Systems and Cross-Connected Platforms.178 To that end, in the fall of 2016, Governor Cuomo announced the development of a UAS traffic corridor extending between Syracuse and Griffiss International Airport in Rome. The corridor and other aspects of collaboration between the Central New York and Mohawk Valley regions toward the development of a UAS industry were previously discussed in the “Mohawk Valley Region” section of this report. Of note is that Saab Sensis’s remote tower technology is being tested in the UAS corridor,179 an indication of the success of an industry cluster in which public-private partnerships and corporate participation can lead to technological advances. However, despite the Central New York Region’s stated commitment to the UAS industry, individuals employed in the sector declined from 44,639 in 2011 to 42,005 in 2017, a 5.9 percent reduction, per the Central New York Region’s 2018 Progress Report.180 On the education side, Syracuse University’s College of Engineering and Computer Science offers a bachelor or master of science in cybersecurity, as well as a certificate of advanced study in cybersecurity,181

173 “Lockheed Martin Syracuse lands $184M contract for Navy ship defenses,” Syracuse.com, December 26, 2018; “Lockheed Martin Syracuse lands $184M contract for Navy ship defenses,” Syracuse.com, December 2018. 174 Saab Sensis Corporation website, see: https://saab.com/saab-sensis/. 175 “Saab to bring 260 jobs to East Syracuse,” Syracuse.com, January 11, 2017. 176 “The Obama team that will remain in Trump’s Pentagon; Saab moves defense biz to Syracuse; Defense sector growth expected; and more,” DefenseOne.com, January 19, 2017. 177 Central New York Rising, see: https://esd.ny.gov/central-ny-rising-uri. 178 Central New York Regional Economic Development Council 2018 Progress Report, see: https://regionalcouncils.ny.gov/sites/default/files/2018-10/CentralNewYork2018ProgressReport.pdf. 179 “Congress extends national drone test site in Central New York for 6 years,” Syracuse.com, April 27, 2018. 180 Central New York Regional Economic Development Council 2018 Progress Report, see: https://regionalcouncils.ny.gov/sites/default/files/2018-10/CentralNewYork2018ProgressReport.pdf. 181 Syracuse University website, see: http://eng-cs.syr.edu/program/cybersecurity/.

Privileged and Confidential 37

as does Le Moyne College, whose bachelor of arts program in cybersecurity began in 2017. 182 Syracuse University has a long tradition of academic expertise in this field. In the early 2000s, the university housed a Systems Assurance Institute that enabled students to study computer systems assurance. 183 The university had first been designated a CAE in Information Assurance by NSA and DHS in 2001.184 In recent years, the program at Syracuse University has been the recipient of several accolades. The Military Times ranked it the top school for cybersecurity in the country for veterans and military-connected students in 2017 and again in 2018. In April 2018, a team of Syracuse University students received first place honors at a National Cyber Analyst Challenge at Temple University.185

7.2. Tier Two The tier two New York State regions, comprised of the Finger Lakes, Long Island, Capital, and Western New York Regions, are home to what may be considered nascent clusters, or have elements that could lead to the development of a cybersecurity or homeland security industry cluster.

Capital Region The Capital Region is comprised of eight counties: Albany, Columbia, Greene, Rensselaer, Saratoga, Schenectady, Warren, and Washington. The region’s total population is 1.17 million and its economic center, Albany, had a population of under 100,000 people as of 2017. The Albany-Schenectady-Troy MSA has an overall population of approximately 870,000 people, per the United States Census Bureau.

7.2.1.1. Cluster Overview Six of the region’s ten largest private sector employers are healthcare centers or supermarkets, per statistics provided by the New York Department of Labor.186 The Capital Region’s 2018 Progress Report identifies four industry clusters on which the region is focusing: life sciences, advanced manufacturing,

182 Le Moyne College website, see: https://www.lemoyne.edu/Academics/Colleges-Schools-Centers/College-of-Arts- Sciences/Majors-Minors/Cybersecurity; See: https://lemoyne.interviewexchange.com/jobofferdetails.jsp;jsessionid=8C3D6371144A549215F5A58E225065FE?JOBID=88867&lo wVisibility=true. 183 “$2.5 million federal grant won by Syracuse University’s Systems Assurance Institute will provide scholarships for 30 graduate students to study computer systems assurance,” Syracuse University News, February 17, 2003, see: https://news.syr.edu/blog/2003/02/17/2-5-million-federal-grant-won-by-syracuse-universitys-systems-assurance-institute-will- provide-scholarships-for-30-graduate-students-to-study-computer-systems-assurance/. 184 “SU Redesignated as Center of Academic Excellence in Information Assurance,” Syracuse University Press Release, August 17, 2007. 185 “Syracuse University Cybersecurity Program Named No. 1 By Military Times,” Syracuse University News, February 8, 2018, see: https://news.syr.edu/blog/2018/02/08/syracuse-university-cybersecurity-program-named-no-1-by-military-times/. 186 See: https://www.labor.ny.gov/stats/nys/largest-private-sector-employers-nys.shtm.

Privileged and Confidential 38

food and agriculture, and government.187 The only mention of cybersecurity is in the context of plans to build a “Cyber Hub” as part of a $10 million Downtown Revitalization Initiative (“DRI”) project won by the city of Albany to revitalize the Clinton Square section of its downtown.188 Albany’s 2018 DRI application notes that the hub will be focused on cybersecurity with “co-working spaces, workforce training, meetup and event areas.”189 A positive trend for the region in terms of cyber or homeland security industry growth is provided on the academic front.

• State University of New York at Albany (“SUNY Albany”), which established the College of Emergency Preparedness, Homeland Security, and Cyber Security, began offering a bachelor’s degree program in 2017190 and now offers two master of science degrees, as well as a doctorate in information science.191 More than 360 students signed up to the program in its first year, per a local media report.192 A source associated with the program indicated that the program now has over 1,000 undergraduate majors and between 200-300 graduate students. Designed as a means to provide a new generation of professionals in homeland security and cybersecurity for both government and industry in New York State, more than half of the college’s students identify as female, black, Latino or as member of another minority group.

K2 spoke to a recent graduate of the cybersecurity undergraduate program at SUNY Albany who indicated that as a student, there seemed to be few opportunities for internships in private industry. The source noted that students seeking out internships ended up with information technology- related positions in state government and that it was difficult to be attractive to private companies because the program was so new. The source also told K2 that the program’s career fair largely featured representatives from New York State or accounting firms that were marketing risk assurance positions, but did not attract any pure play cybersecurity companies that would be of more interest to many of the students. When asked if the source’s fellow graduates stayed in Albany after graduation, the source said, “No, no one,” except for a couple of students who went to work for SUNY Albany or who were from Upstate New York.

• Rensselaer Polytechnic Institute (“RPI”) is a preeminent computer science school located in Troy. RPI does not have a dedicated cybersecurity program but graduates of its computer science program complete coursework relevant to the cybersecurity field and RPI’s Institute for Data Exploration and Applications is led by James Hendler, a cybersecurity expert.193 Moreover, RPI’s Computer Security Club, RPISEC, has performed highly at various cybersecurity competitions

187 “Capital Region Creates,” Capital Region Economic Development Council 2018 Progress Report, see: http://regionalcouncils.ny.gov/sites/default/files/2018-10/CapitalRegion2018ProgressReport.pdf. 188 “Capital Region Creates,” Capital Region Economic Development Council 2018 Progress Report, see: http://regionalcouncils.ny.gov/sites/default/files/2018-10/CapitalRegion2018ProgressReport.pdf. Also see, “Here are the projects in the mix for that $10 million that Albany has from the state for the Clinton Square area of downtown,” AllOverAlbany.com, December 19, 2018. 189 City of Albany Downtown Revitalization Initiative Application 2018, see: http://capitalizealbany.com/wp- content/uploads/2018/06/DRI-2018-City-of-Albany-Clinton-Square-Application-Final.pdf. 190 “Governor Cuomo Announces Nation's First College of Emergency Preparedness, Homeland Security and Cybersecurity Approved for Bachelor's Degree Program,” New York State Press Release, July 8, 2016. 191 SUNY Albany website, see: https://www.albany.edu/cehc/programs. 192 “Why there is an 'enormous appetite' for this major at UAlbany,” Albany Business Review, July 27, 2017. 193 “#RPI Cybersecurity Expert James Hendler Available to Discuss Cybersecurity and Elections,” RPI Press Release, August 9, 2018.

Privileged and Confidential 39

across the United States, including receipt of first place honors at the New York University Tandon School of Engineering Cyber Security Awareness Week games in 2017 and 2018.194

• Excelsior College is based in Albany but is an online-only program geared towards veterans or National Guard service members using federal education benefits. The college has offered a bachelor’s degree program in cybersecurity since 2009 and a master’s program since approximately 2011, per a source associated with the college; it also runs a dedicated academic and research center called the National Cybersecurity Institute.195 The program has about 300 undergraduate students and less than 50 graduate students. A source who works in education indicated that the college does not coordinate significantly with the state government on the academic or programmatic side and does not have current ties with local Chambers of Commerce.

One notable cybersecurity company in the Capital Region is GreyCastle Security which is headquartered in Troy – in Rensselaer County – and employed 35 people there, and 75 people overall, as of 2018.196 A September 2018 media interview with Reg Harnish, the company’s then-chief executive officer, reports that there are plans to grow the company to 250 employees. 197 The firm, which was ranked 115th on Cybersecurity Ventures’ Top 500 List in 2018, is a subsidiary of Assured Information Security, previously profiled in the Mohawk Valley Region section of this report. While the Capital Region does not yet have all the elements that may be required to foster a mature cybersecurity or homeland security industry cluster, the region’s advanced manufacturing capabilities in areas such as semiconductors and nanotechnology contribute to the region’s overall technological advantage and provide adjacencies that can help spur economic growth in the cybersecurity or homeland security space.

Finger Lakes Region The Finger Lakes Region is comprised of nine counties: Genesee, Livingston, Monroe, Ontario, Orleans, Seneca, Wayne, Wyoming and Yates. The region’s total population is 1.21 million and its economic center, Rochester, had a population of 210,000 people as of the 2010 census198 and an MSA of 1.08 million.199 Rochester is the third largest city in the state, after New York City and Buffalo.

194 “Found: Our Best Future Cyber Protectors in World's Biggest Student-Led Cybersecurity Games,” NYU Press Release, November 14, 2017; “World’s Biggest Student-Led Cybersecurity Games Announce Winners of CSAW 2018,” NYU Press Release, November 14, 2018. 195 National Cybersecurity Institute website, see: https://www.nationalcybersecurityinstitute.org/about/. 196 “GreyCastle Security founder Reg Harnish leaves CEO job for new role,” Albany Business Review, March 19, 2019. 197 “GreyCastle Security grew 453 percent in 3 years. Here's how the CEO is managing that growth,” Albany Business Review, September 5, 2018. 198 United States Census Bureau, 2010 Census. 199 “Comprehensive Housing Market Analysis, Rochester, New York,” U.S. Department of Housing and Urban Development. See: https://www.huduser.gov/portal/publications/pdf/RochesterNY-comp-17.pdf.

Privileged and Confidential 40

7.2.2.1. Cluster Overview A major 20th century manufacturing hub, Rochester – located in Monroe County – is the headquarters of Eastman Kodak, which today has about 1,600 employees in Rochester, and is also the home of a large Xerox Corporation office with approximately 4,000 employees.200 As of 2017, the University of Rochester was the region’s largest employer, with around 29,000 employees.201 The Finger Lakes Region’s 2018 Progress Report identifies three sectors on which the region is focusing: agriculture and food production; next generation manufacturing and technology; and optics, photonics and imaging.202 The cybersecurity or homeland security industries are not mentioned in the report. However, photonics, the technology of light, is highly relevant to the security industry, including technologies to improve optical sensing technology and laser-guided weapons.203 The number one export from the Finger Lakes Region is computer and electronic products, which accounted for $1.07 billion in real exports in 2017.204 Performance indicators included in the Finger Lakes Region’s 2018 Progress Report reflect that it has positive trends in several key areas related to higher education, including a number one ranking in STEM degrees per capita versus United States metropolitan areas with a population of more than 1 million people; a larger number of patent awards as compared to several other New York regions; and more federal dollars for research and development in the region vis a vis New York regions.205 Perhaps the most robust element of a nascent cybersecurity industry cluster in the Finger Lakes Region is on the academic front. The Rochester Institute of Technology (“RIT”) - the first university in the country to have a dedicated computing security department (it began in 2005)206 - has both bachelors and masters of science degree programs in computing security and the institute has been designated a CAE by the NSA and DHS. RIT’s College of Computing and Information Sciences is one of the largest programs in the country, with more than 4,200 students. In 2016, security platform CloudPassage conducted a study of computer science and engineering programs at top universities in the United States and found that, of the 121 universities studied, RIT offered the highest number of elective courses in cybersecurity (10) as compared to any other program.207 RIT is also in the midst of building a Global Cybersecurity Institute which is expected to open in July 2020 and will house a “cyber learning experience center, simulated security operations center, five research labs, and several student lounges, instructional labs and faculty offices.”208

200 “Kodak’s decades of decline,” Rochester Business Journal, September 13, 2017. 201 “Here are the largest 20 employers in the Rochester area,” Democrat & Chronicle, November 9, 2017. 202 “Seven Years of Transforming our Region: A Strategy For Prosperity,” Finger Lakes Region Economic Development Council 2018 Progress Report, see: https://regionalcouncils.ny.gov/sites/default/files/2018-10/2018FLREDCAnnualReport.pdf. 203 National Photonics Initiative website, see: https://www.lightourfuture.org/home/importance-of-light/technologies/. 204 “Seven Years of Transforming our Region: A Strategy For Prosperity,” Finger Lakes Region Economic Development Council 2018 Progress Report, see: https://regionalcouncils.ny.gov/sites/default/files/2018-10/2018FLREDCAnnualReport.pdf. 205 “Seven Years of Transforming our Region: A Strategy For Prosperity,” Finger Lakes Region Economic Development Council 2018 Progress Report, see: https://regionalcouncils.ny.gov/sites/default/files/2018-10/2018FLREDCAnnualReport.pdf. 206 “RIT collaborates with IBM to enhance Cybersecurity Lab,” Foreign Affairs, July 29, 2015. 207 “CloudPassage Study Finds U.S. Universities Failing in Cybersecurity Education,” CloudPassage Press Release, April 7, 2016. 208 “RIT readies for new Global Cybersecurity Institute,” RIT Press Release, January 18, 2019.

Privileged and Confidential 41

In addition to RIT, several area community colleges offer associate degrees in cybersecurity, including Finger Lakes Community College and Monroe Community College. The talent pool in Rochester has not gone unnoticed by private industry. In 2016, GreyCastle Security, a Troy, New York-based cybersecurity firm (also referenced in the Capital Region section of this report), opened a second office in Rochester to “tap into that city’s wealth of talent,” per a local media report.209 As of June 2018, GreyCastle employed ten people at its Rochester office.210 Several notable cybersecurity companies based in the Finger Lakes Region include:

• CloudCheckr, Inc. (“CloudCheckr”), a cloud data security company located in Rochester. CloudCheckr, the self-described “largest independent cloud management platform provider,” has customers that include NASA, Intel, Nastec and Comcast, in addition to the public sector.211 The company also promotes its Silicon Valley culture, including pet dogs, an open office plan, and a company keg.212 In 2017, CloudCheckr, which has since been named to the Rochester Chamber of Commerce’s Top 100, raised $50 million in capital and hired 100 people. The company disclosed in its 2017 Form-5500 filed with the United States Department of Treasury that 133 employees were active participants in the company’s retirement plan.213 Local media also reports that the company moved to office space at the Village Gate in June 2017 that is roughly four times larger than the space it previously inhabited.214

• Datto, Inc. (“Datto”), a data backup company that is headquartered in Norwalk, Connecticut, has a large presence in Rochester, as well as a sizeable office in East Greenbush in the Capital Region. Datto employs 450 people across New York – including more than 275 employees in Rochester and more than 165 in East Greenbush.215 Its chief executive officer, Tim Weller, has specifically pointed to the talent available in Upstate New York as a reason for the company’s locations, noting that the lower cost of living in the region is attractive to the firm’s employees.216

New York State has invested in attracting technology-oriented startups to the Finger Lakes Region, including via Luminate NY, a photonics, optics, and imaging startup incubator, and the Finger Lakes Forward Venture Capital Fund, which received $25 million from New York State and is being managed by Excell Technology Ventures, an affiliate of the University of Rochester.”217

209 “Cybersecurity firm expands to Rochester to take advantage of city's tech talent,” Albany Business Review, March 3, 2016. 210 “Downtown Troy cybersecurity company acquires Rochester business,” Albany Business Review, June 7, 2018. 211 “How companies new to the Rochester Chamber Top 100 made the list,” Democrat & Chronicle, November 4, 2018. 212 “How companies new to the Rochester Chamber Top 100 made the list,” Democrat & Chronicle, November 4, 2018. 213 Form 5500. CloudCheckr Inc. Retirement Plan, filed June 19, 2018 214 “CloudCheckr grows at Village Gate and in the 'cloud',” Democrat & Chronicle, June 5, 2017. 215 “Datto Celebrates New York Growth and New Office in East Greenbush,” Datto Press Release, April 5, 2019. 216 “Tech firm Datto moves to new East Greenbush office,” KabulPress.Org, April 5, 2019. 217 “$25M fund to assist high-tech startups here,” Democrat & Chronicle, September 27, 2018.

Privileged and Confidential 42

Long Island Region The Long Island Region, comprised of Nassau and Suffolk Counties, has a population of approximately 2.86 million people. 218 The region’s most significant industry cluster is life sciences and biotechnology, which, as of 2017, constituted 27.7 percent of New York State’s employment in that sector. Brookhaven National Laboratory in Upton, Cold Spring Harbor Laboratory in Huntington, Northwell Health in Great Neck and its research arm, the Feinstein Institute for Medical Research in Manhasset, as well as highly regarded institutions like Stony Brook University and Hofstra University, serve as the anchors of the industry cluster.

7.2.3.1. Cluster Overview Although only a small number of cybersecurity companies call the Long Island Region home, two of these companies were included in Cybersecurity Ventures’ Top 500 list in 2018:

• Verint Systems, Inc. (“Verint”) is headquartered in Melville (Suffolk County) and focuses on “actionable intelligence solutions.”219 Verint, a publicly traded company whose 2018 revenue was $1.135 billion, employs approximately 6,100 people across 35 domestic and international offices, according to the firm’s latest Securities and Exchange Commission filings.220 To date, K2 has not identified the number of individuals employed by the company on Long Island.

• Secure Decisions, a division of Applied Visions, Inc., is headquartered in Northport (Suffolk County). Founded in 1999, the company focuses on research and development for areas of “national security including information assurance, computer network defense, cybersecurity education, and application security,” per its website.221 Since 2011, the company has had a DHS contract to conduct research on software penetration testing under the DHS’s Science and Technology Directorate, per a company press release.222 In 2015, the company spun out Code Dx, a suite of tools that helps “software developers and security analysts find, prioritize, and visualize software vulnerabilities.”223 Applied Visions employs 70 people,224 but Secure Decisions appears to have a much smaller headcount; only eight individuals report current employment at the company on their LinkedIn profiles.

218 “Nassau population on rise, while Suffolk sees drop, census shows,” Newsday, March 22, 2018. 219 Form 10K, Verint Systems Inc. Filed with the Securities and Exchange Commission on March 28, 2019. 220 Form 10K, Verint Systems Inc. Filed with the Securities and Exchange Commission on March 28, 2019; Verint website, see: https://www.verint.com/our-company/global-locations/. 221 Secure Decisions website, see: https://securedecisions.com/. 222 “Secure Decisions Demonstrates Newest Software Penetration Testing Technology at Department of Homeland Security Cybersecurity Showcase,” Secure Decisions Press Release, March 19, 2019. 223 “Long Island Cybersecurity Firm Pops Up On Northrop Grumman's Radar Screen,” Forbes, November 9, 2016. 224 See: https://www.sbir.gov/sbc/applied-visions-inc.

Privileged and Confidential 43

Cybersecurity Ventures, a market research firm that focuses on the cybersecurity industry, is also based in Northport.225 The Long Island Region has, however, experienced losses in the cybersecurity and homeland security industries. After its acquisition by Northrop in 1994, Grumman Aerospace Corporation, which had employed more than 20,000 people in the Long Island Region, closed almost all of its Long Island offices and labs. The company now has about 400 workers on Long Island.226 Similarly, CA Technologies, a multibillion dollar publicly traded software company that marketed several cybersecurity products, was headquartered in Islandia (Suffolk County) until 2014 when the company moved to Manhattan.227 In November 2018, the company was acquired by Broadcom, Inc. (“Broadcom”) and shortly thereafter, Broadcom laid off close to one-third of the company’s remaining employees at the Islandia facility, which had numbered around 1,000.228 Perhaps the most tangible indicator of the challenge the region has faced in attracting companies in these industries is the defunct Applied Science Center of Innovation and Excellence in Homeland Security Research (“the Center”), a public-private partnership between New York State and Northrup Grumman, the anchor tenant of the Center, in Bethpage (Nassau County).229 The facility, which opened in March 2010, was established as an incubator that would attract companies specializing in homeland security products.230 Secure Decisions, mentioned above, moved to the site in May 2011. 231 By 2014, however, Northrup Grumman had vacated the facility (about 20 percent of the property) and moved staff out of state.232 The Center ultimately defaulted on its mortgage and Nassau County purchased the building for $6.4 million in February 2017.233 Despite these industry exits, elected officials and industry leaders met in November 2017 to discuss how the “250 aerospace and defense contractors on Long Island” could better serve the needs of prime defense contractors like Boeing, Raytheon, and Lockheed Martin, per media reports. 234 And, the Long Island Region’s 2018 Progress Report identifies cybersecurity as a “new emerging field in the region.”235 The report goes on to outline efforts to improve the region’s academic offerings for cybersecurity, including a third cyber lab facility at Hofstra University called the Hofstra Cybersecurity Innovation and Research Center, a partnership between the university’s school of business and school of engineering, as well as a cybersecurity lab at Suffolk County Community College, both of which would be established through a combination of public-private funding. The Long Island Region Economic Development Council requested $250,000 in funding for the Hofstra project from the REDC and received $200,000, per the REDC 2018

225 “LI cybersecurity firm sees explosive growth as industry expands,” Newsday, December 16, 2018. 226 “Iconic companies of LI's past live on in their descendants,” Newsday, June 4, 2017. 227 “CA Technologies quietly moves headquarters to Manhattan,” Newsday, June 4, 2014. 228 “Broadcom to lay off 262 former CA Technologies workers in Islandia,” Newsday, November 16, 2018. 229 “Homeland Security Center Comes to Bethpage,” Bethpage Tribune, March 17-23, 2006. 230 “NY homeland security center opens,” Associated Press, March 5, 2010. 231 “Secure Decisions Takes Residence at the Morrelly Homeland Security Center,” Secure Decisions Press Release, May 17, 2011. 232 “County to offer free Wi-Fi if there’s a LIRR strike,” Franklin Square-Elmont Herald, July 11, 2014. 233 “Nassau pols vote to spend $6.4M on Morrelly Homeland Security building in Bethpage,” Newsday, February 8, 2017. 234 “Aerospace and defense contractors to gather at Tilles Center,” Newsday, November 27, 2017. 235 “Completing the Puzzle,” See: http://regionalcouncils.ny.gov/sites/default/files/2018-10/LongIsland2018ProgressReport.pdf.

Privileged and Confidential 44

Awards Booklet.236 The region also requested $400,000 for the lab at Suffolk County Community College and was awarded $200,000.237 In addition, Stony Brook University opened a National Security Institute (“NSI”) in 2014; as of 2017, NSI was conducting more than $10 million in cybersecurity research through federal grants and private industry.238 The New York Institute of Technology (“NYIT”) opened a cybersecurity lab in 2017, which was partially funded by Empire State Development.239 NYIT has the support of private industry to include the participation of company executives on the college’s Executive Advisory Board.240 The focus on improving cybersecurity programs in academia is intended to remedy the talent gap in the region, a deficiency noted by the Long Island Region Economic Development Council. The executive summary of the Long Island Region’s 2018 Progress Report notes that the region’s greatest challenge is a “shortage of talented tech and other workers” and a skills gap between the people Long Island has and the jobs that are available, which is partially a product of a housing gap in the region.241 Cybersecurity and homeland security companies currently operating in the region have easy access to customers, either locally in the region, via the Long Island Rail Road into New York City, or, for more distant customers, via New York City’s many airports.

Western New York Region The Western New York Region is comprised of five counties: Allegany, Cattaraugus, Chautauqua, Erie, and Niagara. The region’s economic center is Buffalo, whose population, as of the 2010 census, was 258,000, including an overall 1.13 million people in the MSA.242 Buffalo is the second most populous city in New York State after New York City.

236 2018 Regional Economic Development Council Awards, see: https://regionalcouncils.ny.gov/sites/default/files/2018- 12/2018REDCAwardBooklet.pdf. 237 2018 Regional Economic Development Council Awards, see: https://regionalcouncils.ny.gov/sites/default/files/2018- 12/2018REDCAwardBooklet.pdf. 238 “National Security Institute Opens with Cybersecurity Experts Panel,” Stony Brook University News, September 24, 2014; “Securing Cyber Everything: CEAS and Brookhaven National Lab Researchers Strategize about Computer and Online Security,” Stony Brook University News, February 2017, see: https://www.stonybrook.edu/commcms/ceas/news/2017/february/Securing%20Cyber%20Everything.php. 239 NYIT website, see: https://www.nyit.edu/engineering/cybersecurity_at_nyit. 240 NYIT website, see: https://www.nyit.edu/engineering/cybersecurity_at_nyit. 241 “Completing the Puzzle,” See: http://regionalcouncils.ny.gov/sites/default/files/2018-10/LongIsland2018ProgressReport.pdf. 242 U.S. Census Bureau, 2010 Census.

Privileged and Confidential 45

The region’s 2018 Progress Report identifies three sectors on which the region is focusing: advanced manufacturing, health and life sciences, and tourism.243 The cybersecurity or homeland security industries are not mentioned.

7.2.4.1. Cluster Overview In and around Buffalo – the seat of Erie County – there are elements that could lead to a cybersecurity or homeland security industry cluster, particularly in the academic arena.

• The School of Engineering and Applied Sciences at the University of Buffalo (“UB”) began a cybersecurity program in 2008 that has been recognized for its excellence and has more than a dozen research areas related to cybersecurity and technology.244 In September 2018, UB’s Center for Excellence in Information Systems, Assurance, Research and Education was awarded $2.39M to “train future cybersecurity experts” from the National Science Foundation.245 However, programs like these are unlikely to yield direct injections of talent in the region because students are required to work for the federal government or other government agencies for two years after graduation.

• St. Bonaventure University (“SBU”) – a 90-minute drive from Buffalo in Cattaraugus County – offers a bachelor of science degree in cybersecurity, as well as an online master of science program.246 In April 2018, SBU opened a research center called the Western New York Cybersecurity Research Center, with support from partnerships in Japan and New Zealand.247 Its director is an Iranian émigré hired with the explicit directive to build the school’s ability to partner with and provide services to businesses in the region, as well as government agencies. The research center uses machine learning, data mining and opinion mining to perform research, develop new technologies and produce intellectual property.248 In partnership with Silo City IT, a Buffalo-based managed security service provider specializing in artificial intelligence-based solutions, the research center is also establishing a Security Operations Center (“SOC”) to train students in real time cybersecurity work for various businesses.249

A source familiar with the SBU’s cybersecurity program indicated that while the quality of the students being trained at the university is high, the source cautioned that the region is so remote that there will not be a need for this level of talent in the vicinity.

The region’s most notable provider on the homeland security side is Moog, Inc. (“Moog”), which is located in East Aurora, a suburb of Buffalo. Moog designs and manufactures precision control components and

243 “Seven Years of Transforming our Region: A Strategy For Prosperity,” see: http://regionalcouncils.ny.gov/sites/default/files/2018- 11/WNYREDC%202018%20Progress%20Report%20FINAL3.pdf. 244 University of Buffalo website, see: http://engineering.buffalo.edu/computer-science-engineering/research/research- areas/computer-security-and-information-assurance.html. 245 “UB prepping new wave of cybersecurity experts,” Buffalo Business First, September 4, 2018. 246 St. Bonaventure University website, see: https://www.sbu.edu/academics/computer-science/cybersecurity. 247 “St. Bonaventure dedicates new WNY Cybersecurity Research Center,” The Evening Tribune, April 25, 2018. 248 “St. Bonaventure dedicates new WNY Cybersecurity Research Center,” The Evening Tribune, April 25, 2018. 249 “St. Bonaventure dedicates new WNY Cybersecurity Research Center,” The Evening Tribune, April 25, 2018.

Privileged and Confidential 46

systems and sensor and surveillance systems for the defense industry, among other products. 250 The company globally employs more than 10,000 people.251 The Western New York Region is also home to the Niagara Falls Air Reserve Station, an air force reserve command station located in Niagara Falls that, as of February 2017, employed 3,000 people and is Niagara County’s largest employer.252 There is a dedicated effort to encourage businesses to locate or relocate to the Buffalo-Niagara area,253 including through 43North, a startup competition in Buffalo that is funded by the public Buffalo Billion Initiative, the New York Power Authority, and private corporate sponsors. Since 2014, 43North has invested $5 million a year into a total of 44 companies, which have gone on to raise more than $200 million and create “more than 350 local jobs,” per 43North’s website.254 None of the competition winners thus far are adjacent to the cybersecurity or homeland security industries.

250 Moog website, see: https://www.moog.com/about-us/space-defense-group.html. 251 Moog website, see: https://www.moog.com/about-us/components-group/aspen.html. 252 Niagara Falls Air Reserve Station, see: https://www.niagara.afrc.af.mil/; “First of new tanker planes arrives at Niagara Falls air base,” The Buffalo News, February 2, 2017. 253 Invest Buffalo Niagara, see: http://buffaloniagara.org. 254 43North website, see: https://www.43north.org/competition/.

Privileged and Confidential 47

8. New York Challenges

As part of K2’s outreach to industry insiders, we sought to gather intelligence on the challenges faced by the cybersecurity and homeland security industries in general, and the challenges to prospective development in New York State specifically. • Sources characterized the shortage of qualified cybersecurity professionals as the most pressing challenge to the cybersecurity industry’s growth, and noted that development of new cybersecurity or homeland security clusters – especially in Upstate New York – would require a dedicated, multidisciplinary effort, anchored by state leadership.

• When the discussion moved to Upstate New York, sources consistently delineated challenges that included the perceived poor quality of life, lack of public transportation to major development hubs, and lack of local industry awareness about cybersecurity, as well as a general pessimism about the economic prospects for Upstate New York.

8.1. National Shortage of Cybersecurity Talent Multiple sources working in senior roles within the cybersecurity industry were united in their assessment that one of the major challenges to the growth of the cybersecurity industry nationally is the shortage of qualified cyber professionals: one source working in economic development in New York State referred to the situation as a “war for talent,” while another cybersecurity executive pointed to media reports claiming that several hundred thousand cybersecurity jobs are unfilled in the United States every year. Multiple cybersecurity executives reported that as a result of the shortage, companies are interested in partnering with academic institutions to increase the supply of talent or, alternately, create their own cybersecurity training programs.

• One source stated that large companies such as Booz Allen Hamilton and Lockheed Martin have developed strong relationships with academic institutions that serve the dual purpose of (1) developing a pipeline of talent, and (2) influencing the type of courses offered at the institutions. The source cited one major company that reportedly funds a dormitory for students who study in a dedicated cybersecurity program and receive preferential internships at the company.

The same source noted that students are increasingly demanding college programs that can connect them with real-world work experience. The source told K2 that there is a lot of competition in the university community for cybersecurity program resources, and that the source expected small colleges to struggle to compete in this environment.

8.2. Pessimism about Upstate New York Sources cited several systemic challenges that New York State would need to overcome to establish cybersecurity or homeland security clusters in Upstate New York, not least of which is overcoming the pessimism about the economic prospects of the region. When asked about the potential of building a cybersecurity cluster in Upstate New York, one investor stated, “It is not going to happen,” while a cybersecurity educator based in the region commented that it was hard to imagine Upstate New York as such a hub. This source pointed to the vitality of New York City and its

Privileged and Confidential 48

nexus to business as still dominant and echoed comments by other sources that it is hard for companies to overcome the value of face-to-face meetings with customers. Multiple additional sources mentioned this challenge. One source, who works in economic development, noted that New York State has a public relations challenge in terms of the upstate-downstate dichotomy. A second source said that New York City has its own “gravitational pull” that is hard to compete with, while a third source told K2 that it is hard to incentivize talent to move away from New York City to Upstate New York.

Perception That Quality of Life Upstate Lags Behind New York City Multiple sources focused on regional economic development and cybersecurity education in the state noted that one of the challenges in fostering economic development in Upstate New York is the perceived poor quality of life in terms of housing, entertainment, and the overall style of living. • One source acknowledged that Upstate New York has a better cost of living than New York City or similar cities, but that the state needs to have the necessary infrastructure in place to attract and support talent. The source further stated that in addition to employment opportunities, young professionals are looking for good restaurants, coffee shops, and cultural institutions; as well as supporting municipal infrastructure such as rail lines and other services that can make a city attractive. The source cited the isolation that could be felt in many places and noted that potential residents wanted high-speed rail access so that travel to places like New York City for weekend trips was a possibility.

• Another source said that the difficulty in convincing people to move or stay in Upstate New York made it hard for companies to hire talent, and noted that not everyone likes the slow pace of life in the region.

• One source stated that the interest in denser “downtown” living options presents a problem for Upstate New York. The source stated that growth in at least one upstate city had been stymied by the lack of people living downtown, which meant the city effectively shut down at 5pm. The source told K2 that hundreds of downtown housing units were now coming online or planned in that city and others like it, the idea being that if people live downtown the amenities and “atmosphere” will follow.

• This sentiment was echoed by multiple sources who spoke to the factors that influence where cybersecurity and homeland security companies are located. A senior executive at a cybersecurity startup located outside New York City said that proximity to a city attracts junior employees, while a source in the venture capital community noted that the urban lifestyle is a big part of a pitch by companies, and is also used to offset the downsides of higher costs of living in urban areas.

Lack of Transportation to Major Urban Centers Consistent with the theme of a lack of infrastructure hampering development in Upstate New York, one of the most common challenges cited by sources was the paucity of public transportation options linking cities in Upstate New York to major population centers that could drive development. • One executive who has spent time in Upstate New York cited transportation as a significant issue, noting that the lack of a rail line in many locations was difficult. A source working to establish a cybersecurity program in the western region of New York State reiterated that sentiment, noting

Privileged and Confidential 49

that there is no passenger train station and airport within the vicinity of the source’s institution and as a result, transportation to regional population centers, let alone New York City, is difficult.

The sense of isolation connected to many upstate locations also reportedly impacts calculations regarding funding and the recruitment of talent. • One investor noted that as a “capitalist” based in New York City, his firm was not going to take the “long way” to find investment opportunities because it did not have to; it could take the short way because the industry existed right at home in New York City.

• A senior executive at a cybersecurity startup based outside of New York City said that the lack of efficient upstate-downstate transit is a challenge. The executive noted that it is hard to recruit talent to work in a city in the tri-state area that has easy access to New York City, let alone Upstate New York.

• A source who works in economic development in New York State noted that transportation is a particular problem with the most sought-after talent demographic: millennials. Per this source, many millennials do not have drivers’ licenses and a car is often the only transportation option in many upstate locations. Local transportation issues have been partially remedied by the advent of ride-sharing services in Upstate New York. In 2017, New York State passed legislation that legalized ride-booking services like Uber and Lyft. Within one year of the law’s passage, more than 150,000 people signed up to drive for Uber and Lyft in Upstate New York and Long Island, according to a report in the Times Union.255 A general manager for Lyft in Upstate New York remarked in the report, “[Ride-sharing] really does shape the way the community commutes or drives or lack thereof.”256 A source who works in economic development in New York State also mentioned Uber as a relatively new option for commuters in Upstate New York.

Customer Education Required in Upstate New York Sources who work in the cybersecurity industry in New York State also noted that there could be a local demand issue caused by a lack of knowledge in the business community concerning the cyber risks their companies face and their need for cybersecurity services.

• One source said that it could be a challenge in Upstate New York to place cybersecurity graduates with jobs locally, as businesses there reportedly do not understand how cyber vulnerabilities affect their companies. The source noted the level of understanding was very low in the region, and that their biggest challenge was to find a local industry that understood its cybersecurity risks.

New York State’s Corporate Tax Structures are a Disincentive Some sources pointed to New York State’s tax structure as a potential deterrent to doing business, although others indicated the perception that New York State is expensive may be overstated. • Several sources working in cybersecurity education pointed to New York State’s tax structure as being a challenge to business development in the state. One source noted that the tax breaks in Texas, for instance, look tempting from the business creation standpoint, and another noted that

255 “Lyft, Uber mark a year of upstate ride-sharing,” Times Union, July 1, 2018. 256 “Lyft, Uber mark a year of upstate ride-sharing,” Times Union, July 1, 2018.

Privileged and Confidential 50

although there are some tax incentives in upstate economic zones they are not in line with what would be attractive to bringing a company into the local economy.

• These comments could be balanced by perspectives from other sources that economic incentives were typically a “wash.” One source at a development organization in New York State noted, for example, that businesses want to locate in New York State when they have a reason to do so, whether it be supply chain issues or because they see it as a strategic location. They do not come to New York State because of low costs. Per the source, businesses are aware that operating in New York State can be expensive, both because of the high cost of labor and because of the tax structure.

Privileged and Confidential 51

9. New York State’s Strengths

Sources also identified several areas in which New York State held a competitive advantage compared to other states in attracting cybersecurity and homeland security development.

9.1. Market Share Argument First and foremost, the size and scale of the New York State economy was noted to be a major strength in attracting business in the cybersecurity and homeland security industries.

Location of Major Industries Drives Demand In the cybersecurity sphere, New York is a national leader in two of the most critical industries for cybersecurity services: the financial services industry, which is reported as the largest non-government cybersecurity market in the United States; and the healthcare industry, which has been forecast as the fastest growing segment of the cybersecurity market in the United States.

9.1.1.1. The Finance Industry – Cybersecurity’s Largest Market Sources who work in both venture capital and cybersecurity education noted that New York’s role as a major banking center was a key advantage for the state that should be leveraged for development efforts. Even beyond New York City, a source working in cybersecurity education noted that there was an opportunity with the banking and insurance industries in Buffalo, for example, as companies in those sectors have interest in giving internships – and ultimately jobs – to cybersecurity-oriented students. Public reporting supports the idea that financial services institutions are a major and growing purchaser of cybersecurity services. According to media coverage of a report published by international market and technology research firm Homeland Security Research Corp., in 2015 the United States financial services cybersecurity market reached $9.5 billion, “making it the largest non-government cybersecurity market.” 257 The report concluded that this market exceeds “$77 billion in cumulative 2015-2020 revenues.”258 Bank of America’s chief executive officer Brian Moynihan told media in 2015 that the bank would spend $400 million on cybersecurity that year. The same year, J.P. Morgan Chase & Co. (“J.P. Morgan”) announced that it would spend $500 million on cybersecurity in 2016.259 A 2016 Forbes article went on to say that J.P. Morgan, Bank of America, Citibank and Wells Fargo “are collectively spending over $1.5 billion to battle cybercrime.”260 J.P. Morgan’s 2018 annual report stated that the bank had spent nearly $600 million on cybersecurity and had over 3,000 employees working on the issue.261 Likewise, a December 2018 article in American Banker stated that some of the large banks had increased their spending to almost $1 billion per year.262

257 2015 Cybersecurity for Banks Report, see: https://cybersecurityventures.com/cybersecurity-for-banks-report-q3-2015/. 258 2015 Cybersecurity for Banks Report, see: https://cybersecurityventures.com/cybersecurity-for-banks-report-q3-2015/. 259 “Why J.P. Morgan Chase & Co. Is Spending A Half Billion Dollars On Cybersecurity,” Forbes, January 30, 2016. 260 “Why J.P. Morgan Chase & Co. Is Spending A Half Billion Dollars On Cybersecurity,” Forbes, January 30, 2016. 261 Form 10-K, JP Morgan Chase & Co., filed with the Securities and Exchange Commission on February 26, 2019. 262 “Financial Firms to further Increase Cybersecurity Spending,” American Banker, December 3, 2018.

Privileged and Confidential 52

9.1.1.2. The Healthcare Industry – Cybersecurity’s Fastest-Growing Market While the financial services cybersecurity market is the largest private sector market, the healthcare industry market may be poised for the most significant growth. As a share of the nation's Gross Domestic Product (“GDP”), healthcare has become the second largest sector of the United States economy, accounting for 18 percent of GDP in 2017. 263 The industry faces significant cybersecurity threats: • Personal health information is reportedly 50 times more valuable on the black market than financial information, another commonly targeted data type, according to Cybersecurity Ventures.264 • An infographic on cybersecurity in healthcare published by Symantec Corporation, a software company that provides security solutions, shows that healthcare industry companies on average devote less than 6 percent of their IT budget to cybersecurity.265 Likewise, according to a 2018 report published by market research firm Black Book Market Research LLC, data security programs in the healthcare industry are often “underfunded and understaffed.”266 According to a press release regarding a 2018 report published by market research company MarketsandMarkets, Inc., the healthcare industry is expected to achieve the highest compound annual growth rate of any cybersecurity industry vertical between 2018 and 2023.267 The healthcare sector is also vital to New York City’s economy, accounting for more than 500,000 jobs. 268 Of the largest employers listed in Crain’s New York 2018 list, 30 percent came from the city’s health systems (Northwell, NYC Health and Hospitals, Mount Sinai, Montefiore, NYU Langone and New York- Presbyterian), which together represent over 215,000 jobs.269

New York’s Unique Threat Landscape In the homeland security space, New York remains an epicenter of security threats as well as the vanguard for defending against them. The existing homeland security threat landscape was redefined by the terrorist attacks of September 11, 2001, and as stated by former New York Police Commissioner Ray Kelly in a 2013 speech to the Council on Foreign Relations, the threat to New York is omnipresent, with images of the World Trade Center and New York City regularly being displayed on jihadist websites and al Qaida publications. 270 The state’s cyber infrastructure is a natural target as well.

263 See: https://www.cms.gov/Research-Statistics-Data-and-Systems/Statistics-Trends-and- Reports/NationalHealthExpendData/NationalHealthAccountsHistorical.html. 264 2019 Cybersecurity Almanac, see: https://cybersecurityventures.com/cybersecurity-almanac-2019/. 265 Cybersecurity in Healthcare, Semantec Corporation, see: https://www.symantec.com/content/dam/symantec/docs/infographics/symantec-healthcare-it-security-risk-management-study- en.pdf. 266 “State of the Healthcare Cybersecurity Industry 2018 User Survey Results,” Black Book Market Research, May 2018, see: https://blackbookmarketresearch.com/uploads/pdf/2018%20Black%20Book%20State%20of%20the%20Cybersecurity%20Industry% 20&%20User%20Survey%20Results.pdf. 267 “Cybersecurity Market worth $248.26 billion by 2023,” Marketsandmarkets.com press release, September 21, 2018, see: https://www.marketsandmarkets.com/PressReleases/cyber-security.asp. 268 See: https://www.nycedc.com/industry/healthcare. 269 See: https://www.crainsnewyork.com/data-lists/8846/employers. 270 “Assessing the Terror Threat to New York City,” Council on Foreign Relations, September 9, 2013, see: https://www.cfr.org/event/assessing-terror-threat-new-york-city.

Privileged and Confidential 53

9.1.2.1. Federal Homeland Security Funding Data from DHS indicates that New York receives approximately one quarter of DHS grant money, more than any other state.271 FY2018 DHS allocations are broken down in the following table; in FY2018, New York received almost $340 million in DHS funds:272

DHS Grant Program (FY2018) All States (Total) New York California Texas

State Homeland Security $402,000,000.00 $76,930,000.00 $59,235,000.00 $20,591,000.00 Program

Urban Area Security Initiative $580,000,000 $178,750,000.00 $122,700,000.00 $39,050,000.00

Operation Stonegarden $85,000,000.00 $2,935,186.00 $11,400,000.00 $30,218,753.00

Emergency Management $350,100,000.00 $15,278,109.00 $27,827,857.00 $20,667,921.00 Performance Grant

Tribal Homeland Security Grant $10,000,000 --- $797,000.00 --- Program

Nonprofit Security Grant Program $50,000,000.00 $15,960,511.00 $5,311,581.00 $1,600,000.00 – Urban Areas

Nonprofit Security Grant Program $10,000,000.00 $516,804.23 $517,304.00 $672,188.28 - State

Transit Security Grant Program $88,000,000.00 $28,662,125.00 $13,096,615.00 $542,905.00

Port Security Grant Program $100,000,000.00 $20,371,093.00 $18,290,798.00 $10,424,976.00

Intercity Bus Security Grant $2,000,000.00 $216,743.00 $57,096.00 $222,568.00 Program

TOTAL $1,677,100,000.00 $339,620,571.23 $259,233,251.00 $123,990,311.28

% Federal Funding --- 20.25% 15.46% 7.39%

To date, DHS has allocated the following “preparedness” grants for FY2019; New York has received approximately $271 million in DHS funds this year:

DHS Grant Program (FY2019) All States (Total) New York California Texas

State Homeland Security Program $415,000,000.00 $76,930,000.00 $62,011,000.00 $20,591,000.00

Urban Area Security Initiative $590,000,000 $178,750,000.00 $123,900,000.00 $44,750,000.00

Emergency Management Performance Grant $350,100,000.00 $15,033,121.00 $27,741,329.00 $20,848,936.00

271 United States Department of Homeland Security, Federal Emergency Management Agency, Grants Programs Directorate Information, Bulletin No. 433, August 24, 2018; United States Department of Homeland Security, Federal Emergency Management Agency, Grants Directorate Information, Bulletin No. 440, April 12, 2019. 272 Note that the FY2018 table does not include the following DHS grant programs: Intercity Passenger Rail Program – Amtrak, Assistance to Firefighters Grants, Staffing for Adequate Fire and Emergency Response Grants, Fire Prevention and Safety Grants, Presidential Residence Protection Assistance Grants.

Privileged and Confidential 54

DHS Grant Program (FY2019) All States (Total) New York California Texas

Nonprofit Security Grant Program - State $10,000,000.00 $250,000.00 $300,000.00 $400,000.00

TOTAL $1,365,100,000.00 $270,963,121.00 $213,952,329.00 $86,589,936.00

% Federal Funding --- 19.85% 15.67% 6.34%

New York’s Economic Clout – A Force Multiplier The sheer size of the New York economy makes it a major player in the cybersecurity and homeland security industries, as New York State public and private sector entities can serve as both provider and consumer of related services. According to New York State’s 2018 Financial Condition Report, the state’s GDP was over $1.5 trillion, 8 percent of the United States total. Only California and Texas have larger economies.273 The financial services industry made up 29 percent of New York State’s real GDP; followed by professional and business services (13.7 percent); transportation, trade, and utilities (13.5 percent); and government (10.6 percent).274

9.1.3.1. Projecting Growth In the cybersecurity sphere, publicly reported numbers point to significant spending and growth in the years to come. According to a 2017 report by market research firm DiscoverOrg, New York City-based companies spent as much as $145.5 billion on IT and technology services that year, ranking New York City first in the country, and more than the next three cities – Chicago, Illinois ($52.0 billion); Dallas, Texas ($45.5 billion); and Houston, Texas ($41.1 billion) – combined.275 According to a 2019 report by the Boston Consulting Group, studies vary as to estimates of the percentage of IT budgets dedicated to cybersecurity: a PricewaterhouseCoopers study estimates 3.7 percent, a Gartner study estimates 5.9 percent, and a Forrester study estimates 10 percent.276 A May 2019 Deloitte study also indicates that financial institutions spend on average 10 percent of their IT budgets on cybersecurity. 277 A 2018 Accenture study examining the cybersecurity preparedness of New York City companies stated that almost half of respondents noted that their organizations were making “transformational investment[s]” in

273 2018 New York State Financial Condition Report, Economic and Demographic Trends, see: https://www.osc.state.ny.us/finance/finreports/fcr/2018/economic.htm; “How each US state’s economy measures up to countries around the world,” Business Insider, June 2, 2018. 274 2018 New York State Financial Condition Report, Economic and Demographic Trends, see: https://www.osc.state.ny.us/finance/finreports/fcr/2018/economic.htm. 275 “Top 10 U.S. Markets for IT/Tech spending,” DiscoverOrg.com, May 8, 2017, see: https://discoverorg.com/blog/top-10-us- markets-for-it-spending/. 276 “Are You Spending Enough on Cybersecurity?” Boston Consulting Group, February 20, 2019, see: https://www.bcg.com/publications/2019/are-you-spending-enough-cybersecurity.aspx. 277 “Pursuing cybersecurity maturity at financial institutions,” Deloitte.com, May 1, 2019, see: https://www2.deloitte.com/insights/us/en/industry/financial-services/cybersecurity-maturity-financial-institutions-cyber-risk.html.

Privileged and Confidential 55

cybersecurity.278 According to the Accenture report, executives indicated that an average of 22 percent of their company IT budgets were dedicated to cybersecurity, and 31 percent of executives expected their companies to “more than double” cybersecurity investment by 2021. 279

9.1.3.2. Per-Employee Cybersecurity Spending In February 2019, the Boston Consulting Group published a report entitled: “Are You Spending Enough on Cybersecurity?” 280 This report cites a study from Gartner that companies spent $1,178 annually per employee on cybersecurity.281 A Deloitte study published in May 2019 reported that large banks were spending up to $3,000 per employee on cybersecurity; the average spending for financial institutions is reportedly $2,300 per employee.282

9.2. Diversity of Talent Pool Sources also noted that New York State has the potential to offer a pipeline of diverse talent to the homeland and cybersecurity industries, both of which traditionally struggle to attract individuals from under- represented groups nationally.

• One source working in economic development in New York State noted that they often highlight the diversity of upstate regions, pointing to Utica by way of example. The source noted that one- third of Utica’s population are refugees, 36 languages are spoken at the local high school, and the region also benefits from the presence of well-trained military veterans who come through Fort Drum, a United States military reservation in Jefferson County, New York, and are available to enter the work force following their military service.

• A source who works in cybersecurity education at a SUNY school noted that 51 percent of the student body at their institution consists of traditionally under-represented populations, and that their focus was to diversify the cybersecurity field and give opportunities to students who otherwise would not receive them.

9.3. Affordable Cost of Living and Talent Multiple sources noted that Upstate New York’s affordability could be a significant asset. This aligns with comments by other sources who discussed how technology-centric companies look to lower-cost regions to house certain engineering or other back office functions.

278 “Can NYC continue to lead the way in cybersecurity?” Accenture.com, October 9, 2018, see: https://www.accenture.com/us- en/insights/security/nyc-continue-lead-way-cybersecurity. 279 “Can NYC continue to lead the way in cybersecurity?” Accenture.com, October 9, 2018, see: https://www.accenture.com/us- en/insights/security/nyc-continue-lead-way-cybersecurity. 280 “Are You Spending Enough on Cybersecurity?” Boston Consulting Group, February 20, 2019, see: https://www.bcg.com/publications/2019/are-you-spending-enough-cybersecurity.aspx. 281 “Are You Spending Enough on Cybersecurity?” Boston Consulting Group, February 20, 2019, see: https://www.bcg.com/publications/2019/are-you-spending-enough-cybersecurity.aspx. 282 “Pursuing cybersecurity maturity at financial institutions,” Deloitte.com, May 1, 2019, see: https://www2.deloitte.com/insights/us/en/industry/financial-services/cybersecurity-maturity-financial-institutions-cyber-risk.html.

Privileged and Confidential 56

• One source who works in economic development in New York State noted they sell Upstate New York on the basis that you can obtain an educated workforce for a relatively low cost, the price of land is low, and it is “friendly” and not part of the New York City “ideology.”

• A source who works in cybersecurity education at a SUNY school stated that the affordability of smaller places could be an asset to draw both innovators and skilled personnel. As a counterargument to those who say that non-established urban areas will not be able to compete with major cities, the source pointed to the problems that Palo Alto, California is reportedly now facing after pricing itself out of competitiveness. The source noted that big players in the technology sector were now opening branches in more affordable areas.

The same source said that the question is not whether places like Buffalo can compete with New York City, but whether they have to.

• A source in economic development in New York City told K2 that the affordability pitch is not relevant with the New York City Region. The source noted that the homeland security and cybersecurity sectors are naturally developing in the city, as a result of all major companies investing in cybersecurity, for example. The source stated that companies coming to New York City do not talk about the difficulty of doing business, the need to find cheap office space, or the tax structure; such companies want to be close to the buyers and know they have to be in New York City to grow their business in the region.

9.4. Potential to Expand Existing Hotspots Sources also pointed out that New York State has several existing hotspots of growth which could be leveraged into homeland security or cybersecurity clusters.

• One source who works in cybersecurity education at a SUNY school pointed to the infrastructure that has been developed by the United States Air Force around Rome as a hotspot.

• A source working in the economic development sector in New York State also pointed to the Griffiss Business and Technology Park (“GBTP”) in Rome as an example of successful development, noting that GBTP is at 99.9 percent occupancy, building a new $10 million space, and already thinking about expanding. The same source noted that both existing and new businesses are willing to make long-term investments at GBTP, with talent as the primary attraction. The source described the area around Rome as an epicenter of high-skilled talent with businesses understanding that if they can bring on college students as interns, they can turn them into full-time employees at a lower cost.

As with most successful clusters, the source noted that GBTP creates synergies. As an example, the source noted a new company might be interested in locating to GBTP because of the opportunity to work with companies already located there.

• Another source in economic development in New York State said that they are seeing positive growth in Ithaca and Buffalo, along with locations along the New York State Thruway with companies like SRC, Inc., Lockheed Martin, and Saab growing in leaps and bounds. However, the source stated that a side effect of this growth was increased competition over talent and a concern on the part of small companies that they will lose their employees to larger companies that can offer higher salaries.

Privileged and Confidential 57

The New York State Thruway corridor was also cited by the source in cybersecurity education at a SUNY school, referenced above, who pointed to the gaming companies being established in Troy and Schenectady as potential hotspots of growth. The source noted that even though these companies are gaming-focused, drawing technical personnel to one area encourages brainstorming and ideas, and creates the potential for spin-off companies in other high-tech fields.

Privileged and Confidential 58

10. Development Opportunities

In the context of our discussions, multiple sources discussed ideas for development models that could be applicable in the context of attracting more cybersecurity and homeland security investment to New York State.

10.1. State-Sponsored Technology Testbed One source in the venture capital community noted that the objective of any company is to take a solution and demonstrate that the solution works and can scale. The source stated that many large banks and corporations have already developed their own in-house technology laboratories that allow them to bring in technologies and test how they perform within their existing IT infrastructure. The source told K2 there could be an opportunity for New York State to develop a corporate or state-sponsored center of excellence that companies in the area could leverage as a testbed for evaluating the viability and scalability of solutions before pushing them into the marketplace. The source also said that upstate regions could be particularly advantageous because the cost of talent there would be significantly lower than in locations such as New York City. In a related comment, another source noted that the startup community in particular needs affordable places to experiment and to fail. The source said that most ideas do not work, and it is not sustainable to have the pressure of New York City overhead while trying to get an idea off the ground.

10.2. Apprenticeship Laboratory A senior executive at a startup focused on cybersecurity training noted that New York State could have an opportunity to leverage its SUNY system to launch a Virtual Cybersecurity Apprenticeship initiative to target the cybersecurity skills gap. Although cybersecurity talent is not limited to hard-core coders – cybersecurity firms need a range of skills and disciplines – one of the prevalent issues with regard to the talent shortfalls in the industry is the disconnect between open positions and the skills that graduates are bringing to the workforce. Virtual apprenticeship laboratories at SUNY campuses could mitigate that challenge by connecting industry directly with students, enabling the former to shape the skills and knowledge base students develop during their studies. These students would then serve as a local and convenient pipeline of talent for New York- based companies.

10.3. Leveraged Purchasing Power A venture capital source in New York described an experience in a neighboring state with a technology venture fund that had been jointly initiated by the state’s economic development council and local corporations that wanted to encourage development. The source noted that in that instance, there had been a lack of cooperation between the state and the economic development council to leverage the state’s purchasing power as a consumer of services. The source stated that in the cybersecurity industry, many services had been commoditized, and so if the state expressed a preference for buying from companies that developed or tested their products in laboratories within New York as a “New York-certified solution,” that would be compelling.

Privileged and Confidential 59

The source said that this local pedigree could also be leveraged by companies in the cybersecurity sector when going to market, especially given ongoing concerns about overseas products and their ability to be hacked or altered by foreign governments. Certifying products as verified, secure, and domestically produced could be a significant selling-point.

10.4. Star Power The venture capital source also raised the Cold Springs Harbor Laboratory template as a possible model. The source noted that there was no organic reason to have a major biotechnology hub in the middle of Long Island, but that there was a local decision to build a world-class facility and recruit a major researcher as an anchor. The source suggested that a similar model could be applied to the cybersecurity sector.

10.5. Cultural Re-Branding One source working in cybersecurity education at a SUNY school pointed to Austin, Texas as a model of a city that had succeeded in using the annual South by Southwest (“SXSW”) Conference & Festival to change the perception of the city from “weird” to “creative.” The source noted it as an example of a non-technical cultural event (historically focused on music, film, and interactive media) that draws in technical people with a creative bent.

10.6. Tax Credits & Other Economic Incentives One source discussed the power of combining a significant pool of capital with tax credits as a driver for economic development. The source noted that Georgia has a 30 percent tax credit for the entertainment industry and now captured a bigger portion of the industry than Los Angeles. Maryland recently enacted two tax credits: one to promote investment in cybersecurity companies and the other to encourage “small businesses to purchase cybersecurity products or services from Maryland-based businesses.”283 According to the Baltimore Business Journal Online, the legislation was pioneered by the Cybersecurity Association of Maryland through a collaboration between the private sector and legislators.284

Another source stated that the Enterprise Investment Scheme and Seed Enterprise Investment Scheme in the United Kingdom were successful in increasing overall startup investment in London. The programs offered tax relief incentives for investors in early-stage startups in an effort to stimulate increased entrepreneurship.

10.7. Legislative Action Another source noted that New York could expand its cybersecurity industry through legislation that would encourage companies to seek cybersecurity services. Currently, New York has two primary cybersecurity requirements, a data breach notification law and a financial services cybersecurity standards regulation. These laws could be considered “backward looking” or “punitive.” New York State could instead stimulate a cybersecurity industry by working to create a legal framework that better incentivizes businesses to purchase cybersecurity services.

283 “Opinion: New MD. Cyber tax credits a big win on two fronts,” Baltimore Business Journal Online, May 10, 2018; see also: http://commerce.maryland.gov/fund/programs-for-businesses/cyber-tax-credit. 284 “Opinion: New MD. Cyber tax credits a big win on two fronts,” Baltimore Business Journal Online, May 10, 2018.

Privileged and Confidential 60

Cybersecurity Requirements for Financial Services Companies In “Defining Cybersecurity Law,” Jeff Kosseff, an assistant professor of cybersecurity law at the United States Naval Academy, 285 identifies two types of state-level statutes and regulations that govern cybersecurity: data security statutes and data breach notification statutes.286 The first of these, data security statutes, Kosseff notes “are largely punitive, carrying the threat of large fines, consent decrees, or lawsuits.”287

New York State’s “Cybersecurity Requirements for Financial Services Companies,”288 promulgated by the Department of Financial Services in 2017, are no exception. These regulations require licensed banking, insurance, and financial services companies to enact certain policies, including multi-factor authentication, data retention limits, encrypting non-public information, and establishing certain written policies to promote cybersecurity best practices. 289 Fines for noncompliance are undefined by the regulation, 290 but commentators have noted that “fines for DFS regulatory violations can range from a few thousand dollars up to $75,000 or higher, and these fines can be imposed on a daily basis.”291

Data Breach Notification Laws Kosseff explains that the second category of state cybersecurity legislation, data breach notification laws, apply “based on the residency of the individuals.”292 A company facing a breach, therefore, must comply with the state laws of the individual whose personal data was extracted. 293 According to the National Conference of State Legislatures, “All 50 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted legislation requiring private or governmental entities to notify individuals of security breaches of information involving personally identifiable information.”294

New York State’s Notification of Unauthorized Acquisition of Private Information law295 and Article II of the New York State Technology Law296 govern data breach notifications in New York State for private and government entities, respectively. These laws define a “breach of the security of the system” as “unauthorized acquisition or acquisition without valid authorization of computerized data that compromises the security, confidentiality, or integrity of personal information…” 297 and require covered entities

285 Jeff Kosseff, United States Naval Academy, see: https://www.usna.edu/CyberCenter/People/Biographies/Kosseffbio.php. 286 Kosseff, Jeff. “Defining Cybersecurity Law.” 103 Iowa Law Review 985 (March, 2018): 1010-1026. 287 Kosseff, Jeff. “Defining Cybersecurity Law.” 103 Iowa Law Review 985 (March 2018): 1014. 288 23 NYCRR 500. 289 23 NYCRR 500. 290 23 NYCRR 500.20. 291 “Are The New York Cybersecurity Regulations to U.S. Equivalent of GDPR?,” Above The Law, April 9, 2019, see: https://abovethelaw.com/2019/04/are-the-new-york-cybersecurity-regulations-the-u-s-equivalent-of-gdpr/?rf=1. 292 Kosseff, Jeff. “Defining Cybersecurity Law.” 103 Iowa Law Review 985 (March, 2018): 1014. 293 Kosseff, Jeff. “Defining Cybersecurity Law.” 103 Iowa Law Review 985 (March, 2018): 1014. 294 National Conference of State Legislatures, Security Breach Notification Laws: http://www.ncsl.org/research/telecommunications- and-information-technology/security-breach-notification-laws.aspx. 295 N. Y Gen. Bus. Law § 899-AA. 296 N. Y. State Technology Law § 208. 297 N. Y Gen. Bus. Law § 899-AA(1)(c); N. Y. State Technology Law § 208.

Privileged and Confidential 61

experiencing such a breach to notify affected persons in writing or on the phone unless it would cost the entity more than $250,000, in which case it can email or conspicuously post notification of the breach.298

While it is plausible that data breach notification laws would incentivize companies to purchase cybersecurity services, Kosseff notes the opposite may be true. He specifically cites a study that found “more than 25% of U.S. adults had received a data breach notification in the previous year, and nearly 90% of them continued to conduct business with the company that sent the breach notice.”299

Opportunities for Forward-Looking Legislation In “Defining Cybersecurity Law,” Kosseff characterizes data security laws and breach-notification statutes as “backward looking” and states that “[a] move toward forward-looking laws is consistent with an emphasis on a cybersecurity legal framework that emphasizes cooperation between the government and the private sector. 300 Kosseff writes that “few U.S. cybersecurity laws provide companies with incentives to adopt adequate cybersecurity safeguards.”301

One new law exemplifies a forward-looking approach to cybersecurity legislation. On November 2, 2018, the State of Ohio put into effect a novel law that incentivizes businesses to engage in cybersecurity best practices: this law, the Ohio Data Protection Act, affords covered entities that experience a data breach an affirmative defense against tort claims arising therefrom if the covered entity complies with one of ten industry-recognized cybersecurity programs.302

New York State could help cybersecurity companies grow by enacting legislation that would incentivize businesses to purchase their services. Kosseff writes that incentives would be particularly useful to small and midsized companies, as those “often do not have the resources to have even a dedicated information- security staffer” but “constitute the majority of all cyberattack victims.”303

298 N. Y Gen. Bus. Law § 899-AA(5); N. Y. State Technology Law § 208. 299 Kosseff, Jeff. “Defining Cybersecurity Law.” 103 Iowa Law Review 985 (March 2018): 1014, citing Ablon, Lillian et al., “Consumer Attitudes Toward Data Breach Notifications and Loss of Personal Information.” Rand Corp. 13, 26-27 (2016), at https://www.rand.org/pubs/research_reports?RR1187.readonline.html. 300 Kosseff, Jeff. “Defining Cybersecurity Law.” 103 Iowa Law Review 985 (March 2018): 1030. 301 Kosseff, Jeff. “Defining Cybersecurity Law.” 103 Iowa Law Review 985 (March 2018): 1028. 302 See: https://iapp.org/news/a/analysis-ohios-data-protection-act/; O.R.C. §§ 1354.01-1354.05. 303 Kosseff, Jeff. “Defining Cybersecurity Law.” 103 Iowa Law Review 985 (March 2018): 1028.

Privileged and Confidential 62

11. Conclusion: Dedicated Statewide Development Effort Required

Sources asserted that the effort to establish new cybersecurity or homeland security clusters in New York State would require a focused, multidisciplinary effort. • One senior cybersecurity executive stated that it would be possible for a cybersecurity or homeland security cluster to develop, but it would be an “uphill battle” for any location outside of a major metropolitan area, which offers multiple employment options for skilled workers. The source continued that to create or promote a cluster, a long-term, dedicated effort with a substantial amount of attention and monetary support is needed. The source also noted that the development of a cluster in one location may be perceived to come at the expense of another area.

• One source noted that the Syracuse region started an initiative to build capacity in cybersecurity training but cautioned that just “churning out jobs” in cybersecurity was not sufficient for the region’s needs. The source noted the program would need more structure to be effective because students who graduate from these programs are not ready to take on senior roles at cybersecurity companies and a company cannot be staffed with only recent graduates.

State-Level Leadership is Necessary to be Competitive One source noted that other states seem to be focusing a lot of effort to develop their cybersecurity industry – with programs like CyberMaryland, CyberCalifornia, and CyberAlabama cited as examples – and they were not aware of any similar initiative in New York State.

• A source who works in cybersecurity education at a SUNY school described the funding environment for the cybersecurity program in which the source works as “abysmal” and that the program does not get “clear or coordinated” resources from the university or from SUNY more broadly. The source also asserted that the ups and downs of state funding are particularly problematic, creating the need to search for other funding sources for more stability.

This source further suggested New York State should work more closely with academic institutions to ensure offerings are in line with job requirements. Another source in cybersecurity education said that their organization has little coordination with state-level government on the academic side.

Opportunity for Impact Multiple sources said that they would like to see more state-level leadership in order to keep pace with the efforts of other states. • In the cybersecurity space, a source stated that development agencies in New York State could make an impact by marketing such services at the grassroots level with local chambers of commerce and other business organizations.

• Another source noted there is a potential for growth among middle-market customers, stating that these customers are underserved by the cybersecurity market generally.

Privileged and Confidential 63

• A third source stated that they would market the affordability of Upstate New York, focus development efforts on creating the supporting infrastructure to entice talent, and create a series of incentives and amenities like housing to encourage companies and talent to move there.

Privileged and Confidential 64