IQT turns to old school shaking-and-breaking with Veracode investment

(Written August 14th, 2008 as part I of a two-part post for Plausible Deniability, the blog of The 451 Group’s Enterprise Security Practice. Read Part II here)

In late July, binary code analysis-as-a-service provider Veracode announced that it had received an investment from In-Q-Tel, the not-for-profit that serves as the venture arm of the Central Intelligence Agency.

This is a two-part blog about IQT, its investment in Veracode (and what I think is IQT’s future), and then how IQT and the CIA intend to compete in an intelligence community atmosphere whose political winds are shifting like Dick Nixon’s eyes at a tough press briefing. To be fair, whether Veracode works or not, the specifics of the Veracode investment are less interesting to us than the apparent shift in investment strategy at IQT.

Many people sort of wink knowingly when they hear about IQT, but don’t really have a sense of what the thing does, or in fact, its successes to date. The interesting thing, which we will go into in a bit, is that for the most part IQT, which sounds really spooky and security-ish, has invested in hugely successful companies that could not be less directly related to information security.

Like OpGen, which does single molecule DNA analysis technology to identify and analyze microorganisms. The closest it gets to something like IPS is, well, IPS, or Infinite Power Solutions, which makes thin-film energy storage devices for microelectronics. It’s not like it’s a bunch of guys dressed like Lefty skulking around corridors in Silicon Valley saying, “Psssst! Hey Bud…Wanna take some NRE money?”

IQT exists to determine an answer to the question, ‘Is it possible to solve [problem set here]?’. If the answer is ‘yes’, IQT’s job is to identify fiscally viable, practically capable, innovative private organizations which might be able to solve the problem at hand. By providing access to these technologies, often by repurposing existing ones to accomplish things outside the scope of their original design, IQT will increase the capabilities of its main customer, the CIA.

So going out on a long, unsupported limb, we think that the Veracode investment is the first in what will be a string of more traditional infosec investments, especially in the areas of digital identity and access control technologies addressing the concepts of digital persona. And we think that this is being driven in part by a several-years’ long political climate change that has led money and influence away from the CIA.

More on that next week.

By the way, IQT has not spoken to me about this issue other than typically flacky guff about the Veracode investment, to wit:

“…We have relatively recently expanded our internal organization in terms of the technology practice, derived from the specific problems we see; we spend lots of time examining not just the technical capabilities but the company itself. Our selection of Veracode speaks for itself; as a strategic investment firm it’s there to meet a strategy.” Blah, blah, blah [blah, blah, blah added].

IQT is, intriguingly, a 501(c)(3) not-for-profit organization, meaning, I suppose, that donations to it are tax deductible. I’ll try to donate fifty bucks and blog about how that works out, and what kind of newsletter I get for it.

Its activities are unclassified, and the company only deals with open source (in the spook sense, not the licensing sense) stuff.

There are some fascinating documents available on the CIA’s website about IQT’s history and on IQT’s website about the organization and how it has been operated, especially including a report excoriating the handwringing at the CIA as it tried to get past its, ‘Private sector? Pah! We made CORONA! We can read the gender of a newt from nine miles in space!’ attitude.

In the past, this has often not been a case of information security in a standard sense of the phrase. Still, the perception of IQT as a ‘security’ investor remains.

When the investment in Veracode was announced, many felt that it was par for the course – code analysis, security, CIA… All goes hand in hand.

Except that for most of its nearly ten year history, IQT has been anything but an investor in information security companies. Sure, since its inception it’s made investments in lots of things that seem cloak and dagger. Keyhole, the satellite imagery and 3-D Earth visualization company, was an early investment (in 2003 my accountant, reviewing my expenses, saw a credit card charge to ‘Keyhole’ and asked me if I was trying to write off a visit to a strip club); it ended up becoming Google Earth.

Many other investments are in areas like zoom lens development, chemical analysis tools, entity extraction and semantic analysis stuff. An analysis of the investments that the, uh, firm, has made since its inception under the George Tenet-led CIA of 1998 shows that most of the investments are of the build-a-cooler-mousetrap variety for things that seem decidedly bookish.

Of its 76 investments, IQT has made ten in what I would consider to be classic infosec investments. The other 66 investments have been spread across IQT’s other practice areas: Application Software and Analytics, Bio, Nano, and Chemical Technologies, Communications and Infrastructure and Embedded Systems and Power.

In-Q-Tel’s Digital Identity and Security group invests and seeks technologies in the truly hot if not downright sexy areas of identity management and access control as well as risk analysis capabilities, system design and analysis tools and policy definition and management. The investments have been:

  • 3VR Security (wicked-cool video facial recognition, like, ‘Show me where this guy has been on every camera you have’ kind of recognition – you have to watch the demo);
  • A4Vision (facial biometric and camera tracking systems technology acquired in January 2007 by BioScrypt, which itself was acquired in January, 2008 for $44.3m by L-1 Identity Solutions, Inc);
  • ArcSight (the enterprise security information management vendor which has since, of course, gone public and whose stock has recently recovered from elephant-tranquilizer-territory);
  • PKI and ID infrastructure vendor CoreStreet;
  • Encryption vendor Decru (bought by Network Appliance, Inc for $272.1m in June, 2005);
  • Master data management vendor Initiate Systems (whose $26m series F round takes total funding to about $61m);
  • Awesome-cool ‘where’s-that-RF-device?’ vendor Network Chemistry, which sold its security assets to Aruba in July 2007 and got waaaay pissed off with us when we priced that deal at $3m;
  • SRD Software (if you thought RSA’s Verid is spooky you should talk to these guys; it was acquired in January, 2005 by IBM for $69m);
  • and, of course, Veracode.

But the Veracode investment is interesting. The core technology of Veracode’s on-demand service was developed in 2002 at @stake, the pen testing and assessment firm acquired for $49m by Symantec in April, 2004. Want to know what’s also interesting? IQT President and CEO Chris Darby was Chairman and CEO of @stake. And the Veracode investment comes three months after the appointment by IQT of Dan Geer as its Chief Information Security Officer.

Now, Geer is a plain-spoken star in the security world. He was CTO at @stake (and a gazillion banks) before a much celebrated and reviled paper declaring that Microsoft was a national security threat hastened his departure (to quote another former @Staker, ‘It’s hard not to suck deep, deep down when you are Microsoft Windows’). Geer has also worked at Verdasys and on a host of other projects and organizations (more on him and some of those other projects tomorrow).

Based on what I know of IQT and of Geer (I’ve never met Darby but I think Geer is a truly honorable guy), I don’t believe that there is much connection between Geer being on the board of Veracode and the IQT investment in Veracode. We understand that IQT has actual conflict-of-interest firewalls that are taken seriously by the firm, so we don’t believe Geer would have been involved in the investment decision on the IQT side. I am much more willing to believe, based on IQT’s investment history and the people involved, that these guys simply knew that the stuff was out there to meet the specific requirements that were presented, and that Darby and Geer would naturally have said, ‘Oh yeah, that stuff – you wanna talk to the guys at Veracode.’ As I said, maybe I am being a sucker, but I think not.

For Veracode, the cachet of the investment is PR no one can buy, and the cachet of having sold stuff to the CIA will on its own be enough to open doors at other government agencies (especially, one would assume, the three-letter kind). And for reasons I will get into tomorrow, I think that the statement I made earlier – that it is the first in what will prove to be a series of straight-up infosec and ID and Access management-related investments – will prove true.

Part II