The Quest to Rescue Security Research From the Ivory Tower

Computers are dreadfully insecure. And all too often, the people who could do the most to help make them more secure are stuck in academia.

Stolen credit card numbers. Stolen passwords. The personal information of about 4 million federal workers hacked. We know all too well that computers are dreadfully insecure. And all too often, the people who could do the most to help make them more secure are stuck in academia with little connection to the real world.

That's the argument, at least, of computer scientist Jean Yang, a PhD student at MIT's Computer Science and Artificial Intelligence Laboratory, where she works on a privacy-centric programming language called Jeeves. She says she's seen an amazing amount of security research come out of her lab in areas ranging from new encryption techniques to vulnerability detection systems. The problem is that little of this work ever finds its way into the real world.

And it's not just MIT. Researchers from around the world publish new work almost daily. So she and her friend and fellow PhD student Frank Wang, a member of the student-led venture capital firm Rough Draft Ventures, started The Cybersecurity Factory to encourage academics who research computer security to start companies to commercialize their work.

In techie-speak, The Cybersecurity Factory is a startup accelerator that offers mentoring and education to newly founded security companies---plus a $20,000 seed investment from Highland Capital to help them get off the ground. The first two companies just started in the organization's pilot program late last month.

Like other startup incubators and accelerators, the Cybersecurity Factory will host lectures, Q&A sessions and "fireside chats" to help the first cohort learn the ropes of entrepreneurship. But security startups have a specific set of problems that other companies just don't have---even many non-security-focused business-to-business startups. "The clients need to trust you---really trust you---from day one," Yang says.

Real-World Relevance

To help startups figure out how to foster that trust, the Cybersecurity Factory team has lined up a host of mentors and speakers with deep expertise in the security niche, including OK Cupid and Keybase co-founder Max Krohn; Box's chief trust officer Justin Somaini; and Raj Shah, the senior director of strategy at Palo Alto Networks, one of the biggest names in security in Silicon Valley.

The founders of the first two companies accepted into the Factory---Oblivilock and Aikicrypt---say that they want the chance to validate their ideas to ensure that they are in fact useful outside of academia.

"In research, it's easy to devote all your time to a problem that doesn't have a real world application," says Oblivilock co-founder Chris Fletcher.

Both companies are working on ways to secure data stored in the cloud but are approaching the problem from very different angles.

Aikicrypt is working on a new way to encrypt cloud data. Traditionally, if you want to encrypt data in the cloud in such a way that the hosting provider can't read it, you won't be able to search or operate on that data in any meaningful way without decrypting it first. That's fine for storage, but it's not a great solution for data that needs to be frequently used. Sergey Gorbunov says he and his co-founder, Alexey Gribov, have found an effective way to deal with this issue based on their academic work, and now they want to put that research into action.

Oblivilock, on the other hand, is trying to protect metadata stored in the cloud. For example, if you uploaded a genome sequence, you could encrypt that data, but there will still be metadata generated about which parts of the data you accessed and when. For example, someone could use that metadata to determine that you're worried that you might have cancer, Fletcher explains. The problem is that you can't encrypt metadata without making it unusable, he says. "If you encrypt a phone number, you can't dial it," he explains. "So instead of encrypting the number, we're obfuscating the numbers that you're interested in."

The two companies will spend the summer learning how to turn these ideas into businesses and, with any luck, go on to raise a larger round of funding. "Our goal is simply to bring more security companies into existence," Yang says. It's a humble goal, but one that couldn't be more timely.