The race to build the Silicon Valley of cybersecurity

Cities and regions around the US are competing to draw business and brainpower in a market projected to top $160 billion by 2020.

A welder at an Alabama construction site. Photo used under Creative Commons license (Creativecommons.org).

William Franklin/Flickr/CC

March 25, 2015

Dozens of businessmen filed off luxury tour buses, huddling around the Army colonel who commands the sprawling Fort George G. Meade, Md., base that’s home to the National Security Agency and the US military's cyberwarfare command. He told them protecting the country from adversaries over computer networks is now just as crucial as on land, in air, sea, and space. It was hard to hear him over the sound of bulldozers and cranes clanking and screeching, building what will become a 750,000 square foot data center.

Yet this cacophonous scene was exactly what Jim Dinegar, chief executive officer of the Greater Washington Board of Trade, wanted the the 82 presidents of banks, construction magnates, realtors, and mortgage brokers he invited on his summer “Cyber Bus Tour” to see: That the US government is taking the threat so seriously that the base is razing the rest of its cherished 36-hole golf course to make way for more computing power for its missions.

Mr. Dinegar hopes the military's double-down on cybersecurity will convince the businessmen it’s worth supplying the influx of thousands of specialists to the relatively sparse Maryland area with everything from homes to dry cleaning and office moving services. After all, Dinegar’s top mission is to bring jobs and business to the District of Columbia, Northern Virginia, and suburban Maryland. He wants boomtowns. Cybersecurity, he says, will be the region’s golden ticket. “It’s an opportunity that’s bigger than anything I’ve ever seen.”

Tracing fentanyl’s path into the US starts at this port. It doesn’t end there.

But Dinegar is facing stiff competition. He’s not the only one equating the country’s cyber insecurity with dollar signs.

While California’s Silicon Valley is the US technology capital, cities and states across the country are vying to dominate the booming market for actually securing that technology and information.

“What’s the next Silicon Valley for cybersecurity?” asks Peter Singer, a strategist who focuses on cybersecurity at the New America think tank in Washington. “This is one of the fastest growing industries – not just in the tech sector, but in the world.”

The global cybersecurity market was $67 billion in 2011 and is projected to grow as high as $156 billion by 2019, according to premium market research firm Markets and Markets. It will expand as more giants such as Sony Pictures Entertainment, Target, and Home Depot are hacked, consumers demand more and better security, and businesses grow more aware of the potential cost to their sales and reputation if they do not provide it.

Seeing a window of opportunity, state governments and pro-business groups from California to Texas and Florida are positioning themselves to win federal contracts and score venture capital investment. Some are going to extraordinary lengths to build what they call “a cybersecurity ecosystem.” They are commissioning economic impact studies, developing tax incentives to attract companies to their regions and even hiring PR firms to devise branding strategies. They are competing over government contracts, even investing in startups with money from state coffers. With as many as 300,000 cybersecurity jobs across the country unfilled last year, according to security company Symantec, they are crafting academic programs for public universities to win research grants and generate the next crop of highly skilled workers poised to make six figures– and stay local. 

While cybersecurity “is about digital systems and processes,” Mr. Singer adds, “there are still people behind it. The people, and companies they work for, have to physically be somewhere ... . Where will these people and firms be located? It’s not yet shook out where it will be.”

DC Metro: The federal government advantage

Airplanes hang from the ceiling at the Smithsonian National Air and Space Museum. Despite the heat, the nation's capital is a popular summer destination for tourists from America and around the world.
Melanie Stetson Freeman/The Christian Science Monitor

In a competition for cybersecurity business, the area around the nation’s capital has a huge advantage with the alphabet soup of government agencies, and concentration of military installations. For starters, there’s Virginia’s CIA and Pentagon; the District's FBI and Department of Homeland Security; and Maryland’s Fort Meade and the Defense Information Systems Agency.

Here’s the true power of geography in the beltway: Contracting. Federal contracts with the NSA, for instance, often have requirements that companies be within a few miles of their government customers paying them, Dinegar says. “Silicon Valley is a little bit more than five miles away,” he quips, noting that proximity requirements for contracts is a large part of why the National Business Park – some 2.3 million square feet of office space in Maryland – has been fully occupied and continues to grow.  

Aerial photograph of the National Security Agency at Fort Meade, Md.
Photo by Trevor Paglen used under Creative Commons license

So even as the traditional defense budget shrinks at the end of a decade of war in Iraq and Afghanistan, federal money for cybersecurity is increasing. The Pentagon’s requested $5.5 billion for its cybersecurity operations next year is up a whopping 30 percent from just two years prior; the department is on track to spend around $23 billion on it within five years. (The exact amount the intelligence agencies spend on cyber is unknown because it’s classified, but strategy consulting firm Avascent estimates the federal government spent $13 billion on cybersecurity-related contracts with companies for just the last fiscal year – and over half that was delegated by the intelligence community.)

And the flood of federal dollars is a strong factor as to why the Washington, D.C., area posted for more than 23,400 cybersecurity jobs last year – dramatically more than any other region, including the 12,700 posted in the San Francisco/San Jose area, according to a report from Burning Glass analyzing aggregate job postings.

Cybersecurity, says Jeffrey Wells, Maryland’s director for cyber development, “is just a piece of what Silicon Valley is doing, whereas here it’s our core ecosystem.” 

Garrison Commander Col. Brain P. Foley and other political constituents at Freedom Inn in Fort Meade.
Photo by Daniel Kucin Jr. from The Baltimore Sun.

There are some metrics that support this. In the ratio of cybersecurity jobs to residents by state, Virginia is No. 1, with 25 postings for cybersecurity jobs, ranging from network and information security to cryptography and malware analysis, per 10,000 residents. 

Maryland is second highest, with 18 posts per 10,000 residents.

To be a more formidable “Cyber Capital,” however, the two states and the district should band together, Dinegar argues, because right now each state’s respective assets “cancel each other out” as national leaders.

Silicon Valley, for instance, even has a catchy moniker, but “the Greater Washington region,” Dinegar says, does not “really roll off the tongue-- and [people] couldn’t really say anything about here other than that it is the home to government.”

To conquer the branding challenge, Dinegar hired a communications firm, Washington-based APCO Worldwide, to develop a comprehensive list of the entire region’s assets and develop a clear marketing plan to promote the region as, collectively, the national home for cybersecurity.

“How do you cut through the clutter and say, ‘Well, if you’re landing at BWI airport, then you’re minutes away from the heartbeat of Cyber Command, and if you land at Dulles Airport, you’re minutes away from the Northern Virginia technology corridor’?” Dinegar wants to know.

Economic and business organizations in the three states want the government to spend around $300 million to extend the routes of Maryland and Virginia’s commuter trains to allow more direct access between more traditionally remote tech hubs. Without a better cross-border transit system, Dinegar believes it may be difficult encourage the desired boom of highly-educated, young 20- and 30-somethings to live comfortably out in the suburbs, or commute in their apartments in big cities. The Greater Washington Board of Trade is trying to arrange uniform tax incentives across the Maryland, Virginia, and D.C. to attract new business to the region, either for companies that would relocate to the region or local startups that want to expand. Since they all have different tax structures, that also will be no easy feat.

Maryland & Virginia: Battle to claim the cybersecurity mantle

Photo by Taber Andrew Bain

But the biggest obstacle to those pushing a Greater Washington cybersecurity domination plan may be that elements within the state governments themselves are, by many accounts, obstructing this kind of kumbaya approach.

To them, it’s clearly a competition. “We are correct in calling Maryland the epicenter for cybersecurity,” says Mr. Wells, the Maryland director of cyber development, pointing to his state's “Cyber Maryland” initiative. Launched in 2010, it was the country’s first state-coordinated approach to harness federal, state, and local governments, private businesses, and academia to promote cybersecurity opportunities. But Karen Jackson, Virginia’s secretary of technology, does not believe her neighbor has it in the bag. “Virginia will come out on top,” Ms. Jackson says. “We’re nationally ranked as the best place to do business. That’s a national ranking that says we’re better than everyone else.”

Maryland and Virginia are busy luring jobs and contracts that could make them each No. 1. Jackson says she personally is working hardest on scoring the “Civilian Cyber Campus” that would be a new center that would consolidate civilians from the Homeland Security and Justice Departments onto one campus. Obama’s budget for next year requested $227 million for the center, though the location has not been named. “We are going to actively pursue any and all opportunities to bring additional cyber assets to the Commonwealth,” Jackson said. 

Compared to Silicon Valley, suburban Washington is not exactly known for its entrepreneurial spirit. But private businesses are crucial to create a successful cybersecurity business ecosystem. Some very successful security companies have sprouted up locally, including the Virginia-based Mandiant, which was acquired last year by FireEye for $1 billion last year; and the Maryland-based Sourcefire, which Cisco bought for $2.7 billion the year before. But East Coast cybersecurity companies are typically focused on providing services, not building products – and their returns tend to be far lower than on the West Coast. They are a little defensive about it.  

“Silicon Valley values return on investment much differently than we do on the East Coast,” says Wells. If big companies such as Facebook are going to spend roughly $19 billion for social media apps like WhatsApp but “spend $2 billion on a cybersecurity product that saves billions a year,” Wells said, “there’s a skewed proposition.”

This translates into more cross-border competition for companies. Maryland raised $84 million to invest inearly stage technology – including $5 million for cybersecurity – and offers a total of $4 million worth of tax breaks specifically for cybersecurity startups already in the state or who agree to locate there.

The competition scales down even to the county or city level. Montgomery County has created its own tax credit similar to the one at the state level. For instance, Maryland’s Montgomery County funneled $100,000 to lure a small Virginia cybersecurity startup, Mobile Systems 7. Representatives from the Arlington, Va., economic development council are staking out cybersecurity trade shows for companies looking to relocate, talking up the incoming secure dark fiber lines and tech zones geared toward attracting high tech firms with tax incentives.

Since Maryland and Virginia have each set aside millions of taxpayer money to bolster the creation of cybersecurity companies in their states, the competition is perhaps not so surprising. Each state wants to see return on their investment. “Our funders care very much about it, and they do look at it as zero sum,” says Rick Gordon of Mach 37, an accelerator designed to make local cybersecurity startups succeed, funded in part with $4 million in Virginia state money over two years. “If Maryland gets one of our businesses, they look at it as a loss.”

In the broader national competition, however, these competing incentives could prove counterproductive to unity advocates like Dinegar. “We’re like, ‘Stop! Stop arguing with each other! We’re collectively the home of cyber here in this region,’” Dinegar says. The competition between states, even counties, leaves the door open for other regions to steal business, he says. “Frankly, if we worked better together, we wouldn’t have Silicon Valley eating our lunch, or Austin, Texas, emerging as strong as they’re emerging. We are already home to cyber. I would say it’s ours to lose ... There’s plenty for everybody, so let’s not be greedy.”

San Antonio: Forget 'Alamo City.' This is 'Cyber City USA'

San Antonio's leaders have already claimed the title “Cyber City USA." And John Dickson wants to cement its position as other regions vie for the title.

That’s why Mr. Dickson, who chairs the cybersecurity task force at San Antonio’s Chamber of Commerce, went door-to-door in the halls of Congress this February to lobby senators and representatives from Texas to bring his city more business. San Antonio's military presence has created a critical mass of cybersecurity operations in the area. The Air Force’s Cyber Command; the unit charged with electronic warfare; and the NSA’s Texas Cryptologic Center, a former Sony chip fabrication plant that’s now a sprawling intelligence center, call the city home. Combined, the three centers are estimated to have a mission force of more than 6,000 personnel, making cybersecurity is a huge driver of the local economy.

So Dickson and six other San Antonians moonlighting as cybersecurity lobbyists had a clear set of asks for Congress. A principal at the Denim Group, a fast-growing firm in the city and a former Air Force officer himself, Dickson wants the military and NSA to delegate authority to local military and intelligence stations to be able to hire their own contractors.

Current contracting policy, Dickson says, means companies “have to make a pilgrimage to Maryland to win contracts, so it gives an advantage to contractors in the D.C. area.” More contracting authority locally, he says, would “level the playing field.” Also on the long-term wish list: A Department of Homeland Security regional center in the San Antonio area.

San Antonio's history with cybersecurity spans all the way back to the mid-1980s, when computer networks were just developing and the military stationed some of the earliest cybersecurity personnel in the city. Over time, the outflux of skilled personnel leaving the military and staying local has in part led to some advantages for the city: Close to 100 cybersecurity-oriented companies operate out of the city, according to a study by Deloitte commissioned by the San Antonio Chamber of Commerce to assess the city's cybersecurity assets. And San Antonio has the second-largest concentration of Certified Information Systems Security Professionals in the US, according to that report, an internal document previewed to Passcode. 

“Cybersecurity as an industry is still in its infancy, and San Antonio is among the elite locations poised for growth," the Deloitte report found. "Albeit lacking the youthful vibe of an Austin, San Antonio’s entrepreneurial strata, including cybersecurity, other information technology and biosciences, is sizable and growing. Local entrepreneurs claim the ability to entice essential employees from desirable employment centers like the D.C. area." 

The trick, Dickson says, will be figuring out how to make San Antonio stand out. “In all likelihood, McAfee and Symantec aren’t going to move to San Antonio in our lifetime,” he says. Nor will research and development work migrate from Silicon Valley and Boston. “What we do have is a lot of talented practitioners ... . There’s an entire squadron in the Air Force that does nothing but malware analysis. Those folks are starting to leave [the military] now.” The next evolution of the recruitment strategy, Dickson says, should be to encourage big companies to set up security network operations centers in the city and hire locals. Deloitte recommends San Antonio consider creating a dedicated cybersecurity economic development staffer to entice business and investment.

Meanwhile, the state of Texas is looking to San Antonio as a model for its bigger ambitions: An initiative called Cyber Texas. Brian Engle, the state’s chief information security officer who stepped down in February just before this piece published, says instigated a more coordinated approach to “hoist” itself into the national competition since October 2013. Texas already has 16 centers for academic excellence in cybersecurity, but lacked a coordinating initiative – even Mr. Engle’s own job did not exist.

Over the next three years, 90,000 veterans will return to the state, and Texas is building incubators for them to leverage their skills into cybersecurity jobs, especially through programs like Cyber Aces, developed by the SANS Institute, to train them in coding and network defense. Veterans, Engle says, “absolutely come with a skill set that is really highly related to cybersecurity, the understanding and protection of information and compartmentalization."

But the state’s big sales pitch revolves around taxes. “The lack of a state income tax makes living here very attractive for an individual,” Engle says. “The cost of living is dramatically lower.” Governor Rick Perry, who was replaced in the last election, toured the country to talk about how his state is “wide open for business” – which caught the ire of other players trying to build their own empires.

“He went up to Maryland and talked about how Austin was strong on technology… [saying] ‘We don’t charge taxes, and you should move out of Maryland’,” Dinegar says. “It was a pretty audacious move.”

The trick, Dickson says, will be figuring out how to make San Antonio stand out. “In all likelihood, McAfee and Symantec aren’t going to move to San Antonio in our lifetime,” he says. Nor will research and development work migrate from Silicon Valley and Boston. “What we do have is a lot of talented practitioners ... . There’s an entire squadron in the Air Force that does nothing but malware analysis. Those folks are starting to leave [the military] now.” The next evolution of the recruitment strategy, Dickson says, should be to encourage big companies to set up security network operations centers in the city and hire locals. Deloitte recommends San Antonio consider creating a dedicated cybersecurity economic development staffer to entice business and investment.

Meanwhile, the state of Texas is looking to San Antonio as a model for its bigger ambitions: An initiative called Cyber Texas. Brian Engle, the state’s chief information security officer who stepped down in February just before this piece published, says instigated a more coordinated approach to “hoist” itself into the national competition since October 2013. Texas already has 16 centers for academic excellence in cybersecurity, but lacked a coordinating initiative – even Mr. Engle’s own job did not exist.

Over the next three years, 90,000 veterans will return to the state, and Texas is building incubators for them to leverage their skills into cybersecurity jobs, especially through programs like Cyber Aces, developed by the SANS Institute, to train them in coding and network defense. Veterans, Engle says, “absolutely come with a skill set that is really highly related to cybersecurity, the understanding and protection of information and compartmentalization."

But the state’s big sales pitch revolves around taxes. “The lack of a state income tax makes living here very attractive for an individual,” Engle says. “The cost of living is dramatically lower.” Governor Rick Perry, who was replaced in the last election, toured the country to talk about how his state is “wide open for business” – which caught the ire of other players trying to build their own empires.

“He went up to Maryland and talked about how Austin was strong on technology… [saying] ‘We don’t charge taxes, and you should move out of Maryland’,” Dinegar says. “It was a pretty audacious move.”

California: Developing a cybersecurity-specific sales pitch

Photo by Nathan Congleton

While California has military installations, too, which garner government contracts, its real advantage over the East Coast comes from its lineup of commercial power players, from McAfee in Santa Clara to Symantec in Mountain View. “Silicon Valley is the hub for enterprise cybersecurity, where big businesses are coming up with better firewalls, because there are a lot of big tech businesses out there,” says venture capitalist John Backus.

The East Coast, explains Backus, the founder of New Atlantic Ventures, is the hub for research and development – cybersecurity work that’s still classified and may not show up inside the enterprise world for years – while the West Coast is the hub for commercialization. They specialize in taking small companies and making them, well, really big. When it comes to venture capital in security, California dominates the rest of its challengers, according to figures provided to Passcode by the National Venture Capital Association. In 2014, the highest-ever VC spending in the cybersecurity industry, California ate up $1.5 billion of the total $2.1 billion in cybersecurity dollars. 

This year, California's cybersecurity ecosystem got a big push on the academic side when the William and Flora Hewlett Foundation awarded the University of California, Berkeley, and Stanford University each with $15 million last fall to jumpstart cybersecurity policy analysis and new ideas in this field. In another boost for California's cybersecurity narrative, President Obama spoke at Stanford's summit in February, where he signed an executive order encouraging the private sector to share cyberthreat information with the government and other companies. 

Still, state officials know they have a long way to go to be universally considered the nation’s cybersecurity capital. California gets so much VC spending in large part because it is the center for venture spending overall, not necessarily because it has a unified cybersecurity sales pitch.

“There was a thought that companies were being recruited out of California, because there was nothing – no narrative – about cyber in California,” says Louis Stewart, who is California’s deputy director of innovation and entrepreneurship. So Gov. Jerry Brown, he says, commissioned a task force to “tell that story.”

The task force, led by the Department of Emergency Services and the Department of Technology, is working on a proposal for how to unify the state’s efforts on cybersecurity –and, of course, recommend a dollar figure to invest in it. One idea on the table: Talking to insurance companies to have them look at the level of cybersecurity in place at a company – and then offer them lower rates.

As the task force figures out how to harness its assets to woo cybersecurity businesses, the city of San Diego is not waiting around for its recommendations; it’s already making a strong play for the Cyber Capital title.

Ken Slaght, a former head of the Navy’s Space and Naval Warfare Systems Command, located in that city, has retired from the military to co-chair the San Diego’s Cyber Center for Excellence. It’s a public-private partnership to accelerate the city’s economy by harnessing its cybersecurity assets. Slaght, a retired rear admiral, says more than 6,600 people work in the cybersecurity industry in San Diego, including some 3,100 from his former military command, which administers hundreds of millions of dollars in contracts in this space. More than 100 small to medium size cybersecurity companies call the city home – but some local groups, Admiral Slaght says, estimate that number may actually be more than triple that size.

The San Diego center has made a running start. It’s entered into a formal partnership with the airport authority in San Diego to ensure the local airport complies with government-recommended NIST cybersecurity standard. Though “that takes a significant amount of work,” Slaght says, the center is doing its consulting “all pro bono” – a model for partnerships that might expand to other parts of the state. The corporate members of Slaght’s center will soon be able to post openings in a cybersecurity-specific jobs portal, likely through job site Career Builder, to attract talent from universities and companies to fill their openings.

This, too, the state government may replicate. “The state Cyber Task Force has already said, ‘We’re going to let you run the pilot, and if it works well we’re going to expand it to the state, and let agencies post jobs’,” Slaght said. So, after an expected $75,000 investment, the portal should be up and running by summer.

The investments, Slaght hopes, will pay off. The total economic impact of cybersecurity workers last year on San Diego was $1.5 billion – equivalent to the boons from hosting more than 3.3 Super Bowls or 8.5 Comic-Cons, he says. “Those are huge tourism drivers here,” Slaght says, “but if you add up what cyber could do, they almost pale in comparison.”

Florida: From 'sunshine state to 'cyber state'

Yes, he bolded, italicized and underlined that prefix for special emphasis, in the title of a report asking for $16.1 million every year from Florida’s board of governors to establish a center for cybersecurity. “One of a handful of states will emerge as the leader in cybersecurity and become the magnet that attracts the billions of dollars of private-sector and military spending that will be invested in this emerging field,” Mr. Sridharan wrote in the pitch, submitted to the board in December 2013. “Florida can become this leader.”

The sales pitch worked. With an initial investment $5 million investment from the state, Sridharan now directs the Florida Center for Cybersecurity, up and running since June. Headquartered at the University of South Florida, the center connects the state’s 12 public universities and its experts under one umbrella to expand academic curricula and score government grants in cybersecurity. The center will offer the state’s best resources – people and locations – when they submit proposals for contracts, instead of competing one against the other for the pot of cybersecurity grant money.

According to Sridharan at least, the NSA and DHS were into the idea: “They phrased it, ‘That’s a winning model.’ ”

Sridharan is well aware of the Greater Washington region’s squabbles over contracts and installations – and hopes it will work to his advantage. Government officials told Sridharan, in meetings to discuss collaborating with Florida on cybersecurity initiatives, that “there is this struggle and tug-of-war taking place” in the nation’s capital, he said.  “That is one of the reasons why, when we presented our business model to them, it really resonated with them,” Sridharan says.

Already, the new center hosted a big workshop – loaded with Washington types – to discuss the NIST roadmap for improving critical infrastructure cybersecurity in October. The university hosted 400 guests after it was selected by the White House as one of the locations to stream President Obama’s speech at Stanford University in February. Shuttling between Tampa and Washington, Sridharan is using these conferences and exercises led by the government to build relationships with various agencies with the expectation he will earn contracts in the future.

Companies can’t hire cybersecurity grads fast enough to fill the job deficit, and Sridharan wants them to pluck employees from Florida. Dubbed a center for academic excellence in cybersecurity, program enrollment has doubled from the first semester to the second. With thousands more certificates in cybersecurity predicted across the state under the new initiative, these Florida graduates, Sridharan expects, will enter the workforce prepared for six-figure-salary jobs – and the state predicts return on its investment through federal and industry R&D expenditures, patents and licensing revenues, and startup companies.

This is just the beginning for the Florida center’s state-of-the-art facility, replete with a screen that shows cyber attacks in real time. Sridharan is asking for a phased-in investment of $36.6 million to build it, complete with a government-approved secure facility to protect classified military or intelligence information and labs and its own data center. After all, Sridharan wants to collaborate with the military’s Special Operations Command and Central Command and other local military hubs.

Florida, at the outset, seems an unlikely contender to dominate the cybersecurity market; nine of the top 10 cities in the country known as hotbeds for identity theft are in Florida. Government officials often note, Sridharan acknowledges, “we have largest number of crooks in the entire country.” But he insists the fraud actually helps his case. “We really need [the Florida center] to address this problem in a big way.” 

Massachusetts: Leveraging academic brainpower

Massachusetts is a hub for security research and academic study across its many universities, from Harvard and Worcester Polytechnic Institute to MIT, the third recipient of the Hewlett Foundation's $15 million cybersecurity grant. An academic powerhouse, Massachusetts is the natural home for analysts and thought leadership in cybersecurity. Like California, Boston has the benefit of being an existing venture capital hub. Over the last five years, Massachusetts consistently falls just below California in terms of VC investment in cybersecurity firms, with anywhere from around $100 to 300 million spent per year. And the city of Boston alone came in seventh in the top 10 cities for cybersecurity job postings, according to the Burning Glass report.

There had been little indication that the state will take on a role in coordinating an umbrella network for public and private cybersecurity business, à la Maryland, but that could change soon.

Launched in 2011, the Advanced Cyber Security Center is a nonprofit consortium of universities, local government, and industry. ACSC's membership spans financial services such as the Federal Reserve Bank of Boston to pharmaceutical companies such as Pfizer Inc., and health insurance companies such as Blue Cross Blue Shield of Massachusetts. And the ACSC wants to build a Center for Excellence. The vision: Graduate and post-doctoral students, supervised by faculty, would work with cybersecurity companies on research products aligned with industry interests. It would include a physical center likely in downtown Boston and virtual capabilities to enable multiple universities to join in.

Charlie Benway, ACSC’s director, says industry partners have already promised they would triple whatever the state contributes to the project. To launch, the project will likely need around $10 million. Kickstarting this plan earlier this month, computer security company RSA's Brian Fitzgerald presented a broader plan for government investment in cybersecurity to the new governor, Charlie Baker. ACSC hopes it will invest millions of dollars into cybersecurity like the previous Massachusetts administration invested in life sciences. 

“We certainly think we have the resources and capabilities to be one of those centers of gravity [in cybersecurity],” Benway says. “We think we are one of the centers of gravity. We do have the right mix of assets and resources to be a national leader in cybersecurity.”

The challengers: Washington, Georgia, and Alabama

There’s also a smattering of other cities and states that could prove to be dark horses in the national cybersecurity race.

Washington State, for instance, boasts big companies in the Puget Sound area, starting with Microsoft and Amazon, and a constellation of defense installations and contractors. These are creating an outgrowth of cybersecurity startups in Seattle, says Ben Vaught, the communications director for the state’s chief information officer. “If you’re going to start a cybersecurity company, Washington state is the best place to do it, in terms of workplace availability and proximity to other folks working on similar issues,” he says. “There’s more people here that have cybersecurity experience than most of the other places in the nation.”

There’s also Georgia, which is a powerhouse in information security, a sector that generates a hefty $4.7 billion in annual revenue there. Home to the US Army Cyber Command and a National Security Agency cryptological center, The Technology Association of Georgia says the state has more than 115 information security companies – and major players like IBM and Dell SecureWorks have a significant presence or are headquartered there. Georgia is currently working on developing a cybersecurity tax incentive plan to attract more business, according to the Deloitte report commissioned by its competitor San Antonio.

Cyber Huntsville, a nonprofit organization of industry, government, and academic institutions, is an initiative by this Alabama city to, according to its website, make “Huntsville and the Tennessee Valley region a nationally and internationally recognized cyber leader.” The plan calls for Huntsville to focus on cybersecurity in the context of economic development, but it appears to be a far cry from the business attraction efforts already established or brewing in other states.

For now, Cyber Capital USA is anyone’s title to win.

Photo by Ben Lerchin

Being a first mover does not necessarily mean a city or state will have a definitive advantage, New America’s Peter Singer said.

“Philadelphia is, ultimately, the home of the computer, but Silicon Valley is the winner of the computer [industry],” he says.

There’s precedent for this as far back as the turn of the century. “Automobiles were made everywhere, from Long Island to Richmond, Va," Singer says. "Detroit is the winner of that revolution.”

Until one region comes out the winner, this will be the gold rush of the Digital Age – and not, necessarily, pushing out West.

Does your city or region have a plan to be the next hub for cybersecurity? Write the author at sorchers@csmonitor.com or tweet @SaraSorcher.