In June 2017, Russian hackers launched a malware attack on Ukraine called NotPetya. The attack, which locked users out of their own files unless they paid a ransom in bitcoin, was just one more tactic in the conflict between the two nations that had begun three years earlier. But viruses don’t respect borders, and this one spread far beyond Ukraine.
It infected computers in Europe and the U.S., and even in Russia itself. Mondelez (MDLZ), the giant global food company headquartered in Chicago, was hit hard. NotPetya disrupted e-mail and logistics and caused $100 million in damage. The White House called it “the most destructive and costly cyber-attack in history.” Total international destruction: $10 billion.
Nearly five years later, the Russians have invaded Ukraine and war is raging. Experts had been expecting more cyber devastation, but so far Russia has not knocked out Ukraine’s power grid or other important infrastructure.
“I think the biggest surprise to date has been the lack of success for Russia with cyberattacks against Ukraine,” Stephen Wertheim, a senior fellow at the Carnegie Endowment for International Peace, told Vox.
It’s not from lack of trying. The U.S. government’s Cybersecurity & Infrastructure Security Agency issued an alert disclosing that leading up to its invasion, Russia “deployed destructive malware against organizations in Ukraine to destroy computer systems and render them inoperable.”
Also surprising is that Russia has not successfully launched cyberattacks against the U.S., the U.K., Germany or other NATO allies. One reason is that NotPetya – as well as the WannaCry attack instigated the same year by North Korea – taught businesses and governments key lessons about protecting themselves.
Another is that the Russians know that the U.S. uses a strategy of deterrence, akin to its policy on the use of nuclear weapons, as a primary defense against a major attack. If Russia shuts down our power grid, or large parts of it, the U.S. has indicated it will respond massively, throwing the Russians into the cold and dark themselves, or worse.
Cybersecurity Sector Booms as Demand Grows
There’s no reason for us to be smug, though.
Don’t forget that Colonial Pipeline, the largest fuel network of its kind in the U.S., was breached last year, shutting off operations. It was caused by a single compromised password and could have been prevented by multifactor authentication, a basic cybersecurity tool that can involve simply sending the user a text with a code number. Colonial paid the Russian hackers a ransom of $4.4 million.
A vulnerability called Log4j in free software has led to attacks from hackers in Russia, China, Iran and other antagonists of the U.S. The Wall Street Journal reports “10 million attempts to exploit the Log4j vulnerability per hour in the U.S.” The CISA’s website carries a gigantic banner at the top that says “SHIELDS UP,” a warning that times are perilous.
In the cyber world, hackers always have the upper hand, but defenders are catching up. The companies that deploy the software, hardware, intelligence and training to thwart attacks have gotten better at what they do. Businesses know that they have to invest in cybersecurity or risk huge losses or outright failure.
As a result, the cybersecurity sector is booming. Gartner, the research firm, pegged global revenues at $150 billion in 2021, a 12% increase over 2020 and roughly double sales in 2017. Even before the Russian invasion, Fortune Business Insights was predicting spending would rise to $376 billion by 2029, an annual growth rate of 13%.
Nearly all of the internet giants, including Alphabet (GOOGL) and Microsoft (MSFT), offer cyber protection programs. Microsoft’s security revenues last year were $15 billion – more than any other freestanding company’s.
Pure Plays Among Cybersecurity Stocks
Among more focused opportunities, turn first to the largest such stock, Palo Alto Networks (PANW), with a market capitalization (shares outstanding times price) of $60 billion. Since NotPetya, revenues have tripled, and the company’s share price has more than quadrupled.
Palo Alto is known for its firewalls, which inspect internet traffic and protect against viruses, spyware and data leakage – as well as identify vulnerabilities. Like many cybersecurity stocks, Palo Alto is still unprofitable. But you’re buying a future in which what the company sells is an absolute necessity. (Stocks I like are in bold; data are as of April 8.)
Another larger cybersecurity company, Fortinet (FTNT), offers a wide range of tools, including intrusion-prevention and anti-malware software. Fortinet’s sales spiked 29% last year, and it made a small profit. Shares have risen nearly 20% since the war in Ukraine began, and the stock’s price-earnings ratio is 68, based on analysts’ forecasts for earnings for the year ahead.
Also among the larger companies is CrowdStrike (CRWD), which is especially adept at protecting endpoints – that is, devices such as smartphones and workstations that communicate with broader corporate networks. CrowdStrike’s revenue, nearly all of it from recurring subscriptions, soared 66% for the fiscal year ending January 2022. The stock has risen accordingly, but it is still worth a close look.
A recent update of the cybersecurity industry by securities firm Needham & Co. identifies Tenable Holdings (TENB) as the best way to play the convergence of information technology and operational technology.
For many firms, information technology, housed in the firm’s own computer systems or in the cloud, drives operational technology, or the functioning of its machines and other physical assets. This convergence is great for business, but it also leaves a company open to catastrophic attack. Tenable is unprofitable, and its market cap is more than 10 times its sales. But I view the risk as worth taking.
Tenable is also a potential takeover candidate in a sector that is consolidating. NortonLifeLock (NLOK), a powerhouse on the consumer side of cybersecurity, is awaiting regulatory approvals to complete its merger with Avast, a firm based in the Czech Republic that focuses on protecting small businesses. Norton has a solid franchise and provides good balance to faster-growing, more-expensive companies in the sector. Norton trades at a P/E of just 14.
Other companies I like (all have a market cap between $4 billion and $6 billion) include KnowBe4 (KNBE), whose shares are still about one-third below their all-time high; SailPoint Technologies Holdings (SAIL), which specializes in identity security; and Qualys (QLYS), with sales up nearly 50% over the past three years.
Among exchange-traded funds, consider Global X Cybersecurity (BUG), with an expense ratio of 0.5%. In 2020, its first full year, it returned 70.8%, and it gained another 13% in 2021. It’s breaking even so far in 2022. Palo Alto, Fortinet, CrowdStrike, Tenable, NortonLifeLock and Qualys are holdings, so the ETF provides a handy way to buy some of my favorites.
James K. Glassman chairs Glassman Advisory, a public-affairs consulting firm. He does not write about his clients. His most recent book is Safety Net: The Strategy for De-Risking Your Investments in a Time of Turbulence. Of the stocks mentioned, he owns Microsoft. Reach him at James_Glassman@kiplinger.com.