Alex Trafton [00:00:00]:
In this kind of strategic tug of war, put the poll with China is how do you collect more of these countries that are democratic, like Australia, that have highly educated, highly technical workforces, get them inside the tent more and ease that trade and, and make it easier for them to access your markets and vice versa to increase cooperation, to increase the flow of capital, to increase innovation and to increase kind of military acquisition capabilities and and technological advancements.
Karissa Breen [00:00:47]:
Joining me today is Alex Trafton, managing director, National Security, Trade, and Technology from Ancura. And today, we’re discussing opportunities for Australian companies to work with the US defense. So, Alex, thanks for joining, and welcome.
Alex Trafton [00:01:00]:
Thanks for having me, Chris. Appreciate it.
Karissa Breen [00:01:02]:
With your view now, obviously, your accident, you’re based in the United States. So maybe give us an overview of how you see the cybersecurity world from your point of view from, you know, over in the US.
Alex Trafton [00:01:15]:
Yeah. And so I actually used to live in Australia, so I am used to being told I have an accident, so I’m not taking exceptions. The, yeah. So I guess it’s certainly my perspective anyway, is I tend to take a kind of a holistic view of, national security and, and certainly for the work we do. So for me, cybersecurity fits into that, right? So we deal, you know, a great deal with basically government regulation around, cybersecurity data privacy, export controls, foreign investment. So the way I see cybersecurity is really through the lens of government regulation and how that’s shaping, you know, market forces and how that’s shaping cybersecurity for both government contractors and industry. And there’s, there’s certainly plenty of things to talk about, but I think one thing you know, that is clear and I think specifically with reference to the us interaction with Australia that there is a very clear divide in the world between what I call team USA and, and, and team China. And cybersecurity is a piece of that.
Alex Trafton [00:02:23]:
You know, that conflict plays itself out in, in the cyber world, you know, from our perspective with what we work on, the US government is waging that war with a number of tools. Some of those are trade controls around hyper high performing computing, AI, quantum computing, dual use technologies, US munitions list, ITAR, military technologies, and, and foreign investment. So there’s a regime of, of restricting foreign investment in the US from strategic rival nations, which is similar to FIRB in the Australia context. There’s now a, well, in the US it’s called committee on foreign investment in the US CFIUS. And there’s also a reverse CFIUS, which is now proposing to restrict us investment in, in foreign countries. So, you know, this all kind of worse itself out, you know, in heightened animosity and tension, increased cyber activity, cyber threat activity from, from strategic rival nations, you know, like the Ukraine war has. And I think, you know, specifically in the Australian context, it kind of plays itself out with how the US engages in foreign policy and partnerships, how it chooses to share technology. How is it, how it chooses to address cyber threats and build cyber defenses.
Alex Trafton [00:03:37]:
I would say that there is certainly now enhanced enforcement and regulation push in the US the government has issued legislation. The president has issued executive orders. Federal agencies have gone into rulemaking to further regulate cybersecurity. So there is a lot more both preventive and reactive measures that have, but, you know, companies that in many ways, you know, part of the national cybersecurity strategy really was to address cybersecurity at the national level through things like, federal government acquisition. So we see a lot of rules around acquisition, cybersecurity performance in those contracts. We see enhanced enforcement, the department of justice, you know, issued its civil cyber fraud initiative, which intends to hold companies accountable and even individuals accountable for the failure to implement cybersecurity controls when under contract or in industry, when there are guardians and required to safeguard personal data or company data or national security sensitive data. So it’s an, it’s a, it’s an area I would just say, I guess there’s just an enhanced landscape of risk for companies, both from cyber threat actors and, and of risk for companies, both from cyber threat actors and and from government regulation and government, enforcement of those regulations.
Karissa Breen [00:05:01]:
So you said before what the UN’s choose to share technologies with. So, obviously, you’re aware of all the AUKUS initiative in Australia, US, UK.
Alex Trafton [00:05:12]:
Sure.
Karissa Breen [00:05:12]:
Do you think, though, from your point of view that people are seeing technologies, or do you think it’s still sort of emerging or what’s your view on that?
Alex Trafton [00:05:20]:
I think there’s competing equities, right? You know, technology controls in the international trade context exist in, in 2 places. 1 with the US department of state, which manages the international traffic and arms regulation, the ITAR, and with the US commerce department, which manages the commerce controlled list and the export administration regulations, or the EIR. When it says the, the commerce department has a, has a dual hat it’s it’s to promote us businesses abroad, but also to restrict the flow of dual use technologies to, to certain restricted countries. And so there’s competing equities, right? So I think there’s a strong American desire for trade, with our partners in clever countries. But I think at the same time, when those countries come into conflict with, with us national security strategy or national interests, that these agencies will restrict that trade in an effort to make these countries more amenable to, you know, American foreign policy strategy or to restrict access to critical US technologies, which provides qualitative edge, qualitative military edge or other other kinds of, technical advances and advantages over, over near peer adversaries. So it’s definitely been a, you know, a case of both. So at some level, the promoting trade with our partners, but also restricting trade, with partners who don’t, who don’t kind of, align as well with our our national foreign policy.
Karissa Breen [00:06:44]:
So when you say restricting trade, I’m assuming you’re talking about China and France anymore. Is this across the board?
Alex Trafton [00:06:51]:
Yeah. So so it can be across the board, but it’s very specifically targeted at China. I mean, China, you you know, the rivalry between the emerging rivalry between the US and China is the defining rivalry of this century. The way the rivalry between the Soviet union and the US was the defining rivalry of the last half of the 20th century. So, so yes, I mean, I think that that’s definitely the objective is to maintain our, both our military edge, but also our industrial edge over, over China into, into restrict that trade, right. Restrict access to high performance computing technologies, to semiconductors, to artificial intelligence, to stealth technology, to silent sub technology, things like that. You know, and the response from China is, you know, to close that gap, you know, to engage in intellectual property theft against us companies against us defense industrial base companies, the department of defense itself, and also our battle bilateral allies who, who will share defense projects with us. You know, the UK, Australia, Israel, things like that.
Alex Trafton [00:07:56]:
So, yeah, it’s a, it’s a multi multifaceted kind of piece of strategy.
Karissa Breen [00:08:00]:
We’ll come back to that, but before the, the, because obviously this there’s, there’s a lot going on here, but I wanna maybe now let’s flip it to opportunities for Australian companies to work in the US. Obviously, I’m based here in Australia. You can tell by my accent. But a lot of people that I speak to are like, hey. Like, I wanna go work with the US and how do I do that? And you guys have a lot more money and people, a lot more stuff going on. So it’s more appealing to Australian companies, but, you know, I wanna hear your thoughts on that before I go a bit deeper.
Alex Trafton [00:08:32]:
Sure. I so I think that, like, certainly the United States has the most robust defense industrial base, which is that sector of companies, which supply the department of defense with, with products and services. And I think that the US would love to expand that into foreign countries to the degree that it aligns with their security objectives and their national security. That’s right. And it doesn’t compromise the data and, and those acquisition programs that it, that it engages contractors to provide. So, so as far as they’re concerned, yes, they would love very much to, to include countries specifically close allies. And, and the AUKUS agreement does specifically address the, the kind of intermeshing and the expansion of the defense industrial base to include Australia. And of course the UK, you know, just the other day, we had the opportunity to speak with some members of the department of defense, you know, both in the DOD and contractors who, you know, are engaged in bilateral negotiations and multilateral negotiations with the UK, with Israel, with Sweden, with Australia to harmonize specifically the cybersecurity requirements that are required of US defense contractors to participate in that defense industrial base.
Alex Trafton [00:09:50]:
And, you know, certainly there are requirements near like the DSPF or similar in Australia, the central 8, you know, that too is true in the United States. We have very robust contracting requirements, certainly around cybersecurity and securing critical defense data that not classified. So we have classified requirements, but the unclassified data as well. And so, you know, those requirements may be foreign and alien to Australian companies. And so that’s where I think, you know, getting some perspective on how department of defense acquisitions work and specifically the cybersecurity programs, and program requirements work is, is important for those contractors to understand.
Karissa Breen [00:10:27]:
Okay. Operative word that you used was harmonized security requirements. So do you believe that that’s hard to do? I I asked this question because I’ve seen a lot of these little initiatives popping up, and people have the right attention. But, again, it’s hard. People are in different time zones, different parts of the world, different cultures, etcetera. So how do we actually harmonize this for this to work effectively So everyone is operating, you know, in in harmony.
Alex Trafton [00:10:55]:
Yeah. I I I think it’s it’s problematic in some ways. Right. And that there, you know, the cybersecurity requirements, you know, to kind of conduct a business as a, as a contractor or even a subcontractor with the department of defense are, are fairly stringent. There’s a requirement to implement the NIST special publication 80171, which relates to the protection of confidentiality of control and unclassified information. There’s obviously classified data security requirements. There are, as we mentioned, at the port control requirements, the ITAR that you that make, you know, can make trade difficult, harmonize those and say, what, you know, what in, in these countries are they doing that can be considered equivalent Because the, the US is certainly not interested in lowering the standard of protecting this data in order to ensure a foreign contractor gets access to the market. I think that one of the most impactful, rules that’s being made now in was with the Department of Defense.
Alex Trafton [00:11:53]:
It’s now with the Office of Management and Management and Budget, OMB, to be a final rule and regulation and contract clause is the cybersecurity maturity model certification. So, previously the United States, the DOD had allowed companies to self attest to the implementation of NIS special publication, 80171 and multiple audits and inspector general reports revealed that critical data continued to leave the defense industrial base and wind up in China with, with near copies of gen 5 fighter aircraft turning up in China. And that the self attestation, this self attestation regime that they had implemented was not sufficient. They had tried several other methods, spot audits by the department of defense and they weren’t working. So this cybersecurity maturity model certification, the CMMC is going to bring in a third party audit regime, which would be conducted by private sector companies that are certified by a, a, something called the cyber AB, which is a private sector nonprofit that essentially asked acts as a fiduciary of the department of defense in these audits. So I think that the negotiations with foreign countries are gonna need to address those specific equities that the, the department of defense feels that self attestation is not sufficient and that they want independent audits of that cybersecurity program that are a condition of participating in these acquisition contracts. So that may mean an equivalent program in those countries. It may mean that those countries need to stand up their own independent auditing firms, which can audit the CMMC in this special publication, 80171.
Alex Trafton [00:13:29]:
I don’t know where that lands. I do know that, you know, we have worked extensively with European and other defense contractors and, and that those, some of those projects were paused as their ministries of defense were engaged in those bilateral negotiations and multilateral negotiations. So I think the DID is definitely interested in in making that happen. I don’t know with Australia specifically where they are with that, but I do know in in certainly in the DSPF for Australia that this special publication, 80171 is one of the standards that’s accepted as an ICT security standard. So certainly that, that is a standard that’s not unfamiliar to to Australians or the, Australian Ministry of Defense.
Karissa Breen [00:14:09]:
So would you then also say, Alex, that this is just gonna take a little bit of time before companies like Australia, you know, are meeting the standards that you’ve you’ve spoken about? Obviously, we don’t want the US to lower their standards, etcetera. But when when do you believe we’ll get through this stage, in in your words, when we when we start to see that harmony or would this was this gonna take a lot longer than than people are sort of thinking? Because, again, like, the these things are not you know, we just turn them on like lights. Like, it does take a little bit of time, but I’m just curious because, again, geopolitical tensions are rising every day as we’re seeing. So So I’m really keen to get sort of a barometer from you.
Alex Trafton [00:14:47]:
Yes. Yeah. I mean, that’s a great question. I I right now, if an Australian company is is a, is a contractor, a defense contractor to the, to the US department of defense, you know, these are all enforceable through contract law, right? So they’ll sign a contract with the department of defense or with a US prime contractor, Lockheed Martin, Northrop Grumman. Right. And that company will then flow down these contract requirements. So currently the, the, the risk for these companies is limited to contract law, right? Is there privity of contract with the department of defense? Can they enforce it? Right. So, you know, is there going to be another mechanism of enforcing this? I don’t know if there can be, can there be another more of a gating mechanism, right? You have to prove that you can do it before you can enter into the contract.
Alex Trafton [00:15:31]:
That seems much more likely to me. My with looking at how long it’s taken for that to happen inside the United States, you know, this saga of protecting controlled and classified information, which is really the big weak spot in the defense industrial base, it started in 2010 with an executive order. 13 years later, we we’ve, we’ve had a standard for 80171 for 7 years. For 4 or 5 of those years, it was self attestation and this they’ve been trying to make this rule. It applicable to us companies. Right. And theoretically to any Australian company that would have that contract clause for cybersecurity. And it, you know, that’s another 3 or 4 years of rulemaking.
Alex Trafton [00:16:07]:
I mean, to FA to then, you know, establish multilateral or bilateral agreements may be many years in the future. So for the coming years, my expectation is that there may be an audit process there, but there’s still going to be exclusively contract mechanisms to enforce this. And it’s probably going to be the same requirements in this special publication, 80171. I don’t think the US is going to adopt or, or accept a foreign standard, because of the way US law works and that for the defense department must require that the national institutes of standards and technology NIST produce their cybersecurity standards. It is a law. They cannot use ISO 27,000 and 1. They can’t use any other standard. They have to use those from NIST, which is a function of the US commerce department.
Alex Trafton [00:16:56]:
So I don’t think that the US government is going to be able to lower that standard or even change that standard. And whether there’s reciprocal. It’s it’s unclear to me, you know, and there’s there’s certainly other issues at play. The the same contract clause that requires companies, defense contractors to implement 80171 also requires them to provide forensic access to the Department of Defense in the in the event of a cyber incident where US government, data is compromised or potentially compromised and foreign defense contractors are signing that now, but they really should be hesitating in doing because these systems may be comingled with sovereign defense programs in the UK and Israel and Sweden and Germany and in Australia. And does the Australian government really intend to permit, the US department of defense forensic access to potentially very sensitive Australian or, you know, whatever country it is, defense programs. And so there’s other considerations just beyond the standards. So the reciprocality would include, well, can the Australian government conduct forensic? You know, can the Australian government ensure media preservation and malware sampling is malware samples are sent to the US and the FBI and the NSA. So there’s a lot to negotiate there.
Alex Trafton [00:18:08]:
And, and I think that takes time. The government will, especially in the US in Australia too, but certainly in the US turns very, very, very slow.
Karissa Breen [00:18:15]:
So the timeline was 2010. Now at 2023, that’s 13 years. So it’s probably gonna be like a 20 year endeavor. I mean, obviously, like, we don’t know, but
Alex Trafton [00:18:25]:
Yeah. Yes. And it and it’s been a very painful saga. Right? And one of the, you know, initiatives that the government, so the government is you’re at one time saying we’re going to use procurement law to require contractors to do cyber security? How can we force people to do cybersecurity is the question, right? You know, at the same time, they’ve also engaged in the civil cyber fraud initiative, which in the US there’s a statute which is called the false claims act that if you lie to the government to get them to buy your services, that’s a false claim. And it’s a very, very expensive fine, you know, that relates to the cost of the products, the number of violations they have now begun, you know, false claims act. And it’s a whistleblower driven initiative, right? Because whistleblowers take home some percentage of the finding and the settlement. So the US government, the department of justice has been using this tool in the last 3, 4 or 5 years to hold defense contractors, but other contractors accountable for failure to implement cybersecurity. Right.
Alex Trafton [00:19:24]:
So there’s, there’s, there’s currently risk there. Right. I don’t know how that would work with a foreign contractor where, where the, you know, in the contract, the deciding law is going to be carried. I was at the US is that in Australia. Right. And the other thing is the US. I mean, this is very interesting and maybe tangentially related, but the US government has now started they’ve, they’ve realized that holding, you know, entities, companies accountable is, is only part of the, equation. It’s also they’re also coming after individuals.
Alex Trafton [00:19:54]:
You know, I think case in point is the chief security officer at Uber. And I, I don’t know if you track this case, but he’s actually ended up in jail for, for, or lying about ransomware payments and whether those were bug bounties or whatever. And you, you know, that’s a, that’s a major development as well in this process. And, and, you know, getting the, giving the, the threat actors, the attackers actually reduce prosecution or reduce sentencing to testify, you know, against the CSO was, was an interesting, development kind of tangentially related, but I think those are current enforcement mechanisms. So if we don’t see an immediate resolution to bilateral agreements, we don’t see an immediate resolution to an auditing standards, things like that. Yep. I’ll show him contractors who sign these, you know, defense federal acquisition regulation supplement clauses in their defense contracts, you know, are still subject to these risks, Right? These false claims risks, and and and many others.
Karissa Breen [00:20:50]:
Okay. I wanna get back just a second. You said false the the false claims act. So, again, people lying to the government about capability or whatever. So give me an example of what that would look like. So even saying someone claims, oh, we use machine learning, and they don’t? Is that considered then lying to the government?
Alex Trafton [00:21:08]:
Well, I mean, I I can certainly talk about the cases that have been made public. Right. And there was a large case. It was the Marcus versus Aerojet Rocket Dining and, and Marcus was a member of the cybersecurity team at Aerojet Rocket Diner, Rocket Dine made large rocket engines for the US government went in missiles and space aircraft and things like that. They had been telling the US government that they met the, at the time, what were the cybersecurity standards in their defense client? So Aerojet require acquired Rocketdyne in a merger. Rocketdyne had some serious issues with cybersecurity and this relator blew the whistle because they weren’t listening to him basically about how he thought they should with respect to remediating these issues. The case settled in summary judgment, and I think they paid $9,000,000 to the relator. The department of justice didn’t join the case, but what they said was very interesting false claim and, and you, you know, it has to be made knowingly.
Alex Trafton [00:22:12]:
And so how did they, how do they assume, or how do they think the company knew and the company had had incident response documentation from, from cyber incidents. They had had, pen testing reports showing that controls weren’t implemented. They had internal and external audit reports. And so what they told the court was that these are material and the question is inducement. Was the government induced falls under false pretenses to purchase these products? And could they prove harm? And they could prove harm because these were taken, you know, very sensitive information was actual traded most likely, and the government could prove that they were harmed and that the company did so knowingly. And the threshold was so low. Right. You know, thinking about that, a pen test report and identifies a a control that wasn’t implemented or was only partially implemented.
Alex Trafton [00:22:59]:
And then you went to the government and said, oh, we’re in compliance. And the government held that every invoice that they submitted after that time was a, it was an instance of a false claim and it’s $20,000 per instance. So if you’re invoicing the government, you know, 30, 40, 50 times a month, all of those fines we get to stack up. And so I think that what that case showed was how low the bar was right. For the government to consider you a bad faith act, or like it wasn’t that you lied about the existence of something. And there was just a a case of another false claims case, which the DOJ also did not join, but the, the relator continued to press the case was, you know, published, publicized with Penn state and they had done something very similar. They had essentially, according to the relator, this is an accusation, falsified internal cybersecurity assessment documents to improve their there’s there’s a requirement to submit a summary score of your implementation of NIST 80171 in that in a pinch, they falsified these documents. And that’s the claim of the relator.
Alex Trafton [00:23:59]:
It’s not been adjudicated in court, but that’s also, you know, I mean, you, you kind of fake us an assessment, you know, that’s a false claim. So the bar is really, really, really low to get in trouble. You know, there was yet another case that was related to, p PHI that a government contractor had 2 files, 2 files of us service members on a server that was unsecured. And they ended up paying $900,000 for that. And so the bar is just really extremely low. The re the question is, how do you get to the point where the department of justice is looking into your servers? Okay. I mean, you you probably have to screw up to get there, but but again, the bar is very, very low.
Karissa Breen [00:24:37]:
So then I guess you mentioned before, which is why they’re phasing out the self attestation side of things because people can’t be trusted because you’ve just rattled off 3 3 instances where people have lied or they falsifying things.
Alex Trafton [00:24:50]:
Mhmm.
Karissa Breen [00:24:51]:
Wow. Okay. That that’s that’s really interesting. I don’t get why you do that, though. Like, I I okay. I understand for monetary gain. I get that. But, again, like, you’re doing cybersecurity stuff.
Karissa Breen [00:25:05]:
So for me, it’s more than just a job. So there has to be level of integrity there, which is around protecting people if you don’t have any minimum sort of security, compliance at all. It just really goes against your whole mission. So I don’t kind of understand that.
Alex Trafton [00:25:23]:
Yeah. I I think look, I I think that there’s there’s when you run a company and you’re judged on financial performance, there becomes a competing set of incentives. Right? I mean, certainly, I’m in this job and and the rest of my team are in this job because one, you know, we like what we do, but also we kind of also, you know, believe that, you know, the national security of the United States is in, it’s very important. And then a lot of our engagement, certainly in the foreign investment world, we operate, you know, the company pays us, but we are an oversight fiduciary of the federal agencies. And so we work on their behalf frequently to kind of hold, make sure companies are being accountable and are being an operating with integrity and credibility. And we tell everybody who will listen to the account that the currency of the realm with the government is being a trusted partner and that the currency is, you know, credibility, accountability, and integrity. And I, and I think that companies, you know, in a, in a capitalist economy are sometimes incentivized to cut corners or to view things with rose colored glasses and to make decisions. And, you know, in the case of the Uber CSO that, you know, would violate maybe buy integrity, but into time may seem like good ideas, because they’re judged on, I don’t know, performance metrics that are different from mine potentially.
Alex Trafton [00:26:37]:
And so you would, you, you think about it and you go, man, that is, that is really dumb. You shouldn’t have done that. And then very obviously so, but at the time, you know, people tend to have, a very different opinion of what, of what, integrity might look like.
Karissa Breen [00:26:51]:
Yeah. Totally understand it, and and great points. So, hey, I now wanna focus on all the companies. You’ve listed as a fair few checks and balances if you wanna work with, like, you know, US defense, for example, where you sort of can’t just roll up there and begin working as you’ve clearly articulated today. But would you say now it’s maybe a deterrent because it’s gonna you know, the to get all of these checks and balances done, that’s gonna cost money. And, you know, it depends on the company. For the big company, of course, it’s different. If they’re multinational, of course, it’s different.
Karissa Breen [00:27:25]:
But these startup companies will scale ups.
Alex Trafton [00:27:27]:
Yeah. I mean, I think you’ve summarized in in a pretty short sentence there. The concern, not just for Australian companies, but for American companies. Right. I mean, I think that’s the, the, you know, when, you know, the way laws become regulation is through agency rulemaking, right? So they basically say the defense department shall protect our data. And then they go, the defense department shall go make a rule. And these are all products of those rules. These, these standard we have and, you know, in they’re required to take public comments and 80, 90% of the public comments are related to cost and burden.
Alex Trafton [00:28:04]:
This is very expensive. This is very hard. How do you expect us to do it? And I think that that’s a very salient question, right? That how does a small company may meet this requirement, right? That may even be a 3rd tier subcontractor that no one at the DOD even knows exist, not signed a contract with the DOD. It’s still subject to the requirements. A great question. And the answer from the federal government has been very clear we don’t care. You know, on the other hand, the I’ve I went to an acquisition conference for the DOD last year in San Diego. And, and there was 3 Admirals and a general on stage saying, screaming, we need small businesses in innovation to come to the US defense industrial base and work with the DOD.
Alex Trafton [00:28:45]:
When bill Clinton left office, there was over a 100 prime contractors, right? That those were large, you know, aerospace and defense contract companies that worked for the DOD. We’re down to about 6 today. So there’s just been a great deal of consolidation and that’s, that’s flowed innovation. So I think your point is exactly right. I, you know, if I, as a, as a forward thinking war fighter who has to deal with global threats that are potentially technologically sophisticated, that are extremely dangerous, And I need to keep my, my people alive. Like I want smart, capable, fast moving people to produce what I use to accomplish my mission. Right. Because my mission is to be fast, mobile and quit and, you know, all of those things.
Alex Trafton [00:29:29]:
And so the DOD, you know, obviously wants these companies to be involved. And so the question is, how do they do it? And I don’t think they have the answer. One, there are ways to get around certainly these requirements. There’s there’s, what’s called an OTA, which is other transaction authority where the DOD can identify high impact technologies and things like that, and kind of create a different avenue typically for smaller businesses to get acquisition contracts without all the burdens and keep in mind that we look at what’s in a federal contract and I’m sure it may be similar in Australia, but you have tons of required. The cybersecurity requirements are about a few of 100. You have, you have requirements on, you know, the cost accounting, right. Child labor certifications that you’re not using child labor. You name it, it’s in there, you know? You know, is there a small business owned by a minority? Is there new native Americans? Right.
Alex Trafton [00:30:21]:
All of those things come into play in contract. And so there’s a lot there that companies have to work with. And so for smaller companies, it’s, they don’t have counsel to review these things. Right. So they just, this sign them or they avoid them. And so they are these mechanisms for the department of this to engage, you know, highly mobile, highly agile tech companies. And there are, they are definitely doing outreach in Silicon valley and tech places. Right.
Alex Trafton [00:30:45]:
And I think that’s where an opportunity exists for Australian companies. Right. I mean, I think that the, that the US defense department would be very eager to work with, you know, high speed, high-tech companies from Australia. I mean, some that I’ve even even worked with we’ve, we’ve worked with tech companies from Australia trying to help them get into this market. Right. And, you know, great thinkers, obviously Australia is a, incredibly technologically advanced country, well educated population, hardworking, I mean, all the, all the, all the ingredients you need to be successful and productive, right? Certainly in this space. And it would be a shame if they weren’t, if the US weren’t able to benefit from that and vice versa, that the Australians weren’t able to benefit from, you know, American technological innovation. And I think that’s the problem that the US government needs to solve in this kind of strategic tug tug of war or put pull with China is how do you collect more of these countries that are democratic, like Australia, that have highly educated, highly technical workforces, get them inside the tent more, right.
Alex Trafton [00:31:45]:
And ease that trade and make it easier for them to access your markets and vice versa to increase cooperation, to increase the flow of capital, to increase innovation, and to increase kind of military acquisition capabilities and and technological advancements.
Karissa Breen [00:31:59]:
Okay. So a couple of things in there I wanna explore a little bit more, and just going back to your comment around innovation, that’s exactly well, that’s exactly gonna be my next question. So I wanna map out what’s going on in my mind because I think you you agree with this theory, which is okay. You see about innovation in Australia. They harp on a lot about innovation. But then, just hypothetically, it’s like, oh, well, no. We can’t work with you. You’re too small.
Karissa Breen [00:32:26]:
You haven’t got you haven’t been around for 7 years. Yeah. And then it’s like, oh, but we need to have diversity of thought. So then it’s like, well, we can’t do that because you’re not enabling us to do that. It’s gonna because I’ve been around for 6 months. You may have a better solution to perhaps a larger company, but they get overlooked. And then it’s like, well, the big companies just keep getting fed, and then the poor little companies
Alex Trafton [00:32:49]:
Mhmm.
Karissa Breen [00:32:50]:
Are just going this is what I’ve seen in the last 3 years, especially here in Australia. They’re not getting the VCs that care about security companies here in Australia. The money isn’t flowing here from a private equity point of view. So what that then look like?
Alex Trafton [00:33:05]:
Mhmm. That’s a great question. I mean, you know, I I’ve read the requirements, right, at least in the Australian legal world, to, to engage with the Australian defense industrial base. And it’s, it’s a track record of running a business, right? They want trusted partners. Oh, we need 7 years and we need, we need you to meet all these requirements and have these certifications and, and implement these standards. And you look at great technological advancements. It’s 3 guys in their mother’s garage with, with, I speak GPU. I mean, like those people aren’t going to meet the criteria.
Alex Trafton [00:33:39]:
Right. So I think the government is having the governments meet both Australia and United States are having to balance the requirements of, you know, being a fiduciary of their citizens data, their, you know, their national security and also, you know, getting innovative, people in, I mean, what’s, what’s been the result. And, you know, certainly there are defense focused venture capital funds in the US it’s, it’s a market we’ve tried to engage with and say, you know, how do you, you know, you can give them money, but how do you help them get access to the market if they don’t already have it? Right. Because that’s part of the piece in the, in the acute problem that you’ve described and well articulated that they don’t have access to that market. Right. And I think, you know, the, the US has solved some of that with different those OTAs and other transaction authorities and ways of acquiring those, systems. Right. You know, but specifically in, in the cybersecurity space, I mean, that’s another place where we need agile companies, right? We need diversity of products.
Alex Trafton [00:34:40]:
You know, a good company will run 2 types of firewalls, not just 1, right? I mean, so diversity of cybersecurity tools, diversity of cybersecurity services, the DOD definitely wants more cybersecurity personnel available as both employees and contractors. So how do they get that? Right. And it’s a, it’s definitely an acute problem. And I don’t, and I don’t know how they solve it. Right. W with kind of balancing the equities of security and fiduciary, you know, protectors, you know, fiduciaries of their citizens in terms of data protection. Right. And what’s one of the things that’s certainly happened in the United States.
Alex Trafton [00:35:11]:
And I described earlier was that consolidation of the market. So large companies can identify these companies that may be struggling to access the market and certainly acquire them, right. Or larger companies. And so what you have again is, is basically what’s going on throughout the US economy. Right. And I assume in Australia, maybe not as acute a problem, but certainly not peculiar to the US either is large, very wealthy companies are acquiring many, many more companies. And what you have is fewer and fewer companies deserve delivering more and more of the products and services consumed in the economy and certainly consumed by the governments. And I think that’s probably a general risk.
Alex Trafton [00:35:49]:
And I think it’s one of the outcomes of the problem you described is that some of these smaller companies never are able to scale before they can be acquired. And certainly the founders are incentivized to sell, you know, when they feel like they can make enough money. Right. So they’re not necessarily operating on the notion that I have to deliver this product, you know, as a small business to the defense department, that’ll change the world. Right. They’re thinking, well, we’ve got a $100,000,000 I’m I’m adding it. Right. And so, so there’s lots of competing incentives, I think is a problem.
Karissa Breen [00:36:17]:
Yeah. You’re so right. And I’m seeing that every day because, obviously, we get the notifications as a media company into our inbox. So I’m seeing it, like, every day a big company goes and acquires x company. Little companies, large and medium sized ones. So do you think it’s gonna get to a stage where we just have I don’t know. I’m just gonna make up a number. 20 or arbitrary number.
Karissa Breen [00:36:38]:
20 random, large, big companies that have just acquired all the little companies in between, or do you think there’ll still be a balance? Or what do you think?
Alex Trafton [00:36:47]:
Well, I mean, let’s I mean, let’s take cybersecurity as an example. I mean, we see companies doing major acquisitions. Right? Google bought Mandiant. Right? You know, Palo Alto does acquisitions, right? You just name the security company and you’d see a bunch of smaller companies being acquired, you know, in, at least in, in, in the US you know, for us with the cloud market, certainly, you know, Microsoft and Azure, you know, they’re very big in the defense space and they have a very impressive suite of tools and, and, you know, Google is trying to close that gap and they’re doing so just by acquiring the capabilities and trying to patch them together. Okay. So these are all companies that, you know, individually may have innovated or now right. Part of a part of a behemoth. Right.
Alex Trafton [00:37:26]:
Like, how does that end up? Yeah. I think that there is some, I, you know, you, you, it’s certainly, you know, they have antitrust laws to break up these, these companies, you know, they’ve threatened to do that to Amazon. They’ve threatened to do that to Microsoft. They threatened to do it to Google. I don’t think they’ve used antitrust now, but I think it does create a problem for diversity of thought, certainly in the cybersecurity space. Right? I mean, that, that I though that is a very hot market for acquisitions. And I think it’s, I don’t know if it stifles innovation, but it could.
Karissa Breen [00:37:53]:
Yeah. That’s that’s an interesting observation. So then just going back on that a little bit more, what about the intention? So, I mean, I work with all of that up. There are a lot of people in the start up sphere in this country, in in yours, in UK, etcetera. So do you think now people are just creating security companies with the intent of, I just wanna get an acquisition, like you said, a $100,000,000 amount. Sure. So then what does that then do for our actual ecosystem if you’re not building a company to change the world in in your words?
Alex Trafton [00:38:18]:
Yeah. That was my, I was at RSA conference in San Francisco. I don’t know, 18 months ago. I, you know, I go for meetings and I, I walked the floor to collect free shirts for the year. Right. The re up the wardrobe. And so I’m walking around, I’m seeing all of these companies and they’re all like M MDR companies or whatever MDX now. And it’s, and it’s, you know, dynamic software scanning and statics code analysis companies.
Alex Trafton [00:38:44]:
It’s all just different flavors. And they’re all there with venture capital money. Right. And none of these, the, most of these companies don’t, don’t make it right. They don’t, they don’t even get an exit. They just kind of go away because, you know, venture capital companies are incentivized right. To, to distribute risks. So they invest in 10 companies.
Alex Trafton [00:39:01]:
Let’s say they invest in cybersecurity sector. They invest in 10, 10 MDR solutions or MDX or whatever they’re calling it now. And they only need one of those to be a, to be a rocket success. The other 9 can, can wither and die and they still make enough money to kind of perpetuate their model. So you end up with a bunch of companies that may never had really a viable product or a viable business model. But, but that didn’t stop them from getting capital. And that was, you know, this collapse of the Silicon valley bank in the US. Right.
Alex Trafton [00:39:29]:
And I don’t know if you guys track this there. This was a very serious issue. It’s been a long time in the US since a bank became insolvent and and the federal government had to step in and it was, it was a very concern that would be a broader run on the banks. I mean, that was driven a lot by this culture of incessant serial compulsive serial investing in tech companies and specifically certain security companies that really didn’t ever deliver a lot of value. And so, you know, among other things, right. But that venture capital element that this bank served VC funds, that was their, one of their main businesses. And so that, that was, that was kind of a product of this culture of just, you know, compulsive serial investing in these companies. And, you know, maybe there’s a few there that, that, that, that don’t belong, you know, or more importantly, maybe there are companies that are great and they throw money at them and ignore them and never.
Alex Trafton [00:40:19]:
And they end up dying when they could have been revolutionary. So I, you know, could go either way, but I think it’s a real, it’s a challenge, you know, I don’t know. I think certainly the United States is a great, source of innovation, but that, you know, I don’t know if that’s an indefinite title. I don’t know if, if champion of innovation in the world, you know, the lead innovator is going to be true forever. We certainly have country, other countries, you know, trying to nip our heels, certainly the India and the subcontinent and China, you know, parts of Europe. You know, there’s certainly other, there are other very technical technocratic societies now that have, that have kind of industrialized and, and, and grown their economies and can kind of certainly start to challenge us. And I think that circling back to my original point, that’s part of right. This, this new technical technological cold war is that like, we’re realizing that, you know, our massive technical gap that existed in the eighties, right.
Alex Trafton [00:41:14]:
That doesn’t exist as much anymore. And what are we going to do to kind of maintain our edge? Right. Is it, is it more VC money? Is it DOD gets VC money or is it like we deny technology to our rivals? Like, but I think this kind of comes full circle to the problem of, you know, how do we maintain our qualitative industrial and military edge over rival nations? And, and, and that’s a collection of nations that includes what I consider Western, not pejoratively, but just the way in the parlance, right? Western democracies, New Zealand, Australia, United States, Canada, Western Europe, and probably Japan and South Korea. How do we maintain that, that those qualitative edges? And so I don’t know. And I think that’s a big problem, but I think these, these multilateral and bilateral agreements do a lot to ease the strain and lower the barriers to that cooperation and participation. That’s probably ultimately necessary.
Karissa Breen [00:42:09]:
Yeah. Those are great points. Look. I don’t know either. I think Tom will tell. Maybe they’re gonna bring a VC on the show and hear their thoughts. I remember whenever that’s their model, they’re gonna buy 10 horses, you know, back all of them, but only one’s gonna win. So look.
Karissa Breen [00:42:26]:
I don’t know. It’s it’s interesting. I think time will tell, but I wanna get your thoughts on this. Just my observation as an Aussie I was in the United States for a month last year, so in December. It was great. People were very lovely there, very nice. One of the things that was apparent is everyone in Australia here, like, at least the US in day to day conversations comes up multiple times a day. Not the other way around when you’re in the US.
Karissa Breen [00:42:52]:
Australia never comes up. Now I understand that wholeheartedly because you got everything there. So it’s like as Aussie companies coming into the US, I get that, but then, you know, how do we get, like, reciprocity with, you know, the US thing coming into Australia? Because, again, I rarely saw an Australian. I think I saw one family at Disneyland, and I was there for a month. People couldn’t guess my accent all of the time, or it just it’s just not a thing. So how does that then look coming from the other side of the coin of US companies coming here and, you know, deploying capability into Australia? And that does happen, but, again, it’s probably not the first thought for a lot of these US based companies.
Alex Trafton [00:43:39]:
I agree. It’s a good question in one. You know, right. I mean, this just kind of probably is an indicator of the, the solipsism of, of America. And I lived in Australia. Right. So, so I, I appreciate what an amazing country it is and beautiful, you know, landscape environment, people, economy. But yeah, I haven’t, I think given that so much thought, but it, but I, but I think that’s part of the point of some of these, these, you know, agreements and, and these, you know, certainly side cybersecurity cooperation agreements, and those are the cooperation agreements, right.
Alex Trafton [00:44:13]:
Is to kind of open to build that trust and open those markets. I think with respect to American companies, it’s it’s lowering right. The barriers to entry tax incentives are things that, you know, companies would look for. And you certainly have your own regime of foreign investment review, right? For, you know, we have CFIUS, you know, as these, I think as these cooperation agreements grow, I think as the United States really starts to realize what a critical partner Australia is, right? Their proximity to our, you know, Eastern rivals or Western rather depends on how you think about it. You know, their proximity, you know, their similarity in culture and government I think those those agreements tend to lower the barriers, right, to entry. And so hopefully, you know, the acquisition of US and British submarines, you know, leads to vice versa US investment in, in the Australian economy. But I don’t, you know, I don’t know what, like, I don’t know what those numbers are. Right.
Alex Trafton [00:45:13]:
Like, what is, what is like the, the amount of foreign investment from US into Australia now, was 10 years ago. I don’t know if it’s trending flat up or down. So I couldn’t, I probably couldn’t comment.
Karissa Breen [00:45:23]:
So is there any specific Alex you’d like to leave our audience with? Any closing comments or final thoughts? I know we’ve covered a lot of, topics today, and it was we could probably go home for a while, but is there anything that you’d like to leave everyone with?
Alex Trafton [00:45:37]:
Yeah. I mean, I I do think Australian companies that you’re thinking selfishly as an American, you don’t have a lot to offer specifically in the defense space. Right. And, you know, I would encourage, you know, Australian companies, Australian defense contractors to bid on and join right American acquisition contracts, the department of defense contract. Oh, we don’t need to urge them. Right. They’re probably, something they’re thinking about, but, but, you know, when doing so, you know, from small to large company, making sure that they’re really paying attention to the cybersecurity piece and operating in good faith when they’re implementing those things is really going to reduce the risk. And, and, you know, I think that’s it.
Alex Trafton [00:46:12]:
And also, you know, to be good, good partners. Right. And I think we, like, we could all, we could all learn from that, but also being good partners when they’re operating under these agreements, under export agreements, TAAs, things like that, that these companies are, you know, guardians and fiduciaries of our national security as well. And, and to take those kind of duties and obligations seriously. And I think, you know, that’s a big one. That’s, that’s counsel. We give American companies all the time, frankly, but, but yeah, but do encourage specifically Australian innovation and, and participation in our defense industrial base and our economy at large. Because I think that this, the partnership between Australia and United States is extremely critical for both countries at a time of growing both kinetic and cyber threats and partnership, you know, spans all of those.
Alex Trafton [00:46:55]:
And so I think it’s a good opportunity to your point to to grow trade, to grow, you know, bilateral economic relations and defense relations. So do absolutely encourage it.