Paul Kurtz, a former cybersecurity advisor to Presidents Obama and Bush, is a successful entrepreneur. His company, CyberPoint, reportedly offers security consulting services to the United States government, the United Arab Emirates, and a variety of domestic and overseas customers. Now his new startup, TruStar, is venturing into uncharted waters: anonymous sharing of cyberattack information by some of the world’s largest corporations.
When I spoke with Kurtz on the phone, he described his new company (cofounded with former eBay chief security officer Dave Cullinane) as an anonymous cyberattack report sharing platform. Cybersecurity teams at corporate or government clients fill out reports of attacks against their organization (anything from emails that attempt to “spearphish” information from executives to sophisticated attacks on servers). TruStar’s platform strips those reports of identifying information and re-sends them to clients on an inbox-like dashboard. The goal, Kurtz says, is to give companies intelligence on attacks happening around the world, and to share intelligence that can help defend their systems.
“Doing this puts us in a much better place to turn the table on the bad guys,” he told Fast Company in a telephone conversation. “The bad guys have used anonymity for years, sharing data on exploits and treasures from exploits behind the scenes, while the good guys operate in their own separate silos. I think that is ready to change.”
In order to share information between, say, a stock exchange that’s systematically compromised by Russian hackers and public utilities whose control systems can be remotely accessed, Kurtz had to face an unusual challenge for his startup: getting the blessing of the Justice Department to operate.
Because TruStar has corporations working in the same field sharing intelligence with each other, the company volunteered to have the Justice Department ensure it was not running afoul of antitrust laws. The Justice Department ended up giving TruStar permission to go ahead in October 2014, with the proviso that the company’s subscribers don’t share competitively sensitive information.
Although Kurtz declined to identify any of his customers, citing privacy concerns, he claims about 10 “low-number Fortune 500 companies” are already clients. These customers, Kurtz says, include companies working in the fields of finance, IT, transportation, and commercial services.
The major obstacle the company has to face is the obvious one: convincing secretive corporations to share information on hacker attacks with their rivals. This goes against decades of corporate logic; however, President Obama asked in early 2015 for companies to share information with each other in the wake of the Sony hack. TruStar hopes to ride this wave.
The startup also hopes Kurtz and Cullinane’s reputations will assuage potential clients. The mantra Kurtz kept repeating was “We provide anonymity.” Now, TruStar just has to reassure hundreds of potential customers that anonymous is anonymous, and that companies should indeed share information about hacker attacks.