In June 2017, Russian hackers launched a malware attack on Ukraine called NotPetya. The attack, which locked users out of their own files unless they paid a ransom in bitcoin, was just one more tactic in the conflict between the two nations that had begun three years earlier. But viruses don't respect borders, and this one spread far beyond Ukraine.
It infected computers in Europe and the U.S., and even in Russia itself. Mondelez (MDLZ), the giant global food company headquartered in Chicago, was hit hard. NotPetya disrupted e-mail and logistics and caused $100 million in damage. The White House called it "the most destructive and costly cyber-attack in history." Total international destruction: $10 billion.
Nearly five years later, the Russians have invaded Ukraine and war is raging. Experts had been expecting more cyber devastation, but so far Russia has not knocked out Ukraine's power grid or other important infrastructure.
From just $107.88 $24.99 for Kiplinger Personal Finance
Become a smarter, better informed investor. Subscribe from just $107.88 $24.99, plus get up to 4 Special Issues
Sign up for Kiplinger’s Free Newsletters
Profit and prosper with the best of expert advice on investing, taxes, retirement, personal finance and more - straight to your e-mail.
Profit and prosper with the best of expert advice - straight to your e-mail.
"I think the biggest surprise to date has been the lack of success for Russia with cyberattacks against Ukraine," Stephen Wertheim, a senior fellow at the Carnegie Endowment for International Peace, told Vox.
It's not from lack of trying. The U.S. government's Cybersecurity & Infrastructure Security Agency issued an alert disclosing that leading up to its invasion, Russia "deployed destructive malware against organizations in Ukraine to destroy computer systems and render them inoperable."
Also surprising is that Russia has not successfully launched cyberattacks against the U.S., the U.K., Germany or other NATO allies. One reason is that NotPetya – as well as the WannaCry attack instigated the same year by North Korea – taught businesses and governments key lessons about protecting themselves.
Another is that the Russians know that the U.S. uses a strategy of deterrence, akin to its policy on the use of nuclear weapons, as a primary defense against a major attack. If Russia shuts down our power grid, or large parts of it, the U.S. has indicated it will respond massively, throwing the Russians into the cold and dark themselves, or worse.
Cybersecurity Sector Booms as Demand Grows
There's no reason for us to be smug, though.
Don't forget that Colonial Pipeline, the largest fuel network of its kind in the U.S., was breached last year, shutting off operations. It was caused by a single compromised password and could have been prevented by multifactor authentication, a basic cybersecurity tool that can involve simply sending the user a text with a code number. Colonial paid the Russian hackers a ransom of $4.4 million.
A vulnerability called Log4j in free software has led to attacks from hackers in Russia, China, Iran and other antagonists of the U.S. The Wall Street Journal reports "10 million attempts to exploit the Log4j vulnerability per hour in the U.S." The CISA's website carries a gigantic banner at the top that says "SHIELDS UP," a warning that times are perilous.
In the cyber world, hackers always have the upper hand, but defenders are catching up. The companies that deploy the software, hardware, intelligence and training to thwart attacks have gotten better at what they do. Businesses know that they have to invest in cybersecurity or risk huge losses or outright failure.
As a result, the cybersecurity sector is booming. Gartner, the research firm, pegged global revenues at $150 billion in 2021, a 12% increase over 2020 and roughly double sales in 2017. Even before the Russian invasion, Fortune Business Insights was predicting spending would rise to $376 billion by 2029, an annual growth rate of 13%.
Nearly all of the internet giants, including Alphabet (GOOGL) and Microsoft (MSFT), offer cyber protection programs. Microsoft's security revenues last year were $15 billion – more than any other freestanding company's.
Pure Plays Among Cybersecurity Stocks
Among more focused opportunities, turn first to the largest such stock, Palo Alto Networks (PANW), with a market capitalization (shares outstanding times price) of $60 billion. Since NotPetya, revenues have tripled, and the company's share price has more than quadrupled.
Palo Alto is known for its firewalls, which inspect internet traffic and protect against viruses, spyware and data leakage – as well as identify vulnerabilities. Like many cybersecurity stocks, Palo Alto is still unprofitable. But you're buying a future in which what the company sells is an absolute necessity. (Stocks I like are in bold; data are as of April 8.)
Another larger cybersecurity company, Fortinet (FTNT), offers a wide range of tools, including intrusion-prevention and anti-malware software. Fortinet's sales spiked 29% last year, and it made a small profit. Shares have risen nearly 20% since the war in Ukraine began, and the stock's price-earnings ratio is 68, based on analysts' forecasts for earnings for the year ahead.
Also among the larger companies is CrowdStrike (CRWD), which is especially adept at protecting endpoints – that is, devices such as smartphones and workstations that communicate with broader corporate networks. CrowdStrike's revenue, nearly all of it from recurring subscriptions, soared 66% for the fiscal year ending January 2022. The stock has risen accordingly, but it is still worth a close look.
A recent update of the cybersecurity industry by securities firm Needham & Co. identifies Tenable Holdings (TENB) as the best way to play the convergence of information technology and operational technology.
For many firms, information technology, housed in the firm's own computer systems or in the cloud, drives operational technology, or the functioning of its machines and other physical assets. This convergence is great for business, but it also leaves a company open to catastrophic attack. Tenable is unprofitable, and its market cap is more than 10 times its sales. But I view the risk as worth taking.
Tenable is also a potential takeover candidate in a sector that is consolidating. NortonLifeLock (NLOK), a powerhouse on the consumer side of cybersecurity, is awaiting regulatory approvals to complete its merger with Avast, a firm based in the Czech Republic that focuses on protecting small businesses. Norton has a solid franchise and provides good balance to faster-growing, more-expensive companies in the sector. Norton trades at a P/E of just 14.
Other companies I like (all have a market cap between $4 billion and $6 billion) include KnowBe4 (KNBE), whose shares are still about one-third below their all-time high; SailPoint Technologies Holdings (SAIL), which specializes in identity security; and Qualys (QLYS), with sales up nearly 50% over the past three years.
Among exchange-traded funds, consider Global X Cybersecurity (BUG), with an expense ratio of 0.5%. In 2020, its first full year, it returned 70.8%, and it gained another 13% in 2021. It’s breaking even so far in 2022. Palo Alto, Fortinet, CrowdStrike, Tenable, NortonLifeLock and Qualys are holdings, so the ETF provides a handy way to buy some of my favorites.
James K. Glassman chairs Glassman Advisory, A public-affairs consulting firm. He does not write about his clients. His most recent book is Safety Net: The Strategy for De-Risking Your Investments in a Time of Turbulence. Of the stocks mentioned, he owns Microsoft. reach him at James_Glassman@kiplinger.com.
-
I'm want to give my 3 grandkids $5K each for Christmas.You're comfortably retired and want to give your grandkids a big Christmas check, but their parents are worried they might spend it all. We ask the pros for help.
-
If You're Not Doing Roth Conversions, You Need to Read ThisRoth conversions and other Roth strategies can be complex, but don't dismiss these tax planning tools outright. They could really work for you and your heirs.
-
Could Traditional Retirement Expectations Be Killing Us?A retirement psychologist makes the case: A fulfilling retirement begins with a blueprint for living, rather than simply the accumulation of a large nest egg.
-
5 Big Tech Stocks That Are Bargains Nowtech stocks Few corners of Wall Street have been spared from this year's selloff, creating a buying opportunity in some of the most sought-after tech stocks.
-
How to Invest for a Recessioninvesting During a recession, dividends are especially important because they give you a cushion even if the stock price falls.
-
10 Stocks to Buy When They're Downstocks When the market drops sharply, it creates an opportunity to buy quality stocks at a bargain.
-
How Many Stocks Should You Have in Your Portfolio?stocks It’s been a volatile year for equities. One of the best ways for investors to smooth the ride is with a diverse selection of stocks and stock funds. But diversification can have its own perils.
-
Why Bonds Belong in Your Portfoliobonds Intermediate rates will probably rise another two or three points in the next few years, making bond yields more attractive.
-
140 Companies That Have Pulled Out of Russiastocks The list of private businesses announcing partial or full halts to operations in Russia is ballooning, increasing economic pressure on the country.
-
How to Win With Game Stocksstocks Game stocks are the backbone of the metaverse, the "next big thing" in consumer technology.
-
5 Stocks to Own for DecadesBecoming an Investor Companies that can achieve spectacular business success are innovators with big ideas and mammoth potential markets.
