Hewlett Is Upping Its Bet on Cybersecurity. Is the Money Flowing in the Right Direction?

In April, the Hewlett Foundation announced an ambitious $20 million effort to bankroll work on cybersecurity by academics and policy groups, so that this crucial issue isn't left in the hands of government agencies and private contractors.

As we pointed out at the time, building up new fields is exactly the kind of thing that foundations do so well, especially ones like Hewlett, with deep pockets and long horizons. Hewlett's play on cybersecurity—an area largely neglected by philanthropy—struck us as a smart move, even if the actual impact was hard to predict. And we thought that before a wave of hacker attacks on large corporations, like Home Depot, and before the U.S. indicted five Chinese military hackers, in a move that fanned growing tensions with Beijing. 


Recent events may help explain why Hewlett's appetite for funding work on cybersecurity has grown in recent months. Recently, the foundation upended its original grantmaking budget, pledging $15 million apiece to MIT, Stanford, and UC Berkeley to establish a major academic initiative at each school to address growing cybersecurity concerns and threats.

With Hewlett’s $45 million pledge to a field that is largely considered to be in its infancy, its total commitment to cybersecurity work over five years has grown to $65 million—more than triple the amount originally pledged for this effort back in April. Hewlett is now far and away the largest philanthropic funder on cybersecurity issues.

It's worth pausing to juxtapose Hewlett's nimble opportunism here with its reputation as a rigid practitioner of "strategic philanthropy." After cybersecurity issues got exponentially hotter through the spring and into the summer, the foundation upped its bet in this area in a big way. 

Now, whether the foundation can achieve the goals of its cyber initiative is another question. A key objective is to raise the level of discussion of cybersecurity and create a more coherent field, much as nuclear security funders did in the 1980s when they bankrolled a host of academics and policy wonks to work on nukes.

MIT, Stanford, and Berkeley will use their respective $15 million grants to create "campus-wide efforts to connect scholars across disciplines—including engineering, political science, economics, public policy, business, anthropology, information technology, and more—to work collaboratively on cybersecurity and policy problems." Presumably, as well, these efforts will connect up with work by government agencies, corporations, and think tanks. 

MIT will focus its efforts on bringing together scholars from engineering, social sciences and management in order to work on developing a better understanding of security behavior in large-scale digital systems. Stanford will focus on issues related to trust building and network governance. UC Berkeley will be exploring the various pathways the growing field of cybersecurity may take in the future, looking at the area from different angles through interdisciplinary research.

All that sounds useful and important, but one never really knows how campus investments like this will play out. Scholars and academic institutions often move at a glacial pace, and overhead costs can eat up a lot of grant money. Is handing $45 million to elite universities really the best way to respond to a threat that is rapidly growing and evolving? 

That's an interesting question. Hewlett's doing a good thing building up the academic cybersecurity field almost from scratch. But you have to wonder about the timetable for this particular issue—and what sorts of cyber catastrophes could unfold as the scholars Hewlett is bankrolling plod along in their usual maddening fashion. Entire new computer viruses can be invented and deployed in the time that it takes International Security to peer review a journal article. 

Just to be clear, Hewlett’s $45 million investment in university research isn't the only bet it's placing as part of its cybersecurity initiative. Since the program launched, the foundation has also awarded around $2 million in grants to think tanks such as the Center for New American Security and the Carnegie Endowment for International Peace. Additional such support may well be in the works. 

If we were writing the checks, we might reverse the order here: Giving the big money to policy shops that can move fast and smaller money for academic work. 

As it happens, though, the guy who is writing those checks—Hewlett president Larry Kramer—is a former academic who, most recently, was dean of the Stanford Law School. And in his view, mobilizing academic firepower is all-important in tackling cybersecurity threats: “Having these three universities on board, with their global reach and world-class faculties, is a huge step in addressing one of the defining challenges of our time,” Kramer said.
