CyberWars 

Surge of Cybersecurity Bureaucracies Sparks Lucrative Opportunities For Industry 

2,010 

By Sandra I. Erwin 

A cybersecurity gold rush is under way amid widespread confusion about how the federal government will oversee efforts to protect the nation’s computer networks. A flurry of new legislation has compounded the chaos as companies try to sort out what products and services various agencies will be acquiring.

An onslaught of proposed new laws and the creation of additional bureaucracies, such as the White House cybersecurity coordinator’s office and U.S. Cyber Command, have set in motion an industry scramble. Contractors are trying to make sense of the morphing regulatory and business landscape as they seek to tap into an $80 billion a year information-technology funding pool that, unlike other portions of the national-security budget, is expected to grow over the next five years.

Cybersecurity has been a significant source of business for the IT industry for many years — particularly from the Defense Department. But companies are forecasting growth in the coming years not just in military contracts but also in work with civilian agencies. Much of the legislation now moving through Capitol Hill will expand the role of the Department of Homeland Security in cyberwarfare, which should fuel contracting opportunities. The explosion of Web 2.0, cloud computing, social media and other Internet-based technologies has triggered a demand for encryption and firewall systems to shield government networks from intruders. As fears escalate, the industry is unleashing waves of new products and services that are now being marketed outside the traditional circle of military customers.

Reports of security incidents at federal agencies increased by more than 400 percent between 2006 and 2009, according to the Government Accountability Office.

In addition to benefiting from a greater demand for cybersecurity products, the industry projects its business will expand because there will be more agencies involved, often with overlapping functions. Cyberwarfare programs at the Defense Department are spread throughout the military services, several agencies and major commands. Internal competition is expected to intensify among organizations that don’t want to relinquish their turf. Another key advantage for the industry is that the government heavily relies on the private sector for technical expertise. The White House has launched a new initiative to speed up the hiring of in-house talent, but such programs could take years to achieve tangible results.

The U.S. government has a “desperate shortage of people who can design secure systems, write safe computer code, and create the ever more sophisticated tools needed to prevent, detect, mitigate and reconstitute systems after an attack,” said a recent study by the Center for Strategic and International Studies.

Experts have questioned the government’s dependence on contractors as subject matter experts, which can create conflicts of interest. Industry often is put in a position to advise the government on how to defend networks, for instance, and at the same time companies worry about their job security and sustaining a revenue stream from government clients. Private companies own and operate about 85 percent of global networks, including those used by the military.

Howard Schmidt, White House cybersecurity coordinator, recently hosted a meeting with industry executives where he called for “partnering” between the public and private sectors in pursuit of better protection of the nation’s networks. Such rhetoric, however, ignores the reality that what may be in the government’s best interest may be detrimental to the industry’s bottom line, noted James Lewis, a CSIS analyst who specializes in cybersecurity.

Many companies distrust the government’s rhetoric about working in partnership, concluded an informal poll taken by retired Air Force Lt. Gen. Harry D. Raduege Jr., who co-chairs a cybersecurity commission under President Obama.

The environment today promotes dysfunction, rather than cooperation, said retired Air Force Gen. Ronald E. Keys, a senior advisor at the Bipartisan Policy Center. “You have the dysfunction of government bureaucracy, and you have the dysfunction of proprietary and profit motive,” he said at a recent conference hosted by the Washington D.C. Chapter of the Armed Forces Communications and Electronics Association.

Significant barriers stand in the way of public-private cooperation, experts said. No incentives exist for private companies to share sensitive information about the security of their networks.

Somehow, industry and government will have to find a way to reconcile competing interests, said Ellen McCarthy, president of the Intelligence and National Security Alliance. “It’s a delicate balance,” she said at the AFCEA conference.

Only the government has the power to offer incentives to the private sector, she said. It could offer tax breaks or safe harbors to companies willing to exchange information freely.

The contracting system encourages stovepipes and turf warfare rather than teamwork, said Guy Copeland, chairman of the Cross-Sector Cybersecurity Working Group, which brings together government and private entities for monthly discussions.

Any form of public-private teamwork will be tough to achieve when the government itself is so internally divided. The commander of U.S. Cyber Command, Army Gen. Keith Alexander, said his organization lacks comprehensive visibility of the entire Defense Department’s digital domain because military networks are not integrated. This limits Cybercom’s ability to prevent attacks, Alexander said. “We do not have a common operating picture for our networks,” he said recently. “We need to build that.” Plugging this gap will require not just new technology but also extensive coordination among the military services and other federal agencies, Alexander said.

Congress, meanwhile, is trying to boost the capabilities of the Department of Homeland Security to protect domestic networks and the national infrastructure.

Sen. Joseph Lieberman, I-Conn., who chairs the Homeland Security and Governmental Affairs Committee, is proposing the creation of a National Center for Cybersecurity and Communications within DHS. It would protect non-defense, public sector and private sector networks from cyberattacks. DHS already has this responsibility through a presidential directive, but has “insufficient authority to carry it out,” Lieberman said.

“For far too long our approach to cybersecurity has been disjointed and uncoordinated,” said Maine Sen. Susan Collins, the committee’s ranking Republican.

Amid such head-spinning legislative and bureaucratic upheaval, some contractors are taking a wait-and-see attitude.

“From an industry perspective: you have to watch what’s going on and figure out what you can provide,” said Paul Strasser, senior vice president of Dynamics Research Corp., a federal IT contractor.

Many companies are rushing to offer new products to the government without realizing that the bigger needs are in training and certification of IT personnel, he said in an interview. A new policy from the Office of Management and Budget requires annual reports to Congress of agencies’ compliance with the Federal Information Security Management Act. The Department of Homeland Security is hiring more contractors to help train managers to comply with the flow of regulations, said Strasser.

Companies that are able to provide those services will be rewarded, he said. In the federal cybersecurity world, often too much emphasis is placed on technology when in fact many security breaches occur because employees are not properly trained, he said. “We have to be careful that we don’t focus so much on the technology that we forget about the management and people side of the equation.”

One of the biggest vulnerabilities in government systems is that agencies use software applications, especially web-based, that are not secure, he said. “That’s pretty fertile ground that needs to be addressed.”

The need for this expertise only will become greater once the government starts moving to a new, more advanced category of Internet-based software which is known as Web 3.0. Cybersecurity firms seeking to capture that market will have to figure out how to build behavioral models to predict how intruders may hack into those systems.

Companies that have lived in the federal IT universe for some time are seeing a “second wind” in the cybersecurity market, said Jackson Shaw, senior director at Quest Software. “It’s not just the increased awareness, but also that the government is funding more of these big-ticket projects.”

Many of the lucrative cybersecurity jobs will not be designing flashy technologies but performing basic “blocking and tackling,” said Steve Lawrence, Quest’s vice president for federal sales. “We don’t do exciting stuff.”

Richard Schaeffer, information assurance director at the National Security Agency, said that 80 percent of intrusions could be prevented if the government did nothing but implement the best practices and tools available today. But it is hard for the government to do that, said retired Air Force Lt. Gen. Charles Croom, former director of the Defense Information Systems Agency, who now heads cybersecurity programs at Lockheed Martin Corp.

“Why aren’t we doing that?” he asked during a recent interview.

The biggest problem for the government is that networks are too big and unmanageable, Croom said. The Defense Department alone has 7 million users spread across 15,000 networks. None of these networks is connected to the others and the protection of the systems is carried out by individual agencies using outdated manual techniques. This is why Lockheed sees a growing market for automation software that can take the humans out of the cybersecurity loop, Croom said. That alone can take care of the 80 percent of the security needs, he said. “But no matter what you do you’re still going to have intrusions.”

The government has not been able to prevent attacks because it doesn’t know how to get ahead of the intruder, Croom said. “Today, we react. Everything is after the fact.” Lockheed, like other firms, is trying to capture new business in gaming, behavior analysis and pattern recognition that would give a network manager a reasonably accurate picture of where the next attack may come from. “We believe that can be done,” said Croom.

Lockheed also is pursuing federal cybersecurity dollars via a new product called “IronClad,” a USB flash drive that shrinks a laptop’s hard drive – including the entire operating system, software applications and files – into an encrypted thumb drive. It costs between $550 and $700 per unit. “We’ve built a smart network around each drive, so IT managers have round-the-clock control of and visibility into the status and security of every device,” Croom said.

The race for cyberdollars will only become more competitive as newcomers jump in and incumbent firms fight to preserve their advantage. That is a major concern for some contractors who worry that in this cutthroat environment it will be difficult to collaborate among agencies, commands and corporations to defeat a common enemy.

“Defense spends far too much money on contractors who do not ‘play well together,’” said a military contractor who was not allowed to speak on the record. Stovepipes are part of the culture in the federal government and its contractors, the source said, but it has gone too far. As agencies become more dependent on information networks, the culture is putting lives at risk. “I don’t want a soldier out there on the ground with a handheld device dialing into someplace that can be tracked, and he can get shot.”

Eric Beidel contributed to this report.

Reader Comments

Re: Surge of Cybersecurity Bureaucracies Sparks Lucrative Opportunities For Industry

No Cybersecurity Initiative - joined-up or disparate - can be expected to offer an acceptable return on the resources it would need to have assigned to it, until such time as the Internet's own eco-system is rebalanced so that it does not by default support and assist those attacking our security.

Attempts to breach cybersecurity are just one instance of the worldwide cybercrime problem, and need to be viewed as such. The low cost and ease of anonymous access to networks have facilitated an environment where e-criminals - both civil and foreign-governmental - can operate in sure knowledge of there being close-to-zero risk of their being identified and apprehended.

In "traditional" investigations, criminality is detected by finding something that is unexpected, or inconsistent with its environment. But investigating Internet crime is hampered because there is so much of it - the criminal actions are no longer the "exception", and a key problem for e-crime investigators is that there is now so much criminal activity that confuses their investigation because it is connected with a crime other than the one they are investigating.

The best analogy I can offer, is that trying to correct today's problems of cyber-security is rather like trying to run a hospital emergency-room without cleaners or disinfectants.

Yet it doesn't need to be like that. We allow new initiatives to be developed without those involved having a sufficient understanding of how today's 'net works; "understanding" here being in terms of the whole system, and not specific technicality. In many cases changes that are made to try to prevent cybercrime, actually drive the criminals into using more sophisticated techniques that make them more difficult to detect and exclude. So much activity that should be investigated and prosecuted can in reality only be disrupted, but those of us tasked with doing that are acutely aware that in the long run we risk making things more difficult for the forces of "good".

Consider, for a moment, the ubiquitous "botnet" - now used for mailing, hosting illegal content without risk of take-down, scanning anonymously for vulnerabilities, and attacking other networks: such botnets are made up almost exclusively of consumer computers, and every competent ISP that hosts consumers can detect with ease which of its customers are unwillingly contributing to the harm being done. But the business case for the ISPs to fix the problem is conspicuously absent and many follow the advice from their accountants by ignoring the problem (and often support their decision by quoting the warnings from in-house Counsel of the risks of their being sued if they interrupt the customer's service). All that could be corrected with some very simple changes to the existing law.

Given that "botnets" can nowadays be reasonably described as armaments, probably the most pressing need is for the United States to be defended against such external attacks, which would at the least involve meaningful discussions with the foreign governments involved.

Private-public partnerships already work as well as can be expected, but are hampered by existing legislation and lack of resources; however the nature of today's electronic crime is such that the current policing methods that are laid down, are simply not fit-for-purpose.

These are the areas that I believe need a full and skilful overhaul before further resources are expended on any new desire for cybersecurity.

Richard Cox on 09/05/2010 at 12:04

Re: Surge of Cybersecurity Bureaucracies Sparks Lucrative Opportunities For Industry

Many large companies with substantial government contracts, including my own, have been expending considerable effort in support of the public-private partners to work to make America safer relative to cyber risk, and to help address the long-term hard problems of cyberspace. We believe that the best companies can work in support of common national and international purpose, hopefully enhance the coordination, collaboration and information sharing, across government and with and across the private sector, and substantially grow corporate revenues and margins. We believe the public-private partnership has provided value and can be leveraged for even greater effect. It should not be abandoned or replaced.

I would like to see the public-private partnership help to strengthen more markedly the coordination and strategic approach of the United States by finding ways to engage the private sector as a true partner in assessing and mitigating national cyber risk. One way to do this is for the interagency committee chaired by Howard Schmidt, the IPC, to invite representatives of the existing public-private partnership framework to participate in meetings of the IPC and its sub-working groups on a regular and ongoing basis. I hope other companies and associations and others will support this proposal to strengthen the public-private partnership and enhance strategic, national coordination.

It would be helpful if this formalized engagement could identify strategic national cyber priorities -- much like the best private organizations do to prioritize risk management relative to widely accepted standards and architecturally based principles -- such as risk, preparedness/response, malicious activity, and R&D, and articulate voluntary, major goals and objectives, and corresponding milestones and metrics that can be resourced, tracked, and evaluated over time. The distributed nature of ownership and control across the private sector and government, requires such collaborative effort, both nationally and internationally. The need to have greater clarity (and visibility) of what the nation needs to worry about and what needs to be done about it and by whom, can help us with resource prioritization, promote transparency, drive progress, and enable more accountability.

We also need to continue to work in support of the most encouraging activities spearheaded by government or the private sector, of which there are many, with close cooperation between them. Positive examples include: (1) The DHS-led effort to create a National Cyber Incident Response Plan (NCIRP) to formalize and systematize creating a true cyber common operating picture and organized incident response capability, to include ongoing private sector involvement in the ops center, and in the steady state and incident/emergency governance structures; (2) the Cyber Storm exercise series that will test the NCIRP; (3) the inter-agency coordination being led by the White House Cyber Coordinator (with a notable visible effort to create the National Strategy on Trusted Identities); (4) the Defense Industrial Base Initiative (and expanding pilot program(s) led by DOD based on collaboration and information sharing with aerospace and defense companies; (5) the software assurance and supply chain efforts facilitated by DHS and DoD with strong private sector involvement; (6) the efforts by NIST with substantial inter-agency and private sector input to move from what has been criticized as a "paperwork exercise" (in some respects unfairly) to evolve the FISMA-certification and accreditation process for federal agencies to a risk management-centered construct based on real-time, continuous monitoring; (7) the work of DHS National Cyber Security Division (NCSD) to promote risk management processes across the agencies is admirably building on the work of NIST; in addition, NCSD has collocated the US-CERT and communications (NCC) watch capabilities -- and strengthened the industrial control systems CERT, very positive developments toward building a common operating picture for cyber; (8) the efforts of DHS and State and the White House coordinator's office to engage the private sector in international cyber efforts have been noteworthy; and a number of additional efforts.

There are a number of additional steps and initiatives that I think could resonate with government and the private sector and help enhance national cyber preparedness that are worthy of mention here; these are in the areas of innovation and malicious cyber activity.

In the cyber domain, there is perhaps a tragedy of the commons-like reality afflicting the nature and magnitude of innovation and research and development. Often governments and companies do not see the short-term business case to invest as necessary to adequately assess and mitigate risk. There are two key components for innovation in cybersecurity technology – the first is traditional research and development, and the second is new and emerging technology that is generally being advanced by small companies, often under the radar screen. The United States needs to do a better job in each area.

Regarding cyber research and development, it is critical to leverage and coordinate more effectively, the public-private partnership and the work of the White House (OSTP – the Office of Science and Technology) and DHS in leading the interagency committee that is tasked with Federal R&D coordination. These activities need to generate a visible, prioritized and resourced, national cyber R&D agenda and plan. This plan requires objectives, goals, and milestones so that research and research sharing can be resourced, shared, leveraged, and revised over time, with accountability for each critical step.

Second, I recommend a focused effort to find, incentivize, and use newer and more effective cybersecurity technologies, hopefully within an architectural construction that is consistent with national standards. There needs to be an initiative that is owned by a government agency, probably DHS, perhaps in partnership with GSA, to promote systematized information sharing across government (and with the private sector) regarding evolving security requirements and specific, existing and needed technologies to meet those and future requirements. This process should help inform the R&D requirements and priorities where current technologies cannot answer the mail.

It would be helpful if the government would consider establishing a program to work systematically across the departments to identify current and expected security requirements and share information regarding past/current experience with specific technologies that have been used by government agencies (what works and does not work, what are the specific specifications of the technology, what are the shortcomings). This information needs to be required reading by those who have technology needs, those who are involved in the process of seeking information and executing acquisition, and those who make buying decisions. In addition, significantly, the program should solicit information from companies on what they can contribute to meet the identified security requirements (and those that perhaps the government has not yet identified), and the technical specifications they can deliver.

This program will make it easier for government to find the most effective and efficient technologies to meet their identified needs and some they may not have thought of. It will make it easier for private companies who provide value to benefit in the marketplace, and for companies who want to achieve to know what they need to do in the areas of product development and research to increase their value and competitiveness. It would be helpful if a funding vehicle(s) could be established to set up and run such a process, evaluate and pilot promising technologies, and accelerate introduction into government and technology transfer to the private sector. The nation needs to strengthen such technology innovation.

Regarding malicious cyber activity, I recommend that the United States collaborate across government (not just or principally law enforcement) and with the private sector, undertake a new approach to the global problem of malicious cyber activity, because of the uniqueness of the cyber domain and the difficulty of identifying and punishing malevolent actors. In the cyber domain, there needs to be a greater focus on those actors and organizations who enable the malicious conduct to take place and the actors to act with near impunity.

An underlying problem in the cyber domain -- again unique in type or at least in extent relative to the other domains -- is that there are virtually no consequences for malicious activity in cyberspace, notwithstanding the substantial and admirable work of law enforcement around the globe. The traditional, often reactive law enforcement activities have been appropriately supplemented with some important proactive measures, such as awareness raising efforts and the promotion of adoption of the European Convention on Cybercrime, which seeks to encourage countries to put in place a robust fabric of civil and criminal provisions and a well-resourced, strong investigative, prosecution, and punishment regime.

In the United States, private companies have been encouraged to affiliate with public-private partnership organizations to raise awareness and understanding and encourage timely reporting of suspect activity (Infragard – FBI, Electronic Crimes Task Force – U.S. Secret Service). The Department of Justice, the FBI, and the Secret Service regularly reach out to components of the public-private partnership to encourage the private sector to participate in these programs and report suspect activity.

Accordingly, it is not fair to say that the cyber crime effort in the United States, at least, is entirely reactive and tactical. However, there is a failure to adequately approach the problem of malicious cyber activity in a strategic manner. The private sector should work with the government as a full partner in what should be a larger purpose than simply to identify, catch, prosecute, and punish malicious actors. A major initiative should be launched, beginning in the U.S., to work strategically to reduce the number, frequency, impact, and risk of malicious cyber activity. Again, the private sector should be a true partner in this effort, not just or primarily a one-way source of incident information to law enforcement.

In the short term, I recommend that a public-private task force be formed to prepare a strategy and implementation plan for pursuing this important purpose. One key aspect of this effort is the need to identify the most significant malicious actors and enablers in cyberspace. We should build on the model of the international, public-private collaboration on child pornography and learn from the work of an organization like the National Forensics and Training Alliance (NCFTA.org).

In conclusion, the importance, nature, and complexity of the cyber domain requires that national and private sector leaders work together more strategically to better assess and mitigate risk and address the long-term hard problems that face the evolution of cyberspace and the opportunities that technologies can bring to nations and the citizens of the world. We can drive real progress in assessing and reducing cyber risk without eliminating opportunities for companies -- even government contractors -- to generate revenues.

Andy Purdy on 09/04/2010 at 15:56

Re: Surge of Cybersecurity Bureaucracies Sparks Lucrative Opportunities For Industry

Regarding Gen. Keys' quote: “You have the dysfunction of government bureaucracy, and you have the dysfunction of proprietary and profit motive”. I agree with the bureaucracy part but the "dysfunction of profit motive" words are quite scary coming from one who should know better. Removing the profit motive is the surest and fastest way of breaking down our incredibly talented industrial base. If and when that base ever falls, our national security goes with it. Do you think the Government has the skill set to actually produce real product? Not hardly. The retired General ought to know better. You've heard of capitalism, right? It’s why we have the best stuff.

mwd on 08/25/2010 at 17:32

Re: Surge of Cybersecurity Bureaucracies Sparks Lucrative Opportunities For Industry

I cannot express how proud I am for you to have published this article! It was a sincere pleasure speaking with you, and I hope this article raises eyebrows and makes waves throughout the community.

Clearly contractors have their place, and are indeed needed within the DoD. Unfortunately it's within the Cybersecurity Operations realm where the turf wars are waged, and battles fought between companies bidding and contesting contract awards. The information that is supposed to benefit the customer does not flow freely between competing contractors within the same organization, all in an attempt to sabotage the competition while sucking the Government dry of dollars.

Let's not even discuss placing minimally qualified, and sometimes wholly unqualified individuals in privileged positions - a tactic that achieves at an empirical level, the fundamental goal of every contract company. Put a body in the slot so they can bill the Government and generate revenue with complete disregard of the productivity and impact that worker has on daily operations. It is literally a Ponzi scheme of stupid.

Our military IT (generally speaking) is in a sad state of despair, and the only ones who know just how tight the rope around DoD's neck is, are the contractors tightening the noose.

I worked in the USAF Integrated Network Operations and Security Center and observed this behavior repeatedly. I will be happy to speak to anyone with genuine and actual authority to address this issue directly.

I am prior service Air Force, always will be, and my affection for my Air Force will always supersede the profit-driven motives of corporations with a complete lack of integrity.

To close, contracting companies should be ashamed of themselves, absolutely ashamed for the dishonor and lack of integrity they bring in to an environment, where the culture of the customer is built on the same values said companies undermine on a daily basis.

The Train on 08/17/2010 at 21:17
