The federal government will spend about $10 billion on cybersecurity in fiscal year 2013. That number could grow to $13 billion in fiscal year 2014. For most federal agencies, cybersecurity is one hot-button issue that will not soon disappear. Determining what to defend against will play a large role in how much money the government must allocate toward cybersecurity.
Until recently, most government organizations have focused on manual and periodic monitoring and reporting for security management. This strategy was primarily driven by the Federal Information Security Management Act (FISMA), which had limited effectiveness in securing data despite the expense and efforts. Recent regulations now require federal agencies to implement continuous monitoring of their network operations. Periodic reports and certifications are not only expensive, but most evidence suggests that they do not improve an organization’s security posture.
Investing in continuous monitoring is an important step for government organizations, as hackers and hostile nations pose an increasing threat to the integrity of the United States’ critical infrastructure.
An emerging concern for government is the use of mobile devices and applications. “Bring your own device” strategies that have been implemented in various institutions have led to increased productivity but can also lead to increased security vulnerabilities.
As the use of mobile devices and the purchase of mobile applications grow in the coming years, hackers will alter apps that are considered safe and retool them with malicious code so unsuspecting users download them without hesitation. Additionally, malware authors have developed viruses and programs that can automatically purchase applications from an app store without the user’s permission or knowledge.
Botnets are another threat to government and corporate networks. A botnet is a network of computers that have been breached by a third party and are monitored and controlled from a remote location. An employee’s personal computer or laptop at work could be part of a botnet without him or her even knowing it. Most organizations with mature cybersecurity protocols can easily identify a botnet on their networks, and can quickly disable it and recover any lost data. However, “botmasters” will become more persistent and sophisticated, and will develop new techniques to reestablish control of botnets and continue to infect networks even after they are disabled.
Also on the rise is hacktivism, or attacks related to political or social purposes by activist organizations. Groups such as Anonymous have failed to develop more complex tactics and can now largely be countered. But terrorist organizations and nation states will develop more elaborate malware, worms and viruses that are not only capable of shutting down websites or revealing sensitive information, but also able to control machinery and entire buildings.
Moreover, recent reports have linked the Chinese government with hacktivist groups that create advanced persistent threats that infect and hide inside U.S. networks. These perils are evident in the Duqu, Flame and Stuxnet attacks.
Search engine optimization poisoning is another possible weapon. SEO is used by websites to improve online traffic to their sites. When a search is run on an engine such as Yahoo or Google, the results that wind up at the top have the highest SEO. Hackers use SEO poisoning to infect users through websites that are designed to look like credible sites. When the malicious site is unknowingly clicked on, the user’s computer may be infected with malware. For years, cybercriminals have crippled a user’s ability to securely search the web, but attacks will become more prevalent. Attackers will use more automated and complex methods to exploit the most popular keywords or news stories of the day.
To combat these threats, federal agencies are investing in products related to information assurance, information security and network operations. The Defense Department has spent nearly $9 billion over the past five years on these products and services alone.
Hundreds of funded programs and contract vehicles have emerged to address cybersecurity. The Department of Homeland Security issued a request for quotes in December 2012 for a blanket purchase agreement that will acquire continuous diagnostic and mitigation tools and continuous monitoring services. The deal will be worth $6 billion over five years and will acquire products and services related to vulnerability management, configuration management and software and hardware asset management.
The DHS contract is just one of many vehicles that will be employed by the federal government. The Defense Department’s preferred acquisition method is large multi-agency contracts, with nearly $4 billion in cybersecurity-related purchases taking place over the last five years.
The Pentagon also spent billions of dollars across a number of indefinite delivery/indefinite quantity contracts, enterprise license and blanket purchase agreements related to cybersecurity. These include contracts awarded under the Air Force’s network centric solutions, the Army’s computer hardware, enterprise software and solutions and the Defense Department’s enterprise software initiative.
Additionally, agencies like the Defense Advanced Research Projects Agency (DARPA) are aiming to improve the government’s cybersecurity posture by leveraging small businesses and individuals rather than relying on traditional vehicles and programs.
For example, DARPA’s Cyber Fast Track initiative is intended to shorten the time it takes to deploy new technologies by funding research performed by small businesses. DARPA funds research efforts by boutique security companies and individuals, and allows them to keep the intellectual property. These organizations could not pursue these efforts on their own because of the complexity, cost and time. And although DARPA announced that Cyber Fast Track will be ending in April, the agency has no shortage of funding to promote such programs.
DARPA, along with the Defense Information Systems Agency and the National Security Agency, spent upwards of $1.5 billion last year on cybersecurity products and services. The majority of these funds have been directed at traditional information-systems security programs that focus on protecting mission-critical applications, data and networks.
Industry has recently witnessed several trends emerging in the defense sector, including an increase in the procurement of technology that enables tactical communication, interoperability and consolidation. Cloud and mobile solutions have seen an uptick in government buyers recently, but these technologies contain inherent security risks. Information-technology investments over the past year reflect these trends and needs, and agencies are recognizing and preparing for those risks.
Budgetary worries are another concern. A debilitating sequestration and continuing uncertainty about future funding put federal budgets in a choke hold and have left program management offices and contract offices reluctant to spend.
Regardless of the budgetary environment, agencies must still protect mission-critical data and systems. Defense agencies must still invest in products and services that encourage tactical communication, interoperability and consolidation. Despite wide and sweeping budget cuts across the government, the Defense Department did request $3.4 billion in cybersecurity funding for 2013 — a nearly 6 percent increase from 2012. The Defense Department is pursuing nearly 2,500 efforts related to cybersecurity.
Ten programs alone represent more than $6.6 billion in 2013:
• DISA – Defense Enterprise Computing Centers
• DISA – Global Command and Control System
• Army – Warfighter Information Network – Tactical
• Army – Network Enterprise Technology Command
• Navy – Consolidated Afloat Networks Enterprise Service
• Navy – Next Generation Enterprise Network
• Air Force – Base Level Communications Infrastructure
• Air Force – Air and Space Operations Center
• Medical Health System – Electronic Health Record Way Ahead
• Medical Health System – MHS Cyberinfrastructure Services
Some analysts have estimated cybersecurity market growth in the defense sector of nearly 10 percent over the next five years. Given the increasingly stringent budget environment, a more tepid growth is likely. But even with the most modest of projections, cybersecurity spending by the federal government is expected to surpass $14 billion by 2017.
Tim Larkins is a consultant for market intelligence at immixGroup Inc. He can be reached at Tim_Larkins@immixgroup.com