Security blanket

With federal government spending on cybersecurityset to sharply increase in the finalbudget submitted by the Bushadministration, contractors arelooking hard for fresh businessopportunities. Although opportunities arestarting to take shape, they are not as clear assome contractors would like.A dramatic rise in attention and federalfunding for cybersecurity and infrastructureprotection is expected in fiscal 2009. Recentdevelopments include: Cybersecurity has been a national securityconcern for more than a decade, but publicattention has skyrocketed with reports of datalosses and cyberespionage. In 2007, Congressheard accounts of foreign hackers breakinginto the networks of military agencies anddefense contractors and stealing hugeamounts of sensitive data. Such attacks likelywill intensify this year, according to aDecember report from the SANS Institute.With billions of dollars in thepipeline, more contracting work issure to follow. But details arefuzzy because much of the new work will occurin the classified arena and cybersecurity contractshistorically have been difficult to chart."It is pretty clear there are dollars there forcybersecurity, but how quickly will there be aspending plan? I'm not sure," said ScottHastings, former chief information officer atDHS and now a partner at Deep Water PointLLC, a consulting firm in Washington. "One ofthe challenges will be defining the problem.""I am sure there will be an expansion ofbusiness related to cybersecurity, but we cannotsee all the budget numbers," said RayBjorklund, senior vice president at FedSourcesInc., a research firm in McLean, Va. Someclassified budget figures will leak out to themedia, but some will not.Confusing matters is the fact that some peopleview federal cybersecurity as everything thegovernment does to protect its systems and networks,and others say cybersecurity only occursat a higher level and involves protecting criticalnetworks, the Internet and civilian infrastructures,such as energy plants and oil pipelines.There also might be arguments among the military,intelligence agencies and DHS over whogets the increases in cybersecurity.Cybersecurity might be a hot topic inCongress, but there is a chill in the airregarding some discussions of the topic. Forexample, Rep. Bennie Thompson (D-Miss.)strongly criticized the promotion of DHSCIO Scott Charbo to be undersecretary ofNational Protection and Programs, overseeingcybersecurity."Given his previous failings as chief informationofficer, I find it unfathomable that youwould invest him with this authority,"Thompson wrote to DHS Secretary MichaelChertoff. "This decision raises concerns aboutthe seriousness and credibility of the administration'sinitiative."Thompson also reiterated concerns he firstmade public in September about evidence ofChinese hackers penetrating networks set upby contractor Unisys Corp. in connection withan IT contract with the TransportationSecurity Administration. Unisys officials said at the time that they hadfollowed all security protocolsand made theappropriate reports.Thompson has asked thedepartment's inspectorgeneral to investigate.DHS responded Feb. 13 witha letter of praise for Charbo and alist of his accomplishments. "The letter hasnot alleviated our concerns," said DenaGraziano, a spokeswoman for Thompson.Privately, some insiders close to the situationsay it is a frustrating example of how a cybersecuritybreach can become mired in politics.Even with the high-profile increases inspending, the overall picture of cybersecuritycontracting is still unclear because much of thework will be classified. Budgets for such initiativesare notoriously difficult to pin down."The classified nature of the new directivemakes it a bit tough to sort out exactly wheremoney will be spent," said Jeremy Grant, seniorvice president at the Stanford Group Co.investment research firm. "Formal fiscal 2009IT security numbers released by the Office ofManagement and Budget show only a 9.8 percentincrease, but the fact that a lot of thiswork will be done in classified agencies suggeststhat there is a much bigger number thathas yet to be revealed."Despite President Bush's lame-duck status,Congress is likely to agree with the new cyberpriorities, at least partially, experts say,because the cyberthreat has grown dramaticallyand many Democratic leaders have beencalling for more attention to cyberpriorities for several years.Lawmakers are also consideringa new approachto the FederalInformation SecurityManagement Act tomake it more performance-orientedand less focused onpaperwork."We support tweaks toFISMA to strengthen informationsecurity," said TimBennett, president at the Cyber SecurityIndustry Alliance, a coalition of organizationsand corporations. The alliance also backs thespending increases."Clearly, we are all seeing increasing awarenessof the growing threat to our networks,and the government is responding to that,"Bennett said.Although spending on cybersecurity is likelyto increase, it might be difficult to immediatelyspot many of the gains in contracting.That is because IT security projects often arefolded into larger projects. Aside from thebasic computer and network protections,which have mostly been accomplished already,cybersecurity work has been viewed in termsof subcontracts to larger IT contracts. Thatcould change as more dollars begin to flow,with larger systems integrators emphasizingtheir cyberabilities.The 2009 budget is likely to include fundingfor software and support along with legal andinvestigative assistance. It also might pay forcounterattacks in cyberspace and conventionalmilitary responses. A portion of the fundingcould help support the Air Force's new CyberCommand, for example."Cybersecurity is a problem that requires asolution beyond an infrastructure fix," saidRichard Colven, vice president of executiveprograms at research firm Input Inc., ofReston, Va."Our adversaries have become more sophisticated,"Bjorklund said. "To be able to protectagainst threats in this cyber environmenttakes more money."As the complexity of cybersecurity increases,it is possible that systems integrators willtake a more comprehensive approach, headded. Several major federal contractors haverobust cybersecurity units, and that emphasisis likely to grow, he said."Systems integrators will have to becomemore comprehensive and integrated in theirapproach," said Chris Campbell, a senior analystat Input. "I haven't seen it yet, but it couldhappen." That trend would signal a changefrom the government's piecemeal handling ofcyber concerns in the past, he said.