Cyberspace Guards Quietly Snuff Out Hacker Attacks

Proliferating hacker attacks have spawned a lucrative new marketplace for experts who can instantly and quietly defend corporate computers from attacks by online spies, thieves and joyriders.

"There's more business than any one of us can go after," said Alan Fedeli, who runs IBM Corp.'s Emergency Response Service, based in Sterling Forest, N.Y.

"This is an evolving business, the leading edge of a recognized business service," said Ed Hart, director of Science Applications International Corp.'s Center for Information Protection, based in McLean, Va.

The Computer Emergency Response Team at the Pentagon-backed Software Engineering Institute, Pittsburgh, has signed up almost 20 Fortune 500 companies for its emergency CERT Affiliates Program, generating revenue of almost $400,000 a year, said Jay Douglas, a business development manager at the institute.

Both SAIC and IBM help protect computer networks owned by Fortune 100 companies, including banks, insurance firms and manufacturing companies. However, neither Fedeli nor Hart would release their revenues or the identities of their clients.

Revenue should grow as much as 30 percent per year, although most income will come from consulting services rather than emergency responses, predicted Fedeli. SAIC's security-related revenue doubled in 1996 and should double again in 1997, said Hart, the former deputy director of the National Security Agency, based in Fort Meade, Md. The agency is responsible for protecting the government's classified national security data.

Even if growing rapidly, the emergency-response market is only a sliver of the overall computer-security business, which is expected to take in a total of $17 billion between 1996 and 2000, according to the Gartner Group, a consulting firm based in Stamford, Conn. Thus, most revenue earned by SAIC and IBM's units comes from pre-attack consulting, said Hart and Fedeli.

Many firms sell consulting services, design security products and operate 24-hour help lines for clients who buy their software and hardware. However, very few firms offer instant support to clients that use other firms' computer hardware and software.

For example, SAIC worked with a client to identify within 24 hours one of the client's employees whose actions threatened the company's revenues and reputation, said Hart.

This promise of instant response has its price. One employee at IBM's Emergency Response Service skipped his 30th birthday party and another had to cancel a West Coast marketing trip to quickly defeat an Internet hacker's attack on a client company, said Fedeli. "For us, [paying the price] was a no-brainer," he said.

Bob Fish, vice president for business development at the WheelGroup Corp., a security company founded last year in San Antonio by eight ex-Air Force security experts, says his employees "are on pagers all night, all week ... so we can fly them out [to a client] anytime."

However, much of the emergency work can be handled by offering advice over the telephone or by long distance monitoring of devices such as the company's Netranger hacker-alert product, he said.

IBM and SAIC lead the pack in instant response, say industry officials, and are followed by CERT and others such as the WheelGroup.

Executives from these four rivals are confident that revenue will rise and point to surveys showing increased numbers of hacker attacks on corporations' computer systems. For example, one survey showed that 58 percent of 236 companies polled by Warroom Research Inc., based in Baltimore, had been hit by hackers in the previous 12 months. Some 57 of the companies were broken into at least 11 times during that period.

Hackers who broke into corporate networks installed online eavesdropping devices called "sniffers," copied secret passwords, inserted destructive computer viruses and stole secret business data, said the study, released Nov. 21.

One-third of the attacks cost the victim company at least $1 million to repair, said the survey.

Clients, such as banks, manufacturers or insurance companies, sign IBM, SAIC and the others because they want to tap their wide experience, said Fedeli. The security experts at IBM are familiar with many hacker techniques used against many varieties of computers and software, each of which have their weaknesses and strengths, said Fedeli.

Also, companies don't have the time -- or the desire -- to ask for help from law-enforcement authorities such as the FBI, said industry executives.

According to Hart, 99.99 percent of clients just want SAIC "to put the fire out," and may later consider calling in the police.

Even after a hacker attack is defeated, companies normally don't want to call in the police for fear of damaging their customers' confidence and sparking a malpractice suit against the company's directors, said Mark Lasch, a lawyer at SAIC's Center for Information Protection. "All the incentives are against reporting" the hacker attacks publicly, he said.

No company wants to broadcast security problems, but many will ask for quiet advice from CERT, IBM and SAIC, said executives. "The non-disclosure agreements that we have in place [with our clients] are longer than our contracts," said the WheelGroup's Fish.

IBM and SAIC quietly share information about hacker attacks with 50 other companies, universities and government agencies that are members of the CERT-sponsored Forum of Incident Response and Security Teams, or FIRST.

Invited members include security centers in Germany, Israel and Italy, as well as New York financial firms Goldman, Sachs &amp Company and J.P. Morgan. FIRST also includes many infotech firms such as Sun Microsystems Inc., Mountain View., Calif., and Sprint Corp., Kansas City, Mo., which want to know of any security flaws affecting their products.

FIRST's top-level committee is chaired by Ken VanWyk, the technical director of SAIC's emergency response center.

Other industry-backed coordination groups are run by the National Computer Security Association, based in Carlisle, Pa., and by Donn Parker at SRI's office, based in California.

The degree of cooperation between competitors is surprising, said Fedeli, but is partly explained by the companies' common interest in making the Internet work safely.

"It is in our broader interest, and the community's interest, to eliminate the reasonable ease of [hacker] break-ins," said Fedeli, whose parent company generates much revenue from selling information services, software and hardware to the fast-growing Internet marketplace.