Special Report

The emergence of the Internet along with moves by elected leaders in both the legislative and executive branch has put pressure on government CIOs to rapidly modernize their mission-critical systems without putting at risk some of the nation's most sensitive information.

Between Vice President Al Gore's National Performance Review (NPR), released in 1993 to streamline government operations, and legislative measures to streamline procurement, such as the Clinger-Cohen Act passed in 1996 to compel departments to behave more like companies in the area of IT purchases, federal officials have clearly been challenged to move fast. But this challenge has also created an unprecedented opportunity for hardware vendors, software developers and professional services providers who specialize in information security.

According to the Office of Management and Budget (OMB) overall security market expenditures by the federal government were $665 million in fiscal year 1996 (October 1995-September 1996).

Interestingly, OMB expects to see a small drop in security expenditures in FY97, to $638 million, but thereafter, analysts at Input, the Vienna, Va.-based market research consultancy, expect the numbers to grow each year, reaching $827 million by 2002, representing a compound annual growth rate (CAGR) of 5.31 percent.

Putting the security numbers in some perspective, total FY96 contracted information technology expenditures- for hardware, software and services-were $22.3 billion in 1996, with expenditures forecasted to reach $30.1 billion in 2002, for a 5.93 percent CAGR.

But, future security spending isn't expected to follow a straight-line growth path. Rather, the annual growth rate is expected to accelerate. Input forecasts annual growth rates to be 2.94 percent from FY98-FY99, 6.79 percent from FY99-FY00, 7.38 percent from FY00-FY01, and finally, 8.3 percent from FY01-FY02. That acceleration trend is due to forecasted growth in federal electronic commerce initiatives.

Budget Constraints

But achieving these milestones is not a given. Looming over security expenditure decisions are budget concerns. According to analysts, lack of financial resources is the primary reason agencies aren't doing everything they need to do on security right away. Committing more money to security means less money for other areas of an agency's budget. That is why Brian Haney, a senior analyst at Input, says that we can expect to see "consistent but not phenomenal growth" in security spending.

Many industry players agree with his assessment. "Although C2-type compliance has been mandated since 1992 by law, most federal agencies have not been provided with adequate resources," says Robert Greenwald, government territory manager for Jupiter, Fla.-based Command Software Systems.

"We have been in regular contact with scads of civilian and defense organizations, and regardless of the need or the regulation requirements, the resources have just not been there to put the stuff in place," he says.

Jose Prats, MIS director with Newington, Va.-based Solunet, concurs.

"We have seen budget constraints play a role in deploying inadequate security solutions," he says.

"Most manufacturers' security features are an added cost item. It is something that the government has to deal with while they look for the lowest price that they can get the job done for. And sometimes you do see them scrape some of the costs from security," says Prats.

Indeed, too many procurements fail to take the full strategic security issues into account sufficiently on the front end, says Bob Campbell, Solunet's federal sales manager.

"Security is all too often an afterthought. Almost always, we sell the remote access product server, and then-if we sell security at all-it is the following year. While there is not necessarily a cost penalty associated with making security purchases later rather than up front, you do-in the meantime- have that hole in security," says Campbell.

This is not the case for agencies like the National Security Agency or the Department of Defense, whose MIS staffs are very aware of security and view it as an integral part of their operations.

"But most of the civilian agencies, like Transportation and Customs, whose workforce often deals with material that is not top secret, don't understand the risks," says Prats. "The information they work with may not be classified, but they are working with sensitive information. I mean, even if it is e-mail, you don't necessarily want somebody looking at the Secretary of Transportation's messages," he says.

Demand Drivers

Nevertheless, demand by the federal government for security products and services is on the rise, and will in fact accelerate as demand drivers take hold.

The much-heralded NPR was designed to modernize the way the government does business and to make the government more efficient. Toward that end, individual departments and agencies are making more documents available electronically. For example, the Department of Justice's Bureau of Prisons electronically shares large amounts of classified information on inmates with states, parole officers and individual prison authorities, to name a few.

That data, of course, needs to be secured, a task that is made more interesting as it moves over private, semi-private as well as public networks. And the Internet is a medium that all government CIOs are eyeing hungrily.

On-line procurement has been one of the biggest ways agencies have implemented reforms. As Input's Brian Haney puts it, "You see more and more RFPs (requests for proposals) coming out electronically."

"When you go across the Internet with anything, it is open to public view because there is no proprietary network to lock somebody out," says John Balena, general manager of Houston, Texas-based BMC Software's federal office.

"So whenever you get into exchanging money, where you are using either account numbers or credit cards or things like that, you need to protect that information from being intercepted and used illicitly. The General Services Administration has credit cards at users' disposal with some pretty high credit limits-from $25,000 to as high as $250,000. The GSA is basically mandating with all new schedules they negotiate, that people move to electronic invoicing and controls," he says.

"This is all part of the federal government's cost and paper-work reduction strategy," says Carl Coken, manger of business development with BMC Software. "By law, they have to make all information on RFPs publicly available and easily accessible. Because the Internet is so prevalent now, they are trying to do as much as possible via the Internet," he says.

Other agencies are looking to share sensitive information-like individual social security benefits-with tax payers.

"That might not be electronic commerce in the way that we normally think about it," says Coken. "But you still want to give users and tax payers secure access to that data, and you want to make sure that if they are requesting information that is personal in nature, that proper security and authentication procedures are in place," he says.

The Threat From Within

While the Internet has created lots of new interest in security, it should be noted that most of the break-ins or breaches of security continue to be more of an internal-not external- issue.

The very nature of the PC operating systems that are increasingly characterizing the federal desk-top environments do not lend themselves to being secured.

"That means that a secure sub-system has to be added to these machines," says one vendor who asked to remain anonymous. "And that is where agencies are most vulnerable. It is clear that a higher than recognized number of people inside federal agencies have the ability to gather intelligence for sale. And some are doing just that. Take the Navy's Walker family for instance. This is a clear example of people with security clearances who sold intelligence continually for a decade for pretty small sums of money," he says.

"There is a definite need for work station-based as well as network-based approach to security," says Command Software's Greenwald.

"Government agencies have been buying lots of firewalls, which is important to cover a wide range of 'outside-in' penetration threats. And that is good. But when you consider the fact that corporate and industrial espionage is surely going to be on the increase, the risk of loss from within may be greater than it is from outside the organization. It is really necessary for agency budgets to take this threat into account."

Hot Security Technologies

Consequently, the "inside-out" approach to securing government data promises to be the next great wave of opportunity for security vendors.

"The new market that we are excited about is the VPN [virtual private network] environment," says Ken Newcomer, vice president of government systems division with Germantown, Md.-based V-One Corp.

"Once you put a firewall in place and are able to connect to the Internet to communicate securely, the next requirement is to communicate effectively to that firewall. That is how you can bring in remote government employees, trading partners, other government agencies or constituents," he says.

He expects to see demand grow for products that will help government users leverage workgroup software across a number of firewalls in a secure environment. "We are working with a large DoD intelligence organization that has a need to share a database of information with employees throughout the DoD and even some of the civilian agencies. But the sensitivity of the data is such that they need to be absolutely sure that the people looking at that data are who they purport to be. They need to authenticate that person very strongly using a digital token or a smart card, in conjunction with a personal identification number or code," he says.

As applications roll out to support intranets and extranets, the increasingly mobile government workforce will also be looking for security mechanisms that can follow them around.

According to Tony Quatrrone, federal district sales manager for Ft. Lauderdale, Fla.-based Racal Data Group, that means tokens and hardware based security equipment will have to come down in both price and size, without affecting network access itegrity.

"There is a growing opportunity to bring the physical information security devices down to smaller, less expensive form factors that are just as effective from security standpoint as current offerings. In addition to cost, field operators want to simply blend in with their surroundings, and do not want to have extra devices to attach to their lap tops when they are on the road," he says.

Market Components and Growth Prospects

IT security expenditures, as reported by agencies to the OMB, are split into three categories: professional services, equipment and software products, accounting for FY96 expenditures of $195 million, $407 million and $63 million, respectively.

Professional services can be further divided into three categories:

• Consulting,
• Education and training
• Software development
  (different from the software
  products category mentioned above).

Consulting includes feasibility studies, risk analyses, security plans and system audits. Education and training basically entails raising agency awareness that security should be considered, especially regarding electronic delivery of documents.

The third, and largest portion of professional services, is software development, which largely includes re-engineering existing software to make it security compliant, for example, by scaling current applications to make them meet security requirements.

The largest component of security purchases, equipment expenditures include processor based equipment used to protect automated information systems, for example, protection of equipment in case of fire and locking systems to prevent theft.

Software products consist largely of commercially available software, an example of the government's initiative to purchase more commercial off-the-shelf (COTS) software.

Breaking out the growth rates of the three security components to FY02 shows that professional services will more than double the expected growth rate of the equipment segment, 8.44 percent CAGR versus 3.83 percent CAGR to FY02, according to Input. Software products are expected to grow at a 2.64 percent CAGR.

Yet, many agencies simply do not have the in-house expertise to address increased security demands from these new phenomena. An additional problem is posed by rapidly changing technology, which makes it difficult to forecast and respond to future security demands.

Analysts say that agencies are shying away from a band-aid approach to security issues of simply buying all new hardware, which may be obsolete in a few years. Thus, the anticipated faster-than-average growth rate for the professional service component of federal security needs.

Prepared by the firm WNB of Washington, DC 202/833-9738