A Boom for Computer Security

Tucked away in territory known mostly for good trout fishing, Secure Computing Corp. of Roseville, Mont., has quietly made itself into the world's largest computer security products and services company.

When news surfaced earlier this year that intruders had been combing the Internet to intercept user passwords, the National Security Agency called Secure Computing. Within hours the caretaker of encryption technology in Fort Meade, Md., had ordered $500,000 worth of security gear.

That and other such orders -- many fueled by reports of security breaches on the rapidly commercializing Internet -- have helped boost the firm's contract backlog to nearly $30 million. The company, which produces a range of computer access control and Internet security devices, will nearly double revenues to about $15 million in 1994 and plans to boost employment to 141 -- up from 60 in January 1993.

Lou Brown, one of the Washington area's most respected and successful high-tech entrepreneurs, has put his money behind the firm. And Secure Computing has reeled in venture backing from Grotech Partners and Corporate Venture Partners. The company could sell stock to the public within a year.

Secure Computing is growing at unparalleled speed, but many of its competitors also are finding that data paranoia can be readily mined for gold. Two or three years ago, the nature of the computer security business would have made public offerings unthinkable. Hundreds of homegrown operations run by ex-spies and hackers struggled to convince the world that precious data was in danger of falling prey to forced digital entry, phone outages and other assorted cyber-catastrophes.

Most of these companies emerged following the 1987 Computer Security Act, which mandated a minimum "C-2" level of security for all government agencies. "C-2 by '92" was the motto, and security firms thought they would quickly cash in.

But it simply didn't happen. Shrill and often alarmist marketing techniques turned off many potential customers. Few companies or government agencies were willing to buy security features that often meant an additional 5 to 10 percent on a system's sticker price -- not to mention an additional layer of complex procedures for employees to navigate.

Back then, companies survived on consulting jobs for the intelligence community. Product sales, particularly those embedded in software rather than hardware, were negligible.

That's not the way it is anymore. High profile security breaches such as the New York World Trade Center bombing and consistent phone network outages, meanwhile, have conditioned the public for security-related marketing pitches.

Meanwhile, the astounding growth of the once- academic Internet may be the greatest security market enhancer. Fear of Internet security breaches and industrial espionage is on the rise, particularly after an incident earlier this year where "sniffers" placed on the Internet reportedly purloined hundreds of user passwords. By one estimate, 1.2 million computers have been broken into in the last four years. And that's just the number of reported cases.

Chuck Stuckey, president and CEO of Security Dynamics, another IPO hopeful, predicts marketwide movement towards stock offerings. "There may be some interesting opportunities [to go public] in the next year to 18 months," he said.

Security Dynamics is a 60-man computer security firm in Cambridge, Mass. specializing in computer-user authentication. Founded in the mid-1980s, Security Dynamics -- with $7 million in venture capital -- hopes to parlay a 35 percent annual growth into a date with public markets.

"The market is finally beginning to pop," said Jay Wack, vice president for marketing at 18-man TECSEC, another potentially hot computer security entrant based in Vienna, Va. Last week the company lifted the sheet off its VEIL product, which spent nearly four years in R&ampD. The philosophy behind VEIL, like that of most commercial computer security products today, is to protect the information itself -- regardless of the communication medium it travels over or through.

This information is protected with any of a number of encryption techniques, readily available now free on Internet or for a fee from commercial providers such as RSA Data Security Inc. Those with the keys to unlock the encryption -- whether they are private individuals or government agencies, as is the case with the Clipper system -- can then gain access.

TECSEC, like Secure Computing and many others, believes it is well positioned to ride the market surge. The key will be combining a variety of security techniques from its own R&ampD labs and from other companies -- access control, user authentication, encryption -- and putting them into a cheap, relatively user-friendly package. Certainly, the company boasts the proper pedigree. Its founder, Ed Scheidt, is also the creator of the Cryptos statue that sits in front of CIA headquarters -- a statue etched with an encrypted message by Scheidt that has yet to be cracked.

While the company barely broke $1 million in revenues in 1993, it anticipates dramatic growth to $5 million in sales for 1994.

Even today, a major computer market research organization like Dataquest has no market analyst watching the computer security trade, though it employs hundreds of specialists to follow just about everything else. But that seems likely to change. "Whether you agree with it or not," the Clipper chip controversy has thrust the issue of computer security onto the front pages of nearly every major newspaper and magazine, said Stuckey of Security Dynamics.

"Before, closed [computer] systems were minimally open. Today, open systems are minimally closed," said Wack.

When a user logs on the Internet to send a message or file from, say, Tysons Corner, Va., to London, the information takes any of a number of routes on the thousands of separate networks that make up the Internet. If it fails to reach the destination one way, it tries another and another and another until it succeeds. That attribute makes the Internet a powerful communications medium. It also means that messages travel through a myriad of hubs connecting networks to reach its destination, and users have no way of knowing in advance which route the information takes. The hub sites are where danger of information pilfering lurks -- and commercial users of Internet are beginning to realize that potential.

That realization should be enough to drive at least 20 percent yearly market growth, or about $500 million in annual revenues in the next year, said Secure Computing's Kermit Beseke.