Cybersecurity Law Sparks New Business

Companies that provide information security services are beginning to reap the benefits of a little-noticed cybersecurity law that took effect in November 2000 and is now exerting its influence over federal agencies throughout the government.The Government Information Security Reform Act, or GISRA, requires federal agencies to assess the security of their non-classified information systems. More important from an enforcement perspective, the law requires every agency to provide a risk assessment and report on the security needs of its systems.The reports have to be included in every agency's budget request submitted to the Office of Management and Budget for the upcoming fiscal year.While the act primarily pulls together long-standing requirements in a number of federal regulations, there is something new and significant in the law, said Tom Hart, director of information assurance, information security engineering at GRC International of Vienna, Va., an AT&T company."For the first time, teeth have been added," he said.Until now, "there has been no strict enforcement for requirements for security," Hart said. "Hence, most organizations have not really seen the need to comply. There was no business impact in not complying, other than the [security] risk itself."Because the new act ties the report to the budgeting cycle, agencies that are less than thorough in their assessments ? or that do not appear to be taking information security seriously ? risk having funds cut in the budgeting process.With government agencies forced to take action, information technology companies specializing in information security are gearing up to provide the necessary services. Those companies include GRC International Inc., KPMG Consulting Inc., Network Security Technologies Inc. and Symantec Corp.There is not a lot of detailed information about how much the federal government spends on information security. Information assurance, a broader market segment that incorporates security, is estimated to grow 15 percent to $1.95 billion in fiscal 2002, according to market research firm Federal Sources Inc. of McLean, Va."The government agencies do spend significant funds on their whole Internet infrastructure, [but] the cost of securing it is a very small piece," said Vince Steckler, vice president of public sector for Symantec of Cupertino, Calif. "The security component tends to be anywhere from 5 percent to 20 percent of a project."GISRA represents an important business opportunity for KPMG Consulting, said officials with the McLean, Va., firm. Felipe Alonso, a partner in the company's information risk management practice, and Mark Tashakori, a senior manager there, said the provisions of the act are a necessary prerequisite for advances in e-government."By taking action proactively now, the government is trying to create the trust in the community that will support e-government," Alonso said. KPMG is working with the departments of Energy and Justice to fulfill the GISRA requirements, he said.Tashakori said KPMG is looking to help its government clients understand the reporting process to expedite their compliance. The firm also wants to take a leadership role in governmentwide information security by organizing a roundtable gathering of key players in federal agencies and documenting their practices, he said.Network Security Technologies of Reston, Va., also is taking on GISRA-centered projects for some of its federal clients, said Bob Wrede, vice president of government services for the company, which also calls itself Netsec. Agencies are approaching the company through word-of-mouth referrals as agency security officials compare notes regarding who has done well on the new risk assessment and security reports required by GISRA, he said.Terry Antonacci, Netsec's director of government services, said the increased attention to information security has bolstered specialized firms such as Netsec, because agencies are realizing managed services can provide 24 x 7 security, but at costs that are spread out among many customers.The new law also is encouraging the government to address security issues at the beginning of a project instead of after systems become operational.But GISRA is not an unalloyed blessing, either for agencies or for prospective contractors. As frequently happens with congressional legislation, the new law did not include funding to take on this new reporting requirement.Wilmatine Slaughter, spokeswoman for the Office of Inspector General at the Energy Department, said that to carry out the reporting requirements of GISRA, the inspector general is using resources that otherwise would be used to look into waste, fraud or abuse."We consider this to be an important and potentially valuable effort. However, the evaluation and audit required by the act are extremely labor-intensive. The scope is extensive, and reporting schedules are compacted," Slaughter said.Experts disagree as to whether Congress will provide additional funding to cover GISRA's information security requirements."The act definitely implies the funding will be provided to address [security] problems," said KPMG's Alonso. "You've got the opportunity this year to justify asking for the funds to address those issues."Netsec's Wrede agreed. "I don't think Congress is going to say, 'OK, give us your budget request, and we're going to pull the money from somewhere else in your program.' I think they'll come up with additional money," he said.Bill McSweeney, president and chief executive officer of Amitex Corp. in Chicago, said that is wishful thinking."What the act says is you have to devote resources you already have to this," McSweeney said. "If you can show you've done this and done it effectively, your budget increases will reflect that. ... If you don't do it, [you] might face budget cuts."Paul Kayatta, president of government markets for Global Crossing Ltd. of Beverly Hills, Calif., agreed with McSweeney. Kayatta, who holds a seat on the President's National Security Telecommunications Advisory Committee, said GISRA is a legislative means of pursuing goals the committee has laid out."Funding needs to be addressed. It's not unlike the Y2K issue not too long ago. There was a fundamental interest but not a lot of funding," Kayatta said.The importance of effectively implementing GISRA cannot be overstated, industry officials said."We understand the importance of it. We also understand it's our personal information being protected ? or in many instances, not protected," said GRCI's Hart. Bob Baker, principal information assurance analyst with GRCI, said: "We're interested in this, in part, not just because it's our business, but as citizens and with a keener sense of the risk."And the global reliance on Internet communications makes the federal government the ideal ? or necessary ? test case, Kayatta said."This is a tremendous opportunity for industry for two reasons. One is that the government itself is a user, a prime user," he said. "But it also provides great credibility as they extend this capability out into the commercial world. ... If it meets government requirements, that's a good first step" for business.