Cybersecurity needs outpace funding
'Sizeable' business may lie ahead for companies
Sidebar: Flooded market swamps state CIOs
- By William Welsh
- Jul 31, 2003
Delaware's CIO Tom Jarrett sends bimonthly reports to state lawmakers of the threats the state's computer systems face and what it will cost to protect them. "I need to make sure that the people who fund us know it's a constant battle," he said. (Photo: Henrik G. de Gyor)
"Cybersecurity is a very tough sell. CIOs recognize that and push as hard as they can [for funding]." -- Matt DeZee, vice president of digital government for American Management Systems Inc.
In January, Tom Jarrett, Delaware's chief information officer, began distributing bimonthly reports to state policy-makers that describe the threats the state's computer networks face and the costs of protecting them.
The reports list specific steps taken by department employees to neutralize viruses, worms and Trojan Horses that attack the state's computers and networks. The numbers are compiled into charts for easy reference, and used in budget hearings and briefings to justify funding for computer security.
"I need to make sure that the people who fund us know it is a constant battle," said Jarrett, who heads up the Delaware Department of Technology and Information. "One day's loss of the state network could be unbelievably costly."
State CIOs such as Jarrett are determined to harden computer networks in the face of increasing efforts to breach network security and deface systems both internally and externally.
Despite dwindling state budgets, they are reaching out to agencies and departments through education and training to increase awareness of what is at stake. They are also conducting security assessments to determine the type and amount of work that needs to be done across the enterprise of state government.
"Cybersecurity is a very tough sell," said Matt DeZee, vice president of digital government for American Management Systems Inc., Fairfax, Va. "CIOs recognize that and push as hard as they can [for funding]."
Of the $41.4 billion that state and local governments are expected to spend on IT in 2003, they will allocate 3.2 percent -- about $1.3 billion -- for cybersecurity products and services, according to the research and consulting firm Gartner Inc., Stamford, Conn.
Efforts to improve electronic security at the state government level have met with varying degrees of success in the aftermath of the Sept. 11, 2001, terrorist attacks. Some states are still in the initial stages of addressing the matter through security audits and vulnerability assessments, while a number of states have awarded master service agreements that essentially prequalify companies for specific computer security tasks, analysts and industry officials said.
On the whole, states are not spending enough on cybersecurity, said John Pescatore, Gartner's research director for Internet security. The amount states are spending on firewalls and intrusion detection systems is on par with other industry sectors, but their spending on vulnerability assessments and security audits is below other sectors, he said.
The upshot is that states should do more frequent external security audits and vulnerability assessments, Pescatore said. To fix the problems that are uncovered, agencies will need to rely heavily on private-sector security firms, he said.
While the federal government has spent heavily on cybersecurity over the past decade, state government has not, said analysts and industry officials. But this doesn't mean that states don't understand the problem, said Jeffrey Johnson, AMS' vice president of enterprise security.
"States are just now starting to get their money into these budget pools," he said. "They are where the federal government was 10 years ago. That means they can't go anywhere but up."
In many instances, information security firms and systems integrators are installing only "the bare bones" of computer security for state government at this time, said Michael Gibbons, managing director in the federal services practice of BearingPoint Inc., McLean, Va.
But the next several years are expected to produce "sizeable opportunities" for companies to assist in designing and implementing recommendations stemming from the security assessments in progress around the country, said Robert Jervay, a principal with the security services practice at New York-based Deloitte Touche Tohmatsu.
"It's a firmly committed group," he said, referring to prospective customers in the state government market.
Cybersecurity typically involves two related streams of work, Gibbons said. The first entails the design and implementation of the basic security technologies, such as firewalls, intrusion detection systems and access controls, he said.
The second involves due diligence, or proof of security, he said. The Federal Information Security Management Act of 2002 requires the federal government to set standards to certify and accredit the security of systems by identifying risk, writing security plans and testing the technical controls to make sure systems operate in a secure manner.
Cybersecurity work also involves wireless security and authentication solutions that identify users, analysts and industry officials said.
The certification and accreditation process will be "in full swing by 2004," giving state and local government an easy framework to follow, Gibbons said.
States may not be able to wait that long.
Pescatore said computers and networks at the state government level are far more vulnerable to defacement and attack than federal systems, because state government provides more electronic services directly to businesses and citizens.
"Since the states are doing more interesting things [online], they have more exposure," he said.
AMS holds master service agreements to provide information security services for several states, including Georgia, Kentucky and Texas, said AMS' Johnson. Company officials expect specific security tasks to result from those contracts similar to a security assessment AMS is performing for California's Stephen P. Teale Data Center under a contract announced in July.
BearingPoint has provided security certification and accreditation for the National Institutes of Health and departments of Education and Veterans Affairs, Gibbons said.
The company also has developed a cybersecurity offering for local governments that addresses the matter from both a technical and governance approach, he said.
To improve Delaware's cybersecurity, Jarrett earlier this year had the Department of Technology and Information deploy sniffer software to make sure that agencies were not "running wide open" with wireless fidelity networks, or WiFi, that would leave state systems vulnerable to hacker and virus attacks.
The department is now shifting its focus to improving internal security with the same degree of attention, he said.
"There is probably a higher risk of intrusion problems internally than externally. It's something we need to do a better job on," he said. "Network security is an ongoing battle. You don't just fix it today."
Staff writer William Welsh can be reached at firstname.lastname@example.org.
Following the terrorist attacks of Sept. 11, many companies became security experts overnight. They didn't really fool anyone, though, said Gerry Wethington, president of the National Association of State Chief Information Officers of Lexington, Ky. But their entry into the market made the jobs of the state CIOs harder by forcing them to meet with far more companies than usual when looking for a particular offering, Wethington said last month at a cybersecurity roundtable discussion among federal and state officials in Washington.
Utah CIO Val Oveson agreed. With so many voices and options for information security on the market, sifting through that information has become a major task for state CIOs and state technology offices, he said. Instead of pandering to new entries in the field, state CIOs "want to find out who has been doing [information security] over the long run," he said.
Still, state CIOs generally feel obliged to meet with such companies, especially when the company is based in their own states, said Tom Jarrett, Delaware's CIO.
For the most part, states are avoiding products and solutions that are untested in the market, he said.
"We don't have the money to look at innovative [approaches] right now," Jarrett said. "We would like to get to a point where we can look at leading-edge stuff, but for now we are looking for companies with a proven track record and solutions."
But government contractors with information security experience have seen security contracts going to companies lacking experience. Some companies have practically given away the work in order to get their foot in the door and establish their security credentials, said Jeffrey Johnson, vice president of enterprise security with American Management Systems Inc., Fairfax, Va.
Agencies trying to keep costs down awarded such companies the contracts, only to find they did a poor job, Johnson said. But agencies have learned from their mistakes, and are now relying on market analysts for advice on security strategy and purchases, he said.
A topic of discussion among government and industry officials is whether people or companies should be certified to do information security work for the government. States are leaning toward requiring the certification of people working for contractors, while the federal government favors certifying companies, according to government and industry officials.
Michael Gibbons, managing director in the federal services practice at BearingPoint Inc., McLean, Va., noted that the National Institute of Standards and Technology is developing a methodology for evaluating and identifying companies that have credible skills and abilities in information security.
Small companies and security startups are going to find it extremely difficult to get traction in the state market this year, said John Pescatore, Gartner Inc.'s research director for Internet security.
In the current budget environment, states want to deal with a smaller number of larger companies, he said. For example, some state and local governments are purchasing security solutions from companies that provide their network servers, such as Microsoft Corp. of Redmond, Wash., or Cisco Systems Inc. of San Jose, Calif., he said.
Oveson said there comes a point in time when the customer needs to stop meeting with companies and simply issue the request for proposal. "You need to find the funding source and go after [the project]," he said.