
“Potential Movement in Federal Cybersecurity Toward
Commercial Firms”
By: Edward P. Moser
The cybersecurity market for the Department of Homeland Security (DHS) and
Department of Defense (DoD) has traditionally been dominated by the large,
established defense contractors. Indeed, after 9-11, firms such as Northrop
Grumman and Lockheed Martin accelerated their efforts in this field.
Raytheon, for example, established a homeland security division in 2002.
“You still see a pretty significant reliance on system integrators,” said
Shannon Kellogg, Director of Government and Industry Affairs for Bedford,
MA-based RSA Security (Nasdaq, RSAS). “And many of the defense contractors
are updating their technology lab processes to also get to emerging
technologies earlier.”
However, a trend may be emerging toward greater use by DHS, DoD, and other
IT security-conscious agencies of the more commercially oriented IT outfits such as
Adobe Systems, Inc. and nCipher. “We are starting to see a stronger push in
certain agencies – particularly in the DoD, intelligence and DHS communities
– to have direct contact with innovators,” said Kellogg, “to get access to
emerging technologies earlier in the procurement process.”
As security agencies strive to rapidly and cost-effectively plug
much-criticized holes in their IT applications and infrastructure, they may
regard commercial companies as better suited to offer solutions more cheaply
and in a faster time frame. “When an agency needs to deploy an identity and
access management solution ‘yesterday,’” said Kellogg, “then they often work
with RSA Security and our professional services group to get the solution
that they need deployed immediately.”
Another example of such a firm is Belcamp, MD-based SafeNet Inc. (Nasdaq,
SFNT), a data encryption specialist. On September 30, DoD and SafeNet shook
hands on a $150 million contract for the firm’s Link Encryptor, on top of an
earlier order of 2,000 of the units.
“Protecting the infrastructure today,” said Chris Fedde, senior vice
president and general manager of SafeNet’s enterprise security division,
“demands products and technologies that are similar to those found in the
high-end commercial security community. This includes infrastructures that
encourage remote accessing, incorporate public networks, and enable a high
degree of information sharing -- not characteristics of typical, closed
traditional defense networks.”
“We meet the government's requirements,” Fedde continued, “by merging our
commercial expertise in modern network protection with appropriately scaled
security. The needs are for sensitive but unclassified, classified, and
mixed mode -- we apply the appropriate products and techniques to deliver
the best of commercial and true government-grade security.”
SafeNet focuses on identity protection, information sharing, and integrated
network security, according to Fedde, as well as on communications security.
Its federal clients include federal agencies in the civilian, intelligence,
and defense spheres.
Certainly, by many measures, the security agencies can use additional help
in addressing their cybersecurity challenges.
Over the past two years, various federal investigations have sharply
criticized DHS for incompatible IT systems and for inadequate planning
regarding the handling of computer security-related emergencies. And during
a congressional hearing in June, Rep. Christopher Shays (R-CT) complained to
Secretary of Homeland Security Michael Chertoff that, “Developers who try to
give innovative concepts to DHS are rebuffed, while the department spends
millions buying marginal technology from big defense contractors.”
Another example of a firm with mostly commercial clients that is moving into
the security realm is Cambridge, UK-based nCipher (London Stock Exchange,
NCH), a provider of cryptographic security for web services, online banking
and payment, digital rights management, and databases. Among its clients are DoD, Volvo, Deutsche Bank, and Microsoft.
nCipher focuses on securing an organization’s most critical data through its
SecureDB database encryption application, and by managing the secret keys
found in security infrastructures. SecureDB aims to enable users to encrypt
the most sensitive information in a company’s database, such as specific
columns in a database, leaving non-sensitive information unencrypted.
In July, the Republic of Ireland’s Department of Defence selected SecureDB
to safeguard sensitive database information. At the time of contract
signing, Commandant Mark Staunton, Applications Manager of the Irish Defence
Forces, noted: “As we have transitioned from closed private networks to a
more open IP-based infrastructure, we identified the requirement for a
highly secure database security that would work well within our existing
application base.”
Specifically, the nCipher database helps integrate Oracle applications with
the Forces’ internally developed personnel management system. “It provides
us with an off-the-shelf database encryption solution,” stated Staunton, who
described “flexible and cost-effective” benefits that “allow us to protect
our most critical information with minimal degradation in performance and
without the burden of resourcing in-house development tasks.”
“The Irish Defence Forces’ decision to deploy an encryption solution at the
database level reflects an increasing trend among major organizations
worldwide,” said Ciarán Stapleton, sales director at nCipher. “It provides
additional levels of access control and selective encryption of only the
information designated as being sensitive, directly within a variety of
market leading databases.”
Any trend toward greater use of commercial firms may aid the government’s
stated need to bring greater efficiencies, greater standardization, and less
redundancy to its IT services. In August, Federal Computer Week reported
that OMB is examining consolidation into service centers of some
agency-specific security tasks, including incident response, situational
awareness, and selection of security-related products. (Defense and
intelligence agency taskings might be excluded from such a scheme, however.)
An alternative to off-the-shelf commercial products as well as the systems
of major defense firms may be open source software. This spring DoD renewed
for two years a digital certificates contract, for an undisclosed amount,
with Red Hat (Nasdaq, RHAT), the provider of open-source Linux applications.
Certificate System software issues certificates placed in the digital ID
cards of Pentagon workers, according to CNET, for accessing computers and
buildings. The Defense Information Systems Agency (DISA) contract will cover
between 12 and 38 million certificates. Red Hat acquired the software from Netscape
of America Online.
Identity validation seems to be a particularly popular application for
commercial vendors. Redwood City, CA-based Tumbleweed Communications Corp.
(Nasdaq, TMWD), a provider of secure email, file transfer, and digital certificates,
has seen its federal revenues soar in the past two years. Clients include
the US Army for its Online Certificate Status Protocol application and DoD’s
DISA, which has procured Tumbleweed’s secure file transfer product.
A more commercial approach to procurement could entail greater security
risk. As a report by HSARPA, DHS’s Advanced Research Projects Agency, puts
it: “General purpose computers are increasingly being used for
mission-critical tasks … These trends permit companies to leverage advances in
commercial technology and more closely integrate business and production
activities … However, there is a concern this has come at the price of
increasing the vulnerabilities of these systems.” Evidently, a happy medium
between more security and the benefits of commercial systems is required.
Assuring security in commercially oriented, interoperable systems will
remain a challenge. Still, with the government driven by necessities to cut
costs, increase standardization, and quicken the adoption of critical
technologies, it seems likely that any trend toward procurement by the more
commercial IT firms will deepen.
“We see a strong need,” said RSA’s Kellogg, “for strong authentication, Web
access control, to control the authenticated users’ access to the networks
that they are supposed to have access to, and [enabling of] real-time
information sharing in multiple environments.”
“Network security,” emphasized Fedde, the SafeNet vice president, “is a
maturing set of products and technologies in the high-end commercial
security community. Time and experience has made them cost effective,
scalable, and moderately easy to implement to commercial expectations.”
“The defense community hasn't matured these attributes but has built
products and technologies that address uncompromising needs for security.
Our particular advantage is the merging of the two.”
Author’s Data
Edward P. Moser: Freelance Journalist
Mr. Moser's writing credentials include: author of three published books;
presidential speechwriter; co-author of the published book "Secure Internet
Practices"; editor/writer at the National Academy of Sciences for
congressionally mandated, published books, Finding Common Ground: US Export
Controls and The Government Role in Civilian Technology, on weapons of mass
destruction and on trade in high tech goods; published articles in the Wall
Street Journal, Washington Post, Pharmaceutical Technology, and Boston Globe;
and video scripts written for the US Navy.
©Copyright InvestorIdeas 2005