As the U.S. government goes on a cyberdefense spending spree, major government contractors are beefing up their network security expertise so they can get in on the action.
Slideshow: Technology from the federal government
Lockheed, Boeing, Raytheon, SAIC and other big government contractors have been creating their own cybersecurity divisions, hiring network security staff or buying up smaller security firms to augment their own credentials.
"Everybody smells money here," says Stephen Kent, chief scientist at BBN Communications, who has worked on government network security for more than 30 years. "The size of the business could be enormous."
Market Research Media recently issued a report that projects government cybersecurity spending growing at 6.2% per year to a total of $55 billion over the next six years. Other published estimates put that spending at $11 billion to $13 billion in 2013 alone, setting off a rush among providers to bid for their share.
Some defense contractors have extensive network security experience under their belts, Kent says, and others are trying to acquire it. There will likely be projects for both kinds of firms, he says.
Contractors that have worked on classified security projects before are familiar with the unique threats that states pose to the U.S. government that differ from the kinds of threats that corporations generally face. These contractors have expertise that is a natural fit for protecting the government networks most likely to be targeted, such as those in military and intelligence agencies, he says.
Other segments of the government that are involved in more mundane activities face the same mainstream challenges as corporate America. "Many parts of government networks are analogous to commercial networks, others are not," he says.It is unlikely that corporations will be soon tapping these government and military contractors for their services or new technologies, say John Pironti, the president of network security consulting firm IP Architects.
The cultures of private industry and government are vastly different, Pironti says. Private firms want speed in their security projects - looking to hire consultants, plan the work and execute the plan quickly.
In government the process generally takes longer, projects tend to be on the largest scale and one goal is to wind up with systems that can be readily replicated over and over, he says.
"In commercial it's all about efficiency. In government it's about structure and consistency," Pironti says. Large agencies want to be able to build the same defenses everywhere, and simple enough to be run by relatively low-level staff. "They want the most efficient, cost effective, lowest-common-denominator operations" he says.
One longtime government contractor, Lockheed, has rolled cybersecurity components into its government contracts for years. Securing the data involved in government projects has become a component of each contract, says Eric Cole, Lockheed's chief scientist and a senior fellow at the firm. "Implementing cybersecurity is ingrained," he says.
Many of the tools the company uses are the same as the commercially available ones used by corporations. If commercial products don't meet the need, the company will develop its own, but doesn't market them, Cole says.
That's not to say that government-developed technologies don't emerge into commercial markets. BBN's Kent cites firewalls, intrusion-detection systems and certain types of encryption such as SMIME as being the product of government research.
Sometimes such technologies are kept secret by government but later developed independently by private researchers. Famously, the Diffie-Hellman cryptographic key exchange was developed by a British intelligence agency but kept classified even after it was published publicly.
Cole says that Lockheed doesn't market its security expertise separately, but has seen more government requests for proposals for data-loss prevention, handling threats and methods of performing penetration testing. "Down the road as this area continues to grow, we might move into that," he says.
The flip side of this is that sometimes government contractors buy up commercial security firms for their expertise but continue to sell the commercial products. This is the case with Raytheon's purchase of Oakley Systems in 2007, which still sells its SureView network monitoring and forensics software.
The software was developed to discover insider threats in defense networks, says Derek Smith, president of Raytheon Oakley Systems. "When we joined Raytheon, the idea was to take lessons learned in the defense environment into the critical infrastructure providers in the fortune 100 and say 'here is military-grade insider-threat technology.'"
Some of the government work falling under the cybersecurity umbrella is for implementing industry standard security measures, Kent says. This can be done by contractors known as body shops because they can provide the bodies needed to carry out tasks agencies choose to outsource.
Much of the government's cybersecurity work will be implementing what are considered industry best practices that might not yet be adopted in government networks, IP Architects' Pironti says. It will go a long way toward improving security, but won't require radically new technologies. "It's not as 'Mission Impossible' as you might think it is," he says.