DoD Cybersecurity Spending: Where’s the Beef?
As the US defense budget is seeing targeted cuts, one area that seems to be getting more money is cybersecurity. The US military has announced plans to spend billions on technology to secure its networks.
In response to this shift in priorities, traditional defense contractors, such as BAE Systems, General Dynamics, Lockheed Martin, and Northrop Grumman have been on a buying spree, snatching up cybersecurity firms left and right. At the same time, a number of these companies have proven vulnerable to cyber attacks themselves, with some analysts seeing a tie to a security breach at RSA, which provides technology for remote access of employees to their corporate networks.
This article examines this shift in the US defense industry and defense spending regarding cybersecurity. In particular, the article examines where the money being earmarked for cybersecurity is going and what kind of initiatives are being undertaken by the US military.
Prime Contractors Go Cyber Shopping
To cash in on the increased spending on cybersecurity, a number of big defense contractors acquired many cybersecurity firms over the last few years. BAE Systems for example has spent billions of dollars gobbling up firms. In 2011, BAE Systems acquired Norkom Group, a Dublin, Ireland-based cybersecurity firm, for around $344 million. This followed the acquisitions of US-based Detica for around $1 billion; the Danish ETI A/S for $212 million; and Australian firm stratsec.net for $23 million.
Early in 2011, Raytheon won a bidding war to acquire for $490 million Applied Signal Technology, a Sunnyvale, Calif.-based provider of cybersecurity and intelligence services to the military. The company’s products include secure broadband network communications; cyber intelligence systems, software and analytics to address cyberspace threats; electronic warfare solutions; and other capabilities that enable military customers to detect, evaluate and respond to cyber threats. It will be will be integrated into Raytheon’s Space and Airborne Systems business. Raytheon beat out Cobham, L-3 Communications, and Science Applications International Corp. to acquire Applied Signal. Raytheon had earlier purchased BBN Technologies.
Likewise, Boeing has made several acquisitions in the cyber sector, including the $775 million purchase of Argon ST, a supplier of military cybersecurity and C4ISR systems, in 2010. Both Lockheed Martin and Northrop Grumman CEOs have expressed their interest in scooping up more cybersecurity firms.
Now that the defense industry has positioned itself in the cybersecurity market, the US Department of Defense wants to expand its cooperation with cybersecurity contractors to improve defenses for military computers and networks.
The Pentagon is looking to reduce the lag time between development of new cybersecurity technology and its deployment, said Robert Butler, deputy assistant secretary of defense for cyber policy. Speaking to reporters at an October 2010 Washington briefing, Butler said that DoD also wants to promote supplier diversity to improve competition and guard against compromise of the supply chain.
Butler said that the Pentagon also plans to screen cybersecurity components and subcomponents better and to manage the risks involved in the manufacturing processes.
Where’s the Money Going?
Not only are defense contractors positioning themselves for cybersecurity business, but also the Pentagon has indicated it plans to spend a lot more on cybersecurity despite cuts in the overall budget.
“Some things are going to be eliminated, some things are going to be reduced and some things are going to be increased. I think cyber is one of the ones that we are going to more likely increase than decrease,” William Lynn, US deputy secretary of defense, told Bloomberg in a May 2011 interview.
In its FY 2012 budget proposal [PDF], the Pentagon said it plans to spend $2.3 billion on cybersecurity capabilities. It said the money would go toward programs like the new US Cyber Command, construction of a Joint Operations Center for Cyber Command at Ft. Meade, Md., $500 million for new related technologies, and funds for training and improved situational awareness.
However, the Air Force said that it would spend $4.6 billion alone in FY 2012 on cybersecurity. In response to this discrepancy, NextGov queried the Pentagon and they came up with a revised figure of $3.2 billion in cybersecurity spending department-wide, including the services. The Pentagon attributed the discrepancy to the Air Force including a broad range of spending not directly related to cybersecurity and information assurance, such as IT infrastructure.
There has been problems with fuzzy definitions before, particularly between the terms “information assurance”, the more traditional Pentagon phrase, and cybersecurity. Information assurance includes “measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and nonrepudiation,” according to the Defense Acquisition Guidebook (DAC).
By contrast, cybersecurity is a much broader, more amorphous term; it is difficult to find a DoD definition of the term. The Obama administration’s cybersecurity legislation proposal [PDF], submitted to Congress on May 12/11, defines cybersecurity services as “products, goods, or services intended to detect or prevent activity intended to result in unauthorized access to, exfiltration of, manipulation of, or impairment to the integrity, confidentiality, or availability of an information system or information stored on or transiting an information system.” Cybersecurity threat is defined as “any action that may result in unauthorized access to, exfiltration of, manipulation of, or impairment to the integrity, confidentiality, or availability of an information system or information stored on or transiting an information system.”
This confusion about definitions could lead to discrepancies in budget figures as well as problems with the procurement process. “The flaws in the definitions will follow into the procurement cycle and you will end up with the government buying maybe what it doesn’t need,” said Robert Burton, who served as the top career federal procurement official in the White House Office of Federal Procurement Policy during the George W. Bush administration.
“When people can’t even agree about the most basic terminology, you know there is going to be a lot of confusion,” said Noah Shachtman, a nonresident fellow at the Brookings Institution and a contributing editor at Wired magazine. “The chances there aren’t billions of dollars in redundancies are slim to none.”
If we stick to the figures the Pentagon provided to NextGov, which were revised from the original figures given in the FY 2012 budget documents, we get the following breakdown.
- Defense agencies, which include Defense Advanced Research Projects Agency (DARPA), the Defense Information Systems Agency (DISA), and the National Security Agency (NSA), are asking for $1.6 billion: $1.076 billion for information systems security programs, $19 million to shore up cybersecurity in the defense industrial base, $37 million for public key infrastructure (also known as digital certificates) to improve network security, $198 million for cybersecurity initiatives, and $274 million for other programs.
- Army is asking for $432 million: $224 million for information systems security programs, $13 million for improving the cybersecurity of the defense industrial base, $195 million for other Army programs.
- Air Force is seeking $440 million: $339 million in information systems security programs, $24 million for the defense industrial base, $39 million for public key infrastructure, $19 for cybersecurity initiatives, and $19 million for other Air Force program.
- Navy is asking for $347 million: $249 million for information systems security programs, $3 million for the defense industrial base, and $95 million for other Navy programs.
- Other spending includes $159 million for the new US Cyber Command, $26 million for the Defense Cyber Crime Center, and $258 million for various science and technology cyber efforts.
It appears that the bulk of the Pentagon’s spending on cybersecurity is going to traditional information systems security programs, a total of $1.9 billion. DoD information systems are defined by the DAC as “entire infrastructure, organization, personnel, and components for the collection, storage, processing, maintenance, use, sharing, dissemination, disposition, display, or transmission of information.”
Protecting these systems is the bread and butter of most traditional cybersecurity firms–firms which the big defense contractors are busy buying up. So they should be well positioned to cash in on this spending.
By contrast, DARPA is looking to spend millions on advanced cybersecurity programs: $24 million for the Cyber Genome project, which is designed to identify malicious code; $6.5 million Crowd-Sourced Cyber, which focuses on crowd-sourced approaches to cybersecurity; $4.67 million for Cross-Layer Network Security, which will improve network security through the use of multiple networked layers; $20 million on Resilient Networks, which would develop routing and switching software to respond to cyber attacks; $15.83 million for Cyber Camouflage, Concealment and Deception, which would develop network deception techniques; and $12 million on Cyber Inside Threat (CINDER) to combat insider threats to networks.
These initiatives will require specialized knowledge on the part of contractors, as well as a strong research and development department. These programs might not be lucrative ground for traditional firms; universities might be more likely beneficiaries of these efforts.
US Cyber Command
In May 2010, the Pentagon stood up the US Cyber Command to coordinate defenses of DoD military networks and to conduct “full-spectrum military cyberspace operations…in all domains.”
US Cyber Command is headed by Gen. Keith Alexander, who is also NSA director, and reports to the US Strategic Command. Service elements of the US Cyber Command include the Army Cyber Command, the 24th Air Force, the Navy’s Fleet Cyber Command, and the Marine Forces Cyber Command.
While the US Cyber Command’s role in defending DoD networks has not been controversial, its effort to expand its authority into defending civilian critical infrastructure has generated controversy and brought it into direct conflict with the Department of Homeland Security (DHS).
In September 2010, Alexander proposed expanding the US Cyber Command’s authority to take on the broader role of protecting US critical infrastructure networks and systems. Alexander told a House panel that the White House was examining the legal authority needed for the Cyber Command to take on this broader role in defending cyberspace.
The general said that the US critical infrastructure – for example, energy, utilities, public transportation, banking, and chemical industries – is increasingly dependent on networks and thus increasingly vulnerable to cyber attack.
In response, DHS Secretary Janet Napolitano stressed in a December 2010 speech that the US cybersecurity effort to protect civilian critical infrastructure should be led by a civilian government agency, not by the military or by the private sector alone.
“Now, there are some who say that cybersecurity should be left to the market. The market will take care of it, and there are some who characterize the Internet as a battlefield on which we are fighting a war. So it’s the market or the war. Those are the two analogies that you hear. Not surprisingly, I take a different position. In my view, cyberspace is fundamentally a civilian space, and government has a role to help protect it, in partnership with responsible partners across the economy and across the globe.”
In calmer moments, both Alexander and Napolitano admit that protecting US civilian critical infrastructure needs to be a coordinated effort among DoD, DHS, and private industry.
In March 2011 testimony to the House Armed Services Committee, Alexander said the cyber command plans to develop a hardened IT infrastructure that involves the use of cloud computing and thin-client networks. This would involve the moving of programs and data away from desktops to a centralized configuration that would enable tighter controls over network access and reduce vulnerabilities.
Alexander told lawmakers:
“This architecture would seem at first glance to be vulnerable to insider threats–indeed, no system that human beings use can be made immune to abuse–but we are convinced the controls and tools that will be built into the cloud will ensure that people cannot see any data beyond what they need for their jobs and will be swiftly identified if they make unauthorized attempts to access data.”
Cybersecurity firms could have a role in helping the US Cyber Command implement this hardened IT infrastructure concept, particularly cloud computing and thin-client providers.
Contracts have already been awarded by the command to help it establish its current facilities. For example, in 2010 Booz Allen Hamilton received a $14.4 million contract to build the command’s control center, and Integral Systems won a contract to provide commercial satellite geolocation services for the command’s Global Satellite Communications Support Center. The center, located at Peterson Air Force Base in Colorado, monitors commercial satellite communication teleports to detect deliberate interference with the satellites.
Pentagon’s Cyber 3.0
Another initiative that could take the Pentagon more into the private sector is Cyber 3.0. In February 2011, Lynn launched Cyber 3.0 as a public-private partnership with industry. In a speech to the RSA Conference, he identified three primary threats to US government and private sector networks:
“To date the most prevalent threat has been the exploitation of our networks. By that I mean the theft of information and data from both government and commercial systems…More recently, a second threat has emerged: the disruption of our networks. This is where an adversary seeks to degrade or deny an important government or commercial network…The third and most dangerous cyber threat is destruction, where cyber tools are used to cause physical damage.”
Lynn explained that the Cyber 3.0 strategy is based on five pillars: cyberspace is a new domain of warfare; DoD must apply active network defenses; critical infrastructure must be secure; collective cyber defenses are needed with allies; and private sector resources must be utilized by the military.
“The threats we face in cyberspace target much more than military systems. Cyber intruders have probed many government networks, our electrical gird, and our financial systems. Secure military networks will mean little if the power grid goes down or the rest of the government stops functioning,” Lynn said.
“Cyber defense is not a pure military mission, like defending our airspace, where the primary responsibility lies with the military. The overwhelming percentage of our nation’s critical infrastructure – including the Internet itself – is largely in private hands. It is going to take a public-private partnership to secure our networks,” the deputy secretary of defense said.
Lynn explained that for a public-private partnership to be successful, a number of avenues of cooperation should be pursued: information sharing between the military and industry, working to reverse the technological advantage held by intruders seeking to penetrate networks, exchange of cybersecurity technologies between private industry and the military, and extending active military defenses to critical infrastructure.
Active defenses include such initiatives as Einstein 3, which is a network intrusion detection and protection system developed by NSA to protect federal government networks. Einstein not only detects when an attackers is trying to gain access to a network, but also takes immediate automated action to prevent the attack. DHS is seeking $233.6 million in FY 2012 spending to fund deployment of Einstein 3 through the federal government.
“Owners and operators of critical infrastructure could benefit from the protections that active defense provide. We have the technology and know-how to apply them in civilian contexts. The real challenge at this point is developing the legal and policy framework to do so,” Lynn said.
The Pentagon also plans to add $500 million in new research spending in cyber defense technologies with a focus on cloud computing, virtualization, and encryption processing, Lynn said.
The Pentagon’s effort to expand its authority into private sector cyber defense is likely to open up more opportunities for cybersecurity firms and their big defense firm owners to win DoD contracts for critical infrastructure protection.
Is the Boom a Bust?
Not everyone is convinced that DoD cybersecurity spending is going to be a boom for defense firms. In a Forbes magazine blog, Loren Thompson, chief operating officer at the Lexington Institute, argued that DoD cybersecurity business will not live up to expectations for a number of reasons.
First, the billions ($2.3 billion or $3.2 billion, take your pick) the Pentagon expects to spend on cybersecurity in fiscal year 2012 is just a drop in the bucket of the Pentagon’s overall budget request of $553 billion. “With every major contractor in the business straining to get a piece of this relatively small pie, the prospects for making a killing are not high,” Thompson said.
Second, cybersecurity threats are diverse and evolving, which will make it hard for defense contractors to establish durable franchises. In the usual scenario, defense contractors win a contract to supply a major weapon system over a number of years. But in cybersecurity realm, the threats change on a weekly basis. “The dynamism of cyber threats combined with the slow pace of federal acquisition procedures is a prescription for continuous frustration among contractors,” he said.
Third, there are relatively low barriers to entry for the defense cybersecurity market. Niche firms can compete with the heavy hitters for business if they have a solution to an urgent problem. “Some of the bigger companies in the defense business aren’t accustomed to having so many competitors jostling for attention,” Thompson noted.
Fourth, demand for talented cybersecurity experts far exceeds the supply, so companies are bidding against each other to get the scarce expertise. In addition, gaining security clearances for foreign nationals with the cyber expertise will be a challenge for defense companies. Thompson noted that Lockheed Martin probably has a leg up in this area since it already has a large federal cybersecurity business.
Fifth, there is variability in federal government management quality in the cybersecurity space. “These problems are most apparent at the program manager level, where middle-level executives may lack the experience to select among competing solutions to a problem,” he said, adding that non-competitive compensation offered by the government compared to private industry exacerbates the problem.
“So far, these various drawbacks have not discouraged big contractors from continuing to pursue cyberwarfare opportunities. The most aggressive players at present seem to be Raytheon, Science Applications International, General Dynamics and Lockheed Martin, but other players like BAE Systems and Boeing are rapidly bulking up,” Thompson said.
Despite skeptics’ misgivings, there is no question that the Pentagon is increasing its spending on cybersecurity products and services. It’s up to the vendor community to go after those opportunities and make sure they enjoy the boon, and not experience the bust.
Selected Contacts As of June 2011
- Terry Collins, chief operating officer, Argon ST (Boeing), tel: 703-322-0881
- Richard Colven, US country manager, Detica NetReveal (BAE Systems), tel: 646-216-2143
- Susan Maraghy, vice president of homeland security and information technology, Lockheed Martin, tel: 703-413-5910, email susan.a.maraghy @ lmco.com
- Lt Gen Robert E. Schmidle Jr., deputy commander, US Cyber Command, email robert.schmidle @ usmc.mil
- Mike Papay, vice president of cyber initiatives, Northrop Grumman, email CyberGroup @ ngc.com
- William Van Vleet, president of Raytheon Applied Signal Technology, tel: 408-749-1888
- DID – Cyberwar: Pentagon Takes On Cyber Enemies, Other Agencies
- US DoD – Cybersecurity Website
- US STRATCOM – US Cyber Command Fact Sheet
- NextGov (May 20/11) – Tighter Defense Budget May Mean Tighter Cybersecurity
- C4ISR Journal (May 12/11) – Rethinking Cybersecurity
- Bloomberg (May 12/11) – Cyber Security May Gain in Pentagon’s Budget Review, Lynn Says
- Forbes (May 9/11) – Cyberwarfare May Be a Bust for Many Defense Contractors
- Reuters (May 8/11) – Defense Budgets to Aid IT, Cybersecurity Firms
- Nextgov (March 29/11) – Defense Funding for Cybersecurity Is Hard to Pin Down
- InformationWeek (March 21/11) – Cyber Command Pursues ‘Defensible’ IT Architecture
- CSO (Feb 16/11) – DoD: Military Must be Capable Within ‘Cyber’ Domain
- Fierce Government IT (Feb 16/11) – Cybersecurity runs deep in fiscal 2012 budget request
- Cybersecurity News (Feb 15/11) – US Deputy Defense Secretary Reveals ‘Cyber 3.0’ Details
- Wired.com (Feb 14/11) – DARPA Gets Big Bucks for ‘Cyber Tech’ (Whatever That Means)
- Reuters (Dec 7/10) – Applied Signal auction ignites cybersecurity M&A
- The Street (Nov 19/10) – Defense Companies to Get Cyber Boost
- GovConExec (July 15/10) – The Cyber Arms Race: Building a Cybersecurity Capability through Acquisition
- AFPS (Feb 4/10) – Cybersecurity Seizes More Attention, Budget Dollars