Show Me The Money
The security arm of American Management Systems (AMS) in Fairfax, Va., is spending much of its time these days in "education and awareness mode," says Kristin Parker, director of information security for the $1.2 billion technology-consulting firm. "We're figuring out who is in charge of appropriating the money in the various agencies and what it will be spent on. We're doing due diligence for clients, so when they have the money, they will know who to trust."
Parker and other technologists inside and outside of government say it will be mid-2003 before federal, state and local agencies figure out exactly how they want to spend new money devoted to homeland-security technology. But solution providers shouldn't wait until then to assess the opportunities.
Solution providers specializing in security technology and services can expect renewed demand for virtual private networks (VPNs), public key infrastructure (PKI), identity-management packages, intrusion-detection systems, encryption tools and even firewalls as agencies add protective layers at the departmental level. There also will be a call for security-management systems that keep track of policies and procedures to make sure that configuration changes, new applications and new users don't degrade security.
Insiders also expect consulting services to be in high demand because government agencies don't typically have the internal expertise to apply holistic protection to network assets. These services range from vulnerability assessments to surveillance of physical data centers.
"I see a convergence of some of the physical and cyber pieces of security," says Daryl Eckard, director of security and privacy for the U.S. government solutions group at EDS. Consulting firms like EDS "don't typically have a lot of expertise in physical security, so we'll probably subcontract it," he says.
EDS' approach underscores the importance of partnerships to address the expanding security needs of government. Agencies will likely favor contractors they've worked with in the past, but those vendors and solution providers will need help to address their blind spots, says Douglas Brouillette, chief security consultant at Intergraph Solutions Group, the professional services arm of Intergraph in Madison, Ala.
"You'll see a significant amount of partnering and teaming, because no one has all the areas of expertise," says Brouillette, a computer-intelligence expert and retired U.S. Army colonel.
Think Locally
AMS' Parker, who says she used to work at "one of those three-letter agencies," expects many of the new homeland-defense dollars to trickle down to state and local governments. State agencies really are the first line of defense against terrorism threats, she says, pointing to their control of the police and highway patrol, health care and even the movement of hazardous materials.
"States track citizens," she says. "Think about how much power the DMV [Department of Motor Vehicles] will have in the future."
The importance of local authorities isn't lost on those who head the technology infrastructures at the state level.
The states, most of which are suffering through budget shortfalls, haven't made it a priority to update their data-security technology, says Matt DeZee, CIO for the South Carolina government. "But I think they are now," he says.
The challenge for the states is to place controls on computing infrastructures that for decades were operated by scores of state agencies rather than one central IT organization, says DeZee, who served as the CIA's director of computing infrastructure for two years before joining the South Carolina government last year. In his state, there are 85 different agencies, and only 13 are cabinet agencies controlled by the state government. It's even difficult to figure out how much the state spends each year on IT, he says, though he says it spends about $250 million per year on new projects.
DeZee, who also heads the security and reliability committee for the National Association of State Chief Information Officers (NASCIO), doesn't see terrorism as the top threat to state data centers. "When you think about cyberterrorism, there isn't much to gain by going into the South Carolina Department of Revenue," he says. Still, he's grateful there is now a broader awareness of the need to secure state systems.
And DeZee plans to take advantage of that awareness, with the help of solution providers. He relies heavily on consultants and integrators. "It's difficult for state agencies to recruit and retain security experts because we can't pay them market-value salaries," he says. He also favors small integrators over big ones because he wants specialists.
"When you go to the EDSs and CSCs of the world, the gamble is that you're paying an awful lot of money for a generalist," he says.
Most states plan to add layers of firewalls at the departmental level, DeZee says, to better protect sensitive data from outsiders. He also sees growth in encryption tools and intrusion-detection systems to create audit trails when penetrations are attempted. And he's interested in automated vulnerability-assessment services that look for application holes on a daily or weekly basis.
Federal Support Urged
VPN and PKI technologies are vital if federal law enforcement and regulatory agencies want to share more information with local authorities, DeZee says. VPNs can provide one-to-one encrypted tunnels between, say, the South Carolina government and the FBI, he says. And PKI and identity-management systems validate the identity of individuals handling sensitive law enforcement data.
However, DeZee is counting on federal support for VPN and PKI technologies because he doesn't believe state legislatures will pay for them. "States care about protecting their own data, Social Security numbers and driver's license information," he says. "We just don't have the money to say we need a few extra hundred thousand dollars to set up a VPN to share information with the FBI. Our legislators will say, 'So what?' It's politically easier to say we need encryption technology to protect our data."
The FBI and Office of Homeland Security wouldn't comment on their data security plans.
Larry Kettlewell, chief security officer for the Kansas state government, points to trends other than the terrorism threat as drivers of new security installations. Specifically, the Health Insurance Portability and Accountability Act of 1996 calls for the protection of personal health data, phased in over many years. Also, mandates at the federal and local levels to make more government services available online, an effort called E-Gov, place additional burdens on state governments to secure Web portals that pull data from various back-end systems.
"I'm looking for technologies that will automate our ability to audit, index and control the assets we have," Kettlewell says. He worries the state has lost track of computing assets inventoried during Y2K remediation. Every system that isn't tracked represents an opening for hackers.
Drew Koellmer, business development manager for Rutter Networking Technologies, a Woburn, Mass.-based VAR that does roughly half its business selling security solutions to state and local governments in Massachusetts, says he has seen an uptick in demand for NetIQ's Security Management and Administration solution, which allows users to set their own security policies and enforce them.
"They want us to work with them to implement policies and configure the software to alert and report on what it sees going on in their environments," Koellmer says.
The Government Information Security Reform Act, in place for more than a year now, requires agencies to perform self-assessments of their systems for vulnerabilities, points out John Lainhart, a partner at PricewaterhouseCoopers Consulting and former inspector-general for the U.S. House of Representatives.
These self-assessments can be farmed out, and many times they are, Lainhart says. "A number of agencies, because they don't have the expertise in-house, have RFPs out there asking for help from businesses to do these assessments," he says.
Experts advise solution providers to focus on the application layer rather than network security. The action is at the application layer because that's where all the data integration needs to take place among the many agencies that have to come together to combat terrorism. It's also where there are opportunities to help governments overcome business-process and cultural hurdles to sharing information. This area represents enormous growth in consulting revenues.
AMS' Parker also points out that applications are, in a way, a final frontier for security because each packaged application has its own set of limitations and vulnerabilities. "Oracle has its own set, [Microsoft] Windows has its own set, SAP has its own set, and so do PeopleSoft, Siebel and even Dell and Compaq," Parker says. Each application category and vendor package represents a niche for security consultants, she says.
Choose a niche now if you want to get in on the renewed interest in government data security. As slowly as the opportunity is building, it may disappear as quickly.
David Joachim is a business and technology writer in Port Jefferson, N.Y. E-mail him at [email protected].