Cyber Security, The Corporate Business Opportunity

One person's problem is another's solution.

Lockheed Martin is one of the world's largest defense contractors. It is also a victim of cyber attack. Instead of trying to damp down reporting about that series of hacks in fear of what it might do to its reputation, the company has used the experience to bolster its business by selling its analysis of the event, its precedents and its after-effects as a case study of what to expect and how to prevent it from happening to others.

In so doing, Lockheed and some of its similarly situated competitors, like Raytheon, have not only established themselves as experts in the field, but have used their most favored contractor status with the US government to gain access to classified data which further secures their competitive advantage.

As cyber attacks have multiplied against banks, pharmaceutical companies, oil exploration companies, electric utilities, tech firms and virtually any other business with intellectual capital worth stealing, the business of providing cyber security has grown apace. While specialists in the tech community originally dominated the profession, the scale, intensity - and value - of the data compromised have made this a market of sufficient size to attract global corporations with the wherewithal to hire and compensate accordingly.

The coevolutionary nature of cyber security and cyber attack assure that the threat and the business will continue to escalate. For some this is an assault on the nation's - or their businesses' integrity. For others it is simply a new growth market with lots of upside. JL

Chris Strohm reports in the Washington Post:

Lockheed Martin Corp. and Raytheon Co. are vying with telecommunications companies to defend banks and power grids from computer attacks, in a program that gives them access to classified U.S. government data on cyber threats.

President Barack Obama’s Feb. 12 cybersecurity executive order authorized the Department of Homeland Security to let new companies get the government intelligence. Obama and U.S. officials have said sharing classified threat data with companies is essential to help prevent cyber-attacks that could cause deaths or economic disruption.

So far, the two defense contractors have signed up for DHS’s Enhanced Cybersecurity Services program, joining previous participants AT&T Inc. and CenturyLink Inc.

Under the program, the companies are provided -- free of charge -- computer threat “signatures,” such as timestamps and coding used in attacks, which have been obtained by the National Security Agency and other agencies. The companies can use this intelligence to strengthen cybersecurity services they sell to businesses that maintain critical infrastructure.

“The demand is there. I think the priority is there, and the threat is serious,” Steve Hawkins, vice president of information and security solutions for Raytheon, said in an interview.

Cybersecurity Market

Defense contractors like Raytheon view cybersecurity as a growing business as Pentagon spending stalls or declines on more traditional military programs, Hawkins said. Raytheon, of Waltham, Massachusetts, has acquired 12 companies specializing in cybersecurity since 2007, he said. The acquisitions include Greer, South Carolina-based Teligy Inc. in October, which specializes in wireless cyber protection, and Herndon, Virginia- based Trusted Computer Solutions Inc. in November 2010, which specializes in network security.

“We work with literally every organization across the government as well as many Fortune 500 companies,” Hawkins said. Raytheon now wants to “make cybersecurity affordable to medium- and small-sized businesses.”

The Homeland Security department determines which companies qualify as “commercial service providers.” To be eligible, companies must be able to safeguard classified information, have employees with security clearances, and be positioned to provide cybersecurity services to businesses, Darrell Durst, a vice president of cyber solutions at Bethesda, Maryland-based Lockheed said in an e-mail.

Lockheed, the nation’s largest contractor, already provides cybersecurity services to corporate and government clients and will use the new program “to offer additional cyber services to a broader set of customers,” Durst said.

‘Business Opportunity’

Raytheon and Lockheed signed agreements with DHS within the past two weeks to join the program. So far, CenturyLink and Dallas-based AT&T, the biggest U.S. telephone carrier, are the only other approved providers.

“While it is a business opportunity, we also see it as vital to the continued economic vitality of the U.S.,” Diana Gowen, a senior vice president for Monroe, Louisiana-based CenturyLink, said in an e-mail.

The broader dissemination of cyber-threat data “in a controlled fashion is a good thing” and can “help assure that more companies have access to information for protecting their systems,” said Jessica Herrera-Flanigan, a partner with Monument Policy Group, a lobbying firm, and former Democratic staff director of the House Homeland Security Committee.

Defense contractors have worked with the Pentagon for years in using classified intelligence, and letting them “become involved more broadly with processing cyber threat information should aid in efforts to bolster the program,” Herrera-Flanigan said in an e-mail.

Providers Multiply

The creation of a market based on classified U.S. cyber threat data follows Congress’s failure in November to pass legislation requiring companies operating critical infrastructure to adopt cybersecurity standards.

Obama issued the executive order last month expanding DHS’s cybersecurity services program to boost protections for vital U.S. facilities, such as power grids, financial institutions and air-traffic control networks. DHS decides which infrastructure companies can contract with the cybersecurity providers, which can then use the government’s intelligence to scan their networks for the threat signatures and provide defenses.

There could eventually be dozens of commercial service providers from a variety of industries, Bruce McConnell, cybersecurity counselor at the Homeland Security Department, said in an interview. “I think you will see other companies get into this business,” he said.

Information Sharing

Companies can get cyber threat information directly from DHS without using a commercial service provider if they have the proper security controls, McConnell said.

The commercial service providers can voluntarily share cybersecurity information with the government, according to Homeland Security.

Any data exchanged between government and service providers must be aggregated, anonymous and statistical, such as “the timestamp of the cyber event, the indicator that was involved, and the identification of the critical infrastructure sector of which the affected company is a member,” according to DHS.

Company names of victims or other identifiable information will not be shared, the department said.

The American Civil Liberties Union and other privacy groups have raised concerns in the past about companies sharing cybersecurity-related information with the government.

“A key question is how to balance the need for better, more timely cybersecurity information with other needs such as protection of privacy and civil rights as well as legitimate business and economic interests,” the Congressional Research Service wrote in a March 1 report, which was obtained and published by the Federation of American Sciences.