Cyberwarfare May Be A Bust For Many Defense Contractors May. 9 2011 - 2:20 pm | 2,411 views Posted by Loren Thompson
http://blogs.forbes.com/beltway/2011/05/09/washingtons-cyberwarfare-boom-loses-its-allure/ As federal spending on national security has leveled off in recent years, big defense contractors have worked hard to secure a role in one of the few market segments expected to keep growing: cyberwarfare. It’s a relatively new field where the terminology hasn’t stabilized yet, but for the purposes of this posting, cyberwarfare means three things: attacking enemy networks, exploiting enemy information flows, and defending friendly networks. Most of the money Washington is currently spending on cyberwarfare goes to the latter activity — securing friendly networks — but offensive activities seem to be growing faster over time. They’re really just different sides of the same coin, since it’s hard to be good at defending computer networks if you don’t have a thorough understanding of how to attack them. The cyber goldrush was sparked in 2008 when President Bush signed two directives establishing a Comprehensive National Cybersecurity Initiative in response to the growing number of digital assaults on federal networks. The initiative was a signal to industry that a new demand driver had appeared in the marketplace just as everyone was getting ready for a prolonged downturn in military purchases. Seeing few other domestic opportunities on which to place bets with the cash they had accumulated during flush years, military contractors poured into the cyberwarfare field, building operations centers, purchasing niche players, and competing aggressively for contracts. The thinking was that cyber threats would keep proliferating for the foreseeable future, and defense companies were more likely to have the necessary clearances and market knowledge to compete in cyberwarfare than outsiders like Google or Microsoft. No doubt about it, the cyberwarfare market has grown fast, helped along by an Obama Administration commitment to expand and refine the digital security efforts of its predecessors. Within months after taking office, President Obama established an executive-branch cybersecurity coordinator and a new Cyber Command colocated with the super-secret National Security Agency at Fort Meade, MD. NSA does most of the government’s eavesdropping, so putting the command nearby and making its head the same general who runs the spy agency was a no brainer: NSA already had the ability to monitor internet traffic for hackers and other malefactors. Setting up the new command, staffing components from each military service, and implementing more stringent network security procedures at each federal agency will generate about $9 billion in federal outlays this year. Additional billions will be spent on classified programs to probe and monitor foreign networks, such as those in China. But even as the government’s cyberwarfare effort expands, some industry executives are beginning to wonder just how lucrative this new opportunity is likely to be. They already know it can’t fill the revenue hole created by cancellation of dozens of weapons programs in recent years, and now they’re starting to suspect the cyber field is so hyper-competitive and volatile they can’t even count on it for significant earnings anytime soon. Once you get past all the fashionable rhetoric about information-age warfare and anarchy on the web, it’s easy to see why they might be having second thoughts. Let’s consider the many ways in which the cyberwarfare market should raise red flags for investors. The first thing to understand about the cyberwarfare market is that, at least by federal standards, it just isn’t very big. The $9 billion being spent this year on so-called information assurance and security activities is barely one day of federal spending at present rates, and it is fragmented among numerous agencies. It’s true that the lion’s share of funding goes to the Department of Defense, which oversees additional billions spent on network attack and exploitation, but in an organization that annually passes out $400 billion in contracts, it still doesn’t amount to much. Market research firm Input projects federal cybersecurity funding will increase 9% annually through 2015, but the government is entering a period of severe fiscal austerity and there are many other claimants for government dollars. With every major contractor in the business straining to get a piece of this relatively small pie, the prospects for making a killing are not high. A second problem with the cyberwarfare business is that threats are diverse and continuously evolving, which means it is hard for contractors to establish durable franchises. When companies compete to build military hardware, they expect that once a contract is won they will be the sole supplier of a weapon system for a decade or longer. But in cyberwarfare the government’s needs keep changing because new threats emerge on a weekly basis. For instance, the deluge of WikiLeaks that has embarrassed policymakers in recent months has shifted attention from keeping hackers out of networks to keeping information in, which turns out to be a rather different challenge. The dynamism of cyber threats combined with the slow pace of federal acquisition procedures is a prescription for continuous frustration among contractors. A third issue facing companies pursuing cyberwarfare opportunities is the relatively low barriers to entry in the current market. That’s probably less true in the offensive segment of the market, where activities are so secret that companies must have special qualifications to bid, but on the defensive side of the ledger there are dozens of contractors and new niche players are constantly emerging. The cyberwarfare space is still wide open to any company that comes up with a point solution to an urgent problem, which means yesterday’s winners can turn into today’s losers. That’s good for aggressive, agile companies like Raytheon that are willing to take risks and buy up niche players as they prove themselves, but some of the bigger companies in the defense business aren’t accustomed to having so many competitors jostling for attention. A fourth and related problem in the cyberwarfare space is the shortage of available talent, particularly in network attack and exploitation skills. The cyberwarfare market grew so fast that it outstripped available labor pools, so companies now find themselves bidding against each other and the federal customer for scarce skills. It’s not that finding cyber specialists is hard, but securing the necessary clearances (foreigners need not apply) and keeping them trained so they can respond to the latest requirements is a constant challenge. This probably works to the advantage of Lockheed Martin, which is the biggest player in the federal information services market, because it has the mass and resources to keep up with changing needs, but for smaller players it’s a big problem. Lockheed has recently won several major cyberwarfare awards at the expense of competitors, and seems to be a preferred destination for many specialists in the field. A fifth difficulty in the government cyberwarfare market is the variability of management quality from agency to agency on network-related matters. Industry insiders generally agree that the National Security Agency has the greatest depth and breadth of expertise, because it has been working cyber issues far longer than other agencies. Executive expertise at the Department of Defense is more uneven, and at the Department of Homeland Security it is frequently deficient. These problems are most apparent at the program manager level, where middle-level executives may lack the experience to select among competing solutions to a problem. The job classification process and compensation levels prevailing in the federal civil service are not well suited for putting the best people into positions overseeing cyberwarfare work. A final, chronic defect in the cyberwarfare market is the loose coordination of federal efforts to secure networks, not just between agencies but even within them. For example, at the same time that the Navy has stood up a cyber command to protect its warfighting nets, it has begun implementing a new information architecture called the Next Generation Enterprise Network likely to be more vulnerable to hackers and spies. The new network replaces a single system integrator with multiple teams of contractors who must compete annually for work, creating the kinds of seams and discontinuities intruders might seek to exploit. The fact a military service that invented the concept of network-centric warfare could pursue such an architecture at this late date suggests that in some parts of the federal government, nobody is really in charge of cyber policy or has the authority to mandate security standards. So far, these various drawbacks have not discouraged big contractors from continuing to pursue cyberwarfare opportunities. The most aggressive players at present seem to be Raytheon, Science Applications International, General Dynamics and Lockheed Martin, but other players like BAE Systems and Boeing are rapidly bulking up. In other segments of the national-security marketplace, two or three of these companies would eventually emerge as the dominant players, and the rest would move on. But cyberwarfare isn’t like other market segments — it is still in flux, and may remain that way for a long time to come. That means even if government spending on cyberwarfare keeps growing, some players straining to get into the business are not going to be happy with how this new opportunity works out. _______________________________________________ Infowarrior mailing list [email protected] https://attrition.org/mailman/listinfo/infowarrior
