Help in a dangerous world

As they press ahead with Web-based initiatives, government officials are finding that the Internet is fraught with peril.

"The environment is getting a lot more dangerous," said Jeffrey Hunker, dean of the Heinz School of Public Policy and Management at Carnegie Mellon University.

Threat sources now include not just traditional hackers but also sophisticated foreign intelligence and criminal operations, and the number of security incidents "is growing exponentially," said Hunker, who until January served as the senior director for critical infrastructure at the National Security Council.

In practical terms, those incidents are "increasing at a rate that is far beyond the ability of commercial and government organizations to address them," said Matthew Kovar, a senior analyst at the Yankee Group.

Already straining to improve security with limited resources, federal agencies are expected to increasingly rely on managed security service providers to protect their information technology infrastructures.

Pegged at $450 million last year, revenue from managed security services is expected to surge to $2.6 billion by 2005, according to the Yankee Group.

The three largest customers of those services are the financial, health care and government sectors, said Greg Coticchia, senior vice president and chief operating officer of TruSecure Corp., one of many companies crowding into the managed security service marketplace.

The vendors provide services such as managing and monitoring firewalls, intrusion-detection systems and antivirus programs.

Firewall management is the biggest seller, accounting for 60 percent of the market, but intrusion detection "has the potential to be as large if not larger," Kovar said. While firewalls filter access to systems, intrusion-detection systems provide "information about malicious activity riding over those systems," he said.

Security incident reports jumped from 9,859 to 21,756 between 1999 and 2000, according to the CERT Coordination Center, a federally funded research and development center operated by Carnegie Mellon University.

And as the number of incidents has grown, so has their severity, said Arvind Narain, senior vice president of Internet product and service delivery at Network Associates Inc.

During the past two years, information systems were imperiled by a succession of increasingly serious events, including distributed denial-of-service attacks, the I Love You, Anna Kourni.kova and SirCam viruses and the Code Red worm.

The ability of organizations to address those threats is hobbled by "a shortage of qualified security experts," said Ken Ammon, chief executive officer at Network Securities Technology Inc. (Netsec), an information security company.

Even with the IT market downturn, "the competition for highly trained information assurance professionals remains very, very keen," added Phillip Lacombe, president of infrastructure and information protection at Veridian Information Solutions.

It is a competition the government is unlikely to win. The government pay scale is not likely to attract skilled security personnel, said Sallie McDonald, assistant commissioner of information assurance and critical infrastructure protection at the General Services Administration.

A private security company can also offer "a better, more interesting career track" than federal agencies, added Allen Vance, director of product offerings at Internet Security Systems Inc.

To make matters worse, the round-the-clock demands of the online world are stretching the limits of existing agency expertise. "They are struggling to find the resources to provide management for all day, every day," said Jim Allen, manager of security professional services at Verizon Federal.

As they toil to meet current demands, agencies are being pressed to improve security by policy and legislative initiatives that have been developed in the past few years, including Office of Management and Budget Circular A-130, the President's Commission on Critical Infrastructure Protection, Presidential Decision Directive 63 and the Government Information Security Reform Act, said Lacombe, who was the executive director of the commission before joining Veridian.

Forging "a pretty strong policy statement" regarding the need for improved security, those initiatives are "driving federal agencies to make investments in infrastructure protection," he said.

In fact, Lacombe noted that officials at the Department of Veterans Affairs, with help from Veridian, are using the requirements in the initiatives to assess their "cybersecurity situation and devise a strategy to improve it."

Even with those initiatives, agencies are not rushing to outsource their security. "There has been a wait-and-see attitude," said Bob Wrede, senior vice president of government professional services at Netsec.

Government reticence is "really not surprising," said Amit Yoran, president and chief executive officer of RipTech Inc. "Historically, security has been thought of as something that should be done in-house." He said federal agencies have tended to "insource" rather than outsource security skills, preferring "to pay for bodies to use on site."

In fact, vendors report that many government agencies are using their services for in-house support.

"We have contractors in-house doing work for us over and above what our government staff is able to do," said Bruce Brody, associate deputy assistant secretary in the VA Office of Cyber Security. They may be doing "a little bit of localized firewall management or intrusion detection in the Los Angeles or Dallas area."

In the next few years, Brody plans to expand the use of managed security service providers as the agency works to centralize the control of the security technologies as much as possible. That would involve outsourcing at least some security functions.

"This cannot be done tomorrow," Brody said. "There is a right and a wrong way to do it. There are many issues to deal with."

For instance, there is the question of security clearances. "You need to make sure that contractors do background investigations of their employees," he said.

Vendor credentials must also be scrutinized. "A lot of companies claim to have talent in this area, and in some cases, it is merely a claim," he added.

Brody is compiling those and other criteria as he develops a new multiple-award contract offering managed security services. "It will be the mandatory vehicle for my office and the preferred contract vehicle for the rest of VA," he said.

Today, managed security services are available from several sources, including the Defense Information Systems Agency's Information Assurance/Information Technologies Capabilities contract and GSA's Federal Supply Service schedule and Safeguard program.

McKenna is a freelance writer based in the San Francisco Bay area.