The most notorious breach of a security company came early this year after an executive at HBGary Federal, a relatively small consultant eyeing a government contract, boasted publicly of his ability to unmask the members of Anonymous. In response, hackers made off with a large trove of the company’s e-mail messages and dumped them online, exposing details of its business transactions.
Greg Hoglund, who is the chief executive of HBGary, the parent company that owns a minority stake in HBGary Federal, said that the breach was the result of “a human mistake” and that his firm, along with other security companies, had fortified their systems since then.
“It was a wake-up call for the entire security industry,” Mr. Hoglund said. “It probably needed to happen. I wish I didn’t have to be the sacrificial lamb.”
As unlikely as it may seem, HBGary Federal still has a contract to help an unnamed federal agency sniff out spies inside its organization. And HBGary continues to sell its software, intended to ferret out the circumstances of a network intrusion.
For its part, ManTech posted a vague statement on its site last Friday after the Anonymous attack, saying that it addresses threats to its information systems and pointing out the obvious: “All organizations attract cyber threats in our highly networked world.”
An academic who studies computer security, who declined to be named because he consults for the government, described the Anonymous attacks on security companies in blunt terms: “They’re pulling their pants down publicly.”
The spate of attacks — and the fear of more — could actually end up buoying the fortunes of the global security industry. A nationwide survey of company technology managers, conducted by Forrester Research, found that computer security had increased as a share of the total information technology budget of companies, to 14 percent this year from 8.2 percent in 2007. Of those surveyed this year, 56 percent said it was a high priority to “significantly upgrade.”
“The landscape is more menacing now,” said Eve Maler, principal analyst for security and risk at Forrester. “Even the most experienced practitioners are in the process of upping their game.”
All of the major defense and intelligence contractors have expanded their digital security wings in recent years. They are simply following the money. The business of security for government agencies is growing by an enviable 9 percent a year, according to the research firm Input/Deltek. Federal government contracts alone amount to over $9 billion today and are projected to grow to $13.3 billion by 2015. “Cybersecurity,” Deltek concluded in a recent report, “is somewhat immune to spending and budget cuts.”
For better or worse, said Jonathan L. Zittrain, a Harvard Law School professor, securing the Internet has been largely left to private players — and even government information is increasingly guarded by private companies, whose actions can be difficult to monitor and hold accountable.
“In the absence of larger public order, we’ve seen do-it-yourself approaches: the technologically savvy can configure their own firewalls, and corporations can try to buy security,” he said. “But this can be as figuratively dicey as trying to get and maintain security contractors in Baghdad immediately following the fall of Saddam Hussein.”