President Obama’s plan to beef up the federal government’s cybersecurity efforts will likely give a boost to providers of information security technology. But data security experts have their doubts about the overall long-term benefits of the approach outlined last Friday.
By placing a new focus on cybersecurity, the Obama administration will increase the government’s spending on information security products and services.
Companies that provide the full gamut of information security technology — including intrusion detection, encryption, and malware protection — as well as companies that provide cybersecurity services to the government, are likely to see a financial boost from the Obama plan.
"We have been highlighting for some time that Symantec and McAfee as likely to get the most benefit," says Rob Owens, senior research analyst at Pacific Crest Securities. "You’re also going to see some of the smaller vendors in this space, like Sourcefire and ArcSight also get some benefit. That’s more a function of their overall government mix. We also like some services companies, with SAIC, NCI being our favorites."
Owens points out that the Obama plan continues the efforts of Comprehensive National Cybersecurity Initiative (CNCI), which was put in motion last year by the Bush administration to improve how the federal government protects sensitive information from hackers and nation states trying to break into agency networks.
He says these companies started seeing benefits from CNCI earlier this year. After Obama’s plan is put in place, Owens believes the trend of increased information security spending by the government will last for the next four to five years.
"Our federal systems are significantly lacking," he says. "At the end of the day, we haven’t been spending enough. We’ve seen material intrusions from hacking groups and foreign nations in our federal systems. There’s a lot of money being spent to shore up these systems."
But the focus on technology spending and responding to intrusions is exactly what worries John Pescatore, vice president and research fellow at Gartner.
"The biggest danger is mistaking more spending on security for higher levels of security," he says. "In reality it’s quite often the opposite. Big global companies that have the best security track record aren’t always the ones who spend the most on security."
Instead, Pescatore says a better approach is for the government to accelerate the market for better security through leading by example. He points to the Office of Management and Budget’s recent security directives as a model.
"A couple of years ago, there was a highly publicized case where a Department of Veterans Affairs laptop was stolen, and about 27 million records were exposed," he says. "OMB came out with mandates that all government agencies must put encryption on laptops. That was an example of, 'OK, the government’s buying it.' Now all of a sudden there are a lot more suppliers, a lot more competition, and the price for encryption has dropped."
Threat Detection vs. Prevention
Noting that information technology is an essential aspect of everyday life, Obama will appoint a cybersecurity coordinator — or so-called cybersecurity czar — who will integrate all cybersecurity policies for the government. Those chores are currently spread out among disparate agencies, including the FAA, FBI, and the Department of Homeland Security.
The coordinator, expected to be named this week, will be a staff member of the National Security and National Economic councils. (The administration’s "Cyberspace Policy Review" is available for download on the White House’s Web site.)
Bruce Schneier, chief security technology officer of BT, notes that many details have yet to be determined, including how much money will be committed to the effort and the nature of the cybersecurity coordinator’s role.
"The problem we’ve had with previous cybersecurity czars is that they had no budgetary authority, so all they could do was cheerlead and cajole," he says.
Security analysts also expressed doubts about the national security focus of the position. Pescatore acknowledges responding to threats from foreign nations is important, but he believes the coordinator’s role should be to drive better levels of security throughout the federal government.
"President Obama appointed a chief information officer and a chief technology officer for the government, which is what most private industry companies have. The third thing most private companies have is a chief information security officer," he says.
"Where’s the operational leader within the government who’s going to make sure what’s put in that IT budget is increasing security versus simply saying let’s buy more security products?" he adds. "That’s why a czar in a national security-centered thing, as far as being the operational leadership, doesn’t make sense."
Obama’s plan also calls for strengthening public-private partnerships, with the government collaborating with private companies to "find technology solutions that ensure our security and promote prosperity."
The vast majority of information networks are privately owned. But Schneier isn’t convinced that the government will be able to get private companies to participate without offering incentives or introducing new legislation.
"Companies will jump on board to the extent that it benefits their bottom line," he says. "If you tell the chemical industry that they must secure your networks to a certain level, they’re not going to jump on board. If you tell them, 'Here are your tax breaks,' then they’ll say, 'Great, I'm on board."
Nonetheless, security experts say the fact that the Obama administration is making cybersecurity a priority is a positive development. Pescatore says it’s likely that proposed legislation will be put on a faster track, such as the Information and Communications Enhancement Act, which revises the Federal Information Security Management Enhancement Act of 2002.
"It would put the government’s security requirements into every government contract, so that would help drive suppliers to the government to higher levels of security," Pescatore says.
Martin Libicki, senior policy analyst at RAND, notes that it will be months before Obama’s plan will be fully implemented, and years before research and development efforts will be realized.
"This is the start of a process," he says. "It’s by no means the culmination."
Rob Owens of Pacific Crest Securities does not own shares in SYMC, MFE, FIRE, ARST, SAI, or NCIT.