With federal government spending on cybersecurity set to sharply increase in the final budget submitted by the Bush administration, contractors are looking hard for fresh business opportunities. Although opportunities are starting to take shape, they are not as clear as some contractors would like.

A dramatic rise in attention and federal funding for cybersecurity and infrastructure protection is expected in fiscal 2009. Recent developments include:

• Proposed spending on information technology security in fiscal 2009 is $7.3 billion, 10 percent more than in 2008.
• Financial support for a new classified White House cybersecurity directive signed by President Bush in January and to be carried out by intelligence agencies could be in the $6 billion range each year. The initiative could include more aggressive actions to monitor the Internet and block and disable cyberattackers.
• The Homeland Security Department’s National Cyber Security Division is slated to receive $293.5 million for enhancing the protection of federal networks. This includes additional funding for the U.S. Computer Emergency Readiness Team.
• The Air Force expects to pick a permanent location for its Cyber Command by December. It has released a wish list of projects totaling $399 million.

Cybersecurity has been a national security concern for more than a decade, but public attention has skyrocketed with reports of data losses and cyberespionage. In 2007, Congress heard accounts of foreign hackers breaking into the networks of military agencies and defense contractors and stealing huge amounts of sensitive data. Such attacks likely will intensify this year, according to a December report from the SANS Institute.

With billions of dollars in the pipeline, more contracting work is sure to follow. But details are fuzzy because much of the new work will occur in the classified arena and cybersecurity contracts historically have been difficult to chart.

“It is pretty clear there are dollars there for cybersecurity, but how quickly will there be a spending plan? I’m not sure,” said Scott Hastings, former chief information officer at DHS and now a partner at Deep Water Point LLC, a consulting firm in Washington. “One of the challenges will be defining the problem.”

“I am sure there will be an expansion of business related to cybersecurity, but we cannot see all the budget numbers,” said Ray Bjorklund, senior vice president at FedSources Inc., a research firm in McLean, Va. Some classified budget figures will leak out to the media, but some will not.

Enemy at the gates
Confusing matters is the fact that some people view federal cybersecurity as everything the government does to protect its systems and networks, and others say cybersecurity only occurs at a higher level and involves protecting critical networks, the Internet and civilian infrastructures, such as energy plants and oil pipelines.

There also might be arguments among the military, intelligence agencies and DHS over who gets the increases in cybersecurity. Cybersecurity might be a hot topic in Congress, but there is a chill in the air regarding some discussions of the topic. For example, Rep. Bennie Thompson (D-Miss.) strongly criticized the promotion of DHS CIO Scott Charbo to be undersecretary of National Protection and Programs, overseeing cybersecurity.

“Given his previous failings as chief information officer, I find it unfathomable that you would invest him with this authority,” Thompson wrote to DHS Secretary Michael Chertoff. “This decision raises concerns about the seriousness and credibility of the administration’s initiative.”

Thompson also reiterated concerns he first made public in September about evidence of Chinese hackers penetrating networks set up by contractor Unisys Corp. in connection with an IT contract with the Transportation Security Administration. Unisys officials said at the time that they had followed all security protocols and made the appropriate reports.

Thompson has asked the department’s inspector general to investigate. DHS responded Feb. 13 with a letter of praise for Charbo and a list of his accomplishments. “The letter has not alleviated our concerns,” said Dena Graziano, a spokeswoman for Thompson.

Privately, some insiders close to the situation say it is a frustrating example of how a cybersecurity breach can become mired in politics.

Even with the high-profile increases in spending, the overall picture of cybersecurity contracting is still unclear because much of the work will be classified. Budgets for such initiatives are notoriously difficult to pin down.

“The classified nature of the new directive makes it a bit tough to sort out exactly where money will be spent,” said Jeremy Grant, senior vice president at the Stanford Group Co. investment research firm. “Formal fiscal 2009 IT security numbers released by the Office of Management and Budget show only a 9.8 percent increase, but the fact that a lot of this work will be done in classified agencies suggests that there is a much bigger number that has yet to be revealed.”

Despite President Bush’s lame-duck status, Congress is likely to agree with the new cyber priorities, at least partially, experts say, because the cyberthreat has grown dramatically and many Democratic leaders have been calling for more attention to cyber priorities for several years.

Lawmakers are also considering a new approach to the Federal Information Security Management Act to make it more performance- oriented and less focused on paperwork.

“We support tweaks to FISMA to strengthen information security,” said Tim Bennett, president at the Cyber Security Industry Alliance, a coalition of organizations and corporations. The alliance also backs the spending increases.

“Clearly, we are all seeing increasing awareness of the growing threat to our networks, and the government is responding to that,” Bennett said.

Although spending on cybersecurity is likely to increase, it might be difficult to immediately spot many of the gains in contracting.

That is because IT security projects often are folded into larger projects. Aside from the basic computer and network protections, which have mostly been accomplished already, cybersecurity work has been viewed in terms of subcontracts to larger IT contracts. That could change as more dollars begin to flow, with larger systems integrators emphasizing their cyberabilities.

Big-picture approach
The 2009 budget is likely to include funding for software and support along with legal and investigative assistance. It also might pay for counterattacks in cyberspace and conventional military responses. A portion of the funding could help support the Air Force’s new Cyber Command, for example.

“Cybersecurity is a problem that requires a solution beyond an infrastructure fix,” said Richard Colven, vice president of executive programs at research firm Input Inc., of Reston, Va.

“Our adversaries have become more sophisticated,” Bjorklund said. “To be able to protect against threats in this cyber environment takes more money.”

As the complexity of cybersecurity increases, it is possible that systems integrators will take a more comprehensive approach, he added. Several major federal contractors have robust cybersecurity units, and that emphasis is likely to grow, he said.

“Systems integrators will have to become more comprehensive and integrated in their approach,” said Chris Campbell, a senior analyst at Input. “I haven’t seen it yet, but it could happen.” That trend would signal a change from the government’s piecemeal handling of cyber concerns in the past, he said.

Alice Lipowicz (alipowicz@110govinfo.com) is a staff writer at Washington Technology.