By: Tony Romm and Jennifer Martinez
May 30, 2012 12:42 AM EDT
As Congress boosts spending on cybersecurity and mulls over new data safety requirements on private industry, some companies stand to get rich.
Lockheed Martin, Boeing, Northrop Grumman and other defense and tech companies have been lobbying Capitol Hill about the growing cyberthreats to national security and corporate America, but they also make millions of dollars each year selling a variety of cybersecurity programs, tools and solutions to government and business.
Some lawmakers say the legislative push has spawned a “cyber-industrial complex.”
“I believe these bills will encourage the development of an industry that profits from fear and whose currency is Americans’ private data,” said Sen. Ron Wyden (D-Ore.), speaking on the Senate floor last week in opposition to pending cybersecurity legislation. “These bills create a cyber-industrial complex that has an interest in preserving the problem to which it is the solution.”
The online threats of the digital age — stolen state secrets, hacked personal computers and more — may pose serious, real and novel challenges to the federal government and private sector alike.
But the reaction to those threats has been far more old school: Companies in several different industries are aggressively playing the legislative lobbying game as part of their larger market strategy.
And it’s paying off in millions of dollars of federal contracts alone.
Lockheed Martin earlier this month won a key contract to assist with the Pentagon’s Cyber Crime Center for more than $400 million. In March, Northrop Grumman landed a $189 million cybersecurity contract to strengthen cyberprotections across the Department of Defense and the intelligence community over three years. Meanwhile, Booz Allen Hamilton last year was awarded a cybercontract with the Navy that stands to bring in $189.4 million over five years.
In the past few months, Congress has hit the gas pedal on efforts to set down new security rules that could govern critical infrastructure maintained by private industry, like power plants and water systems, as well as federal computer systems. Lawmakers are also weighing the ways in which industry and the federal government can more easily share classified and unclassified information about emerging threats ahead of a crippling attack.
It isn’t clear what shape — if any — a cybersecurity reform law may take. But the uncertainty is in part driving companies to throw considerable resources at their Washington operations, hoping to shape a final measure in a way that benefits their businesses while avoiding costly mandates and strict new regulations.
Utilities are engaging members of Congress on the security requirements that could fall on so-called critical infrastructure, while tech companies like Google, Microsoft, Intel and Amazon are mostly plugged into the debate over information shared about cyberthreats. Even Facebook is an ardent supporter of the Cyber Intelligence Sharing and Protection Act, the controversial House information-sharing bill. They all have a stake and represent different sides in the debate, as potential subjects of any new regulation.
But a prominent group lobbying lawmakers is contracting companies and others that work in defense and infrastructure. And some of those players would very likely be called on to work with the federal government and other entities on improving the security of computer systems.
Federal lobbying disclosures show a number of companies — including Raytheon, Lockheed Martin and Boeing — are devoting some of their big Beltway resources to talking up regulators about cybersecurity funding for the Defense and Homeland Security departments.
Those agencies’ appropriations bills touch on a number of elements that matter to the companies but they also contain key funds for cyber and IT programs. And each company boasts growing, billion-dollar businesses in the areas of information technology and system security, and services a number of federal clients.
Deltek, a government consulting firm, predicted at the end of last year that federal spending on cybercontracts could surge, from roughly $9.2 billion to $14 billion from fiscal years 2011 to 2016.
A spokeswoman for Lockheed Martin said the company “is supportive of overall cybersecurity legislation and has been particularly supportive of CISPA due to the fact that information sharing is critical to improved security for our nation.” The representative declined further comment.
Boeing was not available to comment on its work, and Raytheon declined to comment on its lobbying activities. Northrop Grumman also did not comment.
There’s a clear business rationale for this sort of power play: Computer attacks on federal systems are on the rise, with attacks on government data in particular up 650 percent over the past five years, a Government Accountability Office report found in 2011.
At the same time, federal cybersecurity spending is one of the few budget areas expected to see increases over the next few years. The Obama administration hoped to boost DHS cybersecurity spending by more than $300 million in 2013, bringing it to more than $769 million, and both the House and Senate appropriation committees are in line to deliver an amount close to that mark. The Pentagon, meanwhile, is requesting bumping 2013 funding to $3.4 billion for the U.S. Cyber Command, which coordinates cyberdefenses for the U.S. and its allies. Cybercom funding is forecast to total $18 billion from 2013 to 2017.
Those trends have galvanized the market for cybersecurity services, even as the federal government aims to slash IT spending in the coming years. John Slye, Deltek’s senior principal research analyst, said companies are looking “where there’s opportunity to sustain themselves” — and that area could be cybersecurity.
Others are taking their message directly to lawmakers and their staffs.
Symantec, the security software firm, plans to hold a briefing in the coming days on Capitol Hill, where it will tout its new report on an uptick in cybersecurity threats while highlighting the work the company does to block bad code, phishing attacks and more.
The company is a critical provider of cybersecurity services to federal and enterprise users and it has testified on the Hill in support of some information-sharing legislation. The company hasn’t weighed in individually on the Senate bills. It is a member of the Information Technology Industry Council, however, which made favorable statements on both of the upper chamber’s measures.
Symantec did not respond to requests for comment on this story.
Certainly, “the cyber-industrial complex” didn’t emerge overnight. As tracked in a 2011 report by Jerry Brito and Tate Watkins, both at the Mercatus Center at the George Mason University School of Law, the community has been particularly active over the past two years.
That’s especially evident in the case of Booz Allen Hamilton. While it may not devote millions to lobbying, the firm does have Mike McConnell, the former director of national intelligence under President George W. Bush, on its leadership team.
Booz Allen Hamilton last year announced it was awarded a contract to support the Space and Naval Warfare Systems Center Pacific with cyberscience, research, engineering and technology integration. The contract has a value of $71.5 million over two years and a potential value of $189.4 million over five years.
“With thousands of experienced cyberprofessionals, Booz Allen Hamilton continues to provide integrated, multidisciplinary solutions to the complex challenge that is cybersecurity,” said Bob Noonan, senior vice president of Booz Allen Hamilton, in the company’s news release.
Booz Allen Hamilton did not respond to a request for comment.
The possibility of new regulation or funding allocated to federal cybersecurity initiatives could only create more potential profits. New mandates on federal computer systems could translate into a new interest in purchasing contracts on cybersecurity and IT, for example. And any effort to facilitate information sharing could lead to a rush to build the infrastructure that allows for data to be circulated on a secure basis.
Some cybersecurity experts say the influence of industry is overstated, given the serious threats to computer systems today.
“You can’t escape the implication of self-interest” of companies that are lobbying both for and against stepped-up cybersecurity rules, said Jim Lewis, a cybersecurity specialist at the Center for Strategic and International Studies.
But, he added, “there is a real threat. How much more evidence do we want?”