In the seemingly implausible new Bruce Willis action movie, Live Free or Die Hard, terrorists hack through the government's computer security and into the systems that control America's road traffic, aviation, financial markets and government -- crippling the economy and sparking mass hysteria.
Implausible, sure – especially the part where Bruce kills a helicopter with a car.
But recent data breaches show how vulnerable government computers are to exploits or attacks. As the federal government works to improve its IT security and address those breaches, systems integrators (SIs) and analysts say there will be growing opportunities for the channel.
"The government is taking a proactive stance on protecting the information that's in their security systems," said Rob Hile, vice president of business development for Adesta, an Omaha, Neb.-based SI.
There's also been plenty for the government to react to. In May 2006, a burglar stole a Department of Veterans Affairs laptop that contained the
Just this month, a cyberattack led the Pentagon to take 1,500 Department of Defense computers offline. And a Congressional committee learned of a January breach at the Los Alamos Nuclear Laboratory, where officials wrote about classified nuclear weapons secrets over an unsecured email network. Another breach occurred at Los Alamos in October.
"This is an ongoing problem," said Amy DeCarlo, a principal analyst for Current Analysis in Sterling, Va.
Live Free or Die Hard is based on a hacker attack, but in real life, data loss prevention is the government's top security concern, DeCarlo said. Thieves and terrorists could use lost or stolen information to commit identity theft, shut down the economy or compromise national security. If Federal Aviation Administration data fell into the wrong hands, for example, "there's a potential to really do serious harm to airline travel," DeCarlo said.
Government agencies have security guidelines in the Federal Information Security Management Act, which DeCarlo likened to the Payment Card Industry Data Security Standard for retailers, and agencies have been making more frequent risk assessments. Thanks to the emergence of mobile devices, there is also more focus on a multi-layered security approach that protects both the network and the host, DeCarlo said.
Those factors and others will lead the federal government to spend $6 billion on IT security this year, according to a study by government analyst firm Input, which predicts that spending will reach $7.4 billion by 2012.
The implementation of the Federal Information Processing Standards publication 201 (FIPS 201), which mandates smart card technology to control access to federal government facilities and networks, will have another "dramatic" effect on business for Adesta and other SIs, Hile said. But it won't be until the cards are issued -- six to 12 months from now -- that those benefits are realized, he said.
"We're not seeing a lot of business yet," he added. "We're just hearing a lot of talk."
The federal government still has significant work to do in other areas as well, according to a recent survey by Telework Exchange, an Alexandria, Va.-based group that studies federal IT security. Just 48% of federal employees surveyed said their agency offered training after the VA's laptop incidents, and 16% said their agency did nothing in response.
The survey also found that 13% of employees said they had no data encryption on their laptops, up from 11% before the VA breaches.
Another opportunity for the channel, besides selling and deploying IT security, is in educating agency employees about the systems they already have in place, DeCarlo said -- especially because human error is one of the major causes of data breaches.
"A lot of agencies have a lot of technology that they're not necessarily using properly," DeCarlo said.
The channel opportunities are not limited to companies that work with the federal government. Adesta does much of its business with what Hile calls "quasi-government" agencies: ports, dams and highway authorities.
Adesta's clients, with some highly visible targets, put an emphasis on the convergence of physical and IT security. They tell Hile, "If something happens, we need to know about it quick, and we need to respond to it," he said.