Cyber security is not just simply an information security issue for government CIOs and agency IT departments. With numerous recent incidents of cyber-crime happening within agencies - data breaches with citizen & employee data exposure and scenarios involving malicious malware such as ransomware - agencies that store, maintain and share sensitive data must focus on having the best possible data and security management to prevent (or at least mitigate) cyber-attacks, scams and accidental security breaches due to user error. As a response to the more recent attacks, the federal government decided in February 2015 to create a new intelligence unit to track and share intelligence on cyber threats and attacks across different agencies.
At the state, local & education (SLED) levels of government, agencies are also paying attention and working to improve security protocols especially with the ever increasing security vulnerabilities from newer technologies such as mobile devices, wearable technologies and the Internet of Things. For example, a recent audit at five state agencies in Washington state revealed that the areas with the highest noncompliance risk involved application security, data security and operations management. Areas of vulnerability were also found in their underlying infrastructure. According to the Auditor’s Office, there were seven issues “deemed a critical risk, meaning that the effect would be wide and ‘almost certain to be exploited.’ Another 12 were found to be of high risk, meaning they could be exploited by an attacker with minimal skills.” The state agencies in the audit have either fixed or are working on these risk issues.
The Agencies Investing in Cyber Security
Many other state and local agencies are actively doing what they can to combat cyber-crime. Onvia has a large database of procurement activity from more than 80,000 SLED entities in the U.S. According to Onvia’s Project Center, there are close to 500 recently published and open bids & RFPs SLED projects with “cyber security” in the title: 366 at the state level, 43 for cities & towns and 40 for special districts such as water ports, mass transit and utilities entitites. Adding in other keywords relating to cyber security in a project title (such as "anti-virus", "malware", "encryption", "cloud security", "firewall" and "authentication") results in nearly 9,000 projects published in the last year: 3,192 at the state level, 2,790 for county and 1,129 for cities & towns. In addition, Onvia’s Term Contract Center revealed over 2,000 active term contracts, over half (1,482) are for state agencies, 298 at the county level and 248 for cities & towns.
Leading the way in number of opportunities appears to be state agencies, particularly in higher education where the risks of data breaches from malware or unintended end-user disclosure are tremendous. Jonathan Rajewski, Computer Forensic Professor at Champlain College explains in a blog post that higher education institutions are “vulnerable to losing valuable intellectual property such as patents awarded to professors and students, as well as personal information of students, faculty and staff.” Examples of purchasers include Community College of Rhode Island that purchased web malware protection for $83,244 from Presidio Networked Solutions in August 2014. San Jose/Evergreen Community College District in California purchased a firewall system for $201,214.80 (plus tax) with Dasher Technologies in October 2014. Old Dominion University in Virginia purchased malware detection appliance & support from FireEye in December 2014.
Cyber security procurement activity is also happening at a variety of SLED agencies across the country. Buyers include:
- City of Lynchburg in Virginia (population of 71,282)
- City of New York in New York (population of 8,274,527)
- Marion County in Florida (population of 324,857)
- Los Angeles County in California (population of 9,878,554)
- St. John the Baptist Parish School District in Louisiana
- Special district Allegheny County Port Authority in Pennsylvania
A Variety of Cyber Security Term Contracts Available
Opportunities for vendors in the cyber security market frequently cross over from the IT/Telecommunications sector into business & consulting services, as well as insurance & financial services as agencies work to bolster not only security of their IT infrastructure as a whole, but also application specific security for their most sensitive systems. Cyber security projects also include a variety of products and services for endpoint protection, data loss prevention, data backup & disaster recovery through cloud services and/or servers, onsite management, personnel training and compliance. Examples of recent awards and term contracts from Onvia’s Term Contract Center are:
The City of Albuquerque awarded CDW Government with a one-year term contract ending in June 2015 worth $37,333.96 for Trend Micro anti-malware technical account management services and maintenance.
The Michigan Department of Technology, Management and Budget awarded Novacoast a three-year term contract ending in August 2017 worth $712,153.08 to provide a 24x7x365 real time monitoring and log analysis system from Symantec to give the State a clear picture of potential cyber security threats and levels of risk.
The City of Los Angeles in California awarded CPARS Consulting $98,977 a six-month term contract to provide planning, design, development and coordination services for the Emergency Management Department's Emergency Operations Center which includes a “Tabletop Exercise (TTX)” to simulate a cyber-terrorism attack on the City's systems and test the City's coordination and implementation of prevention, preparedness, response and recovery plans and capabilities pertaining to a significant cyber event or a series of events.
Forecasting the Future of Cyber Security Spending
According to a recent Government Technology article by Dan Lohrmann, the Chief Security Officer & Chief Strategist at Security Mentor, Inc., cyber dangers are on the rise. Lohrmann writes that “it is clear that the dollars spent, problems encountered and attention given cyber has virtually doubled in 2014.” This suggests there will be an increased demand in the public sector for cyber-related products and services. Looking to the future, Onvia’s Spending Forecast Center reveals agency plans for the next several years including:
The Metropolitan Water District of Southern California Capital Investment Plan for FY 2015/16 includes a $1,128,100 project for IT Infrastructure Reliability--Business Systems Cyber Security Upgrades. “Cyber security is high priority … Maintaining a secure computing environment requires regular enhancements and upgrades to Metropolitan's IT information security infrastructure to ensure protection against continually evolving cyber threats. New vulnerabilities are identified on a regular basis and require ongoing efforts to analyze risks and to implement countermeasures to protect against them to maintain the security and reliability of our systems. Upgrades to reduce cyber security risks for Metropolitan's SCADA system by implementing additional countermeasures are needed to help protect against unauthorized access and to help ensure that Metropolitan’s SCADA system used to control the flow and treatment of water is adequately protected from cyber threats.”
In Colorado, the City of Fort Collins’ adopted budget for 2015-16 includes $250,000 for cyber security risk and vulnerability management including consulting assistance, staff training and tools necessary to further improve cyber security program capabilities and better protect “mission-critical” information systems: “Utility Services recognizes the importance of maintaining a holistic set of business process controls and technical safeguards to ensure the confidentiality, integrity and availability of information maintained by various information systems that support critical Utility Services functions. Cyber security threats are constantly changing and becoming more difficult to protect against. Cyber security program best practices include periodic vulnerability assessments by independent security experts, ongoing continuous improvement of business processes, and security training to keep staff skills up to date with changing technologies and emerging cyber risks.”
In Atlanta, Georgia, the Metropolitan Atlanta Rapid Transit Authority adopted Operating & Capital Funds Budget for FY2015 has a $2.5 million project planned over the next 3 years: “The scope of this project is to implement Authority approved guidelines and procedures recommended by NIST 800-82 for Industrial Control Systems (ICS) in which: (1) Builds a culture of cyber security integrated within control systems, (2) Assesses and monitors risks, (3) Develops and implements risk reduction and mitigation measures, and lastly (4) Manages incidents in an effective manner.”
Finding Opportunities in the Cyber Security Market
Cadie Thompson reported for CNBC that 2014 was the “year of cyberthreats” adding that this has been a great year for cyber security firms and companies offering cyber-insurance: “Business is booming and stock prices are shooting upward. Security start-ups are also getting a massive boost in funding.” Even still, there may be some hesitation by agencies to allocate funds towards cyber security due to budget constraints. Philadelphia Commissioner Charles Ramsey was quoted in a Police Executive Research Forum paper published in April 2014 saying cyber security isn’t often a priority within police departments: “Until there is a major incident, it’s difficult to have the kind of IT budget necessary to develop a strong cybercrime program and protect our own systems.” In fact, recent victims of ransomware attacks that will certainly change the priority of cyber security in at least two police departments are the Swansea Massachusetts Police Department and the Dickson County Sheriff’s Department in Tennessee.
With the ever increasing sophistication of cyber-crime and security risks that come with newer technologies, cyber security is important to keep government data and their constituents’ information secure. Onvia’s suite of government procurement intelligence tools indicates more and more agencies will allocate budgets for cyber security to improve their networks; agencies will preemptively improve their IT infrastructure security rather than wait for an incident to happen. Onvia’s look into projects, term contracts, budgets and capital improvement plans provide evidence that vendors can look forward to more opportunities to win business in the cyber security SLED market.