As we enter the month of November, it is worth noting that here in the U.S. we have just wrapped up the seventh annual National Cybersecurity Awareness Month. The various efforts espoused by the Department of Homeland Security focus primarily on the individual user. These efforts and others like them hopefully have led to some changes. One question, though, is how to drive similar change and innovation in the commercial sector.
Over the past couple of days I attended a SINET event (see http://www.security-innovation.org/). SINET exemplifies one interesting development that I have been noticing over the past year involving “cross pollination” between different stakeholders. The event focused on security innovation via increased interactions between government and commercial entities. While new commercial-government business models are being defined, the need to make initial connections has been recognized for some time and SINET has been helping to build those bridges. I would contend this cross pollination, in combination with greater security awareness, presents a unique opportunity for the cybersecurity community.
To help understand this whole phenomenon, consider the following factors:
- for many years, commentators have talked about the importance of public/private partnerships in the area of cybersecurity
- critics frequently point to the government contracting process as one area having a detrimental effect on security and in need of extensive improvement (due, in part, to the time it takes to get through the process)
- commercial security technology often developed in non-U.S. jurisdictions and/or by technology startups cannot be brought into the government, even though the government would benefit from such technology
In light of these conditions, several groups have begun looking at the traditional models for getting appropriate technology into the government and how those models can be tweaked. We are beginning to see some interesting results.
In the government contracting space, the ultimate issue becomes how to rapidly bring promising startup cybersecurity technology to bear on the immediate problems that the government is facing. Often, barriers exist that prevent these startups from being able to do business with the government, including, for example, a lack of cleared personnel or no readily available government contracting mechanism. Even if the typical government contracting process were to be used, the solution might not be ready in time to meet the government requirements.
To help overcome this problem, innovation programs currently under development would allow startups with interesting technology to fast track their way into the government. Let’s work through a hypothetical. Suppose the government has an immediate problem with a particular type of rootkit and their current cybersecurity providers have not been able to help. Let’s further suppose that a U.S.-based startup that has a development center somewhere in another country has a radically new approach to handle rootkits but, because of the citizenship of its developers, cannot sell into the government. Even if it had a vehicle to sell into the government, it still might not be able to modify its product to meet the government’s requirements because those requirements are classified. What’s our innovative cybersecurity startup to do?
Well, the barriers facing the startup may be disappearing. Work underway right now in various branches of the government focusing on driving innovation could open the doors formerly closed to rapid deployment of technology developed by startups. Using less traditional but well-established contracting mechanisms and relationships with entities who can accommodate the quick-turn requirements of the government, startups may soon be able to utilize “innovation brokers” that will provide substantive services to both the startup and the government. Not only are such arrangements attractive to the government, the startups, and the brokers, they also have attracted the attention of the venture capital community. Once seen as a liability, most in the venture capital community now see having the government as a customer as a good thing.
Although the projects that they will support require fast turnaround, setting up the infrastructure, confirming the authorities, and attracting the various stakeholders for such arrangements takes time. If, however, these and other programs like them do catch on, perhaps we could be sitting here next November talking about their successes and possibly even discussing something like International Cybersecurity Innovation Month. Wouldn’t that be nice?