Vendors find security is a tough nut to crack

Doing business with the government, always difficult and expensive, is getting even more difficult in the security area, some industry executives say.Government agencies have been so overwhelmed by proposals for securing critical infrastructures that the new Homeland Security Department is setting up a technology clearinghouse.Just finding out what the government needs is a challenge in itself, said John C. Hermansen, chairman and chief executive officer of Language Analysis Systems Inc. of Herndon, Va.'The government has been very difficult to deal with in the last 18 months,' Hermansen said, although for years his company has produced name-recognition and analysis tools for intelligence and border-control agencies. Government business still accounts for about 75 percent of the company's revenue, he said.'After Sept. 11 we had good friends in the agencies who said, 'I can't talk with you any more,'' he said.'I'm sure that happened,' said Robert E. Suda, assistant commissioner for IT solutions in the General Services Administration's Federal Technology Service. 'People are being a lot more cautious who they talk to and what they talk about.'That's partly because of security concerns, Suda said, and partly because agencies are busy changing the way they do business.'I probably have 15 phone calls a week and five or six industry partners coming in my door to talk about what they are doing,' Suda said. 'You only have so much time.'Sallie McDonald, FTS' assistant commissioner of information assurance and critical infrastructure protection, said vendors had certain expectations after Sept. 11.'There was an expectation that government would be buying all sorts of security systems,' McDonald said. 'Government has not had the money to buy security that vendors thought it would have.'She said that the creation of HSD coupled with security requirements from the Office of Management and Budget will mean some increase in security spending, but that neither agencies nor vendors should expect much.'We have a war that we're planning, and wars cost money,' she said. 'The president is keeping domestic spending flat.'Most spending for IT security will have to be carved out of existing budgets, she said, and 'the wise CIO is looking at shifting money' from other program areas.Navigating the maze of certifications required to sell to government also is daunting, said Eric Uner, co-founder of Bodacion Technologies LLC of Barrington, Ill. Bodacion is piloting its Hydra secure Web server, which it claims is invulnerable to all known hacks and will be commercially available this spring.'The first step is getting to know what the hurdles are,' Uner said. 'The cost is extremely significant. For Common Criteria Level 4 [international security certification], it probably approaches $1 million.'Uner said his company was lucky to be shepherded through certification by interested agencies because 'the claims we are making are so outrageous' that agencies are eager to see validated results.But he also questioned the usefulness of certification programs such as the Common Criteria and Federal Information Processing Standards, 'mainly because the certificates are misunderstood and misinterpreted.'FIPS certification, required for government cryptographic tools, requires use of government-approved algorithms, which meant that Bodacion could not submit its proprietary Biomorphic cryptography, Uner said.'Unfortunately, we had to reduce our security for the government compared to what we can offer commercial customers,' he said.Uner said he prefers the National Security Agency's Security Proof of Concept program, which validates vendor claims rather than certifying to government standards.Finding government customers is even more difficult for small vendors, Suda said, 'because of all of the centralized procurement. At FTS we are trying to get more of them in.'Hermansen argued that the government 'does not know how to work with small businesses. The bureaucracy is not suited for dealing with them. We have been pushed to the brink of going out of business several times in the last 18 years' by inept handling of contracts.'New business is always tough to get,' Suda acknowledged, 'but it is doable. It comes down to a question of relationships,' which he said are easier for small businesses to develop at the field level than at the headquarters level. Partnering with large integrators can be effective in shooting for business at the headquarters level and from centralized procurements, he said.Once a vendor, large or small, gets official attention, the key to doing government business is 'being able to show how you make a difference,' Suda said.