Security companies squeeze inside the beltway

Mar 18, 2004

Well-heeled representatives from companies such as Raytheon and IBM have long wandered the halls of the U.S. Congress, cultivating close relationships with lawmakers and their staff. But these days, old-line defense and technology contractors are jockeying for lawmakers’ time and attention with a horde of newcomers: computer security companies.

Sensing a new government focus on cybersecurity, or simply hungry for a piece of the domestic security pie, leading IT security companies, including Symantec, RSA Security, Network Associates Inc. (NAI) and Computer Associates (CA), have launched or boosted their Washington, D.C., operations in the past two years and hired insiders to represent them on Capitol Hill.

Symantec, of Cupertino, Calif., is typical of IT security companies that are increasing their profile inside the beltway. The company hired its first government relations manager, Tiffany Jones, one year ago, said Adam Rak, director of government relations at Symantec.

Symantec added Jones’s position because it needed someone to interact with legislators and staff “day-to-day,” to “educate” lawmakers and their staff, and to be a “resource” on cybersecurity issues, Rak said.

Symantec is concerned about a number of issues that could affect its business. For example, Symantec wants to make sure that federal legislation does not outlaw software that it installs on its customers’ computers to prevent virus outbreaks or check for and distribute anti-virus software updates, he said.

Like Symantec, CA beefed up its Washington, D.C., presence in the last year and wants to do a better job of translating government requirements into the company’s products, according to Ron Moritz, chief security strategist at CA.

Among other things, CA created a new Senior Vice President of Public Affairs position in the last year and hired a veteran public affairs expert, William Warren, to fill the position, Moritz said.

CA senior executives including President and CEO Sanjay Kumar and Russ Artzt, executive vice president of the company’s eTrust security brand, have been spending more time in Washington, D.C., and the company recently held a board meeting and leadership conference there with presentations by federal officials and other luminaries, Moritz said.

RSA Security has had an office in Washington, D.C., for many years, but added a new Director of Government Affairs position in September, said Shannon Kellogg, who holds that position.

“It’s the evolution of the marketplace,” he said. “There are more opportunities for companies like ours and an increasing awareness of (cybersecurity issues).”

Kellogg said his role in Washington, D.C., is to be RSA’s liaison to government agencies and to the Congress, tracking security policy issues such as identity theft and domestic security, as well as “business” issues like expensing stock options.

Being in Washington, D.C., also allows Kellogg to work with a host of other industry groups that work within the Beltway, such as the Business Software Alliance (BSA), the Information Technology Association of America and the recently-formed Cyber Security Industry Alliance (CSIA), he said.

That last group was launched in February and will lobby government on behalf of its members, currently 13 IT security companies including CA, NAI, Symantec, Check Point Software Technologies Ltd., RSA Security Inc. and others, said Paul Kurtz, executive director of the CSIA.

Kurtz is just two weeks into his job and is currently CSIA’s sole employee, but he’s already well-versed in Washington, D.C., cybersecurity policy. An 18-year veteran of government service, former National Security Council member and a former Special Assistant to the President under Presidents Clinton and Bush, Kurtz helped write the National Plan to Secure Cyberspace.

CSIA staff will work on Capitol Hill as well as with regulatory agencies and foreign governments on clarifying federal policy on software vulnerability disclosure and compliance with regulations such as the Sarbanes-Oxley Act of 2002 and the Gramm-Leach-Bliley Act of 1999. Many of those laws were written without input from the IT security industry, even though they contain provisions that bear directly on cybersecurity, he said.

While Kurtz is registered as a lobbyist, many of those working on Capitol Hill for IT security companies don’t use the “L” word or consider themselves lobbyists. However, almost all of those interviewed for this story acknowledge that lobbying is part of their job, either directly or through organizations like the CSIA.

“It depends on how you define lobbying,” Rak said. “I advocate for public policy in the interest of my company and the security industry.”

“I see it as a type of lobbying,” said Katie Ignaszewski, director of government affairs for Internet Security Systems of Atlanta. “I strongly rely on (IT industry) associations. If they’re lobbying, well, I guess that’s why we’re a member.”

Ignaszewski, who holds a position ISS created in January 2003, was a political fund-raiser for six years in Washington before moving into government affairs for Technet, and then for ISS.

She says that being in Washington, D.C., isn’t a requirement, but that it helps companies like ISS stay on top of issues such as funding for research and development and policy regarding vulnerability disclosure.

For those working on Capitol Hill, the presence of IT security companies and the formation of the CSIA are evidence that the private sector is responding to federal government demands for a more coherent information security policy, said Bob Dix, staff director of the U.S. House Committee on Government Reform Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census.

The chairman of that subcommittee, Representative Adam Putnam of Florida, is a key figure for many of the IT security companies working on Capitol Hill and has aggressively pursued cybersecurity issues in hearings, speeches and other events, according to Dix and others.

Putnam also got the attention of IT security companies after he sponsored a bill called the Corporate Information Security Accountability Act of 2003, which would have mandated independent security audits for information security at publicly-traded companies and prodded the U.S. Securities and Exchange Commission (SEC) to develop specific IT security audit standards, Dix said.

The proposed legislation was never passed, but it did raise concern in the private sector about the federal government mandating IT security policy, he said.

“The private sector said ‘We can do this on our own,’” he said.

The result was the Corporate Information Security Working Group, a public-private partnership that brought together 26 representatives from academia and industry, including the U.S. Internet Service Providers Association, the BSA, and the U.S. Chamber of Commerce, Dix said.

The group met for three months and submitted a set of recommendations to Putnam in March on adding information-security guidelines for federal laws like the Clinger-Cohen Act of 1996, providing incentives to businesses for IT security and increasing user education and training on cybersecurity issues, he said.

The work with Putnam is an excellent example of how having a presence on Capitol Hill is paying dividends for IT security companies, Ignaszewski said.

“In the end we were able to dodge a bullet here in terms of regulation,” she said. “It was an excellent exercise in not having a reactive piece of legislation and in relations between the private sector and a congressman.”

Fear of regulation is driving many of the IT security companies, said James Lewis, a senior fellow at the Center for Strategic and International Studies (CSIS) in Washington.

After dismissing the federal government in the 1990s as “too slow and too dumb” to play a role in the IT industry, companies are waking up to the fact that the government is more actively overseeing the information economy and that they have to pay attention, he said.

“We’ve seen impatience in Congress and the Executive branch translate into legislation and regulation, and that’s driving companies to pay more attention,” he said.

Given the share of the nation’s IT infrastructure that is in private hands, a healthy involvement by private sector companies in shaping IT security legislation is appropriate, said CSIS’s Lewis.

However, the government must also be willing to put aside the wishes of private companies when it considers the security of critical infrastructure such as mass transportation, electrical power and telecommunications, he said.