Government May Lose Out on Cybersecurity Ideas from Small Businesses, House Panel Told
Small businesses face barriers to selling cybersecurity services to the federal government, managers of such companies said at a hearing Wednesday of the House Armed Services Subcommittee on Terrorism, Unconventional Threats and Capabilities. Chair Loretta Sanchez, D-Calif., agreed it’s tough for companies with limited money to break into the Washington government market and asked for specific suggestions “about what we might change."
Sign up for a free preview to unlock the rest of this article
Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!
The “best ideas” come from small businesses, but it’s often “impossible” for them to work through the government acquisition and procurement process, said Rep. Adam Smith, D-Wash. He complained about “excessive reliance” on contractors, which he said has reduced the number of government acquisitions people who are talented and knowledgeable.
Only small businesses “have the audacity and impetus to challenge the status quo” and introduce innovative cybersecurity products, said Roger Thornton, founder of Fortify Software. But the government is an “extraordinarily difficult labyrinth to navigate for the small businessman,” said Richard Lee, an independent consultant who used to work for the government on acquisitions. So the government tends to rely on cybersecurity products from large companies, which have less incentive to innovate, he said.
It takes a “significant investment” for small businesses to get their software certified, and getting security clearance requires a sponsor, said John Ricketson, CEO of Dejavu Technologies. Setting up government programs to offset those costs and establishing a government intermediary to validate technology could foster innovative products for the government from small businesses, he said. It’s tough for a small company to be accepted by the government without a champion inside it or the sponsorship of a larger company that can push them inside, said Lee. And small businesses have trouble understanding government acquisition, evaluation and certification, he said. “Programs are in place” to attract smaller companies to the government market, but additional education may be needed, said Thornton.
Cybersecurity remains a major national challenge, executives said. Thornton’s company commonly finds “thousands” of critical vulnerabilities on networks it analyzes, he said. “Breaches will happen,” said Ricketson. “They are inevitable.”