cybersecurity a community approach - 20151109

Colorado Springs Cybersecurity Market Strategy - November, 2015

A Community Focused Approach to Cybersecurity Excellence

Mayor's Vision: Colorado Springs

will be the Cybersecurity Capital of the World

Submitted by

Frank Backes, CEO

Braxton Science & Technology Group

6 North Tejon Street, Suite 220

Colorado Springs, CO 80903

[email protected]

Phone: 719-380-8488

mailto:[email protected]


Introduction

Data transport and security plays a significant and increasingly important role in our personal

lives, businesses, and national security. The Internet has become the backbone of data

transport and security supplemented by networks used for banking, government, industry,

commercial, and civil systems. Virtually all businesses communicate internally and with their

suppliers and customers via the Web and email, and the US Government increasingly

communicates with citizens by online means. The rest of the developed world is in a similar

position, and much of the developing world is catching up fast.

Colorado Springs’ political leadership recognizes the importance of cybersecurity to our nation

and has determined it is highly desirable that our community has a strong, productive and

competitive cybersecurity industry, based on existing local resources, historical experience,

inherent knowledge, skills and capability. Colorado Springs finds itself in an enviable place

when considering where the US Government and Industry should invest in cybersecurity

capability. Several pillars differentiate and define our community’s ability to deliver on the

Mayor’s vision, “Colorado Springs will be the Cybersecurity Capital of the World”, as follows:

1. Headquarters Air Force Space Command – Organize, Train and Equip role for Space

and Cyber.

2. United States Northern Command (USNORTHCOM)

3. North American Aerospace Defense Command (NORAD) and NORAD

4. Schriever Air Force Base - Command and control for over 170 Department of Defense

warning, navigational, and communications satellites

5. Army Space and Missile Defense Command

6. Cheyenne Mountain Air Force Station

7. Joint Functional Component Command for Integrated Missile Defense (JFCC IMD)

8. Missile Defense Agency


9. US Air Force Academy – Future home of the Air Force Cyber Innovation Center (AFCIC)

10. UCCS, a world-class university capable of delivering education and research

11. Catalyst Campus for Technology Innovation – An industry-driven workforce

development, research, development, and operations facility focused on Cybersecurity

12. Commercial industry leaders in cybersecurity (FedEx, Oracle, root9B, MainNerve,

Progressive, and many others)

13. Home to more than 200 Aerospace and Defense industry companies with a vested

interest in the cybersecurity capabilities of our community

These community pillars are the pathway to Colorado Springs’ ‘brand’ in the cybersecurity

market. When combined and directed in a coordinated strategy, we have the opportunity to build

a successful, competitive and knowledge-based industry to exploit the undoubted need for

cybersecurity in the US and other countries. These pillars also represent the three required

elements for successful technology market leadership and economic sustainability.

1. Academic research and education

2. Industry expertise and investment

3. Operational customer base and revenue (Military and Commercial)

The Cybersecurity market is highly fragmented and heterogeneous. Its structure is complex and

not widely understood. In particular, there is considerable confusion and uncertainty regarding

the market dynamics for cybersecurity, in terms of demand, competitiveness and government’s

role in facilitating a strong cybersecurity capability for the nation. This white paper will strive to

clarify this market and describe how the technology pillars in our community can unite to

become the cybersecurity capital of the world.


Defining Cybersecurity Markets

The market structure and supply chain depend on the nature of the business being protected,

the extent of exposure to potential threats, and the value of an attack for the cyber-criminal. For

this report, we identified five separate and distinct submarkets, each of which has different end-

user organizations and supply chain players. Crossover between supply chains in the

submarkets is not straightforward.

The five submarkets are:

The Colorado Springs community has organizations that represent both customers and

suppliers of products and services in each cybersecurity sub-market. The sophistication,

motivations, and funding of cyber-criminals is the primary characteristic this paper is using to


differentiate each of these cybersecurity submarkets. The categories of cyber-criminals

considered are:

Terrorists Competitors/Corporate Espionage

Organized Crime Foreign Entities

Activists/Hacktivists Organizations Foreign Nation-states

Insider Threats Independent Hackers

Nation-states, terrorists, hackers and organized crime are the cybersecurity villains that

everybody loves to hate. While there is no doubt these cyber-criminals are a force to be

reckoned with, insiders, current and former employees are increasingly a risk to many

organizations.

The Consumer and Small Business sub-market have cybersecurity needs, but these are less

sophisticated primarily due to the funding and type of cyber-criminal targeting this market

segment. The submarket for small businesses and consumers is aggregated here because the

supply chains serving their needs for products and services are similar. The cyber-criminals

focused in this market are operating mostly as individuals and command limited funding for their

capability.

The Business and Enterprise cybersecurity market is oriented around large commercial

enterprises securing their day-to-day business. This includes banks, telecommunications

companies, utility and energy firms, manufacturers and retailers, and its constituency comprise

the largest firms operating in the US. Some of these firms have a role to play in the nation’s

critical national infrastructure, but the nature of the threat is less than that for intelligence and

defense organizations. The cyber-criminals we find in this market include competitors, insiders,

independent hackers, organized crime, and hacktivists. These criminals can be well funded and


are looking for significant results and return for the risk they are taking in attacking a business or

enterprise.

The Industrial market segment includes Civil, Utility, Healthcare, Energy, Justice Systems, and

others: this submarket incorporates all the other government-funded cybersecurity tasks. It

includes security of health and education data, crime and criminal justice information, as well as

more run-of-the-mill (but essential) national infrastructure systems. As an example, one of the

most publicized cybersecurity attacks of all time were major breaches that occurred in 2014,

successfully accessing US government databases holding personnel records and security-

clearance files containing sensitive information of about 22.1 million people, including not only

federal employees and contractors but their families and friends. It is believed by US officials

that the attack was sponsored by China who was conducting a form of traditional espionage.

The Military and Intelligence submarket is focused on securing national assets, weapon

systems, the nation's secrets, and involves security and intelligence agencies. It incorporates

the most advanced (and most secret) cybersecurity technologies available. The attacks in this

market come from all players in the cyber-criminal spectrum. While terrorist groups and nation-

state backed cyber-criminals have significant funding and the most sophisticated capabilities,

insider threats have proven to be challenging to detect and mitigate but have had devastating

impacts. The Edward Snowden incident is a good example of the impact a single insider threat

can have.

In response to nation-state, terrorist, and sophisticated competitors engaged in industrial

espionage the Ethical Offensive Cyber market has grown significantly. This is an arena that

requires technical, ethical, cultural, and legal expertise to be combined with products, services

and operational expertise to achieve the intended outcomes without breaking US constitutional

and international laws.


The purpose of identifying these five separate submarkets is not to silo these markets, or draw

hard and fast lines between them. In fact, there is a degree of crossover between buyers in the

submarkets in our model. The purpose is to identify the differences in supplier structures that

feed each of the submarkets and address them in reference to the value proposition that the

Colorado Springs community has to offer. From a supplier point of view, it is vitally important to

understand the characteristics of each particular market.

Selling into the defense and intelligence sub-market is entirely different than doing business with

small businesses and consumers, just as selling into large enterprises is different than selling

into the public sector (even beyond the defense and intelligence elements). The sophistication

and scale of the cybersecurity requirements, the credentials and clearance requirements, and

the way in which each submarket procures cybersecurity capability are all substantially different

in each sub-market. Suppliers to the cybersecurity market, therefore, need to understand the

dynamics of their particular target market. The Colorado Springs community must use this

information to adjust its strategies in developing and branding a cybersecurity economic

foundation.

Understanding Technology Creation & Revenue Lifecycle

The maturity of cybersecurity solutions can be assessed using traditional product development

lifecycle analysis. It is imperative that we understand the economic impact to our community in

each phase of the technology maturation process in order to prioritize and coordinate our

economic development activities. The first phase of technology development is focused around

education and fundamental research. The funding for fundamental research comes through

government grants and industry investments. These initial grants and investments are a fraction

of the funding that will be allocated to a new technology as it matures into a revenue generating


product. Once the basic principles have been studied, practical applications can be applied to

the initial findings from research.

The technology development phase is started when practical applications align with customer

demand. This is when the funding profile for technology development starts to

include additional industry and customer based funding. Generally both

analytical and laboratory studies are required at this phase to see if a

technology is viable and ready to proceed further through the

development process. The technology development

phase includes the creation of prototypes that can

be used to verify the technology application to the

specific target markets and customer

requirements. Once the proof-of-

concept technology is

validated additional funding from industry and customers can occur. Representatives from the

funding sources will require that the working model or prototype be demonstrated in a real world

environment to maintain the funding stream. When the technology has been applied to revenue

generating products or services it is ready for delivery to the cybersecurity market. Customer

demand and the ever changing threat environment represented in the cybersecurity market

cause the timeline for new cyber security technologies and products to be extremely short.

Some cybersecurity products go from concept to deployment in less than 6 months.

Colorado Springs will have to create an entrepreneurial, flexible, and supportive business

environment in order to capture the national and international revenue sources from

fundamental research through produce sales and essential in branding our community as a

market leader in cybersecurity.


Three Pillars of Economic Sustainability in Colorado Springs

Academic Research and Education

Academic research and education is a foundational component of the economic sustainability

model recommended in this white paper. Our community has two excellent, internationally

known, universities: the US Air Force Academy (USAFA) and University of Colorado at

Colorado Springs (UCCS). By coordinating activities at these two universities we can address

the need for fundamental technology research and education in all five cybersecurity

submarkets.

UCCS can address the needs of the Consumer, Small Business and Large Business markets

while sharing technologies in the Industrial market with the USAFA. The USAFA is addressing

the needs of the Industrial, Defense and Intelligence, and the Ethical Offensive Cyber markets

through the creation of the Air Force Cyber Innovation Center (AFCIC). The AFCIC can uniquely

address the complex requirements associated with cybersecurity research for defense and

intelligence customers because of their specialized experience, access to cleared personnel

and secure facilities. The AFCIC is teaming with Catalyst Campus to create a bridge from

military-based fundamental research to industry-based applied research that will lead to

government and commercial cybersecurity architectures, products, and services.

Industry Expertise and Investment

Industry expertise and investment in our community can be delivered through the Catalyst

Campus. Catalyst Campus is building a unique Cyber and Space applied research and

development (R&D) laboratory/operations center in downtown Colorado Springs that can

operate as the hub for industry engagement in our community’s cybersecurity strategy. Catalyst

Campus is a collaborative ecosystem where industry (small business to medium sized entities,


start-ups, etc.) workforce development and venture capital intersect with the diverse resources

of Southern Colorado to create community, accelerate economic development and stimulate job

growth. Catalyst Campus is home to the following organizations and facilities:

1. Center for Technology, Research and Commercialization (C-TRAC) - A 501c3 non-profit

technology transfer and commercialization office that advances technology from industry

partners, the military, the government and/or other advanced industries through state-of-

the-art laboratories and operations center.

2. Southern Colorado Technology Alliance (SCTA) - A 501c6 non-profit membership

organization that caters to the needs of Southern Colorado’s aerospace, defense and

technology companies and provides mentorship and business opportunities for new

small businesses and entrepreneurs.

3. A collaborative environment with shared resources and small business support services

to stimulate innovation, advancement and job growth for Advanced Industries

(specifically aerospace and defense, cyber, software development, technology and

advanced manufacturing).

4. Catalyst Campus – Industry-driven education that supplies a trained and ready

workforce specific to Southern Colorado’s needs and future government contracts.

5. Applied research and development labs through a non-profit community “collaboratory”

to train the latest cybersecurity, software technologies, and programming languages.

Operational Customer Base and Revenue

The operational customer base and revenue needed to complete the third pillar of our economic

sustainability for cybersecurity ecosystem in Colorado Springs will come from our existing

military and commercial community partners. One source of research funding sponsored by the

U.S. Government is the Small Business Innovation Research (SBIR) and Small Business


Technology Transfer (STTR) program. This program is designed to serve the technology needs

of the USG and tap into innovative small businesses. These programs, together with the people

who manage them, accomplish this as part of the USG technology development efforts to

identify and provide advanced, affordable, and integrated technologies. For example, the Air

Force Research Laboratory (AFRL) executes the SBIR and STTR programs for the Air Force.

Over $3 million in research funding

from AFRL has already been

committed to be implemented in the

laboratories and operations center on

the Catalyst Campus. In addition,

Catalyst Campus has identified an

additional $20 million in SBIR Phase 3

funding in the planning stages that may

be awarded to Colorado Springs

headquartered companies in the near future.

The maturity of cybersecurity solutions, like many technologies, can be assessed using

Technology Readiness Levels (TRL) analysis. TRL is a type of measurement system used by

government programs to assess the maturity level of a particular technology. Each technology

idea is evaluated against the parameters for each technology level and is then assigned a TRL

rating based on the maturity of the technology. There are nine technology readiness levels. TRL

1 is the lowest and TRL 9 is the highest. When a technology is at TRL 1, scientific research is

beginning and those results are being translated into future research and development. TRL 2

occurs once the basic principles have been studied and practical applications can be applied to


those initial findings. TRL 2 technology is very speculative, as there is little to no experimental

proof-of-concept for the technology.

When active research and design begin, a technology is elevated to TRL 3. Generally both

analytical and laboratory studies are required at this level to see if a technology is viable and

ready to proceed further through the development process. Often during TRL 3, a proof-of-

concept model is constructed.

Once the proof-of-concept technology is ready, the technology advances to TRL 4. During

TRL 4, multiple components are tested with one another. TRL 5 is a continuation of TRL 4;

however, a technology that is at TRL 5 is ready for more rigorous testing using simulations that

are as close to representative of real world application as possible. Once the testing of TRL 5 is

complete, a technology may advance to TRL 6. A TRL 6 technology has a fully functional

prototype or representational model.

TRL 7 technology requires that the working model or prototype be demonstrated in a real world

environment. TRL 8 technology has been tested and "operationally qualified" and it is ready for

implementation into an already existing technology or technology system. Once a technology

has been "operationally proven" during a real mission, it can be called TRL 9. The TRL model

for assessment can also be used to understand the sources, timing, and magnitude of revenue

associated with a new technology.

The Air Force supports transition from basic research to capability delivery through the

Commercialization Readiness Program (CRP). Whether you are a SBIR/STTR veteran or have

just received your first Phase I contract, you should already be focused on achieving technology

transition and commercial success. The primary objective of the CRP is to accelerate the

transition of SBIR/STTR-developed technologies into real-world military and commercial


applications. To achieve these goals the CRP team gets involved early and stays engaged

throughout the process.

Conclusion & Recommendations

This white paper has identified cybersecurity markets that the community of Colorado Springs is

in a position to lead on a national and international scale. Three pillars of critical capability and

resources already exist in our community. Today these critical community resources operate

independently and occasionally in competition with one another. If Colorado Springs is going to

achieve the vision for the future laid out by Mayor John Suthers, we will need to coordinate our

activities and develop brand recognition nationally and internationally in the cybersecurity

market and submarkets identified in this white paper.

Recommendations

Set up a Mayor sponsored task force chartered to coordinate the activities of our critical

community resources capable of delivering on the cybersecurity vision of the future. The

members of this task force should be the contributors and stake holders in the Mayor’s vision:

1. City Official tasked with implementation of the Mayor’s vision

2. A representative from the Colorado Springs Regional Business Alliance who speaks for

local industry

3. A representative from UCCS responsible for the cybersecurity strategy

4. A representative from the USAFA responsible for the implementation of the AFCIC

5. A representative from Catalyst Campus Center for Technology, Research and

Commercialization (C-TRAC)

6. An economic sustainability expert from the community

7. A representative from the local Military


Some of the efforts this task force should focus on are:

1. Develop a branding and marketing strategy for the City of Colorado Springs that clearly

identifies our community as an ideal place to start and grow a cybersecurity business.

2. Coordinate research opportunities from DoD, Homeland Security, NASA, Intelligence

Agencies, and Commercial Companies with a focus on capturing funding and investment

for cybersecurity projects to be executed locally.

3. Work through the Colorado Springs Regional Business Alliance, local investors and

business owners to put a strategy in place to develop, acquire and grow cybersecurity

companies establishing or moving their headquarters and research and development

activities to Colorado Springs.

4. Encourage teaming and cooperation between academia, industry, and government in

our community to speak in one voice with one vision.

Colorado Springs will be the Cybersecurity Capital of the World

cybersecurity a community approach - 20151109

Documents