In recent years, Bethesda-based defense contractor Lockheed Martin has watched cyberattacks on its network grow, not only in number but in sophistication — including one that gained public attention in 2011.
The contracting giant has invested significantly in defending its networks, but at the same time has turned that cyberdefense into a product that can be sold to government and commercial customers.
Lockheed — which wouldn’t discuss who might have committed the 2011 cyberattack, though some have speculated it was China — isn’t alone. Defense and intelligence contractors from Boeing to KEYW are pitching the technology and processes that they use to guard against hackers to others, hoping that their own experience will prove to be a valuable selling point.
“Lockheed Martin is such a large target for many types of adversaries . . . so we have a very robust set of information that we use internally,” said Chandra McMahon, the company’s corporate information security officer. “This intelligence that we’ve gathered — [we’re] able to package it and provide it to other customers.”
The move can also help companies refine their products, allowing them to test in real time and make improvements.
Lockheed ramped up its internal cybersecurity infrastructure about a decade ago “out of necessity,” because there was little on the market that met the company’s needs, said Rich Mahler, who runs the unit tasked with packaging the company’s internal cybersecurity practices and intelligence for sale to others.
In parallel, he said, Lockheed began developing similar technologies and services for its customers, which include government agencies as well as commercial firms.
“We look at [Lockheed’s cybersecurity] and say, ‘What are the best practices? What are the lessons? What are the areas where we had to make investment ourselves because there was nothing on the market?’ ” Mahler said.
For contractors it can be an obvious way to turn internal investment into revenue. Lockheed, which maintains a cyber center in Gaithersburg, purposely mixes its internal security team with Mahler’s group to ensure that employees seeing the problems faced by customers can help improve Lockheed’s internal blockades — and vice versa. The company counts among its commercial customers energy firms Idaho Falls Power and NOVEC, the Northern Virginia Electric Cooperative.
Cybersecurity, unlike, say, tanks or missiles, is proving to be an area in which defense contractors are finding that their expertise may translate well to commercial use. Companies such as Fairfax-based ManTech International and McLean-based Booz Allen Hamilton have been looking beyond the government market to a diverse group of commercial businesses in need of protection from malicious hackers. Key target industries generally include financial services, energy, utilities and transportation.
Some companies are hoping that treating themselves as a customer can help make that leap.
Boeing, which maintains its cybersecurity center in Annapolis Junction, relies on the same cybersecurity product it sells to others. Bryan J. Palma, vice president of security and information services in Boeing’s information solutions unit, said he treats Kevin Meehan, the company’s chief information security officer in charge of Boeing’s cybersecurity, like “any other customer.”
But unlike other customers, discussions about the product can be more candid.
“It allows us to be able to go to Kevin . . . and get unvarnished feedback about what works or doesn’t work,” Palma said. “It’s hard to get a customer to really tell you what they think.”
The move is part of a broader effort to move Boeing into a more commercial approach. Palma himself comes from that part of the technology world; he previously worked as PepsiCo’s chief information security officer.
Boeing is focusing on a more commercial-like set of cybersecurity products and services, meaning products and services that use one platform rather than specially developed technology that has to be built anew for each customer.
“We want to sell that one product many times,” Palma said.
Hanover-based cybersecurity firm KEYW also is drawing on its experience as it prepares to enter the commercial market. The company previously only sold to the government but made the move to expand into commercial cybersecurity last year with two acquisitions and the establishment of a commercially focused unit.
KEYW has been its own first customer for the commercial product, dubbed Project G, said Leonard E. Moodispaw, KEYW’s chief executive. AT&T is one of the company’s early adopters.
“If you’ve got the best around, you want it on your own networks, and what’s a better test bed?” he said.
Moodispaw said the company has already learned through its own experience, has improved the product and is now working with the first group of commercial users.
Jessica Herrera-Flanigan, a partner at Monument Policy Group, said many cybersecurity companies are as much targets of hackers as their customers, making their own security practices and procedures critical.
“It does help to show that the product is being used effectively if you haven’t been compromised,” she said.