Why Don't Defense Contractors Do Cyber?
Going on eight years now, Raytheon has been mounting a strategic campaign in cyber security. This past April, the company spent $1.7 billion on Austin-based Websense, the 13th cyber business it has purchased since October 2007 (Defense Mergers & Acquisitions Daily, 20 April 2015). In Forbes, defense industry booster Loren Thompson called the transaction “bold”—the value roughly matched that of the 12 preceding deals. That pattern suggests that Raytheon has been learning along the way how to build a successful business. More recent evidence was Raytheon’s selection this month as a finalist in DARPA’s Cyber Grand Challenge, in which some of the top teams in the US have been working to create self-healing code. As Byron Callan of Capital Alpha Partners wrote, that alone “suggests it's doing something right,” whatever misgivings investors and their analysts may have had about Raytheon's long-running strategy.
But as the Wall Street Journal recently headlined, Raytheon is getting in “as rivals bail.” Just this year, several large defense contractors have announced exits from at least commercial cyber. ManTech just sold its operations to CounterTack (seeDM&AD, 15 July 2015). CSC is splitting into government and commercial halves. Thompson recently reported how BAE Systems will retain cyber capabilities related to its own weapons, but will otherwise “sell most service lines”. TheWashington Post observed this week that Lockheed Martin is keen on healthcare, but on 20 July, the company announced “a strategic review” of its information technology business. And just this past Thursday, Doug Cameron reported in theWSJ that L-3 Communications “may also sell or spin off its $1 billion cybersecurity unit.”
Plenty of big defense contractors sell products meant for land, sea, air, and space. Lockheed, for one, is bidding on the Joint Light Tactical Vehicle, is a prime contractor for Littoral Combat Ships, runs the massive Joint Strike Fighter program, and builds GPS satellites. This last item is the closest it comes to a commercial product. Marketing acumen in one military realm, however, is arguably portable to others. In Buying Military Transformation (Columbia University Press, 2006), Peter Dombrowski and Eugene Gholz argued that the big exisiting contractors would continue to “lead military-technology development, even for equipment modeled on the civilian Internet.” With cyber security per se, that’s clearly not happening.
Raytheon thought enough of its contrarian position to make a major marketing fuss over cyber at the Paris Air Show. As Raytheon CEO Tom Kennedy toldBreaking Defense that week, other “CEOs are shaking in their boots” about their companies’ vulnerabilities—regardless of their line of work. Michael Daley, Raytheon’s CTO for cyber, explained that “80 percent of critical infrastructure is in the hands of private companies, and the government customer is leaning toward buying commercial solutions”. There’s clearly technical overlap.
As Byron Callan noted after the Websense announcement, Raytheon’s leadership also “seemed well aware of the cultural differences between defense and commercial” markets. That might explain Lockheed’s allergy: healthcare is heavily regulated, but cyber moves far faster than fighter jets. The clock-cycle of the commercial customers and the miscreants attacking them every day may be too much for management at many big contractors, which have spent decades developing not just technology, but bureaucratic structures to match those of their customers.
Regardless, if the innards of electronic networks constitute a fifth and fierce domain of conflict, then it’s remarkable how many big contractors are surrendering their positions. In the long run, as Callan went on, commercial needs “may prove a bigger driver of change in cyber markets, and that dynamic could degrade defense-only strategies”. That would be bad for business. But if rapid adaptability and flexibility are the surest guarantors of technological superiority in any domain, then America’s big contractors are departing the field. We’ll wait to see if that’s good or bad for security.
James Hasík is a senior fellow at the Brent Scowcroft Center on International Security.