An Ounce of Prevention
However, anti-virus products from those companies havent prevented spyware from infecting machines on the DISA network. "People are bringing in things from home, installing freeware. Its a big problem," said Eric Sites of Sunbelt Software Inc., one of the companies that are bidding on the contract.Symantec and McAfee both declined to comment on the SDEP solicitation. DISAs original specifications for anti-virus protection, which are now 3 years old, failed to anticipate the spyware problem or the need for anti-spyware features, Simmons said. "If you look at what was available in anti-virus in 2002, spyware was the purview of very few people who were very forward looking in terms of vulnerabilities and threats," he said. Part of the problem is the fast pace of change in malicious code, compared with the rather slow pace of government IT procurement, said Simmons. "For 25 years, DOD has been visionary in terms of what to try to do with technology, but contracting and program management methods tend to take time to catch up with technology," he said. However, the I-Assure contract is flexible enough to allow the government to address shortcomings in its IT security coverage, he said. "The beauty of the I-Assure approach is that the government can say Heres a contract, go find me the best of breed spyware solution," Simmons said. Symantec, McAfee, Computer Associates International Inc. and dedicated spyware vendors Webroot and Sunbelt Software are bidding for the anti-virus work, said Moll. Whatever anti-spyware technology is selected will have to work with existing anti-virus software used on military systems, which would seem to tip the scales in favor of anti-virus companies such as Symantec, said Simmons. However, DISAs specification for anti-spyware may give the edge to stand-alone products such as Webroot and Sunbelt over security suite providers such as Symantec, McAfee and Trend, Simmons acknowledged. "[DISAs Strategic Command] did their own due diligence and tested spyware solutions available in the August-September 2004 time frame. The requirements they scoped out were developed around those technologies," he said. Webroot CEO Moll was optimistic, though he said Symantec is using aggressive pricing and other techniques to win the governments anti-spyware business. "I think Webroot is nicely positioned. Weve made it over enough hurdles with compliance. Were in a nice position," Moll said. The government is currently testing the anti-spyware products from the vendors against its STIG (Security Technical Implementation Guide), a kind of checklist to determine whether they comply with military standards for application security and interoperability. To read more about the FBI and the Secret Service relying on the private sector for help in tracking down phishing sites, click here. STIG compliance testing was scheduled to be complete by the end of May, when a winner or winners are expected to be announced. However, with testing ongoing, it could be months before the DOD selects an anti-spyware vendor, Moll said. Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.
"If you look at the problems in the corporate environment with spyware and vulnerabilities, the same things are there in everything that the federal government or the DOD is doing, with the added component of top secret networks," said Tom Simmons, director of federal programs at Trend Micro, which is bidding for the SDEP work.