Cybersecurity A Community Approach - 20151109
1. Colorado Springs Cybersecurity Market Strategy - November, 2015 Page 1
A Community Focused Approach to
Cybersecurity Excellence
Mayor's Vision: Colorado Springs
will be the Cybersecurity Capital of the World
Submitted by
Frank Backes, CEO
Braxton Science & Technology Group
6 North Tejon Street, Suite 220
Colorado Springs, CO 80903
frank.backes@braxtontech.com
Phone: 719-380-8488
Introduction
Data transport and security play a significant and increasingly important role in our personal
lives, businesses, and national security. The Internet has become the backbone of data
transport and security supplemented by networks used for banking, government, industry,
commercial, and civil systems. Virtually all businesses communicate internally and with their
suppliers and customers via the Web and email, and the US Government increasingly
communicates with citizens by online means. The rest of the developed world is in a similar
position, and much of the developing world is catching up fast.
Colorado Springs’ political leadership recognizes the importance of cybersecurity to our nation
and has determined it is highly desirable that our community has a strong, productive and
competitive cybersecurity industry, based on existing local resources, historical experience,
inherent knowledge, skills and capability. Colorado Springs finds itself in an enviable place
when considering where the US Government and Industry should invest in cybersecurity
capability. Several pillars differentiate and define our community’s ability to deliver on the
Mayor’s vision, “Colorado Springs will be the Cybersecurity Capital of the World”, as follows:
1. Headquarters Air Force Space Command – Organize, Train and Equip role for Space
and Cyber.
2. United States Northern Command (USNORTHCOM)
3. North American Aerospace Defense Command (NORAD) and NORAD
4. Schriever Air Force Base - Command and control for over 170 Department of Defense
warning, navigational, and communications satellites
5. Army Space and Missile Defense Command
6. Cheyenne Mountain Air Force Station
7. Joint Functional Component Command for Integrated Missile Defense (JFCC IMD)
8. Missile Defense Agency
9. US Air Force Academy – Future home of the Air Force Cyber Innovation Center (AFCIC)
10. UCCS, a world-class university capable of delivering education and research
11. Catalyst Campus for Technology Innovation – An industry-driven workforce
development, research, development, and operations facility focused on Cybersecurity
12. Commercial industry leaders in cybersecurity (FedEx, Oracle, root9B, MainNerve,
Progressive, and many others)
13. Home to more than 200 Aerospace and Defense industry companies with a vested
interest in the cybersecurity capabilities of our community
These community pillars are the pathway to Colorado Springs’ ‘brand’ in the cybersecurity
market. When combined and directed in a coordinated strategy, we have the opportunity to build
a successful, competitive and knowledge-based industry to exploit the undoubted need for
cybersecurity in the US and other countries. These pillars also represent the three required
elements for successful technology market leadership and economic sustainability.
1. Academic research and education
2. Industry expertise and investment
3. Operational customer base and revenue (Military and Commercial)
The Cybersecurity market is highly fragmented and heterogeneous. Its structure is complex and
not widely understood. In particular, there is considerable confusion and uncertainty regarding
the market dynamics for cybersecurity, in terms of demand, competitiveness and government’s
role in facilitating a strong cybersecurity capability for the nation. This white paper will strive to
clarify this market and describe how the technology pillars in our community can unite to
become the cybersecurity capital of the world.
Defining Cybersecurity Markets
The market structure and supply chain depend on the nature of the business being protected,
the extent of exposure to potential threats, and the value of an attack for the cyber-criminal. For
this report, we identified five separate and distinct submarkets, each of which has different end-
user organizations and supply chain players. Crossover between supply chains in the
submarkets is not straightforward.
The five submarkets are:
The Colorado Springs community has organizations that represent both customers and
suppliers of products and services in each cybersecurity sub-market. The sophistication,
motivations, and funding of cyber-criminals is the primary characteristic this paper is using to
differentiate each of these cybersecurity submarkets. The categories of cyber-criminals
considered are:
Terrorists
Organized Crime
Activists/Hacktivists Organizations
Insider Threats
Competitors/Corporate Espionage
Foreign Entities
Foreign Nation-states
Independent Hackers
Nation-states, terrorists, hackers and organized crime are the cybersecurity villains that
everybody loves to hate. While there is no doubt these cyber-criminals are a force to be
reckoned with, insiders, current and former employees are increasingly a risk to many
organizations.
The Consumer and Small Business sub-market has cybersecurity needs, but these are less
sophisticated, primarily due to the funding and type of cyber-criminal targeting this market
segment. The submarket for small businesses and consumers is aggregated here because the
supply chains serving their needs for products and services are similar. The cyber-criminals
focused on this market operate mostly as individuals and command limited funding for their
capability.
The Business and Enterprise cybersecurity market is oriented around large commercial
enterprises securing their day-to-day business. This includes banks, telecommunications
companies, utility and energy firms, manufacturers and retailers, and its constituency comprises
the largest firms operating in the US. Some of these firms have a role to play in the nation’s
critical national infrastructure, but the nature of the threat is less than that for intelligence and
defense organizations. The cyber-criminals we find in this market include competitors, insiders,
independent hackers, organized crime, and hacktivists. These criminals can be well funded and
are looking for significant results and return for the risk they are taking in attacking a business or
enterprise.
The Industrial market segment includes Civil, Utility, Healthcare, Energy, Justice Systems, and
others: this submarket incorporates all the other government-funded cybersecurity tasks. It
includes security of health and education data, crime and criminal justice information, as well as
more run-of-the-mill (but essential) national infrastructure systems. As an example, among the
most publicized cybersecurity attacks of all time were the major breaches that occurred in 2014,
which successfully accessed US government databases holding personnel records and security-
clearance files containing sensitive information of about 22.1 million people, including not only
federal employees and contractors but their families and friends. It is believed by US officials
that the attack was sponsored by China, which was conducting a form of traditional espionage.
The Military and Intelligence submarket is focused on securing national assets, weapon
systems, the nation's secrets, and involves security and intelligence agencies. It incorporates
the most advanced (and most secret) cybersecurity technologies available. The attacks in this
market come from all players in the cyber-criminal spectrum. While terrorist groups and nation-
state backed cyber-criminals have significant funding and the most sophisticated capabilities,
insider threats have proven to be challenging to detect and mitigate but have had devastating
impacts. The Edward Snowden incident is a good example of the impact a single insider threat
can have.
In response to nation-state, terrorist, and sophisticated competitors engaged in industrial
espionage, the Ethical Offensive Cyber market has grown significantly. This is an arena that
requires technical, ethical, cultural, and legal expertise to be combined with products, services
and operational expertise to achieve the intended outcomes without breaking US constitutional
and international laws.
The purpose of identifying these five separate submarkets is not to silo these markets, or draw
hard and fast lines between them. In fact, there is a degree of crossover between buyers in the
submarkets in our model. The purpose is to identify the differences in supplier structures that
feed each of the submarkets and address them in reference to the value proposition that the
Colorado Springs community has to offer. From a supplier point of view, it is vitally important to
understand the characteristics of each particular market.
Selling into the defense and intelligence sub-market is entirely different than doing business with
small businesses and consumers, just as selling into large enterprises is different than selling
into the public sector (even beyond the defense and intelligence elements). The sophistication
and scale of the cybersecurity requirements, the credentials and clearance requirements, and
the way in which each submarket procures cybersecurity capability are all substantially different
in each sub-market. Suppliers to the cybersecurity market, therefore, need to understand the
dynamics of their particular target market. The Colorado Springs community must use this
information to adjust its strategies in developing and branding a cybersecurity economic
foundation.
Understanding Technology Creation & Revenue Lifecycle
The maturity of cybersecurity solutions can be assessed using traditional product development
lifecycle analysis. It is imperative that we understand the economic impact to our community in
each phase of the technology maturation process in order to prioritize and coordinate our
economic development activities. The first phase of technology development is focused around
education and fundamental research. The funding for fundamental research comes through
government grants and industry investments. These initial grants and investments are a fraction
of the funding that will be allocated to a new technology as it matures into a revenue generating
product. Once the basic principles have been studied, practical applications can be applied to
the initial findings from research.
The technology development phase starts when practical applications align with customer
demand. This is when the funding profile for technology development starts to include additional
industry and customer based funding. Generally both analytical and laboratory studies are
required at this phase to see if a technology is viable and ready to proceed further through the
development process. The technology development phase includes the creation of prototypes that
can be used to verify the technology application to the specific target markets and customer
requirements. Once the proof-of-concept technology is validated, additional funding from
industry and customers can occur. Representatives from the
funding sources will require that the working model or prototype be demonstrated in a real world
environment to maintain the funding stream. When the technology has been applied to revenue
generating products or services it is ready for delivery to the cybersecurity market. Customer
demand and the ever changing threat environment represented in the cybersecurity market
cause the timeline for new cyber security technologies and products to be extremely short.
Some cybersecurity products go from concept to deployment in less than 6 months.
Colorado Springs will have to create an entrepreneurial, flexible, and supportive business
environment in order to capture the national and international revenue sources from
fundamental research through product sales. Such an environment is essential in branding our
community as a market leader in cybersecurity.
Three Pillars of Economic Sustainability in Colorado Springs
Academic Research and Education
Academic research and education is a foundational component of the economic sustainability
model recommended in this white paper. Our community has two excellent, internationally
known, universities: the US Air Force Academy (USAFA) and University of Colorado at
Colorado Springs (UCCS). By coordinating activities at these two universities we can address
the need for fundamental technology research and education in all five cybersecurity
submarkets.
UCCS can address the needs of the Consumer, Small Business and Large Business markets
while sharing technologies in the Industrial market with the USAFA. The USAFA is addressing
the needs of the Industrial, Defense and Intelligence, and the Ethical Offensive Cyber markets
through the creation of the Air Force Cyber Innovation Center (AFCIC). The AFCIC can uniquely
address the complex requirements associated with cybersecurity research for defense and
intelligence customers because of their specialized experience, access to cleared personnel
and secure facilities. The AFCIC is teaming with Catalyst Campus to create a bridge from
military-based fundamental research to industry-based applied research that will lead to
government and commercial cybersecurity architectures, products, and services.
Industry Expertise and Investment
Industry expertise and investment in our community can be delivered through the Catalyst
Campus. Catalyst Campus is building a unique Cyber and Space applied research and
development (R&D) laboratory/operations center in downtown Colorado Springs that can
operate as the hub for industry engagement in our community’s cybersecurity strategy. Catalyst
Campus is a collaborative ecosystem where industry (small business to medium sized entities,
start-ups, etc.) workforce development and venture capital intersect with the diverse resources
of Southern Colorado to create community, accelerate economic development and stimulate job
growth. Catalyst Campus is home to the following organizations and facilities:
1. Center for Technology, Research and Commercialization (C-TRAC) - A 501c3 non-profit
technology transfer and commercialization office that advances technology from industry
partners, the military, the government and/or other advanced industries through state-of-
the-art laboratories and operations center.
2. Southern Colorado Technology Alliance (SCTA) - A 501c6 non-profit membership
organization that caters to the needs of Southern Colorado’s aerospace, defense and
technology companies and provides mentorship and business opportunities for new
small businesses and entrepreneurs.
3. A collaborative environment with shared resources and small business support services
to stimulate innovation, advancement and job growth for Advanced Industries
(specifically aerospace and defense, cyber, software development, technology and
advanced manufacturing).
4. Catalyst Campus – Industry-driven education that supplies a trained and ready
workforce specific to Southern Colorado’s needs and future government contracts.
5. Applied research and development labs through a non-profit community “collaboratory”
to train the latest cybersecurity, software technologies, and programming languages.
Operational Customer Base and Revenue
The operational customer base and revenue needed to complete the third pillar of economic
sustainability for the cybersecurity ecosystem in Colorado Springs will come from our existing
military and commercial community partners. One source of research funding sponsored by the
U.S. Government is the Small Business Innovation Research (SBIR) and Small Business
Technology Transfer (STTR) program. This program is designed to serve the technology needs
of the USG and tap into innovative small businesses. These programs, together with the people
who manage them, accomplish this as part of the USG technology development efforts to
identify and provide advanced, affordable, and integrated technologies. For example, the Air
Force Research Laboratory (AFRL) executes the SBIR and STTR programs for the Air Force.
Over $3 million in research funding from AFRL has already been committed to be implemented in
the laboratories and operations center on the Catalyst Campus. In addition, Catalyst Campus has
identified an additional $20 million in SBIR Phase 3 funding in the planning stages that may be
awarded to Colorado Springs headquartered companies in the near future.
The maturity of cybersecurity solutions, like many technologies, can be assessed using
Technology Readiness Levels (TRL) analysis. TRL is a type of measurement system used by
government programs to assess the maturity level of a particular technology. Each technology
idea is evaluated against the parameters for each technology level and is then assigned a TRL
rating based on the maturity of the technology. There are nine technology readiness levels. TRL
1 is the lowest and TRL 9 is the highest. When a technology is at TRL 1, scientific research is
beginning and those results are being translated into future research and development. TRL 2
occurs once the basic principles have been studied and practical applications can be applied to
those initial findings. TRL 2 technology is very speculative, as there is little to no experimental
proof-of-concept for the technology.
When active research and design begin, a technology is elevated to TRL 3. Generally both
analytical and laboratory studies are required at this level to see if a technology is viable and
ready to proceed further through the development process. Often during TRL 3, a proof-of-
concept model is constructed.
Once the proof-of-concept technology is ready, the technology advances to TRL 4. During
TRL 4, multiple components are tested with one another. TRL 5 is a continuation of TRL 4;
however, a technology that is at TRL 5 is ready for more rigorous testing using simulations that
are as close to representative of real world application as possible. Once the testing of TRL 5 is
complete, a technology may advance to TRL 6. A TRL 6 technology has a fully functional
prototype or representational model.
TRL 7 technology requires that the working model or prototype be demonstrated in a real world
environment. TRL 8 technology has been tested and "operationally qualified" and it is ready for
implementation into an already existing technology or technology system. Once a technology
has been "operationally proven" during a real mission, it can be called TRL 9. The TRL model
for assessment can also be used to understand the sources, timing, and magnitude of revenue
associated with a new technology.
The Air Force supports transition from basic research to capability delivery through the
Commercialization Readiness Program (CRP). Whether you are a SBIR/STTR veteran or have
just received your first Phase I contract, you should already be focused on achieving technology
transition and commercial success. The primary objective of the CRP is to accelerate the
transition of SBIR/STTR-developed technologies into real-world military and commercial
applications. To achieve these goals the CRP team gets involved early and stays engaged
throughout the process.
Conclusion & Recommendations
This white paper has identified cybersecurity markets that the community of Colorado Springs is
in a position to lead on a national and international scale. Three pillars of critical capability and
resources already exist in our community. Today these critical community resources operate
independently and occasionally in competition with one another. If Colorado Springs is going to
achieve the vision for the future laid out by Mayor John Suthers, we will need to coordinate our
activities and develop brand recognition nationally and internationally in the cybersecurity
market and submarkets identified in this white paper.
Recommendations
Set up a Mayor-sponsored task force chartered to coordinate the activities of our critical
community resources capable of delivering on the cybersecurity vision of the future. The
members of this task force should be the contributors and stakeholders in the Mayor’s vision:
1. City Official tasked with implementation of the Mayor’s vision
2. A representative from the Colorado Springs Regional Business Alliance who speaks for
local industry
3. A representative from UCCS responsible for the cybersecurity strategy
4. A representative from the USAFA responsible for the implementation of the AFCIC
5. A representative from Catalyst Campus Center for Technology, Research and
Commercialization (C-TRAC)
6. An economic sustainability expert from the community
7. A representative from the local Military
Some of the efforts this task force should focus on are:
1. Develop a branding and marketing strategy for the City of Colorado Springs that clearly
identifies our community as an ideal place to start and grow a cybersecurity business.
2. Coordinate research opportunities from DoD, Homeland Security, NASA, Intelligence
Agencies, and Commercial Companies with a focus on capturing funding and investment
for cybersecurity projects to be executed locally.
3. Work through the Colorado Springs Regional Business Alliance, local investors and
business owners to put a strategy in place to develop, acquire and grow cybersecurity
companies establishing or moving their headquarters and research and development
activities to Colorado Springs.
4. Encourage teaming and cooperation between academia, industry, and government in
our community to speak in one voice with one vision.
Colorado Springs
will be the Cybersecurity Capital of the World