From: Financial Times

By Carola Hoyos in London

The end of a decade of war and prosperity is proving transformative for the weapons trade as cash-strapped governments are cutting military budgets while defence contractors are shedding jobs and warning of shrinking revenues.

So it is with fortuitous timing – at least for defence companies – that a new enemy is emerging on the world’s stage.

Cyber attacks by well-resourced, highly capable and relentless, usually state-sponsored attackers – so called advanced persistent threats – are growing.

The best known example is Stuxnet, which was aimed at Iran’s nuclear centrifuges and is widely believed to have been developed by the US or Israel, neither of which have confirmed their involvement.

But dozens of similarly specifically targeted attacks have infiltrated the systems of a growing number of government agencies and companies, including defence contractors Northrop Grumman, Lockheed Martin and L-3 Communications, and natural resource companies, such as BHP Billiton.

The F-35 jet fighter programme was infiltrated in 2009. Defence contractors, including BAE Systems, say they are targets of constant attacks and, in fact, use that as a marketing point when selling their cyberdefence services.

Collecting precise data on such attacks is difficult because governments and companies are reticent to admit they have been compromised.

Financial regulators have yet to force companies to disclose their vulnerabilities despite their huge potential financial and reputational harm.

“Never before has there been such a time in IT where there was such pressure to adopt new technology practices whilst trying to deal with such a significantly sized security issue,” James Lyne, director of technology strategy at Sophos, the UK’s largest cyber security company, said in a recent speech.

China is seen as the major sponsor of high-level cybercrime involving the theft of sensitive commercial and government information. Last week a US Congressional report by Northrop Grumman, the defence contractor, noted China’s cyber prowess also posed a military threat.

Jamie Shea, Nato’s deputy assistant secretary-general for emerging security challenges, said: “Clearly in the future all conflicts are going to involve people trying to disrupt the information technology systems, which are not only necessary for communication, but also for the operation of highly sophisticated weapons systems, most of which these days are computer driven.”

To address that new frontier, Nato last week signed one of the most ambitious cyberdefence contracts ever to secure its network across 50 sites and 28 member countries.

Robert Lentz, former deputy US assistant secretary of defense for cyber, identity and information assurance, says defence companies’ access to sensitive contracts such as that of Nato – won by Finmeccanica and Northrop Grumman – gives them a vaunted position in a market that is growing in the public and private sector.

“Defence ministries are the pacesetters to implement the visions and showcase capabilities that work,” he says. “Often times they can become the trusted adviser of the entire public sector and then at the same time the public sector and the critical infrastructure sectors are communicating and collaborating more than they ever have.”

By now almost all the major defence contractors have a cyber element.

Much of the mergers and acquisitions activity over recent years has involved defence companies buying knowhow or the access to new markets. Jane’s Defence calculates that about 14 per cent of defence acquisitions had cyber as their target last year.

In Europe, BAE Systems, Ultra Electronics and Qinetiq have the highest cyber exposure but for most of the group the per cent of revenue they get from cyber remains solidly in the low single-digits.

As their understanding of the market matures, defence companies are beginning to specialise their offering and spread out from their traditional defence customers to other government departments and industry.

Nevertheless, cyber is not the cure for all the defence companies’ traditional ills.

Even Lawrence Prior, executive vice-president at BAE, cautions against breathless excitement.

“There is so much hyperbole around the market. It’s a good market. There’s real growth. But it’s high single-digit, low double-digit growth depending on how you segment the market. It’s not triple-digits growth. This isn’t venture-backed, light-your-hair-on-fire growth.”

Meanwhile, cyber margins are usually well below those companies make for building and servicing defence equipment and parts.

To improve on them, companies such as BAE’s Detica are moving increasingly into offering products, rather than acting largely as consultants.

In doing so, they will have to adapt to a faster moving, more dynamic business than they are used to, says William Beer, PwC’s director of the information and cybersecurity practice.

But, he added: “If they [defence contractors] make the jump into the private sector, they stand a good chance of shaking things up and really, really enhancing everything we do.”