Outdated Defense by Design
The U.S. government is expected to allocate $18.78 billion for cybersecurity investment in 2021.
While it’s true that we have tons of defensive technology that can prevent conventional cyberattacks and detect many network intrusions, we have not successfully integrated these into a unified armament designed for active defense.
We have spent over $80 billion developing this stuff and almost all of it is used for perimeter, network or endpoint defense. We have a handful of products that can identify certain forms of anomalies on our networks and we have some that are trying to predict attacks before they occur. But the nature of all this technology is passively defensive.
Less Than 10% of Budget for Cybersecurity
On the other hand, the Defense Department base budget is $636.4 billion and throw in an additional $69 billion for DoD Overseas Contingency Operations.
Even though the DoD budget is allocated for national emergency and war-time readiness, other agencies get some overflow: the State Department ($20.5 billion), the Department of Homeland Security ($54.8 billion), the FBI ($9.7 billion) and the National Nuclear Security Administration ($19.7 billion).
Net, net, we will spend only 9.6% of our Federal IT budget collectively on cybersecurity this year. Meanwhile, an epidemic of cybercrime cost the global economy over $500 billion last year, with an average cost of $21.22 million per breach, and the majority (53%) of businesses in the U.S., U.K. and Germany report (PwC) being ill-prepared for a cyberattack.
This of course, makes no sense.
Attackers Have the Upper Hand
After all of that spending, we don’t have an integrated and unified capability to mount a continual recon defense and we don’t seem to be able to successfully seek out intruders who have penetrated our networks. We have hundreds of point-specific products that can detect anomalies in various ways, yet most of them are holistically ineffective and have demonstrated that they can be bypassed with minimal skill.
The effects of today’s malware attacks are amplified by our increased connectivity and expanded attack surfaces, while the effect of our current defenses is not. The result is a high degree of leverage in the hands of the attackers, with little or none in the technology of the defenders.
A Proposal for Neuberger
If I were Anne Neuberger, I would argue that our Federal budget for cyber is at least 10X too small and that our spending now is too widely dispersed, with zero accountability.
I would also argue that it is time for the federal government to step in and impose not just regulatory guidelines and penalties for organizational non-compliance but very specific organizational, technological and process requirements that every registered business in the U.S. must follow. This architectural requirement should be a simple component of organizing and operating a business in the U.S., not unlike the act of incorporation itself, establishing a cap table, appointing officers, or the requirement to pay taxes on earnings according to a very specific code. Try entering an SEC regulated domain sometime, or getting your product approved for consumption by the FDA, or undergoing an OSHA audit. There are rules and there are reasons.
A Framework for Fundamental Security
All businesses should be forced to demonstrate that they have implemented a set of very specific fundamental cybersecurity protections. Not just guidelines, but an architectural framework that is not dissimilar to our building codes which require plumbing, electrical, foundations and framing; all in accordance with very specific specs.
The framework should minimally include the elements of Zero Trust, intelligence, analytics, distance and competency, all of which are represented by known technologies and processes available today.
Intelligence needs to be sourced both internally and externally. Sharing would be nice but is probably close to impossible. Analytics needs to be based on technologies that can ingest, aggregate and correlate disparate data and find connections that are undetectable by human analysts. Distance involves layers of security that keep cybersecurity battles as far from the core as possible. Sometimes called defense-in-depth, distance is about putting multiple obstacles between our core assets and the threat vectors that cyber attackers employ to penetrate. Competency involves educated, trained and skilled human resources who should be required to certify in their sub-fields.
We don’t allow hospitals to operate without MDs, nor do we allow security broker/dealers to function without licenses. You would think that the protection of privacy, intellectual property and our electrical grid are somewhere in the value ballpark alongside healthcare and financial fraud.
A Giant Leap Forward From Where We Are
There are many more components of a national cybersecurity architecture, but just getting these four in place would be an impressive start and a massive improvement over the current version of state-led initiatives. Those are based on vaguely defined guidelines attached to punitive fines for non-compliance, which result in a check-box mentality and insufficient defenses for everyone concerned.
I also suspect a national cybersecurity program with specific architectural requirements would not encounter much pushback in light of the current cybercrime epidemic. Unlike taxes, S-1s and 10-Ks, the incentives for cooperative participation would simply be national pride, increased security and freedom.
Once upon a time, that was enough.