Recently I posted Jeremiah Grossman on Justifying Security Spending. Yesterday I read Noah Shachtman's article Jets vs. Grunts in Pentagon Spending Showdown. I realized DoD (and really any other global military) has the same problem facing digital security practitioners: how do you justify security spending? DoD spending doesn't make the country richer. As I've said elsewhere, spending on security only makes security vendors richer. (See Security ROI Revisited for my reference to the broken window fallacy. By the way, if you are a politically-minded first-time blog visitor, you can forget about posting comments. This blog is for digital security; I'm not taking political sides here.)
One major difference between digital security justification and military justification is the latter's emphasis on threats, especially their capabilities and intentions. We are not worried if the United Kingdom builds a 5th generation fighter aircraft. We are worried if China, Russia, or Iran does. You don't see discussions of vulnerabilities, e.g., "we have to do something about the exposures and vulnerabilities in our domestic fuel storage facilities that allow 5th generation fighters to bomb them!" Instead the conversation focuses on designing, building, and deploying fighters that can deter or destroy enemy fighters. This is the case because a national military is in a position to take these actions, unlike the owners of the fuel storage facilities.
Also notice that owners of domestic fuel storage facilities are not buying their own fighter aircraft to defend their assets. Obviously, you might think. Well, not if you are a digital security practitioner. We're expected to protect all of our assets, against any range of threats, with little to no help from the governments we elect to "provide for the common defense." I mentioned this last year in US Needs Cyber NORAD.
Until this situation changes you can expect me to point out the absurdity of our situation. Maybe in 25 years we'll look back at this time as the "Wild Cyber West" that it is.
Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.