Monday, December 22, 2008

Justifying National Security Spending

Recently I posted "Jeremiah Grossman on Justifying Security Spending." Yesterday I read Noah Shachtman's article "Jets vs. Grunts in Pentagon Spending Showdown." I realized DoD (and really any other global military) has the same problem facing digital security practitioners: how do you justify security spending? DoD spending doesn't make the country richer. As I've said elsewhere, spending on security only makes security vendors richer. (See "Security ROI Revisited" for my reference to the broken window fallacy. By the way, if you are a politically-minded first-time blog visitor, you can forget about posting comments. This blog is for digital security; I'm not taking political sides here.)

One major difference between digital security justification and military justification is the latter's emphasis on threats, especially their capabilities and intentions. We are not worried if the United Kingdom builds a 5th generation fighter aircraft. We are worried if China, Russia, or Iran does. You don't see discussions of vulnerabilities, e.g., "we have to do something about the exposures and vulnerabilities in our domestic fuel storage facilities that allow 5th generation fighters to bomb them!" Instead the conversation focuses on designing, building, and deploying fighters that can deter or destroy enemy fighters. This is the case because a national military is in a position to take these actions, unlike the owners of the fuel storage facilities.

Also notice that owners of domestic fuel storage facilities are not buying their own fighter aircraft to defend their assets. Obviously, you might think. Well, not if you are a digital security practitioner. We're expected to protect all of our assets, against any range of threats, with little to no help from the governments we elect to "provide for the common defense." I mentioned this last year in "US Needs Cyber NORAD."

Until this situation changes you can expect me to point out the absurdity of our situation. Maybe in 25 years we'll look back at this time as the "Wild Cyber West" that it is.


Richard Bejtlich is teaching new classes in DC and Europe in 2009. Register by 1 Jan and 1 Feb, respectively, for the best rates.

1 comment:

Roland Dobbins said...

Yes, and with a 'Cyber'-NORAD, it'll be just about as effective as NORAD were on 9/11, or as they would've been during, say, the 1992 Los Angeles riots, which is a much closer analogy to our seemingly permanent state of security emergency than to the type of mission NORAD are supposed to perform.

The US military have a horrifying tooth/tail ratio, have proven signally unable to grasp 3GW, much less 4GW (which is essentially what the miscreants are practicing), and are in no way, shape, form or fashion equipped to deal with protecting privately-owned and -operated network assets - they're struggling to protect their own assets. Furthermore, even if they were supremely competent in this area of expertise (which they aren't), suggesting that the US military or similar organization should take up such a role is like saying that the best way to combat urban crime is to station a light infantry division or two in each major metropolitan area, with soldiers responsible for basic law enforcement, checking paperwork, et al.

The military simply aren't intended for such a task, and would end up as a sort of 'cyber'-Stasi - something politicians of any stripe would love to be able to justify on 'national security' grounds. Precisely the sort of thing prohibited by Posse Comitatus, and for good reason.

A much better approach is the Swiss model, wherein responsible adults receive training, then are sent home with their automatic weapons and bandoliers, ready to swing into action as needed. A well-informed, well-'armed' citizenry is what's needed, not the leaden hand of the DoD. And, no, I'm not talking about offensive actions, which you've also suggested in the past - given the subversive, false-flag nature of the online threat, offensive actions would only cause extensive collateral damage and leave the actual attackers unscathed.

The military/offensive model is just not appropriate, and I really wish you'd reconsider your support for such ineffective, counterproductive measures. The cure you propose is far, far worse than the disease.