The Center for Education and Research in Information Assurance and Security (CERIAS)

The Center for Education and Research in
Information Assurance and Security (CERIAS)

What About the Other 11 Months?


October is "officially" National Cyber Security Awareness Month. Whoopee! As I write this, only about 27 more days before everyone slips back into their cyber stupor and ignores the issues for the other 11 months.

Yes, that is not the proper way to look at it. The proper way is to look at the lack of funding for long-term research, the lack of meaningful initiatives, the continuing lack of understanding that robust security requires actually committing resources, the lack of meaningful support for education, almost no efforts to support law enforcement, and all the elements of "Security Theater" (to use Bruce Schneier's very appropriate term) put forth as action, only to realize that not much is going to happen this month, either. After all, it is "Awareness Month" rather than "Action Month."

There was a big announcement at the end of last week where Secretary Napolitano of DHS announced that DHS had new authority to hire 1000 cybersecurity experts. Wow! That immediately went on my list of things to blog about, but before I could get to it, Bob Cringely wrote almost everything that I was going to write in his blog post The Cybersecurity Myth - Cringely on technology. (NB. Similar to Bob's correspondent, I have always disliked the term "cybersecurity" that was introduced about a dozen years ago, but it has been adopted by the hoi polloi akin to "hacker" and "virus.") I've testified before the Senate about the lack of significant education programs and the illusion of "excellence" promoted by DHS and NSA -- you can read those to get my bigger picture view of the issues on personnel in this realm. But, in summary, I think Mr. Cringely has it spot on.

Am I being too cynical? I don't really think so, although I am definitely seen by many as a professional curmudgeon in the field. This is the 6th annual Awareness Month and things are worse today than when this event was started. As one indicator, consider that the funding for meaningful education and research have hardly changed. NITRD (National Information Technology Research & Development) figures show that the fiscal 2009 allocation for Cyber Security and Information Assurance (their term) was about $321 million across all Federal agencies. Two-thirds of this amount is in budgets for Defense agencies, with the largest single amount to DARPA; the majority of these funds have gone to the "D" side of the equation (development) rather than fundamental research, and some portion has undoubtedly gone to support offensive technologies rather than building safer systems. This amount has perhaps doubled since 2001, although the level of crime and abuse has risen far more -- by at least two levels of magnitude. The funding being made available is a pittance and not enough to really address the problems.

Here's another indicator. A recent conversation with someone at McAfee revealed that new pieces of deployed malware are being indexed at a rate of about 10 per second -- and those are only the ones detected and being reported! Some of the newer attacks are incredibly sophisticated, defeating two-factor authentication and falsifying bank statements in real time. The criminals are even operating a vast network of fake merchant sites designed to corrupt visitors' machines and steal financial information.   Some accounts place the annual losses in the US alone at over $100 billion per year from cyber crime activities -- well over 300 times everything being spent by the US government in R&D to stop it. (Hey, but what's 100 billion dollars, anyhow?) I have heard unpublished reports that some of the criminal gangs involved are spending tens of millions of dollars a year to write new and more effective attacks. Thus, by some estimates, the criminals are vastly outspending the US Government on R&D in this arena, and that doesn't count what other governments are spending to steal classified data and compromise infrastructure. They must be investing wisely, too: how many instances of arrests and takedowns can you recall hearing about recently?

Meanwhile, we are still awaiting the appointment of the National Cyber Cheerleader. For those keeping score, the President announced that the position was critical and he would appoint someone to that position right away. That was on May 29th. Given the delay, one wonders why the National Review was mandated as being completed in a rush 60 day period. As I noted in that earlier posting, an appointment is unlikely to make much of a difference as the position won't have real authority. Even with an appointment, there is disagreement about where the lead for cyber should be, DHS or the military. Neither really seems to take into account that this is at least as much a law enforcement problem as it is one of building better defenses. The lack of agreement means that the tenure of any appointment is likely to be controversial and contentious at worst, and largely ineffectual at best.

I could go on, but it is all rather bleak, especially when viewed through the lens of my 20+ years experience in the field.  The facts and trends have been well documented for most of that time, too, so it isn't as if this is a new development. There are some bright points, but unless the problem gets a lot more attention (and resources) than it is getting now, the future is not going to look any better.

So, here are my take-aways for National Cyber Security Awareness:

  • the government is more focused on us being "aware" than "secure"
  • the criminals are probably outspending the government in R&D
  • no one is really in charge of organizing the response, and there isn't agreement about who should
  • there aren't enough real experts, and there is little real effort to create more
  • too many people think "certification" means "expertise"
  • law enforcement in cyber is not a priority
  • real education is not a real priority

But hey, don't give up on October! It's also Vegetarian Awareness Month, National Liver Awareness Month, National Chiropractic Month, and Auto Battery Safety Month (among others). Undoubtedly there is something to celebrate without having to wait until Halloween. And that's my contribution for National Positive Attitude Month.


Posted by Daniel Faigin
on Sunday, October 4, 2009 at 12:27 PM

Ah, the nostalgia for 15 years ago, when we could just get by with a single Computer Security Day.

Posted by Rob
on Sunday, October 4, 2009 at 08:04 PM

I share your frustration. At least we are spending money on exhibits related to the subject—

Actually, the Spy Museum is a private entity and not government funded. —spaf

Posted by David Thornton
on Friday, October 16, 2009 at 09:43 PM

I see the problem as one of interest.  The cyber villains enjoy what they do.  It is a form of escape and recreation.  Who will not devote endless time, energy, and resources doing what they love? 

And these people NETWORK the best with other people who enjoy the same thing.  Information, such as techniques, is freely shared with other enthusiasts. 

Cyber villainy becomes sort of a collective consciousness where the goal becomes more important than the individual.

Therefore, it is easy to see how the government and law enforcement cannot keep up.  Normal people and entities have competing priorities which tax resources.

With that said, it is hard to determine the lead agency when a firm commitment has not been established.  By firm, I mean a clear definition of the problem and what it will truly take to combat it.

When reviewing your Take-Away list, here are my comments:

-The government can only indicate “awareness” as no immediate solution appears even possible
-Criminals are without a doubt outspending in all categories of time, energy, and resources
-To be “in charge of organizing the response” would require proper qualification of which nobody obviously rises to the surface
-Titles mean nothing… only proven results do
-In my observations, the only “priority” of law enforcement is one of revenue generation.  The main criminals who get attention are white collar criminals where successful action results in monetary fines and sanctions.  This is true in even the most simple example of police speed traps with 20 officers lined up on 1 freeway ramp to “shoot fish in a barrel” while other less lucrative crimes are occurring unchecked within the city.
-School and Education are not synonymous.  Education has also given in to the race for money as the priority.  Attendance appears to be the main measure for whether an educational institution is meeting expectations.  Over the last 2 decades, Federal matching dollars are primarily determined by attendance over performance in primary and secondary schools.  By the time students reach universities, now, they are poorly prepared to meet the standards necessary to compete with the world leaders.  Subsequently, university standards have dropped to match the poor preparation.  If not, less than 20% would be able to graduate with a degree.

How is that for “awareness?”

Posted by nikon kameratasche
on Friday, October 23, 2009 at 06:20 AM

Let the hackers give free run and destroy our systems with viruses. It might change the situation and next whole year will be called National Cyber Security Awareness Year.lolz

Posted by Tony Murphy
on Sunday, November 1, 2009 at 01:44 AM

No you are not cynical. Realistic to a fault. While the ‘cybercriminal’ is gaining the upper hand with increasingly sophisticated attacks and methods bureaucracy has us sitting on our hands. The successful attacks that are publicized I fear pale in comparison to attacks on sensitive government and private networks that are not common knowledge.

Posted by Jocuri
on Saturday, November 7, 2009 at 06:13 AM

I must say I agree with you on this. Nice and very useful blog, by the way.

Leave a comment

Commenting is not available in this section entry.