December 22, 2020

This post is one in the “Rethink Cybersecurity” series. Additional posts in this series are available here.

President-elect Joe Biden’s response to the Russian cyber-attack, which could turn out to be the most serious security breach since World War II, was his vow that “I will not stand by idly in the face of cyber assaults on our country.”

Two very big thumbs up for this pledge.

And now for an even more penetrating, and potentially hopeful, insight from Mr. Biden. When he was Vice President, Mr. Biden was known for this comment: “Don’t tell me what your priorities are. Show me your budget and I’ll tell you what your priorities are.”

Now that comment – if followed through by the incoming President – will be far more impactful than his vow. With due respect, we might now say to Mr. Biden: don’t tell us you are not going to stand idly by while we are being constantly attacked in cyberspace – show us your cybersecurity budget and we can tell you if it’s really a priority. As it should be.

In this space Mr. Biden will have a great deal of work to do. The fact is that the US government has been addressing cybersecurity on the cheap, and our lack of investment is now showing.

In previous posts we have provided details on some of this. We have noted that cybercrime generates multiple trillions of dollars a year, while we provide the FBI with about half a billion dollars (that’s a single billion – and not even a whole billion – half that, and actually less than half) to combat cybercrime. Current federal spending on education is roughly $70 billion, with only $90 million of that being invested in STEM. On the other hand, China’s budgetary spending on education is $520 billion. We have quoted Jim Lewis at CSIS noting that the Chinese are outspending the US on advanced technology by a ratio of 1000:1.

Policy makers have for years pilloried the private sector for under-investing in cybersecurity while failing to adequately fund the institutions they are responsible for – national defense, law enforcement, education (especially STEM) – or to provide subsidies to fill the thousands of cybersecurity positions we have had vacant for nearly 20 years.

Despite the fact that it is the government’s constitutional responsibility to protect the general public from criminals and nation-state attackers, it is the private sector that primarily provides for its own cyber defense. A recent comparative analysis of spending on cybersecurity by Forbes concluded: “as a result of government inaction, private sector companies have been forced to take cybersecurity more seriously and, according to some projections, will spend over $1 trillion on digital security globally through 2021.”

This estimate, when weighed against actual government spending and budget projections, appears to be quite accurate. Total federal appropriations on cybersecurity in fiscal year 2017, the last year for which we have final data, were $27 billion, about half of which goes to the military which, as the recent events prove, has provided only marginal protection of the general public from cyber-attacks. The 2020 federal budget proposes a 4.7% increase in federal spending on cybersecurity.

In contrast, according to Gartner, US private sector spending on cybersecurity in 2020 will be $124 billion, nearly 5 times the federal investment. Even operating off a much larger base than the federal government, the percentage increase in private sector spending will be 8.7% – nearly double the federal increase.

DHS, the federal agency that is charged with cybersecurity for the entire non-military portion of the government as well as the private sector, has an annual budget of just over $1 billion, roughly equivalent to what a couple of larger banks spend. The automotive industry alone plans to spend nearly $5 billion on cybersecurity this year – that is one industry sector spending five times the entire DHS cyber budget. Thus, by Mr. Biden’s measure, it is the private sector that values cybersecurity many times more than the government does.

Moreover, as the National Infrastructure Protection Plan (NIPP) points out, private sector security spending is appropriately focused on security at a commercial level. That will not accommodate our national security needs. This is what led the former Director of the Cybersecurity and Infrastructure Security Agency (CISA), Chris Krebs, to describe a “gap” in our nation’s cyber defense between what the private sector can be expected to provide for commercial purposes and what the government is now providing for national security and crime fighting.

The bad guys have now stepped in to fill the gap.

The cyber investment gap manifests itself in a different sense when US spending on cyber is compared with that of our major adversaries. China, for example, has allocated billions of dollars for research and the acquisition of advanced technologies that are key to future economic growth, including semiconductors, 5G, AI, and supercomputers, at rates many times that of US investment. Similarly, US education spending specifically on critical Science, Technology, Engineering and Mathematics (STEM) curriculum is lagging. The US ranks 30th in math spending and 11th in science spending.

In the aftermath of our initial awareness of the existence of the Russian attack, we are already seeing a focus on incremental operational issues and blame-seeking. Already there are stories about how SolarWinds didn’t have a person with the title Chief Information Officer (titles vary widely across organizations – it’s the functions that actually matter). We are also seeing stories asking whether this means we need to decouple NSA from Cyber Command.

Let’s rearrange the deck chairs and find new people to sit in them.

These are the digital trees that are blocking our view of the larger, much more daunting digital forest – we need to focus on the big picture.

We need to fundamentally rethink our approach to cybersecurity, and that will, if intelligently done, require at a minimum that we spend more money on this issue.

Mr. Biden, don’t tell us what your priorities are, show us.

Show me the money!

Join the Rethink Cybersecurity Community: click here.