co-authored by Dr. Stephen Bryen, Founder & Chairman Ziklag Systems
ABI Research estimates that cyber security spending on the critical infrastructure was $46 billion last year. The largest part of these dollars was spent in the United States.
Meanwhile, in the United States, Federal government agencies have stepped up their efforts to improve cyber security protection. The Pentagon is tripling its staffing of cyber security professionals even while critical defense programs are being cancelled or curtailed. By 2016, the Pentagon should have 6,000 cyber professionals at work. In a boastful speech describing the Defense Department's investment in cyber, Defense Secretary Hagel says they are on the way to building "a modern cyberforce." To back up his words, the Pentagon announced last June that by 2018 the Pentagon planned to spend $23 billion on cyber security.
The Defense Department also created a United States Cyber Command (originated in 2009) which is located at Ft. Meade, Maryland, the home of the National Security Agency. The Cyber Command (officially USCYBERCOM) is headed by a Navy Admiral, Michael S. Rogers, and is subordinate to the US Strategic Command. Strategic Command involves space operations (such as military satellites), information operations (such as information warfare), missile defense, global command and control, intelligence, surveillance, and reconnaissance , global strike and strategic deterrence (the United States nuclear arsenal), and combating weapons of mass destruction. Thus USCYBERCOM is part of the Defense Department's most sensitive organization that includes control over America's strategic nuclear missiles.
But despite this massive spending and the hiring of thousands of security professionals, the United States has thus far failed to protect government agencies, the rest of the critical infrastructure of the United States, regular businesses, and personal security. Despite the billions sunk into the effort each year, none of the investment has stopped the Russians, the Chinese, the Iranians, the Syrians, or the tens of thousands of hackers from pounding America's computer networks. To date there have been massive hits against government computer systems, health care systems, banking and finance, power companies including nuclear facilities and energy companies, and defense companies. Vast amounts of information have been either stolen, overwritten or mutilated by hackers. Today no one can be sure whether our communications are safe, whether the lights will stay on, whether our early warning systems will function. Instead of curtailing the threat, every evidence points to its escalating out of control.
Has anyone bothered to ask why this is so? Now, our leaders, bureaucrats and their academic and industry advisers keep telling us they need to spend more, and like Pavlov's dogs, when the bell rings, they appropriate more money to fight the threat.
If you have a spare $46 billion laying around there is an answer to computer security. But the answer will not be found in any Federal government plan. All of them are, like Hans Brinker, trying to stick their finger in the leaking dyke.
The reason is easy to discern. All computers, including all mobile devices, operate on open systems that were developed by countless software engineers worldwide. The computer industry and its allied software development is a global industry that is totally insecure. You don't know who writes the code, the level of competency, the degree of security training, the level of auditing and internal testing for vulnerabilities, or whether some of the engineers are owned by foreign intelligence services or are promoting various ideological causes. Even in the United States, major companies such as Microsoft, Apple, or Google are run by nameless developers who come from a plethora of places (including lots of foreigners). These companies have no ability to properly vet their employees, nor do they have any real incentive to do so.
What makes matters even worse is that we have grown a security industry, already embedded in government and in corporate America, that feeds off the vast amounts of money being thrown at the computer hacking problem. To be frank, these folks have a vested interest in insecurity, because insecurity fuels their budgets. And even if the majority of them are sincere and want to help, their efforts will always fail.
The brilliant Pentagon, which is supposed to know what it is doing in cyber matters, has hired Amazon to provide "cloud" services for Pentagon information and data. The Pentagon has also cleared Samsung (a Korean company), Apple (an American company) and Blackberry (a Canadian company) to provide mobile phones for top Pentagon employees. These Pentagon decisions are intellectually defective and demonstrate that throwing billions of dollars at a problem may only compound the issue. Who clears the people at Samsung, or Blackberry, Apple or Amazon? A lot of folks in Hollywood right now, who stupidly "trusted" Apple's cloud service, now find their naked bodies (and more) posted on the Internet.
The truth of the matter is that public systems and "open source" software are the real danger. Give us $46 billion and we can fix the problem, at least for the Pentagon and the critical infrastructure by building a truly secure, totally encrypted system that is self contained and invulnerable to hacking. To be safe you must eliminate all open source, public systems for government and critical business enterprises.
Right now you cannot buy a safe operating system because no one has invested in one. That investment is absolutely necessary for our survival and our security, not to mention the protection of our freedom and democracy. Open source public systems will always trample on human rights. They are sources of constant abuse by our enemies.
Let's face it. The US government made a huge mistake when it decided to rely on public systems for critical communications and data storage. When you think that almost all the hardware is made in China and the folks producing these systems are everywhere around the world, you can see the enormity of the security disaster before us..
Given the destabilizing events around the world, the risks to American vital defense systems and critical infrastructure are reaching the tipping point. It is urgent for our leaders to recognize the nature of the threat and implement a radical change in our computer networks and systems. The Pentagon, DARPA, CYBERCOM, NSA and everyone else involved have a responsibility to figure it out and not just play dumb.