The Paradox of Cyber Security Policy

Over the past decade, in the United States alone, more than $100 billion has been spent on cyber-security at the federal level. An additional $4 billion was allocated to various government agencies for “enhancing cyber-security” each of the past ten years as a part of the intelligence black budget. This spending has been justified by the need to bolster defenses against an amorphous set of cyber-criminals and cyber-attackers. 


Why then was the Office of Personnel Management warned in its Federal Information Security Management Act audit last year that the “material weakness related to information security governance has been upgraded to a significant deficiency”? Why was it that, in 2013, only half of federal agencies reported using a federally approved encryption service?


Following the money tells a story of why cyber-security has not improved, despite so much investment over the past two decades. 


Rather than defense, a significant proportion of these funds have actually been used to develop sophisticated offensive cyber-capabilities, in other words, state-sponsored hacking. 


That billions of dollars earmarked for defense could be spent on offense shouldn’t be surprising. This is the predictable result of the political-economic dynamics that have characterized the military-industrial complex since the 1950s. Today, a military-internet (or cyber-industrial) complex has instead emerged. The government agencies tasked with cyber policy and their private contractor partners have accumulated huge economic and political power, which has then been used to lobby for more cyber-policy. This strategy is not cost-effective, not supported by results, and ultimately self-defeating. 


What is at stake is more than just these outlays of taxpayer funds, which could instead be used to address countless other public policy problems. Collateral damage is everywhere and seen most clearly by individuals who cannot secure their personal information due to persistently poor cyber-security standards; systems are undermined by the very agencies supposed to be protecting them. 



What Are Cyber-Threats?

In the private sector, the term "information security" has existed for a long time and relates, as the name suggests, to securing important information for organizations. This is by no means a new problem. It’s just that new information technologies have brought with them new challenges in securing information effectively, particularly relating to the scale of the information now collected and stored.


The term "cyber-security" is relatively new. It is part of the lexicon of those who work in the Beltway around Washington, DC. The emergence of this term and the activities it implies expanded in the aftermath of 9/11 with the subsequent demands for increased counter-terrorism capabilities. Billions of dollars were poured into new data collection and analysis methods for detecting suspicious patterns in huge data-sets. 


The prefix “cyber” has been progressively appended to a number of terms to attach some relation to the Internet or computers. The term now encompasses cyber-threats, cyber-crimes, cyber-risks, cyber-terrorism, and so on. It seems that everything has a cyber dimension these days.


To cut through the jargon, there are three commonly recognized categories of cyber-threats. The first relates to espionage, particularly intellectual property theft. The second relates to crimes that are perpetrated on the Internet (child pornographers, drug dealers, terrorists and organized criminals). State-sponsored cyber-war – the Stuxnet worm being one example, but so far not having been seen at scale – rounds out the three. 



Cyber-Policy = Cyber-Spending 

An enormous amount of money is spent combatting these cyber-threats. Among federal agencies in the United States, a $10 billion-a-year effort has been underway every year for the last decade to protect sensitive government data. 


While many departments have jumped on the cyber bandwagon, the intelligence community in particular, at least in the U.S., has become synonymous with cyber policy. There are 46 separate national security agencies in the United States. Around eight percent of the $52 billion intelligence budget in 2012 was dedicated to nominally “enhancing cyber-security.” With 107,035 employees, the intelligence community comprises 83,675 full-time equivalent civilian employees, 23,400 military positions and 21,800 full-time contractors. Two key organizations are in charge of cyber-activities: the US Cyber Command and the National Security Agency (NSA). 


[Figure: National Security Agency budget, 2004-13. Source: Office of the Director of National Intelligence, National Intelligence Program Summary, Volume 1, February 2012]



The U.S. Cyber Command opened in 2009. An attempt to centralize the Department of Defense’s cyberspace capabilities, it is housed within the NSA and is led by the NSA Director. Over the last decade its budget has continued to climb. In 2011, funding totaled $119 million. By 2014, funding had reached $447 million. In 2013 U.S. Cyber Command consisted of 900 people; the Defense Department plans to grow that cyber-force to 6,000 by the end of 2016. 


The other major organization, within which the U.S. Cyber Command is housed, is the National Security Agency (NSA). The NSA’s budget swelled post-9/11 as it took on a key role in warning U.S. leaders of critical events, combatting terrorism, and conducting cyber-operations. The organization has a dual mission:

  • The Information Assurance mission confronts the formidable challenge of preventing foreign adversaries from gaining access to sensitive or classified national security information. 
  • The Signals Intelligence mission collects, processes, and disseminates intelligence information from foreign signals for intelligence and counterintelligence purposes and to support military operations.


To achieve these missions, the NSA is allocated a budget of approximately $10 billion a year. Somewhere around 40,000 employees are located at the NSA Headquarters at Ft. Meade, Maryland. All told, about 70% of the National Security Agency’s budget is spent on private contracts. Of the 107,035 employees in the intelligence community, roughly one-quarter (21,800) are full-time contractors. This number does not include employees of companies that have been hired by the agencies for a service or project. 


The reason for the enormous role that private contractors play in this cyber budget has to do with a transition in the operational model of government agencies like the NSA since 2001. 


A Changing Operational Model for Cyber Activities

As the cyber policy push occurred over the past decade, it was accompanied by a major shift in the way intelligence collection is done by organizations like the NSA. A tongue-in-cheek way to explain this shift is that traditional intelligence work fits into the James Bond mold: international travel, meeting with sources or assets to gain access to sensitive information. This is known, in the community parlance, as “human intelligence” or HUMINT.


Today’s intelligence work is increasingly being done behind a computer. The new emphasis on this “signals intelligence” or SIGINT, is a major shift away from HUMINT methods. Cory Doctorow, a noted expert in technology trends, has likened the HUMINT to SIGINT shift to a change in business model for the agencies in question. Rather than using the labor-intensive HUMINT model of the past, intelligence work followed large swathes of the rest of the economy by fully embracing the digital and Internet revolutions. 


SIGINT methods are almost synonymous with what are colloquially seen as the mass surveillance programs deployed by NSA and now being adopted by the CIA, FBI, and the Drug Enforcement Administration. The bulk interception and collection of all communications data and metadata are integral to the SIGINT model. Once collected and stored, analysts can comb through the data or use ever more sophisticated techniques to create meaning from the data and subsequently track down those responsible for cyber-attacks. 


Given the technological skill deficiencies of the government departments attempting to use SIGINT methods, a lot of procurement is required. This procurement is done through private contractors. Companies like Booz Allen Hamilton and Palantir possess – or are able to acquire – the technical capabilities that public sector agencies lack. 


With such a huge shift in the way that cyber policy is undertaken, fully embracing the digital age, and given the enormous amount of money invested, it seems reasonable to ask: has this actually led to more robust cyber-security? 



What Does $10 Billion a Year Buy These Days?

In spite of $10 billion-plus in investment, federal agencies’ cyber-security remains lackluster at best. According to the nonprofit Privacy Rights Clearinghouse, since 2006, 87 million sensitive or private records including, “employee usernames and passwords, veterans' medical records and a database detailing structural weaknesses in the nation's dams” were exposed by breaches of federal networks. This report was released before the very recent Office of Personnel Management breaches, which involved tens of millions of stolen records. 


Encryption is one of the fundamental measures that an organization can take to protect sensitive data. In 2013 though, only half of federal agencies reported using a federally approved encryption service, up from 35 percent in 2012. While encryption alone is no silver bullet (hint: there are no silver bullets in this field), the fact that half of the agencies still do not use any federally encrypted service at all is dire news indeed. 


Multifactor authentication, another basic (and relatively cheap) element in ensuring robust cyber-security, is also not widely implemented. This method involves adding an additional layer of authentication when logging into a system, often by sending a special code to a separate device. The Office of Personnel Management, to give one example, had no such system in place to verify outside users who wished to access its systems. The consequence was that “if someone's credentials were stolen, an attacker could use them from outside to get access to just about anything." Keep in mind that “just about anything” includes every affected person’s Social Security number(s), military records and veterans’ status information, address, birth date, job and pay history, health insurance, life insurance, and pension information, age, gender, race, union status, and more.


That this store of incredibly sensitive information – to the individuals in question and the government itself – was not kept safe in spite of so much spending, is a common but no less savage indictment of the current state of cyber-security.



Defense Spending or Offense Spending? 

The NSA, including U.S. Cyber Command, has also had mixed results in successful defense. Recall that the NSA has two key missions. The Information Assurance mission involves, in short, bolstering cyber-security (or defenses). The Signals Intelligence (SIGINT) mission involves exactly the opposite. 


A series of leaks have revealed more details around the Signals Intelligence mission and the significant investments in offensive cyber-capabilities it requires (otherwise known as state-sponsored hacking). More than $1.2 billion in funding was allocated to Tailored Access Operations, the elite group of operators responsible for “collect[ing] intelligence about foreign targets by hacking into their computers, stealing data, and monitoring communications.” 


The dual missions, defense and offense, turn out to be contradictory in practice. The recent revelations about NSA hacking of the Dutch SIM card provider Gemalto are a case in point. The theft of billions of encryption keys, which secure the vast majority of cell phone SIM cards in the world, could in no way be considered enhancing cyber-security. What it is, however, is very successful offense at the expense of the cyber-security of anyone with a cell phone containing a Gemalto SIM card.


Another example of undermining cyber-security through offensive tactics is the NSA’s practice of stockpiling what are known as zero-day exploits. These are vulnerabilities in software that are not publicly known, and for which there are no solutions until detected and patched. The consequences are grave (the attackers who infiltrated the OPM used zero-day exploits according to one report). Instead of revealing these zero-day vulnerabilities to software makers, enabling them to patch vulnerabilities, the NSA stockpiles some of them for their own use. The outcome is a weaker overall cyber-security and potentially avoidable losses due to security breaches that wouldn’t happen were the vulnerabilities discovered and patched earlier. 


The malware and other hacking techniques developed by NSA and its foreign partners have unintended consequences. Cryptography expert Bruce Schneier says that, “some of the techniques the NSA used to hack routers are starting to be seen in criminal cases, amongst other attack types.” The very cyber criminals whom these activities are meant to fight learn from these advanced hacking techniques and then deploy them for their own purposes. 


The pattern holds across countries. Ross Anderson, professor of security engineering at the University of Cambridge, points out that spear-phishing tricks used by Chinese secret police against the Dalai Lama in 2008 were being used by Russian crooks to steal money from U.S. companies by 2010. Once the malware or techniques are out in the wild, they serve as a template for any other malicious actor to reverse engineer then deploy against targets, whether American or not. 


There are countless other examples of how the NSA’s dual-mission – to both attack and defend information – results in contradictory outcomes. Two important consequences can be tied to the development of these offensive cyber-capabilities and the subsequent undermining of trust in the Internet.



The Consequences of Cyber Offense

First, the development of offensive cyber-capabilities is done in pursuit of the strategic goal of deterrence. With its origins in military strategy, notably in managing the problem of nuclear weapons, deterrence is meant to dissuade an adversary from taking an action. In short, by displaying such powerful offensive capabilities, it deters the potential attacker from acting out of fear of reprisal.  


This strategy might work in a stable world where offense and defense are relatively even. The current cyber world, however, is anything but even or stable. A former NSA deputy director once said, “if we were to score cyber the way we score soccer, the tally would be 462–456 twenty minutes into the game. In other words, it’s all offense and no defense.” An arms race has instead occurred. For every billion that one country pours into offensive cyber-capabilities, the others do so in turn. The incentive to invest in defensive capabilities is weak when defenses can be trumped by a fraction of the same investment in offensive capabilities. The net outcome is a less secure world, not a more secure world. 


There have been many arms races throughout history, a notable one being the dreadnought race between the Great Powers in the prelude to World War One. The important takeaway is that arms races are, ultimately, self-defeating. They escalate the situation into a never-ending spiral of wasteful spending and over-armament. This is what is currently occurring in cyber policy.


With the cyber arms-race raging, the collateral damage is seen in a deleterious loss of trust in the Internet and associated communications infrastructure. The U.S. tech sector’s lost business due to the continuing revelations about NSA activities, particularly in the form of the slowed transition to cloud-based hosting, has come in at $180 billion according to one estimate. The other obvious collateral damage is seen in all those who have had their private information stolen in one of the countless large-scale data breaches that have occurred in recent years. The saying goes, “there are two types of companies: those that have been breached and those that don’t know they’ve been breached yet.” When zero-day vulnerabilities are stockpiled, and billions are invested in offensive cyber-capabilities, this is the unfortunate but inevitable outcome.


The conclusion to draw then is that cyber-security policy is a contradictory mess. Despite tens of billions of dollars in investment, the level of cyber-security displayed by federal agencies is abysmal. Instead of “enhancing cyber-security” – as the $4 billion budget outlay for intelligence agencies is named – at least a quarter of these funds go towards offensive cyber-capabilities. The consequences of this strategy are that our data and information are less, not more, secure. 


How have the exact opposite objectives of the stated policy been pursued without anyone noticing? How can counter-productive, ineffective, and costly policy continue? The answers to these questions lie in political-economic dynamics that have existed for many decades, but now manifest themselves differently in the form of a military-internet complex. 



A Political-Economic Explanation for This Perplexing Situation 

Defense budgets are to be trimmed by one trillion dollars over the coming decade. It’s not surprising then that one of the only expanding components is the cyber component. Aware of this reality, program managers relabel programs that could land on the chopping block as “cyber-something” to save them. This relabeling has no relation to whether or not the program will actually result in more robust cyber-security. It’s little wonder that these programs have provided no noticeable benefits to cyber-security.


An even more effective way to keep the budget spigot open is through lobbying. The shift towards greater privatization of the activities that comprise cyber policy, through procurement from private defense contractors, coupled with the swelled budgets for cyber policies, has kicked a virtuous cycle of increased funding and increased privatization into gear. Doctorow explains:


Where there are procurements, there are lunches at well-funded think-tanks and lobbyists’ offices for Senate Intelligence Committee staffers to talk about how those procurements are the most sensible thing for government. Procurements attract junkets. Procurements produce private-sector jobs. Procurements are laundered back into lawmaking through campaign contributions. 


This is a self-reinforcing cycle. Funds are allocated to government agencies, which are then given to private contractors through procurement, and these contractors subsequently use this economic might to fend off any attempts to curtail future budget allocations through lobbying. 


Given the increasingly important role that money plays in U.S. politics, particularly since the Citizens United decision, defense contractors will continue to play a major role in the allocation of tens of billions of dollars worth of public funds for fending off supposed cyber-crimes and cyber-threats even in the absence of any tangible results or progress. 


As far back as 2011, Jerry Brito and Tate Watkins, in their paper, "Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy," identified this emerging dynamic between overinflated cyber-crime statistics, unsubstantiated claims, swelling cyber budgets, and privatization. 


A variety of different terms have been subsequently coined to encapsulate this same phenomenon. Two pre-Snowden NSA whistleblowers, Thomas Drake and Bill Binney, call this, “civil-service empire-building.” In @War: The Rise of the Military-Internet Complex, author and journalist Shane Harris, terms this phenomenon the “military-internet complex,” a play on the military-industrial complex that evolved following the end of the Second World War. 


This isn’t anything new. The same political-economic dynamics, manifesting in continual defense spending and self-defeating arms races, have been at play since the 1950s. The technology changes, and the specific threats change, but the political-economic forces stay the same. 



In Conclusion

And so in 2015, after hundreds of billions of dollars in spending on cyber-policy, there is SIGINT, bulk metadata collection, and billions of compromised, Internet-enabled devices, all in the name of fighting the ever-expanding set of cyber-threats. 


Far from making everyone more secure from cyber-attacks though, the results so far show quite the opposite. If anything, the immense investment in offensive cyber-capabilities has triggered an arms race, which in the short-run, is undermining basic trust in the Internet and, in the long-run, is a self-defeating strategy. 


Why hasn’t anyone stopped for a second to ask why this happens? 


There can be no question that there is a place for intelligence capabilities within a government’s set of agencies. How can this spending be justified, though, when the development of offensive cyber-capabilities is contributing to escalating conflict and eroded cyber-security? Some hard questions need to be asked.


Aside from the tangible losses currently being experienced due to persistently poor cyber-security, every dollar that is diverted toward self-defeating cyber policies is another dollar that cannot be invested in other public policy areas. Instead of morphing the military-industrial complex into a cyber-industrial complex, why not invest these billions of dollars into programs that might actually alleviate some of the stresses on people’s lives, into improving health and education, into creating opportunities for those who would otherwise end up disenfranchised? Why not allocate some of the funds to the perennially underfunded IRS or SEC so that they can pursue Internet-enabled crimes that consistently cost society tens of billions of dollars, like tax evasion or insider trading? 


This feels like a bold idea in a world where apocalyptic visions win out instead. 


If there’s anything that the history of the 20th century should have taught us, and what the beginning of the 21st century has taught us thus far, the present course of action – a military-internet complex, the lobbying it entails, and SIGINT, with its bulk data collection and offensive cyber-capabilities – is ultimately self-defeating. It only results in further erosion of cyber-security, and thus makes us less secure in the process. 
