Global Security, Privacy, & Risk Management

“CyberSecurity Cold War” – Spending ourselves into Oblivion May 8, 2012

A recent report published by Bloomberg outlines the challenges of securing critical infrastructure against cyber attacks in the 21st century.  According to a survey of 172 companies in six industries, current security measures are only stopping 69% of cyber attacks against banks, utility companies and other ‘critical assets’.   To stop 95% of attacks, companies would need to spend 7 times more than they are today.  This would increase spending from $5.3 billion$30.8 million average) to $46.6 ($270.9 million average).  This, it is estimated, would still only prevent 95% of attacks.  While not a consistent increase, it could be calculated that for every 1% increase in protection, another $1.588 billion would need to be spent by the group.  This amounts to roughly $9.23 million per company…for each 1% increase in protection.  If this is indeed accurate, it is clear that the current perspectives and strategy of cybersecurity is fatally flawed.

During the 1980’s the US and Soviet Union were fully engaged in a Cold War.   With the election of President Ronald Reagan, the US’s strategy changed.  A major component of Reagan’s strategy was to exploit the inherent inefficiencies in the Soviet Union’s command economy. By increasing spending, and forcing the Soviets to match spending on an arms race, the theory held that the SU could be bankrupted.  This has become known as the “Reagan Victory School” and while not completely responsible for the collapse of the Soviet Union, can be credited as hastening their demise. As outlined in a Stanford piece: “A central instrument for putting pressure on the Soviet Union was Reagan’s massive defense build-up, which raised defense spending from $134 billion in 1980 to $253 billion in 1989. This raised American defense spending to 7 percent of GDP, dramatically increasing the federal deficit. Yet in its efforts to keep up with the American defense build-up, the Soviet Union was compelled in the first half of the 1980s to raise the share of its defense spending from 22 percent to 27 percent of GDP, while it froze the production of civilian goods at 1980 levels.”

If one looks at the state of cybersecurity today, it certainly can be argued that the US government and industry is being forced into a cyber security arms race.  For every dollar being spent on cybersecurity, it is a dollar that cannot be spent on R&D, product development and other necessary aspects to remain competitive.  Companies are being bled by huge spending increases in cybersecurity.  A US adversary such as China simply needs to continue to attack US companies.  Companies are forced to respond by increasing security spending.  Security spending has no attributable return on investment (aside from preventing attacks). The end result is a less competitive organization.

As it is not possible for companies to increase security spending 700%, it imperative that we evaluate new models of security.