2010: OPINION–America’s Cyber Scam

Link Restored

by Robert David Steele

Tuesday, 09 February 2010

It’s time to get real about cybersecurity

I am quite certain that a careful examination of all extant SOWs would reveal a degree of obscurity and incoherence confirming that the US Government is engaged in a massive collective self-deception and entertaining bids for vaporware amidst a climate of fear, uncertainty, and doubt (FUD), the latter a tactic of rhetoric and fallacy used in sales, marketing, public relations, politics and propaganda.

In my judgment, informed by consultation with a few colleagues and a simple review of the open record, there are fewer than 100 people in the USA who could be called legitimate cybernauts and are qualified for appropriate security clearances.

Below is a table of the top eight US centers on cybersecurity (research-wise) with the observation that not a single one of them is on the Department of Homeland Security’s (DHS) list of  “centers of excellence.

TABLE

How many of them work at the code level? Out of the 213 faculty, and 191 PhD candidates, only 25 faculty and 38 PhD candidates are doing advanced and seriously interesting research at the code-level (in cybersecurity only – I didn’t count other forms of code research). So the army for the coming war to be funded at $12 billion a year is: 63. How much cheaper would it be to simply pay them directly and give them a few million each to nurture both US and foreign students with a gift for code?

These constitute the “lower code” level of warfare where it really matters. However, only 20 percent of them are working on counter-offensive research (that’s 12 people for a population of 300 million, never mind the global grid we depend on). Twelve people. I do not make this stuff up!

Below the line: safety copy; or see Google Cache

America’s Cyber Scam
by Robert David Steele
Monday, 08 February 2010
It’s time to get real about cybersecurityAppearing Sunday on NBC’s “Meet the Press,” John Brennan, President Obama’s top counterterrorism adviser, reiterated what other top national security officials have been saying: The US faces “serious and significant” cyber-threats that could compromise national security.Last week, Director of National Intelligence Dennis Blair told the House Committee on Intelligence that the United States is increasingly vulnerable to a crippling cyber attack that would “wreak havoc” on the nation. He added that US technology is not yet up to the task of completely protecting the country from a devastating cyber-attack.Brennan assured Sunday that the administration is taking steps to improve cybersecurity – an all too familiar claim that had been repeatedly by previous administrations, Congresses, and called for by scores of official and NGO panels, commissions, and cybersecurity authorities for, well, decades!

Meanwhile, the House this week approved the Cybersecurity Enhancement Act, HR 4061. It presumably would “strengthen domestic cybersecurity talent and find new ways to leverage the expertise that exists in the private sector,” explained Rep. James Langevin (D-RI).

“This bill takes significant steps towards achieving those goals by strengthening federal cybersecurity standards, increasing research and development, and evaluating how to improve our federal cybersecurity workforce,” Langevin said in remarks just before the vote. “We as a nation cannot afford to fail in these efforts.”

Way back in 1994, however, joining with several others, I called for $1 billion in cybersecurity investments – roughly the equivalent of the $12 billion that’s been proposed by the administration. If there’d been enough foresight and fortitude on the part of policymakers a quarter century ago to begin taking action then when those of us who were aware of the looming cybersecurity risks were screaming about the clear and present need to do something, we would have gotten a substantially broader, deeper and more timely return on investment (ROI).

At the same time, I personally introduced the government to its own hackers beginning in 1993 when the National Security Agency (NSA), at my invitation, sent two busloads of employees down for a special encounter with Hackers on Planet Earth and the 2600 Hacker Quarterly gang from New York—pioneers with the right stuff you simply could not then, and cannot now, learn in school.

But since then, nothing of consequence has occurred, and I deliberately omit information operations (IO), on which I have published both a monograph and a book, because it continues to receive less than 1 percent of the resources while consuming up to 80 percent of the best commanders’ time.

We have wasted 25 years—a quarter century. It is time for a reassessment.

The US Government thus is about to blow $12 billion dollars it can ill-afford on mission impossible: achieving cybersecurity in the absence of everything needed.

Here are some talking points:

  • No one has a clue what the “need” is, or how much it will cost. Estimates run from $50 billion for homeland security to $20 billion for cybersecurity. We consider both of these estimates to be grotesquely irresponsible, undocumented, and therefore not acceptable.
  • If you include the big four auditors, and the standard military-industrial complex members (both the huge integrator prime contractors, allowing for some consolidation since 2001 upwards, and the new private security companies), we can say there is a huge scam going on, However, there is a difference between a deliberate scam from a bandit, and an “escalation of commitment” scam from an idiot (who understands neither the threat nor the nuanced remedies). We are in the second situation. It’s a collective self-deception of idiots, in the etymological Greek definition of the word, i.e. non-savants.
  • From a generic management perspective (not something the Office of Management and Budget (OMB) knows how to do—the M has been silent for decades)—it is quite simple to establish the degree of waste in the proposed budget:  identify the tangible outcomes delivered, subtract that from the huge contacts given to the standard suspects, and presto: the balance is vaporware.
  • Since no one has a clue either in the private sector or in government, everyone is engaged in a kabuki dance—the government is pretending it can write a statement of work (SOW)—something that I and senior officers in CIA’s Office of Research & Development (ORD) agreed in the 1980’s had become a lost skill, especially since a proper SOW must be based on both a functional analysis of the need and a qualitative and quantitative schema for evaluating responses to the request for proposals—and industry is doing what they quaintly call “virtual engineering.” This is to say, crafting Potemkin villages in slideshows that fabricate their capabilities.

I am quite certain that a careful examination of all extant SOWs would reveal a degree of obscurity and incoherence confirming that the US Government is engaged in a massive collective self-deception and entertaining bids for vaporware amidst a climate of fear, uncertainty, and doubt (FUD), the latter a tactic of rhetoric and fallacy used in sales, marketing, public relations, politics and propaganda.

In my judgment, informed by consultation with a few colleagues and a simple review of the open record, there are fewer than 100 people in the USA who could be called legitimate cybernauts and are qualified for appropriate security clearances.

Below is a table of the top eight US centers on cybersecurity (research-wise) with the observation that not a single one of them is on the Department of Homeland Security’s (DHS) list of  “centers of excellence.” Yet, these are the very people who can strengthen and invent the next generation at code-level, hopefully with inherent security this time around. In this context, the DHS choices for “centers of excellence” are pathetic—humorous at best, and criminally ignorant at worst. (Note: Although UMass is listed by DHS, the money is not going to I3P at UMass, but to another element not actually qualified as I3P is qualified at the code level.)

Name Place Count Expertise
TRUST Berkeley Berkeley 61 faculty, 80 PhD Network, code
Carnegie Mellon Pittsburgh 50 faculty, 60 PhD Network, code
Stanford University Palo Alto 23 faculty Crypto, protocols, Web, voting machines (!)
MIT Boston 05 faculty Network.
CCIED San Diego 24 faculty, 34 PhD Network Epidemiology
I3P UMass Amherst, MA 19 faculty Policy, upper layers
NYU Polytechnic I. New York 7 faculty, 17 PhD Upper layers
CIAS U. Texas Austin, TX 24 faculty,  (with Raytheon) Architectures

How many of them work at the code level? Out of the 213 faculty, and 191 PhD candidates, only 25 faculty and 38 PhD candidates are doing advanced and seriously interesting research at the code-level (in cybersecurity only – I didn’t count other forms of code research). So the army for the coming war to be funded at $12 billion a year is: 63. How much cheaper would it be to simply pay them directly and give them a few million each to nurture both US and foreign students with a gift for code?

These constitute the “lower code” level of warfare where it really matters. However, only 20 percent of them are working on counter-offensive research (that’s 12 people for a population of 300 million, never mind the global grid we depend on). Twelve people. I do not make this stuff up!

At the “upper code” level, however, the US has a sucking chest wound. The number of graduates in computer science in the US dropped from 15,000 to 8,000 between 2002 and 2007 in the US (see page 12 of, “National Cyber Security Research and Development Challenges Related to Economics, Physical Infrastructure and Human Behavior“). This is minus 40 percent at the same time that the cybersecurity industry has grown by 70 percent. I personally believe that we have fewer and fewer competent individuals—and I include those coming from India and Europe and Russia—for a tsunami of needs that are simply not being met—this is a double whammy, wasting billions we don’t have for vaporware of no value to our security.

In the absence of knowledge, government contracts are being granted on the basis of persistent relationships to companies not remotely qualified for the work that is needed. This is a significant part of the continuity of operations (COO) plan for the military-intelligence-industrial-congressional complex (MIICC). The evidence of this has become increasingly abundant … and detrimental to the nation’s serious and legitimate security needs.

A panoply of companies exist to provide future executives for companies in the area of concern. Former admirals and US generals working for the various domestic and foreign defense industries are put into the pipeline as they retire. Before ever receiving their first offer, every one of these flag officers is acutely aware that their tacit acceptance of the Potemkin village scam while on duty is essential to their being rewarded by the scam’s continuity once they retire. The scam consists of government officers pretending they know what we need; the contractors pretend they are giving it to us; and each generation carries on as if all this were normal legitimate cost-effective business at the taxpayer’s expense.

Numerous congressional and various federal agency inspector generals’ investigations have exposed these revolving doors.

My colleagues tell me this is also true in China, Japan, and Europe with respect to the cyber-contracting business.

Meanwhile, the officers who kept their integrity and actually know what they are doing are working for the entertainment industry or Google, focusing on the protection of “rights” rather than the protection of “capabilities.”

It gets worse. The inherent functions of government and the special trust and confidence reposed in those who receive commissions as officers of the US Government have been devalued, diminished, and subverted. Vendors have invaded every level of national security—in some cases providing “free” personnel in what is probably a highly questionable if not illegal practice.  The subtle cancer here is that we have a revolving door of old mind-sets creating more work for old mind-sets, mutter about “information assurance,” and have absolutely no idea that they are leading the herd over the cliff in collective cyber-suicide.

All of the restructuring and “efficiencies” claimed in the reorganization of the government are a sham and part of the scam for the simple reason that the contracts stay with the physical unit whatever its name. It’s a shell game.

Neither the White House nor any US Government agencies that we know of has actually conducted an inventory—intelligence preparation of the battlefield (IPB), we call it. No one has mapped the system, identified the existing and potential future vulnerabilities. In particular, no one has done what I and a handful of others called for in 1994—crafted a plan for creating a resilient network of networks with open source software and peer-to-peer security that cannot be compromised for the simple reason that it is open. As the LINUX masters like to say, “put enough eyeballs on it, and no bug is invisible.”

In my view, NSA is now a negative factor against national security and national prosperity because NSA thrives on cyber-vulnerabilities and compels corporations to aid and abet. NSA is giving the Chinese and the Israelis, the Germans and the French, and all others, free access to all our systems because NSA would rather that we remain vulnerable so they can have a big budget, instead of making NSA irrelevant by creating anonymous peer-to-peer computing and communications that are impervious to intercept.

The National Science Foundation (NSF), in contrast, appears to be pursuing its mission in this specific area with integrity and economy of resources in contrast to NSA’s wanton and largely ignorant plans, along with those of its impaired step-child, DHS. I do not mention the National Institute of Standards and Technology (NIST) and their Computer Security Division for good reason—no one has heard from them since the 1990’s.

The Hackers on Planet Earth (HOPE) conference in New York City July 16-18 is worth attending. Parents should consider bringing their teen-agers. I am proud to be an honorary hacker, and I can assure my government colleagues that the hackers I know have high ethical standards. They’re the good guys.

Robert David Steele served three overseas tours in the Clandestine Service focused on terrorists and extremists. He served in three of the CIA’s four directorates and was selected for the CIA Mid-Career Course. He also was instrumental in setting up the Marine Corps’ intelligence center. A decades-long advocate of cybersecurity and greater use of open source intelligence, Steele is the author of numerous books on intelligence and information operations. Steele can be contacted through his website, Phi Beta Iota.