According to the Wall Street Journal this morning, the Bush administration is pushing to spend $6 billion on cyber security in one year! They claim that US telecom systems are not adequately protected and that they need to spend this money to protect them. Just one problem: the government is not revealing to Congress just how these funds will be spent.
First of all, let's put some perspective around the size of this budget. $6 billion is larger than the entire industry for firewalls. That's right, the total sales of firewalls from Check Point, Cisco, Juniper, WatchGuard, SonicWall, and twenty other vendors, worldwide, is less than $6 billion. The entire security industry for products is less than $24 billion.
So just how could the Federal Government spend $6 billion on cyber security? They are not saying. They are asking Congress to buy a pig in a poke. Of course you will see the DHS claiming that these new investments must remain secret to be effective. I beg to differ. There is *no* security in secrecy when it comes to effective cyber defenses. Just as the best security in cryptography is to use almost impossible to break but completely transparent encryption schemes, the best security for networks and systems is that which cannot be penetrated even if every detail is published and open.
Congress should stick to their guns and refuse to grant funds for secret cyber defense solutions. Yes, investment is needed - more in new policies and rigid enforcement than anything else. But granting a carte blanche to the Department of Homeland Security for $6 billion a year in budget will result in only one thing: a new cyber bureaucracy.
Transparency is good for security. The administration should earmark these funds for specific departments and specific security measures. Otherwise there will be no metrics, no accountability, and they will be back at the trough next year asking for money to accomplish more secret goals.