US Government seeks to invest $6 Billion in security by obscurity


TOPICS: Security

According to the Wall Street Journal this morning, the Bush administration is pushing to spend $6 billion on cyber security in one year! They claim that US telecom systems are not adequately protected and that they need to spend this money to protect them. Just one problem: the government is not revealing to Congress just how these funds will be spent.

First of all, let's put some perspective around the size of this budget. $6 billion is larger than the entire industry for firewalls. That's right, the total sales of firewalls from Check Point, Cisco, Juniper, Watchguard, Sonicwall, and twenty other vendors, worldwide, is less than $6 billion. The entire security industry for products is less than $24 billion.

So just how could the Federal Government spend $6 billion on cyber security? They are not saying. They are asking Congress to buy a pig in a poke. Of course you will see the DHS claiming that these new investments must remain secret to be effective. I beg to differ. There is *no* security in secrecy when it comes to effective cyber defenses. Just as the best security in cryptography is to use encryption schemes that are almost impossible to break but completely transparent, the best security for networks and systems is that which cannot be penetrated even if every detail is published and open.

Congress should stick to their guns and refuse to grant funds for secret cyber defense solutions. Yes, investment is needed, more in new policies and rigid enforcement than anything else. But granting a carte blanche to the Department of Homeland Security for $6 billion a year in budget will result in only one thing: a new cyber bureaucracy.

Transparency is good for security. The administration should earmark these funds for specific departments and specific security measures. Otherwise there will be no metrics, no accountability, and they will be back at the trough next year asking for money to accomplish more secret goals.

  • I am sure almost $500M will go to security

    You stress too much. Almost 8.5% will end up going into actual security products and processes. This after the 10% goes to a bunch of "admin" companies, and then 60% to study groups, 22.5% go to support groups helping the study groups, etc. I say good bang for the buck, and you seem to imply that when $billions are thrown at any problem in the government with no oversight that mishandling occurs and massive pork barrel payback happens. This is just not the case, it's a myth.

    • Ouch!

      Does your tongue get bitten often, residing in your cheek as it doth?
      • Sorry, was having a disillusioned hair day.

        Read other stories lately on just how much of a colossal waste of money happens with government lately. I'd like to believe that a few companies (CIOs, etc) won't make an absolute killing with untrackable money and no oversight, it just gets hard. :D

    • that 8.5% for "actual security products and processes."

      How much of that 8.5% for "actual security products and processes" will instead be spent for spying on political enemies?

      Just askin'

      Jack-Booted EULA
  • Maybe they should take a lesson

    from Microsoft on how well security through obscurity works! ]:)
    Linux User 147560
  • Bravo for more security!

    I'm inclined to think that we do need more security on the internet. While we are at it why don't we post someone from the military on every street corner and allow them to shoot at whomever the government thinks is guilty of something? Doesn't make sense does it?
    I'm all for more security on the internet but when someone tells me that they want money for something like security but they aren't going to tell me the why's and how's? YEAH RIGHT! I may have been born in the morning but it wasn't THIS morning. And 6 BILLION?! Are they going to line the circuit boards of the security servers with platinum? There is no way they need that much money for this. They are looking for a way to line their own pockets and I wonder how many suits on Capitol Hill will fall for it?
    • Actually 6 Billion isn't unreasonable

      The fact that security vendors only bring in 24 billion a year shows me that not enough people are taking security seriously. Since security is one of my specialties I can tell you this: security spending is always the first to go and last to be applied in any project. If they have money left over it goes to security. If a project is costing too much they cut security to save money.

      I'd say 6 Billion makes sense to me. Security should cost at least that much. Now I'd want to know how they intend to use the money first though. To make sure it's being spent the right way. If there is one thing you see with big budgets like this, it is that spending gets a little silly. Will they waste this or spend it right? If it's hidden you'd never know.
      • It isn't unreasonable, but ...

        When was the last time you successfully sold a budget without disclosing what you were going to buy? At my company, which likely struggles as yours does for every penny, we have to describe exactly what we're going to do with the money. If it isn't spent the way the owners want the budget is disapproved and we have to apply again.

        In this case, Americans are the owners and our representative is Congress. Congress has every right and responsibility to ask for details and should disapprove if none are forthcoming.
        Larry the Security Guy
  • Security costs

    You mention security products as being the only part of security. Security products are only as good as the people using them. So if you have an industry selling 24 billion in products a year you have a workforce spending much more using the products.

    Also if 24 billion is all the security companies get in a year then maybe it's a little low.

    One thing I always hear about security is this:

    "We've never had anyone hack our networks so do we need all the security we have?"

    I'm always stunned when I hear that. So do these people decide to cut the brake lines in their cars because they've never had an accident? It's the stupidest thing I've ever heard. This alone explains why so little is spent on security. The only time I see big spending on security is after someone breaks in and the damage is done. This lasts for a few years, then the purse strings tighten again.

    The thing with security is that when it's done right there won't be any problems and no one notices. Then they start wondering why all these dollars are sinking into the abyss of security with no apparent return on investment. Having everything working and secure is not considered cost effective. So they lay off, cut back on operation budgets and get nailed then that justifies spending on security again.

    The whole thing is really really stupid. They'd be better off making people spend on security by passing laws that would put bean counters in prison for cheaping out on security.
  • Secret from who?

    If they think they are keeping it a secret from the "bad guys" they are kidding themselves. The only people that will be left in the dark are the tax payers.
    • Yes

      Exactly who do you think the bad guys are? Tax payer Yes!
  • Don't you have to jail all the moles in the government first?

    With the latest fiasco of our officials selling nuke secrets thru liaison folks of other countries, why bother. There should be an AD-Aware program you can run to flag all of the Pollard wannabes.

    Meanwhile I think Bush & Co. should be denied the money and ordered to hand over the culprits from the clean ones in congress. Tall task.
  • Vote for Ron Paul. He never met a porkbarrel...

    project that he wouldn't vote against.

    Of course, if you really secretly like the way things are, you can go with the merchants of 'change', Obama or Hillary, OR you could maybe go with Huckleberry or Rudy. Vote for any of these, and you get what you deserve.
  • Ummm, why aren't the telecoms paying to secure their own systems?

    I mean if they have weak security isn't that their fault and on their shoulders to correct? Hmmm, or maybe by "security" what is really meant is to be able to SPY ON AMERICANS....
    • Why should they?

      Seriously here. What real incentive do they have to secure themselves? They get hacked and what will customers do, will customers even know? Phone service goes down and they just call it technical difficulties.

      In the end what is the return on investment for telcos to secure their own networks? I don't really see any. As long as nothing bad happens to them they have no reason to keep feeding the black hole of security. As soon as something does happen they will spend spend spend until people stop noticing again.
      • Either way, it's not the tax payer's problem.

        Unless of course this is really about "Uncle Sam" demanding hardware and software be installed to spy on Americans.
        • Better idea

          Instead of throwing tax payer money at the problem why not force the telcos to do it via laws that mandate compliance to security standards. This way it's not the government paying but the telcos. In the end the result might be the same to the tax payer as their telco bill increases but at least then you have a choice to pay for the service or do without.
      • I gotta go with No Axe.

        Telcos are mandated to 5 nines reliability. 99.999 uptime. Any outages require expensive and arduous RCA and mandatory government reporting. In terms of security, telecoms (I have worked with most players in the US) are beyond paranoid (good).

        From physical security standpoints, they are amazing. Nobody unauthorized is getting in (without inside help). They obfuscate where their facilities are. You probably have no idea which buildings in your town are telco equipment. From the software side, I have not come across an IT group that didn't have their act together. There is ZERO, ZERO outside access into live equipment (specific processes are put in place for temporary remote support, but requirements are tight).

        Many telcos run their equipment isolated. All products have to have a fully defined security plan. Who does the patching, what testing is done, etc.

        Just getting secured VPN access to a lab environment on a customer site can take weeks from approval to actually getting the firewalls opened, the IP allowed, authorizing users, etc.

        No, anyone telling you telcos are not at least as secure as probably the NSA itself is selling you smoke and mirrors. I am not talking about the various web portals, but the actual heart of the telecommunications network.

        • I agree in part

          The telco themselves are secure to the point of paranoid. Where they drop the ball is after the demarcation point. Now really that's not the telco's problem and they do an excellent job protecting themselves from their own customers but this is the area where I see the problem. What's the solution?

          One suggestion, and I'm really just throwing this out here to be shot full of holes, is to maybe have laws that make it the telcos' responsibility to take care of customer security. I can already think of a dozen problems with this but really how do you make business XYZ responsible for security? If they need that internet pipe and it gets yanked because the telcos must by law do so if they are deemed not secure enough then something will change. The telco won't do it now because they would be to blame but with a law to point to they can't be to blame as the playing field is level. You don't have one telco mandating security and another wooing customers because they are lax.
          • Point Taken

            "shot full of holes is to maybe have laws that make it the telcos responsibility to take care of customer security."

            I would agree that outside the core, it is no better and sometimes worse than just general IT.