
Cybersecurity Requires Diligence Not Money

Throwing money at an issue doesn't always work.

Money can be very helpful in accomplishing things. But when tons of money is thrown at an issue, much of that funding is often wasted.

Read the newsletter on cyber below that I got from the Washington Post. If we could get everyone to just install the software patches that are available for known cyber threats, we might be way ahead of the game. Figuring out how to make that happen could pay real dividends.

From the Washington Post: “Cybersecurity 202”

By Joseph Marks
with research by Aaron Schaffer

Welcome to The Cybersecurity 202! Per today’s newsletter top, here’s a great New York Times deep dive on parts of the Manhattan Project that actually took place in Manhattan. From the article: “‘That’s amazing,’ Alexandra Ghitelman said after learning that the buildings she had just passed on inline skates once held tons of uranium destined for atomic weapons.”

Below: The Conti ransomware gang says it’s shutting down even as it’s still demanding money from the hacked government of Costa Rica, and a Trump cyber official’s suspended security clearance is complicating her run for Congress.

Protecting online data isn't exactly comparable to creating the first nuclear bomb

Former director of national intelligence John Ratcliffe is the latest in a string of pundits to call for a “cyber Manhattan Project” to surge the nation’s offensive and defensive digital capabilities.

It’s a tired analogy that was first proffered at least 25 years ago — and most people in the trenches of cybersecurity wish it would be retired.

The complaints: Analogies like “cyber Manhattan Project” and “cyber moonshot” misconstrue the way cybersecurity works, analysts say — portraying it as a project with a dramatic and awe-inspiring goal rather than a never-ending process of slowly ratcheting up defenses and making sure those defenses are in place everywhere they need to be.

The analogy also misleadingly portrays cyberdefense as something that can be fixed with money and smarts alone — failing to acknowledge that most breaches happen because of human failures, such as companies not installing cybersecurity patches that are readily available.

The latest instance: Ratcliffe used the analogy in a Newsweek op-ed co-authored with Abraham Wagner who worked on cybersecurity for the Trump-Pence transition team.

The op-ed calls the current U.S. government cyber posture “inadequate, both in terms of national organization and technical capabilities” and calls for a “‘cyber Manhattan Project’ to make revolutionary leaps ahead in cyberspace, understanding that complete technical overmatch against our adversaries is the surest path to deterring bad actors.”

The authors’ main suggested fixes are integrating the National Security Agency more closely with the Department of Homeland Security’s cyberdefense mission and increasing military spending on offensive cyber capabilities — hardly the equivalent of splitting the atom and definitively ending World War II.

The analogy is one of several that get the goat of cyber researchers. Others include “cyber Pearl Harbor” and “cyber 9/11,” which researchers say have dramatically misstated the cyberthreat — sparking public fear about a mass casualty-level cyberattack that is extremely unlikely to happen while lowering concern about lower-impact cyberattacks that are causing huge amounts of damage in the aggregate.

Such analogies are a common frustration when discussing cyber dangers.

The big problem: Cyber is a comparatively new form of threat that’s not well understood by the public, so analogies could be helpful. But it’s also a peculiar field of conflict where most of the defense is conducted by the private sector and attackers often have a structural advantage — which means most analogies from conventional warfare and geopolitical competition aren’t very well suited.

Some other critiques of the analogy:

If cyber Manhattan Project essentially means government spending a lot of money to do something big and important, then that’s clearly already happening.

The total cost of the actual Manhattan Project was about $36.5 billion in 2022 dollars, according to an analysis from the Brookings Institution think tank. That’s the equivalent of less than two years of military and civilian government cyber spending at the current rate.

If you factor in what the private sector spends on cybersecurity, that clearly blows the Manhattan Project out of the water.

Cyber moonshot is another common analogy. The Trump administration launched a “cyber moonshot” initiative through an advisory committee in 2017, which produced a compelling report but hasn’t significantly shifted the cyber landscape.

The Apollo program, which was responsible for six moon landings, cost a lot more than the Manhattan Project — about $168 billion from 1960 to 1973 in 2022 dollars, per the Planetary Society.

Total U.S. government cyber spending stretching back to the George W. Bush administration is probably approaching that figure if it’s not there already. That spending has undoubtedly produced huge offensive and defensive advances. But — to take just one measurement — it hasn’t exactly given the United States the same technological edge over Russia that the moon landing did in 1969.

Government spending may also be a poor gauge for the importance of cybersecurity — because so much of it is focused on paying for products that maintain the status quo of security rather than on research and development to improve cybersecurity.

There’s also a reasonable argument that U.S. intelligence agencies have devoted a Manhattan Project-level effort to offensive cyber tools that the public just doesn’t know about because it’s classified. Journalist Kevin Poulsen made that argument for Wired in 2015 after a previous high-profile call for a cyber Manhattan Project.

The article came soon after the Russian cyber firm Kaspersky Lab detailed extensive hacking conducted by a group that it dubbed the Equation Group but that was widely understood to be NSA’s offensive hacking division.

Eric Holdeman is a contributing writer for Emergency Management magazine and is the former director of the King County, Wash., Office of Emergency Management.