Cyberwarfare.
The US government is scared as hell about electronic attacks on our nation’s networks and systems. And rightfully so! Our government is WAY behind the curve. Granted it was the US military (correctly – it was the R&D arm and was contractors at that) that sponsored and performed the original development of what has become the Internet. The tie stops there however. We’re in a VASTLY different situation than we were in the late 60’s to early 70’s…and sadly it’s ALL self-inflicted.
=======
A little background - I'm a security professional by trade. I've been building and breaking networks and systems for over a decade. I'm a Linux Junkie ('cause it's awesome) and am VERY interested in and invested in efforts to defend our companies and government agencies. I've worked from several angles and with several organizations and companies in this capacity. It's an exciting time to be working in this space.
I'm certain that a lot of people will be upset and/or offended by this post - but somebody has to say it.
=======
Having recently worked for a contractor to one of the biggest US DoD R&D facilities, I can tell you without a doubt that we are in a sad state indeed. We can put men on the moon (30 years ago), but we can’t seem to keep IT systems operating smoothly to save our lives. Rather than just complaining or stating the publicized obvious though, I’ll point out some of the core problems and offer some solutions.
Issue #1 – our budget system. What’s that? Why would this matter? The truth is that no network, ANYWHERE, can operate (or exist even) without a well oiled Layer 8 and 9 of the OSI model. While not officially published in the spec, politics (L9) and financing (L8) are fundamental components of any IT landscape.
We have a br0ken(!!!!!!) budget system. The US government has adopted a “use it or lose it” funding system (Zero-based budgeting – specifically Incremental Spending) that is at the core of our problems. Rather than spending wisely or building systems with resiliency, scalability, or reliability in mind, we have mired ourselves in a feeding frenzy. We blow money on stupid shit that serves no purpose. We cannot expect to make sound decisions when decisions are tainted by budget strains. The examples of mismanagement and frivolous spending can go on for weeks.
To remedy the problem, we need to see a shift to performance based budgeting. A system where organizations are given increases based on their Performance and SAVINGS in the prior term. If your group doesn’t cut costs and deliver amazing results, your budget gets CUT. If you perform well and save the government money, you get awarded a bonus to use on projects, ideas, innovations, etc. This is a radical shift from our current model. Remedying this would solve something like 90% of Washington’s problems. I’m probably going to get shot for turning the lights on and making the roaches run & hide.
(after we solve problem #1)
Issue #2 – contractors. Yep, I said it. Having been a govt contractor myself, I can tell you truthfully that “small government” (accomplished by means of outsourcing) is crippling our ability even further for making sound decisions. Imagine an organization that’s interested only in self-preservation and “re-election” and then toss in a healthy dose of “money to burn” and you’ll be pretty close to what’s going on. Sounds pretty familiar you say? Congress, the White House, and the rest of our government have painted themselves into the self-preservation corner and it’s going to be one hell of a fight to get out.
What we’ve done is put a bunch of self-interested groups into the mix, all with conflicting efforts and angles (because there’s no central authority), and are scratching our heads as to why we’re vulnerable and so mixed up. Um… do I really need to spell this out?
If we nixed the outsourced groups (that are WAY more costly than govt. employees – *more on this momentarily), we would again have an organized and centrally focused organization, capable of making their own intelligent decisions. If we were politically and financially in the same situation we were in back in the days of the Internet’s origins…we could perhaps continue to use contractors appropriately. BUT…BUT…an outsourced group that’s not managed VERY specifically in regards to their deliverables and cost constraints…will run costs through the roof and hang around like a parasite – leeching funds for as long as it can. Our landscape currently is a LARGE amount of government employees basically only operating as “contractor managers”. Their hands have been tied so badly by the empty promises of “small government” that they cannot get anything accomplished themselves – and are stuck having to only jockey around contractors to try and get anything accomplished.
This isn’t to say that contracting agencies can’t offer tremendous value. (*)The point I want to mention though is that unchecked outsourcing can quickly run afoul. (the names have been changed to protect the guilty) Imagine a PowerPoint document that outlines a program’s goals and objectives. About 20-30 pages. Nothing major. Something an administrative assistant and a few Engineering and Management resources could draft in a few days. Tack on a $35,000 price tag…and you’d land spot-on with how “cheap” outsourcing really costs us.
Do you seriously think we can design and operate secure and safe IT systems in this kind of environment?
Issue #3 – Talent
(we’ll be nice and stop here)
If we can tackle Issue #1 and #2 – we’re going to be immensely safer than we are today. This alone will eliminate the infighting (like our most recent embarrassing Republican standoff against anything our President offers) and curb errant and biased spending.
Once we’re past that however – the next hurdle is that of talent. Attracting and keeping top-notch talent to operate and design our Government’s networks and systems is a tough challenge. To even be a player in the field, we’re going to have to be able to offer compelling positions – with beautiful benefits and sweet salaries. Security professionals can command some of the highest compensation in the industry if they’re bright and talented. I’m very sorry to be the one to finally say it – but our enlisted folk are not always the “most capable” to be grappling with these challenges.
I’m personally friends with a lot of Military. There’s a lot of very smart and motivated folks defending our Country. There’s also a LOT of tools in the shed though that could use some sharpening…and these folks cannot be expected to handle defending ourselves in cyberspace. Grunts have no place in a virtual world. We have not yet abstracted and perfected cyber defenses to be some big shiny red button to mush on when there’s a problem…and it takes some pretty damn sharp engineering sometimes to even be able to DETECT some types of attack.
What needs to happen is kids need to wake up and realize that ‘blue collar’ doesn’t exist in America anymore. To be able to enlist and feed yourself…you’re going to have to have some computer experience…and the demands are getting higher and higher.
Grab a book. Install Linux (it’s free by the way). Teach yourself how stuff works. (I’m self taught) Surround yourself with smart people. Befriend a ‘nerd’. Muscles don’t mean shit in cyberspace. Jocks become useless on the playing fields of the ‘net.
We’re in a sad state indeed.
HOWEVER…..(!!!)….. what makes America so friggin awesome is that we’re a nation of ‘go-getters’ that are willing to stand up to a challenge. Roll up our sleeves and get to work, as the metaphor goes. I KNOW that we can climb to the level we need to be. I know we can overcome this.
It’s time to put the money-grubbing and the political infighting aside and get our asses in gear.
Or they’re going to get handed to us.