Tuesday, 21 September 2010
A must-read is “Cyber Threats to National Security: Countering Challenges to the Global Supply Chain,” which CACI published last July. Although it’s supposed to be just a “summary of the personal remarks made by participants at the March 2, 2010 symposium” that was co-sponsored by CACI and the U.S. Naval Institute, a very fine and anonymous editor has turned those remarks into a well-crafted and readable white paper.
One clear message of the report is that both government and industry continue to take a “penny-wise, pound-foolish” attitude toward security because the economic incentives and disincentives tend to push them in that direction. The report observes that:
…that there are very few individuals or companies that focus on the global end-to-end requirements or security of the supply chain. Components of all scales are usually considered fungible and, consequently, most suppliers are not paid for ensuring all aspects of quality and security… That degree of oversight is most often neither contractually nor culturally their job or their responsibility.
The cultural factors involved with security are of particular interest to me but I’ll focus on that in future blog entries. I’d like to highlight here the parts of the report which point to the inability of the market to deal with security. I’ve bolded a couple of points below should be discussed in greater depth – and urgency – by government and industry.
To date, market forces have not favored products with cybersecurity capabilities that make systems secure at the level required for national or economic security. Companies, and by extension broader society, still view cybersecurity as a revenue drain or an add-on, not as an imperative. Consequently, adequately robust cybersecurity products have not benefited from the economies of scale of the global mass market.
The result has been a “market failure” to the extent that the U.S. can’t afford the security necessary to survive in a system it created. …Since competition for information technology systems is furious and capability is often considered over security, industry continues to develop insecure systems. Purchasers continue to select “competitively priced” products with insecurity engineered in even while the U.S. becomes increasingly less able to afford them from a security standpoint.
As I said in an earlier blog entry, you “can pay now or you can pay later.” My first choice would always be that the market can come up with the solutions. But, if in an area of such importance to U.S. national security, the market is not doing its job, perhaps some outside stimulus is needed. Hopefully, that stimulus won’t come in the form of an attack or breach which takes down major critical infrastructure or shuts down a critical government agency or steals millions of Social Security records.