Hey @suehalpernVT this is actually wrong.
I’ve seen similar claims elsewhere too, so I thought it might be useful to explore this.
https://www.newyorker.com/news/daily-comment/after-the-solarwinds-hack-we-have-no-idea-what-cyber-dangers-we-face
In the piece cited, @Jason_Healey actually juxtaposes spending for just one component of CISA (not total federal spending on cyber defense) to the DoD cyber operations budget (not a giant pot of money to develop “cyber weapons” with kinetic effects)
https://www.lawfareblog.com/reexamining-solarium-commissions-proposal-national-cyber-director
As @robknake notes in CFR, much of the DoD’s cyber budget isn’t necessarily spent on offensive cyber missions. And offensive cyber operations encompass a range of activities, contrary to NYer piece.
https://www.cfr.org/blog/no-united-states-does-not-spend-too-much-cyber-offense
Healey’s article is an interesting exploration of spending on cyber within the US Govt. But, like Rob noted here, NCCIC or even CISA as a whole is only a small part of US gov’t spending on cyber defense, which is spread across the federal government. https://twitter.com/robknake/status/1348661961001676801
This includes DoD & NSA. While fair to argue (as Healey does) that more funding is needed for defense by domestic civilian agencies like CISA, this is still an important part of cyber defense spending - e.g. NSA develops standards and partners with CISA
https://www.washingtonpost.com/national-security/nsa-launches-new-cyber-defense-directorate/2019/09/30/c18585f6-e219-11e9-be96-6adb81821e90_story.html
And federal cyber defense spending doesn’t even account for private sector spending. Like @HostileSpectrum points out, offensive spending is uniquely concentrated in a way that defensive is not. Comparing offensive to defensive spending is hampered by the inherent asymmetries. https://twitter.com/hostilespectrum/status/1348663069237510144
While a large part of the defensive mission of the US gov’t is to defend US private sector (which is important) it can’t ultimately be responsible for defending computers it doesn’t own/operate, hence why private sector spending is relevant. Whereas all offense is done w/ gov’t $
This isn’t to suggest that we shouldn’t increase spending and focus on cyber defense, especially on the civilian side of the house. @alexstamos argues for that here
More defensive spending is imperative, but it doesn’t have to be at the expense of offense https://www.washingtonpost.com/opinions/2020/12/15/enough-is-enough-heres-what-we-should-do-defend-against-next-russian-cyberattacks/