Homeland Security Watch

News and analysis of critical issues in homeland security

February 8, 2013

Cyber Insecurity: Black Swan or Headline?

Filed under: Cybersecurity — by Ted Lewis on February 8, 2013

The Iron Triangle

President Dwight D. Eisenhower coined the term, “military industrial complex” during his farewell address to Congress on January 17, 1961. The phrase stuck and is now used to describe an ironclad triangle binding together private-sector companies, the military, and government appropriations for the purpose of promoting defense spending. According to Wikipedia, the triangle contains, “…relationships includ[ing] political contributions, political approval for military spending, lobbying to support bureaucracies, and oversight of the industry.”

The military industrial complex grew during the Cold War, but slowed after the fall of the Former Soviet Union. During Eisenhower’s tenure as President, and through most of the 1950s, military spending remained above 10% of GDP; it dropped slightly during the Vietnam War (about 9 percent of US GDP); and then declined even further to about 5 percent through the 1970s. President Ronald Reagan ramped it back up to 6 percent until the fall of the Soviet Union. By 2000, it had settled down to 3% and has inched up slightly to its current level of 5.5 percent – a far cry from its 9-10% level during the “glory days” of the Cold War.

But a new requirement may be emerging to replace tanks, warships, missiles, and airplanes as the next growth area for the complex: cyber insecurity. Cyber insecurity is the term I use to describe real and imagined security gaps in the global information and communication network infrastructure. It is the opposite of cyber security.

Suddenly, vast sums of money are pouring into cyber insecurity because of perceived increases in cyber threats, growing vulnerabilities created by connecting everything to the TCP/IP monoculture (mobile devices and cloud computing), flawed software, and lack of adequate precautions on the part of government agencies, infrastructure companies, and the public.

It seems governments and companies are rushing to the Internet because it improves efficiencies and reduces costs. But this rush also opens up new vulnerabilities. According to eWeek, government spending to combat cyber insecurity was forecast, “to reach $60 billion in 2011 and is forecast to grow 10 percent every year during the next three to five years.”

Financial institutions spent $17 billion on cyber insecurity in 2012. AT&T estimates spending to reach $40 billion annually, and “Frank Kendall, defense undersecretary for acquisition, technology and logistics, says there is still ‘a lot of money’ to be made in the defense business, despite mounting budget pressures… in cyber security.”

President Obama is seeking $500 million for research into cyber security with emphasis on industrial control systems that control water, power, and transportation systems. Gartner Corp, a market research company, claims total spending on cyber insecurity will reach $86 billion by 2016.

On the surface it would seem that cyber insecurity is emerging as the next big opportunity for the military industrial complex. There is money to be made by extending the military industrial complex to embrace the cyber security industrial complex. With billions of dollars pouring into research and development, how can the iron triangle resist?


The Check, Please

A 2012 survey of 56 corporate and governmental organizations conducted by the Ponemon Institute found that cyber attacks cost an average of $8.9 million per organization in the US, $5.9 million in Germany, $5.1 million in Japan, $3.2 million in the UK, and $3.2 million in Australia. Most attacks were perpetrated by malicious insiders or through network exploits such as denial of service attacks.

Compare this with exploits committed against consumers, such as phishing ($687 million, globally, according to RSA Inc.) and online fraud (1% of retail sales or $3.4 billion, globally). There are many problems with estimates of cyber insecurity costs, so readers should be skeptical of these estimates.

The Ponemon study raises questions regarding methodology: how were these costs calculated? Generally, costs are associated with loss of productivity — business disruption, information loss or theft, revenue loss, equipment damages, and the cost of detection, investigation, containment, recovery and measures to fend off future attacks.

Contrast these numbers with $4.5 billion in car theft annually in the USA, and 275,000 accidental deaths of patients in hospitals, annually. [Barbara Starfield, J. AMERICAN MEDICAL ASSOCIATION (JAMA) Vol 284, No 4, (July 26th 2000) reports that medical errors may be the third leading cause of death in the United States: 225,000 deaths per year from unnecessary surgery; medication and other errors; infections in hospitals.]

So far, nobody has died from a cyber attack.

Cyber crime, loss of intellectual property due to cyber exploits, and damages done to banks, consumers, and retail web sites may be on the rise, but the consequences barely compare with traditional crime. In 1999, David Anderson estimated the total cost of crime in the US to exceed $1 trillion – a number several orders of magnitude greater than the most pessimistic scholarly estimates of cyber crime.

So we face two questions: how were estimates of cyber insecurity derived, and how do they compare with other threat statistics?


The Wrong Questions

The superficial numbers cited above suggest that cyber insecurity is a relatively minor problem as compared with more mundane problems such as car accidents, medical accidents, natural disasters, and plain ordinary crime. In addition, cyber insecurity statistics based on surveys are highly unreliable and often misleading.

Julie Ryan and Theresa Jefferson, scientists at George Washington University, conclude in their paper (The Use, Misuse, and Abuse of statistics in Information Security Research), “In the information security arena, there is no reliable data upon which to base decisions. Unfortunately, there is unreliable data that is masquerading as reliable data. The people using that data appear not to question the reliability of the data, but simply quote it with no caveats or constraints. This is of great concern because it may mean that resources are being allocated inappropriately or ineffectively.”

Are these unsubstantiated claims merely a continuation of the 50-year-old military industrial complex iron triangle? Claims of an impending “cyber Pearl Harbor” are very conducive to increasing government spending. After 9/11, perception of an impending black swan event has gone from remotely possible random events to almost inevitable high-impact events without the benefit of solid research.

Instead of hyping a poorly understood potential threat to stimulate government spending, perhaps we should be asking a different question, “what policies and strategies are there to prevent both imagined and real cyber insecurities?”

In other words, cyber security should be about policies instead of headlines.


Ted Lewis is Professor of Computer Science and National Security Affairs at the Naval Postgraduate School. He is the director of the NPS Center for Homeland Defense and Security.  His most recent book is Bak’s Sand Pile: Strategies for a Catastrophic World.

Comment by William R. Cumming

February 8, 2013 @ 9:27 am

Thanks Ted for a very thought provoking post. But first some comments and data errors.
Starting with the tossing of R&D contracts by FDR’s science advisor to his home university Eisenhower would have long ago been more accurate to state that it is the Military-Industrial-Academic complex!

The modern DoD has over 50 academic complexes it controls both the faculty and curriculum. Some might ask WHY?

As to the nation’s research universities [and note that few profit making colleges and universities conduct any type of research] don’t have major research grants and contracts all that are applied research meaning that they are by design for a specific purpose [if not designed to obtain a specific result-though some are in fact that way by design.]

If the total cost of VA’s budget is considered defense related and other components the economy creeps towards the 20% mark for defense and certainly does if HS is included.

There is over a Trillion in costs to clean up the bomb complex still outstanding.

As to cyber security will address that in a comment later today!

Comment by William R. Cumming

February 8, 2013 @ 9:28 am


The 20% figure relates to the federal budget annually not GDP!

Comment by William R. Cumming

February 8, 2013 @ 1:21 pm

Cyber Security? First identified in September 1997 by the PCCIP as the new world as opposed to physical security but also watch 2000 movie “Track Down” about a real world hacker!

My take is the fact that gasoline wars have ended for developed nations and now all about cyber war.

And all the costs of cyber security being shifted to the government just as with airline security. The real costs are borne by the public even now and the producers of software and hardware reap the profits.

There should be an immediate reorganization of the Congress to deal with cyber security as was the Joint Committee on Defense Production lasting from 1950-1977!

DHS should be abolished with the FCC incorporated into a new Cyber Department and all other DHS components sent back to their previous homes.

And DISA incorporated also into the new department just as the Energy Department owns the bomb making complex with DoD as a customer.

Comment by William R. Cumming

February 12, 2013 @ 11:04 pm

A new Executive Order on Cyber Security issued by President Obama today!

Comment by Ted Lewis

February 13, 2013 @ 7:23 pm

Thanks, Bill. I will accept your friendly amendment: It’s a military-industrial-academic complex!

Comment by Ted Lewis

February 13, 2013 @ 7:28 pm

PDD-21 has some very interesting items. I mention only a few:
Owner/Operators get classified clearances and access to classified information. Really? How will that work?

The Framework will be available soon. Is this a return to Richard Clarke’s 2002 proposal?

Following the Framework is voluntary, so who will do it? Oh! BTW, the government will tell you why you are vulnerable and what to do about it. No more plausible deniability. Bring back Ford’s exploding Pinto!

The age-old “let’s all share information, sing cum-by-ah, and cooperate” strategy, again. How is that working?
