Threatpost editor Dennis Fisher talks with Eugene Spafford of Purdue’s CERIAS center about cybercrime, funding for long-term security research projects and whether the federal cybersecurity coordinator position matters.
Fisher: Do you see any indications that there will be more funding coming from the federal government for longer term research projects in the near future?
Spafford: Not really. There are provisions for more research money in some draft legislation that’s in Congress right now, but they are authorizations, not appropriations. And that’s a big distinction. There are a lot of other priorities right now, obviously. We have two wars going on. I don’t have high hopes of there being an influx of new money.
Fisher: You wrote a blog post a couple of months ago about the lack of leadership on cybersecurity in the federal government. At some point Obama will appoint the cyber coordinator. But will that even matter?
Spafford: I don’t see how. It’s a position that’s going to report up to the economic council and the security council. It won’t have any statutory authority. It won’t have any budgetary authority. That does not give it much authority of any kind. The problem is that there are organizations in the government that have some part of the problem space, like DHS, Defense, the NSA. They have good people on it and they’re making headway. But the structure of the government response misses portions of the problem. It isn’t a coordinated effort and there’s no awareness of the magnitude of the problem. There’s certainly a recognition in the military that there needs to be a better response, and that’s what we’re seeing in the establishment of the cyber sub-command. That could be good. But a lot of it will depend on the managing authority. But it does show progress. The downside is that the military views the protection of military assets as their job and the protection of other assets is someone else’s job. They’re not going to protect the banks and the utilities and the telcos and the power grid and everything else. So whose job is it? Where’s the coordination and overall picture of how this works? So when I hear that there are supposedly people who have been interviewed for this cyber coordinator job and didn’t take it, I’m not surprised. It’s not a winning position. I’m not at all surprised by the fact that it’s empty. That position is a blame-taking position.
Fisher: So if getting that position filled won’t really make much difference, what needs to be done to get things going in the right direction?
Spafford: Well, a lot of it is unfortunate timing. Twenty-five years ago when this issue was first being raised, the response was that it isn’t really as big a problem as X, whatever X was at the time, and that the market will undoubtedly respond to a problem that’s as big as what you say this is. So the problem doesn’t appear to be as big as it it really is because it’s hidden by other things. It’s grown so big and the politics are much, much worse now. Terrorism was discussed in the ’90s and it wasn’t taken very seriously because it was seen as a problem that affected a certain region of the world until 2001. And we had our horrible attack and we had a massive reaction to it and we probably committed more resources to it than were really necessary to respond to the issue. We haven’t had that incident in cybersecurity yet, and hopefully we won’t. But if we look at online fraud and crime, we’re talking a drain of tens of billions of dollars on the the U.S. economy. Look at that and compare it to the costs of what we’re spending in Afghanistan. It’s equal to what we’re spending to everything we use to fund NASA, NIST, Energy and a bunch of other agencies. That’s a big bundle of money that’s going into the pockets of criminals.
Fisher: The cybercrime problem seems to really have gotten out of control in the last year or so. As you said, there’s a lot of money involved these days. Obviously the FBI and other agencies are working on it, but it seems like the scope is too big for even them.
Spafford: Think about it in the context of the Mexican drug problem. A couple of years ago, Mexico didn’t have much of a problem because all of the drugs were going north and Mexico was just a conduit. Now, their whole police structure is compromised. They’re bringing in the army. They’re staging gun battles in the streets with drug gangs. They just allowed it to go on too long. And that’s a worry that many of us have [about cybercrime]. The problem is that you’re institutionalizing it and allowing a criminal element to get established. How far away might we be from a criminal group extorting a government for money? Who would be responsible for responding? It’s not a military problem. I don’t think people are weighing the cost benefit and are thinking in terms of these problems. How do we know this hasn’t been happening already? People are looking at narrow problems in their jurisdictions. No one looks at the big picture. They say it’s too expensive to address the whole problem or that these attacks can’t happen or won’t happen. None of those is a good answer.
This is an edited and condensed transcript of the conversation.