Dear Mr President, I have some bad news for you. I know in 2011 we spent 58 percent of the total defense dollars paid out by the world's top 10 military powers and we outspend China, the next-biggest military power, by nearly 6-to-1 or over two thousand times more per person on defence than China but we cannot defend our defence networks. What's more I think we should tell the world we cannot defend them and let us be at the mercy of these heinous hackers.
Doesn't sound right to me, but actually this is what America says, but is it what it seems? I cannot imagine being back in Government and taking this as policy advice to a UK Prime Minister, rightly they would think you are bonkers and dismiss you in more ways than one, so we need to look under the message and work out what IS being said but more importantly why.
In terms of facts America does spend c58% of all worldwide money on defence and it shows. Their capability is second to none – they are THE force to be reckoned with, so why do they claim to be so defenceless? Several possible reasons:
- The first possible reason is one of deflection, sometimes when you are being criticised for the legality of your drone programme, or you are struggling to agree a budget (again, and again) and you are not seeing the growth and improvements in economic prosperity you need, you need something to get everyone focussed on – a bogeyman helps;
- The second possible reason is in a country where Corporate America wins over politics (otherwise politicians do not get re-elected), and Corporate America is driven off profit and Corporate America is also driven off individual greed, anything that gets in the way of these objectives does not make progress. How do you convince Corporate America to make the necessary security improvements – you nudge them in the right direction by driving up the fear
- The third possible reason is it might be true (but words matter)
- And finally another possible reason maybe that the USA is executing a strategy that: drives Corporate America to undertake the necessary security changes; drives Corporate America to bring jobs back home, especially from China by creating such a poisonous atmosphere about China (in this context Huawei is just collateral damage); and the USA looks to slow the economic growth of China outside of its own border and finally it sets its defence networks up as one huge honeypot.
I have written above that words matter, and as no one would want to be caught out lying when America says its defence networks are not defensible (or derivatives) it is true. What it doesn't say is that America is not defensible. All that the American Government and Military are saying is that they have moved their defences into the private sector private network infrastructure. If you think about it, it is quite obvious that to attempt to re-engineer the architecture and rebuild 15,000 separate defence networks is a monumental and thankless task. Why not just agree with the American Telecommunications Operators to install additional defences in their networks so before anything gets to Government, or military, it has been vetted and cleaned etc. Maybe this is why America doesn't want us to sell our equipment to American companies; maybe they will worry that we will see what they do with American Citizens personal data, monitoring and storing of everything that passes through telecommunications.
So why the mention of a honeypot? It's quite clever really. You have just reduced your threat landscape to probably less than 30 network points (just count the undersea cables going into America etc.) and you broadly have less than a handful of telco's, so put on those access points an array of sensors and other top secret gubbins that the USA has spent all of its defence budget on and low and behold you have created a veritable gold mine of information, and a lot of response options – more of this in a future posting.
Just to finish, have you ever asked yourself the question why Governments chose to activate legislation at a particular point in time. You could get the impression that all of these cyber security laws in America about information sharing are about a future requirement, really? More likely the kind of scenario I have detailed above has already created a law breaking situation and these new laws are there to legitimise what might have been happening already – not saying it has just might have been…