FAILED CYBER SECURITY INDUSTRIAL COMPLEX
Cyber Security Industrial Complex has failed
INTRODUCTION
The United States Cyber Security Industrial Complex (CSIC) has failed the United States Government, the Private Sector, and the American and Global Citizen.
Also, CSIC has dramatically failed the incredible women and men Cyber Warfare Warriors who work tirelessly in the Cyber War trenches across the private sector, the United States Government Agencies, and US Military Agencies and Departments. CSIC has failed them by not providing adequate leadership, training, tools, innovation, and in many cases support during organizational Cyber battles. These warriors span the spectrum of the Cyber Security Universe and include numerous Cyber roles, such as password reset administrators, help desk staff, architects, engineers, managers and directors.
We have been at Cyber War every single day for a solid 15 years. Overall, it has been a faceless non-kinetic war (kinetic being when things blow up). It is a terrorist guerrilla war fought in the deep shadows, and it is very hard for most people to understand this kind of vicious war. It is only a matter of time before this war kills people by shutting down vital services like nuclear power plants, or suddenly escalates up the conventional war ladder to a physical war between nation states.
We based the CSIC foundation on a famous statement made by President Eisenhower. We derived the concept and even some principles from Ike's famous reflection on the threats to our country from the rapidly expanding Military Industrial Complex. President Eisenhower described the Military-Industrial Complex in his farewell speech on January 17, 1961, when he said:
"In the councils of government, we must guard against the acquisition of unwarranted influence, whether sought or unsought, by the military-industrial complex. The potential for the disastrous rise of misplaced power exists, and will persist."
If Ike were alive today and reflected on the Cyber Warfare mess that we are now experiencing, I bet he would see a Cyber Warfare and Cyber Security Industry that has created a national problem, and that looming issue is the failure of the Cyber Security Industrial Complex and the threats the failure has allowed to penetrate the United States Government and Society.
This paper will address three main CSIC areas:
1. What is the Cyber Security Industrial Complex
2. How and why has the Cyber Security Industrial Complex failed
3. Fixing the Cyber Security Industrial Complex
What is the Cyber Security Industrial Complex?
CSIC, by its very nature, is a loosely orchestrated jungle land that has been growing as Cyber threats have escalated into an all-out invisible but very real Cyber War. CSIC has a host of parts that are not truly legislated, regulated and governed. There are a host of "things" that provide mostly toothless compliance requirements for various private sector and government organizations. First and foremost are the mostly pointless and ineffective Presidential Executive Orders (EO) concerning Cyber issues, which tell us generally how to fix an issue without providing the tools, tactics and funding to fix the problem. Some other examples of this poorly orchestrated oversight include lightweight Cyber Certifications, Sarbanes Oxley, Gramm Leach Bliley, GSOC 1 and 2, the Risk Management Framework, Payment Card Industry, the Federal Information System Controls Audit Manual (FISCAM), the Federal Information Security Management Act (FISMA), and the tons and tons of military documents defining how to perform Cyber Security tasks. These are some examples of the maddening challenge of operating a Cyber Security program and identifying, predicting, preventing, detecting, responding to and recovering from the millions of Cyber attacks launched by very well equipped Cyber enemy forces. The bottom line: protecting the United States from Cyber attacks is a hodgepodge crap shoot.
Some of the better oversight organizations include the United States Government Accountability Office (GAO), the Federal Risk and Authorization Management Program (FedRAMP), the DISA Approved Product List and the Cybersecurity and Infrastructure Security Agency (CISA). And look what the government did to CISA: it fired Chris Krebs, its outstanding leader and technologist. Some would argue that the National Institute of Standards and Technology (NIST) has created superb governance and technical guidance for the government to use in the Cyber War. Yes, NIST has produced volumes and volumes of "Special Studies". However, they are extremely cumbersome documents to use and thus lose their ability to influence Cyber management.
In fact, in November, I used the CISA instructions concerning EO 13800 on implementing supply chain controls for software creation and deployment to build an extensive Supply Chain Risk Management Strategy for the Department of Agriculture (USDA), and I used the GAO reports on USDA risk management to help USDA focus on building its Cyber Security risk management program.
“President Trump issued Executive Order 13800, Strengthening the Cyber Security of Federal Networks and Critical Infrastructure on May 11, 2017, to improve the Nation’s Cyber posture and capabilities in the face of intensifying Cyber Security threats. EO 13800 focuses Federal efforts on modernizing Federal information technology infrastructure, working with state and local government and private sector partners to more fully secure critical infrastructure, and collaborating with foreign allies.”
Despite some efforts, chest pounding, multiple Executive Order Declarations and supposed regulatory rules, the CSIC jungle land is not truly integrated and formalized into a comprehensive, structured technical, governance, process, procedure and risk management framework. CSIC is in essence a Hobbesian lawless environment that needs government regulation, controls and oversight, just as the government provides various infrastructure specifications and guidance. The CSIC has developed and sold to the Government and private sector tools that cannot detect and prevent major Cyber breaches. Yet companies like Tenable, Booz Allen, Science Applications International, Symantec, CrowdStrike, MITRE, RSA, and multiple other CSIC vendors easily sell their products and services and charge the taxpayer countless millions and even billions for their services. But they are not penalized when products and services do not work as advertised.
Billions of taxpayer and corporate funds have fed the CSIC, which has produced rudimentary Cyber defensive technology that often does not perform as advertised and has become extremely complex. The CSIC also provides thousands of contractors for whom the CSIC charges billions of dollars in labor fees. Many of these contractors do not have the skill sets needed to match the billions of dollars the government pays them. The CSIC does not have a true incentive to "get it right" as it has made fortunes providing Cyber Security services and tools, and multiple versions of these tools, that do not perform. As Ike indicated, this is a dangerous situation in that the vendors are never really penalized for poor performance and they continue to wield extraordinary influence on the government in relation to managing our country's treasures. Yes, they might lose a contract, but they really should be held accountable, fined, and banned from government contracts. Has any government agency done forensics on the obvious failure of mismanagement in the SolarWinds attack, all successful ransomware attacks, etc., etc.?
Why the Cyber Security Industrial Complex has Failed
In modern terms, the toothless Cyber Security Industrial Complex we now have reflects President Eisenhower's concern about an industry controlling too much of the strategy and doctrine of warfare, now Cyber warfare. Governments and the Private Sector have spent billions of dollars buying Voodoo Cyber Security Tools and have paid billions of dollars to contractors to come to their organizations and try and fail to create Cyber Security witchcraft and sell magic Cyber Security potions to inexperienced and ineffective Cyber Security leaders. While some of us have cried for years about the future of Cyber attacks and the massive social, economic and political impact a failed Cyber threat identification, prediction, prevention, detection, response and recovery culture would have, others just did not understand the warnings and ignored them ... and here we are.
I could list thousands of successful, egregious hacks and attacks that have happened in the last 30 years of the ongoing Cyber Warfare environment that is everywhere and nowhere. Please, to God, everyone, wake up: we are at war and have been for years. A silent war that baffles most people, but a war with devastating consequences that could escalate to nuclear war. Please see my Cyber nuclear escalation paper at https://www.academia.edu/30591206/Cyber_Warfare_Escalation_to_Nuclear_Warfare
There is no need to list the attacks as they are widely publicized in the news on 3 June 2021. And I can guarantee you that in some very near future we will see a host of Russian, Chinese, Iranian and other Cyber miscreants merge a global, layered and multi-pronged attack against the United States, let's say on 25 December 2021. This attack will wipe out our core monitoring systems and then obliterate more of our national infrastructure, shut down power grids, transportation and water supply, and even freeze a nuclear plant into a rapid meltdown. As we have seen with the multiple ransomware attacks, the Cyber criminals can do this.
By the way, many of the ransomware attacks could have been predicted and prevented if Cyber teams had the tools and talent to do so.
Someone or some agency must blast us out of the Cyber brain freeze we are in from drinking too much freezing Cyber Kool-Aid. Yes, we have been at this for 30 years, and it continues to blow me away that we have poorly managed Cyber tools, architectures, risk management, processes, and procedures essentially the same way in those 30 years across the entire spectrum of Cyber Conflict, with expectations that the redefinition and remarketing of these ancient solutions will create new and different results ... yet SOLARWINDS! Is the definition of crazy constantly repeating bad behaviors while expecting a different outcome each time? Yes, the vast amount of time, money and resources we have thrown at this has blunted some attacks. But relatively basic supply chain hacks and now basic cloud hacks are significantly increasing, and why? Lack of great Cyber engineers, innovators, architects and leaders who have in-the-weeds experience. (BTW, there are great men and women out there, just not enough of them.) And those capable of leading us out of this mess do not get hired or are quickly fired. We can keep going with this train of thought, but let me offer one personal insight. See my above paper "Cyber Escalation to Nuclear War". One would think the USA would address each escalatory problem, but it has not done so. So, if we are not addressing these significant issues, then how can we address all other CSIC dysfunctions?
Here are some reasons for a failing CSIC:
1. We have let the United States Cyber Guard down. This should not have happened, and I suspect many Cyber Warriors might feel this way ... I do!
2. Where is CYBERCOM in this fight? By now, CYBERCOM should have developed and deployed virtual and global tools that shoot down incoming ransomware and other malicious malware attacks. Where the heck are these guys in our fight? They eat hot dogs and use gasoline also.
"United States Cyber Command (USCYBERCOM) is one of the eleven unified combatant commands of the United States Department of Defense (DoD). It unifies the direction of cyberspace operations, strengthens DoD cyberspace capabilities, and integrates and bolsters DoD's cyber expertise. USCYBERCOM was created in mid-2009 at the National Security Agency (NSA) headquarters in Fort George G. Meade, Maryland. It cooperates with NSA networks and has been concurrently headed by the director of the National Security Agency since its inception.[2] While originally created with a defensive mission in mind, it has increasingly been viewed as an offensive force.[2] On 18 August 2017, it was announced that USCYBERCOM would be elevated to the status of a full and independent unified combatant command.[3] This elevation occurred on 4 May 2018."
3. The enemy we face. Dedicated and superbly trained Cyber enemies across the globe are coming for us with enormous vicious velocity. Despite the billions spent on Cyber defense, the Russians, Chinese, North Koreans, hackers for profit, and script kiddies still get in ... and why?
4. Poor standards. Private Cyber consulting and product development are not strictly governed by specific government specifications. RMF and FISMA are barely adequate. FedRAMP is the best but needs to be modernized and automated on a 24 x 7 basis.
5. Inadequate leadership. Cyber Security leadership is often filled by poorly skilled managers, directors and chief information security officers. I have worked with the best of them and with the worst of them. I have seen government CISOs who were good people but woefully unprepared to lead a government Cyber program. But I have also worked with awesome Cyber Program managers who had no Cyber training but ran great programs. There is a Cyber skill and leadership crisis in the Cyber Security Universe.
6. Integrity issues. I have been asked to lie and falsify government documents at TSA, the Army, the Air Force and a major telecoms corporation. I was asked to minimize my military warfighting career at one company working for HHS, which told me it was not important. I resigned after each experience at great personal career and financial loss. I would be happy to discuss these circumstances with any Inspector General (IG) at Army CIO, Air Force CIO, DISA, and CISA.
7. Lack of innovation. Despite exquisite technology taking us to Mars and landing helicopters there, the CSIC components still focus on the same type of solutions and have not truly developed artificial intelligence, big data, Cloud, container and Alien Space Craft level new technical ideas and solutions. Where is the data modernization and Cyber Security Manhattan Project?
8. Low skill levels. Often contractors hire people to fill seats to ensure revenue starts to flow. In many places, as one goes up the leadership pyramid the technical and governance skills seem to significantly diminish ... this is a baffling paradox that must change. This means that organizational leadership does not realize how bad the Cyber Security situation is.
9. Low pay for government Cyber workers. Numerous government Cyber workers bail out for higher paying jobs in industry.
10. Massive Cyber professional burnout. This "battle fatigue" is causing organizations across the government, military and private sector to lose focus. We should have predicted, prevented and detected attacks much faster. SOLARWINDS and the ransomware attacks should not have happened.
11. The CISSP and some other privately developed Cyber certifications are threats to national security.
12. Depending on weak public and privately defined Cyber certifications. Using the Certified Information Systems Security Professional (CISSP) and other non-government-created certifications as the benchmarks to prove that one has the skills and knowledge needed to run a Cyber operation or to engineer or architect Cyber solutions reflects CSIC at its worst. We need to immediately revise the certification requirements and the certifications themselves to start the CSIC healing process.
13. Private certifications allowing Military and Government Personnel advancement. The below chart is a prime example of CSIC as it shows the multiple DoD Cyber Security job levels. The chart shows the certification needed to achieve those levels. Most of the certifications are developed and administered by core private industry parts of the CSIC. The government must intervene and stop this symbiotic blood sucking dependence, as these companies are not audited and held to rigorous standards. Like the Cyber product owners and service vendors, they are motivated mostly by profit and not the defense of the nation. Yes, there are numerous people and customers that understand the mission, but their true mission is profit. They are not held accountable when the gas and meat pipelines fail and thousands of people go without pay and MILLIONS of people go without vital infrastructure services.
How to fix the Cyber Security Industrial Complex Failure
1. Create and implement a Cabinet Cyber Security Secretary. Put a very strong personality and technical expert in this role.
2. Immediately launch a Manhattan-like project to define the future of networks, data transfer, storage, access control and everything else that is used for current communication. Why do we need anything that exists today? We do amazing things on Mars; let's now do them on Earth.
3. Government needs to take control and establish National Cyber Security Specifications.
4. Create extremely effective Information Sharing and Analysis Centers (ISAC). ISACs exist across industry. Some are great and others are not.
5. Legislate government and private sector Cyber rules as we do national highway and tax rules.
6. Show citizens the government is engaged; briefs from CYBERCOM would help.
7. Aggressively track compliance with Executive Orders concerning Cyber.
8. Legislate SOX-like fines and penalties for Cyber non-compliance.
9. Cancel or fix the burgeoning Cyber Security Industrial Complex (CSIC).
10. Create a rigorous Cyber examination for senior Cyber leadership in industry and government, especially CISOs. Make private sector and government Cyber managers and above take the exam. Keep results private, but ensure they take corrective and supplementary training or, upon examination, release them from their responsibilities.
11. Recertify every midlevel and senior Cyber leader in the private and government sectors.
12. Lay off poor Cyber leaders. Great people are doing their best, but many people do not have the leadership, technical and governance skills needed to build and lead Cyber programs.
13. Fine failed Cyber products.
14. Certify all Cyber companies and products as FedRAMP does for CSPs. Use a Cyber Security Maturity Model to rate companies that provide any type of Cyber service.
15. Immediately create new Cyber certifications based on weapon-system-like specifications.
16. Rate private sector and public work for Cyber maturity as we use CMMC to rate third party government vendors.
17. Stop appointing inside-the-Beltway people to lead national Cyber, as we just did in two key positions.
18. Cancel CISSP and other public Cyber certifications as the primary certifications. Right now, reliance on CISSP etc. is a threat to national security. Amazingly, as seen in the chart, it serves as the benchmark cert to qualify government people for high level Cyber jobs.
19. Significantly raise salaries to keep the best in their jobs.
20. Change much of the CISA infrastructure (TIC, CDM, etc.) as we migrate to zero trust.
21. Have weekly Cyber press briefings on Cyber threats and bad actors.
22. Change old-think Cyber technology. Heck, where is the Cyber Container?
23. Delete the RMF and make the RMF idea a truly 24 x 7 system versus a do-it-and-forget system. I am about to publish an RMF alternative I created and used once at TSA.
24. Hire as many ex-military people as possible who have combat and cyber skills. Provide them the mission to protect and lock down your organization and use all military approaches possible. If you do this you will be much safer.
My qualifications to write this: I have had several military and private sector jobs building and managing large government and private sector Cyber organizations.