Sponsored by Spectra Cyber Security Solutions
29 Mar 17. 90 percent of federal cyber budget used for offensive ops. When WikiLeaks founder Julian Assange disclosed earlier this month that his anti-secrecy group had obtained CIA tools for hacking into technology products made by U.S. companies, security engineers at Cisco Systems swung into action.
The Wikileaks documents described how the CIA had learned more than a year ago how to exploit flaws in Cisco’s widely used internet switches, which direct electronic traffic, to enable eavesdropping.
Senior Cisco managers immediately reassigned staff from other projects to figure out how the CIA hacking tricks worked, so they could help customers patch their systems and prevent criminal hackers or spies from using the same methods, three employees told Reuters on condition of anonymity.
The Cisco engineers worked around the clock for days to analyze the means of attack, create fixes and craft a stopgap warning about a security risk affecting more than 300 different products, said the employees, who had direct knowledge of the effort.
That a major U.S. company had to rely on WikiLeaks to learn about security problems well-known to U.S. intelligence agencies underscores concerns expressed by dozens of current and former U.S. intelligence and security officials about the government’s approach to cybersecurity.
That policy overwhelmingly emphasizes offensive cybersecurity capabilities over defensive measures, these people told Reuters, even as an increasing number of U.S. organizations have been hit by hacks attributed to foreign governments.
Across the federal government, about 90 percent of all spending on cyber programs is dedicated to offensive efforts, including penetrating the computer systems of adversaries, listening to communications and developing the means to disable or degrade infrastructure, senior intelligence officials told Reuters.
Larry Pfeiffer, a former senior director of the White House Situation Room in the Obama administration, said now that others were catching up to the United States in their cyber capabilities, “maybe it is time to take a pause and fully consider the ramifications of what we’re doing.”
U.S. intelligence agencies blamed Russia for the hack of the Democratic National Committee during the 2016 election. Nation-states are also believed to be behind the 2014 hack of Sony Pictures Entertainment and the 2015 breach of the U.S. Government’s Office of Personnel Management.
CIA spokeswoman Heather Fritz Horniak declined to comment on the Cisco case, but said it was the agency’s “job to be innovative, cutting-edge and the first line of defense in protecting this country from enemies abroad.”
The Office of the Director of National Intelligence, which oversees the CIA and NSA, referred questions to the White House, which declined to comment.
President Donald Trump’s budget proposal would put about $1.5bn into cybersecurity defense at the Department of Homeland Security. Private industry and the military also spend money to protect themselves.
But the secret part of the U.S. intelligence budget alone totaled about $50bn annually as of 2013, documents leaked by NSA contractor Edward Snowden show. Just 8 percent of that figure went toward “enhanced cyber security,” while 72 percent was dedicated to collecting strategic intelligence and fighting violent extremism.
Departing NSA Deputy Director Rick Ledgett confirmed in an interview that 90 percent of government cyber spending was on offensive efforts and agreed it was lopsided.
“It’s actually something we’re trying to address” with more appropriations in the military budget, Ledgett said. “As the cyber threat rises, the need for more and better cyber defense and information assurance is increasing as well.”
The long-standing emphasis on offense stems in part from the mission of the