Here is the headline I saw in the Wall Street Journal on March 16, 2017: “The Trump Administration has proposed slashing the budget of the State Department and U.S. Agency for International Development by 31%.” Since then, I have seen absolutely zero commentary on one of the most consequential issues in our national discourse – namely, the cyber security posture of the U.S. State Department, and whether it can reasonably absorb such deep cuts.
If you ask any professional enterprise security executive to identify the worst possible circumstances for effective cyber defense, you will hear three answers: Disgruntled insiders, massive global perimeter dependency, and significant budget cuts. Let’s examine each of these conditions from the perspective of the U.S. State Department in the context of the proposed budget from the White House.
First, the presence of disgruntled insiders is highly predictable. Public criticism, forced change, and a lack of management respect for contributions are the familiar ingredients that produce unhappy campers. Any reasonable person must therefore accept that some portion of existing State Department employees are feeling these pressures. It would thus be ridiculous to not expect pockets of disgruntled staff across all aspects of State. This is a cyber security nightmare.
Second, the massive dependency of the U.S. State Department on a global perimeter is legendary. Stretched across three hundred consulates and embassies, the firewall-based policy enforcement at State is one of the most challenging architectures ever created. Nodes exists in every unusual country in the world, led by diplomats who find it laughable that those geeky security wonks from State should tell them what to do. It’s a complete mess.
Finally – and this is the most important issue, the massive proposed budget cuts recently announced for the U.S. State Department will result in an immediate freeze to security spending. It will cause capable staff to quit, probably escaping to a welcoming cyber security market that will offer big raises. It will result in cutting corners on maintenance contracts, holding off on end-of-life equipment replacement, dissolving contracts with expert contractors, and on and on. I can absolutely guarantee that cyber security posture will plummet. Russia is probably drawing up attack blueprints as I type these words.
Look, I fully understand that some will point to increases in Homeland Security and Defense budgets as compensating controls. I would respectfully offer in response, however, that I am not aware of a single case in the history of cyber security where effective cyber security was provided externally. General Motors, for example, doesn’t cut its design budget and then ask an external group to provide quality. If State relies on DHS and DoD to externally inject cyber security, perhaps through old-fashioned security programs like Einstein, then we should expect nothing but trouble.
We in the cyber security community need to be much noisier about this issue. It is unacceptable that every political debate on budget cuts to civilian agencies, or any other aspect of our government infrastructure, ignores the non-partisan interests of our cyber security community. Regardless of political persuasion, we need to make our voices heard. We need to make sure that anyone considering the full spectrum of implications of budget cuts does not forget that cyber security does not come free. Our work is hard and it requires budget.
I think the bottom line is obvious: When you cut any organization’s budget by 31%, they will get hacked. This is not a controversial statement to cyber security experts, but I wonder if our nation's budget directors ever gave it a thought. If they have not, and I'll bet they haven't, then I consider that sad fact to be the collective fault of the entire cyber security community - and that includes me.