Costs of Security

Interesting blog post on the security costs for the $50B Air Force bomber program -- estimated to be $8B. This isn't all computer security, but the original article specifically calls out Chinese computer espionage as a primary threat.

Posted on April 20, 2011 at 6:31 AM • 27 Comments

Comments

Danny MoulesApril 20, 2011 6:56 AM

The original article throws that statement in at the last second without any rationale. I can't see any evidence or justification for what is a strong statement.

Extraordinary claims require extraordinary evidence... and this doesn't have any.

Anyone have any good citations this article might have used?

keithApril 20, 2011 9:01 AM

It shoots it's self as a goo docnsidered peice when it puts the estimate average cost cost of all of the SAP security overhead as being directly attributable to chinese APT:
"That means, for this program alone, the APT costs the US taxpayer $8 billion."

Does the writer really believe that without the current 'info' on APT attacks that there would be no need for SAP? I don't think any one would resonably make that step.

Slaps forhead and thinks:
“Wow, typical mainstream press idiocy.”

GreenSquirrelApril 20, 2011 10:11 AM

Ah, so the threat of Chinese espionage added to the costs of security pushing it to $8bn.

It must be a real threat then....

Its not like any security related company would be willing to some profit scalping now, is it?

Dirk PraetApril 20, 2011 10:14 AM

Some may be underestimating size, impact and costs of the new China/APT/cyberwar scare, but Richard Bejtlich is definitely on the side of those whom I think are seriously overestimating it. Maybe we should just all hand over our pay cheques to the military and security industries right away and be happy with the food coupons we get in return so a month later we can still do the same. Ask not what your country can do for you, ask what you can do for your country.

Dirk PraetApril 20, 2011 1:17 PM

@ BF Skinner

I already had a minor Twitter discussion on the issue with him a short while ago, beit nowhere near the recent flamewar on Cryptbin between @kaepora, @ioerror and @bleidl 8-)

Richard Steven HackApril 20, 2011 2:21 PM

The original article explicitly says that all personnel involved have to be security vetted to work on the plane. By definition, that is where probably 90% of that $8 billion comes from. Certainly a huge percentage is the cost of security vetting the workers. The cost of security at the facilities researching and building it is probably increased over other facilities as well.

In other words, as usual, personnel and facilities costs far outweigh computer security costs.

Bejtlich in my view has no intellectual honesty. He's pushing this stuff for one reason and one only - he expects to get PR for it which translates into consulting money. Either that or he's simply a right winger who hates China.

Clive RobinsonApril 20, 2011 3:22 PM

Err I can see how the 50Billion guestimate comes about and I can see that 20% uplift to this figure for SAP would have made the prior cost 41.666..Billion but the difference between the two is not 8Billion, it's actually 333.3..Million more than 8Billion.

That nit picking asside, however I can not see how the need for SAP is 100% or even remotly close to it attributable to APT supposadly originating from China.

Surely for such a stratigic project SAP would have been a defacto requirment very early on probably even pre-dating the current "China APT" bruhar.

Sorry but to me this looks like another "get more funding" put up job.

That being said I do think China is a threat but economicaly not militarily.

As for the APT well I'm sorry if the US military and their contractors cannot figure out the required solution to the problem, well what hope is there for the rest of us?

Sarcasm aside sure APT is a nuisance, but it is not a "world stopping" issue, and there are known methods of dealing with it, nearly all of which have been known for a long time. Sure they might inconveniance a few people but not greatly so.

That being said even if China were a potential military threat, what is known about their current arms and armaments is not exactly exciting reading. With few exceptions their equipment is conventional and changed little from the cold war days. So not the sort of high tech offensive or deffensive armaments that would require ordinary stealth, let alone this next round of "Stealth Plus" (c).

Which raises the question about this half trillion dollars and the "super dupper wizzo stealth pluss" it is supposadly buying, who is the enemy that this technology is a must have for?

The only justification I can think of for it is to preemptivly strike at another Super Powers land based Nuclear capability. [Which if it is for this makes it a dangerous destabalising element, the sort the Rand Corperation identified as being likley to actually cause an early first strike attack by a potential enemy on the "use it or lose it" principle].

Back in old Europe we have one or two high end fighter aircraft that have been jointly developed. Although the more recent designs have had stealth consideration taken during their design they are not anywhere near the level of "stealth" of the US first "Stealth Fighter".

Why not?.. well it appears that after due consideration by the various European Nations military thinkers and stratagists they considered that stealth at that level was an unnessassary encumbrance to capability (they opted to reduce the radar and IR profiles). Further that the future enemy the aircraft would go up against would not have a sufficiently overwhelming defense capability that might give stealth the advantage over the compramise to the aircrafts payload etc capability...

That was before considering the expense and other problems arising from "stealth".

If anyone out there knows who this highly advanced and capable enemy is that makes this extra level of "Stealth Pluss" an absolute necessity, I for one would be interested to know.

Finaly some approximate figure to consider,

1) the US military spend is well over twenty times that of the Chinese in almost all areas.

2) The Chinese security spending is such that they spend twice as much on internal security as they do on external security.

3) The US security spending is such that they spend well over twice as much on external security as the do over internal security.

4) China's aproximate investment in the US economy is 3trillion dollars and it's rising.

Based on those figures in which area is China more of a threat to the US economic or military?

Nick PApril 20, 2011 3:50 PM

@ Clive Robinson

Nice points. On economic vs military, I've been saying that for a while. They got their fingers in so many cookie jars that we'd loose out on a lot if we went to war with them. There's also many Chinese over here that could cause us headaches in one form or another. I'm sure a small percentage of them are subversives.

As for internal vs external, I don't know China's numbers. I do agree that the US spends more on external security programs. Most of the Type 1 crypto and the high assurance software systems all explicitly or implicitly trust their operators to not try to circumvent the security policy in a significant way. It's outsiders that get the high assurance defensive treatment.

The wikileaks cables and war documents say it all about their internal security: they lost that much data and the only way they caught the leak was when he confessed. They need to have another look at their *internal* controls.

George C. ScottApril 20, 2011 11:17 PM

"APT costs the US taxpayer $8 billion?"

There's a glaring logical flaw here. This money wasn't spent on recovering from an APT attack. This was money used to safeguard against one. Assuming his figures make sense (and even that's a bit of a jump) it's SAP that costs the US Taxpayer, not APTs.

Look beneath the surface: what's actually going on here is that you have a former military officer who is trying to create the perception of a threat that justifies a set of preconceived solutions. The defense industry wants to move into new markets and as Bruce has pointed out time and time again, the way that we frame the issue of security on the internet will determine how we deal with it.

RobertTApril 21, 2011 1:24 AM

Move along crowds, nothin' to see around here, just some enterprising lads making payroll. Now if there was any morality underlying DOD contracting they'd be trying to make parole, but that's a totally different discussion.

Nick PApril 21, 2011 2:22 AM

@ George C. Scott

You're absolutely right. I'm always extra cautious when I see buzzwords like APT or "cyberwar" thrown around. Usually, there's someone who wants to embed the idea into the public consciousness to make some serious profit.

The security costs of a SAP program are comprehensive. They cover the huge digital, personnel and physical costs of security against a wide range of threats. They also pay plenty of attention to threats like tamper-resistant logistics and collusion of malicious insiders that most commercial and government projects don't focus on much, if at all.

APT is just another label for scareware purposes. SAP, like any real high grade security scheme, provides risk management involving tradeoffs and many countermeasures against real, often specific, threats. They look at all the areas where they might be hit and try to defend against as many risks as they can without stopping the critical work from getting done. I'll be surprised if any SAP security program designers even thought about the term 'APT' during the course of their work.

The report did give me one nice piece of new information: that the security costs of an SAP program were 20%. That sounds like a really nice cost percentage for the level of security gained. One would think SAP-level security would be doubling or tripling costs like we so often hear for just TEMPEST protection on PC components. Instead, *all* of the advanced security just added a fifth to the cost of the project. Military security approaches are rarely optimized for cost efficiency, so I think numbers for a commercial project might be MUCH better albeit with a lower security profile due to lack of government-only technologies.

GreenSquirrelApril 21, 2011 5:14 AM

@ Clive

"Sorry but to me this looks like another "get more funding" put up job."

arent they all?

Clive RobinsonApril 21, 2011 6:11 AM

@ GreenSquirrel,

"arent they all?"

Welll... yes but there are degrees.

If you are quoting for a job it's normal to put in a contingency for inflation of materials. Likewise if the spec is a little loose (and mot are) a contingency for extra man hours at double rate.

On other jobs you would need other contingencies, but importantly you don't "over egg the pudding" otherwise you could find yourself not getting any work or even paid or worse getting a law suite to fight.

However claiming the 8billion SAP cost is just due to APT is not "over egging the pudding", it's burying it under the entire world annual output of chicken 5hit... And it stinks worse than an equivalent quantity of chicken "rag meat" that's been left out long enough to become a serious health hazard.

Richard Steven HackApril 21, 2011 4:03 PM

I'm upping my original offer to take out bin Laden for one billion in advance.

Give me eight billion in advance and I'll take out China! Such a deal I offer you!

Nick PApril 21, 2011 4:53 PM

@ Richard Steven Hack

The bin Laden quote is safe, assuming you get him before me. ;) But, I'd warn against going to war with China: the Chinese people, military and organized crime (Triads) would be gunning for you all at once. I don't think that would be a winnable situation if our side had Batman, Iron Man, Green Hornet and the Watmen (excluding Dr Manhattan) altogether.

They'd just kill us and make money shorting our stock. ;)

kashmarekApril 21, 2011 5:42 PM

Classical themes from the terrorist security complex (or terrorist industrial complex or security industrial complex). I am scared, boohoo, give me money for nothing and I won't be scared anymore.

Dirk PraetApril 21, 2011 7:25 PM

@ Nick P.

I don't agree. Taking out China would probably require nothing more than a guy called Jacques Clouseau of the French Sûreté. Alternatively, getting a number of Belgian top politicians elected there would equally cause the country to come to a grinding halt and implode.

Nick PApril 22, 2011 12:09 AM

@ dirk praet

Haha probably. Belgiums war record indicates they are perfect for leading the Chinese soldiers to their doom. They are just too peaceful for their own good some times.

Davi OttenheimerApril 22, 2011 1:12 AM

"the original article specifically calls out Chinese computer espionage as a primary threat"

well, i'm happy to see the reaction in the comments above. i guess we have to get used to the fact that some camps (bejtlich or lewis or cheney) are going to keep pushing to find a link to china...i guess they don't care that "the chinese are coming" sirens followed by "because i said so" gets old fast.

the funny thing is bejtlich is more than capable of providing a rock-solid root cause analysis. so the lack of connected dots and evidence from him, of all people, just makes his post that much less satisfying.

Dirk PraetApril 22, 2011 10:56 AM

@ Richard Steven Hack

"Give me eight billion in advance and I'll take out China! Such a deal I offer you!"

I don't know. Wouldn't we rather buy the presidency with such funding ? Hey, wait a minute ...

Nick PApril 22, 2011 7:59 PM

@ Dirk Praet

I think the going rate is $1 billion for a campaign. So, 8 billion could buy the president, vice president, and a few key congressman. Or the Supreme Court, which is more powerful. Hey, Justice, let's play "Who wants to be a BILLIONAIRE!"

BrianSJApril 23, 2011 4:56 AM

An earlier article by Bill Sweetman provides invaluable context http://is.gd/NVpboX
The F-16 took big chunks off both cost and timescale by minimising security, but that was John Boyd practising what he preached about OODA loops.

Clive RobinsonApril 24, 2011 4:59 AM

Another write up on APT that (supposedly) comes from China, this time from Federal Comp Weekly,

http://fcw.com/articles/2011/04/25/...

It raises (but then fails to answer) questions about the actors, their sponsors, their raison d'etr and indirectly their modus operandi.

Importantly although it mentioned Russia as a state actor who has recently had "agents" deported home from US soil it fails to talk about if they are involved with cyber espionage.

I'm assuming that Russia is involved heavily with cyber espionage which begs the question how come we don't get to hear about it (except as cyber crime)?

Are we to assume that for some reason the Chinese are sufficiently inept that we are catching their activities and the Russians so good we are not?

Or are we to draw other conclusions as to why the US is focusing so hard on China?

Clive RobinsonApril 24, 2011 10:12 AM

I've just been over to Mr Bejtlich's site to pot a comment on there.

And guess what it gives up an error message saying I must have both "javascript" and "cookies" enabled...

I guess I won't be visiting there again.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..