It’s an annual puzzle for the Defense Department, congressional appropriators, defense contractors and hackers: Calculating how much money the armed forces should spend on protecting weapons systems and warfighting documents, along with attacking adversary networks, can be like taking a shot in the dark.
Consider, for example, the Air Force fiscal 2017 cyber budget for research, development, testing, and evaluation released earlier this month.
The branch wants to nearly quadruple the current $7.7 million purse for defending networked aircraft, launch systems, satellites and data—requesting $29.4 million next year. In the request, the Air Force has proposed doubling down on funding to disrupt foreign systems, asking for $25 million in 2017 for cyber offensives versus $12.9 million this year.
Air Force officials provided a vague rationale for the figures.
“The additional funding supports the DOD and Air Force cyberspace strategic objectives of increasing cyberspace capabilities,” Air Force spokeswoman Karen Roganov told Nextgov in an email.
Keep in mind these research and development expenditures show just one portion of overall Air Force cyberspace funding, she said. The top-level line item for cyber—$4 billion—reflects measured “increases across the entire spectrum of cyberspace capabilities,” Roganov said.
The inability to publicly say how these billions of cyber dollars will strengthen America’s military breeds cynicism and waste, according to some former Defense Department personnel and experts.
“At some point, the questions will start coming about what it actually means to fly, fight and win in cyberspace,” Robert M. Lee, an active-duty Air Force Cyber Warfare Operations Officer who has led multiple cyberspace intelligence programs, and Thomas Rid, a war studies professor at King’s College, say in their 2014 RUSI Journal article “OMG Cyber!”
The Air Force also has plans to triple spending on cyber espionage. The 2017 cyber intelligence budget requests $18.52 million, up from the 2016 level of $6.57 million. This money would benefit cyber-snooping initiatives across the Pentagon, where the proposed collective cyber budget is $7 billion, Air Force officials said.
The cyber surveillance account “includes activities in cyberspace conducted to gather intelligence that may be required to support future operations, including offensive cyber operations or defensive cyber operations,” Roganov said. These efforts focus “on tactical and operational intelligence and on mapping adversary cyberspace to support military planning.”
A problem of overpromising on cybersecurity permeates the military, the “OMG Cyber!” authors say.
“Key to the effective functioning of military services is OT&E—organization, training and equipment; but the primary output has been ‘HC&C’—hype, confusion and contracts,” Lee and Rid say. “The DOD’s investment strategy leaves a bitter aftertaste for its own operators: money seems to be available in abundance for contracts, but money is tight when it comes to career and skill development.”
To its credit, the Air Force is leading the way among the services in how it produces cyber personnel, the “OMG Cyber!” writers say. The branch’s 2017 funding proposal seems to back their opinion. The billion-dollar Air Force cyber budget would rise by $200 million in 2017, in part, to train offensive and defensive cyber teams. The extra money would also fund “next-generation platforms and strike packages” for the code warriors, Roganov said.
Despite some lack of clarity around potential 2017 cybersecurity dollars, the Pentagon has come a long way over the past five years.
Back in 2011, the White House proposed spending a total of $2.3 billion on cybersecurity for the entire DOD in its 2012 budget request. However, at the time, Air Force officials announced their cybersecurity request would be $4.6 billion.
DOD officials later clarified that the Air Force’s $4.6 billion cyber figure differed from their own $440 million Air Force cyber calculation because the branch’s estimation included “things” not typically considered cybersecurity.