Air Force Academy Cadets take part in a cyber defense activity.

Air Force Academy Cadets take part in a cyber defense activity. U.S. Air Force photo/Raymond McCoy

Why the Pentagon's Cybersecurity Dollars Don't Add Up

This is not the first time the Pentagon has had difficulty labeling its cyber investments.

For at least the past four years, the Pentagon has struggled to count up how much defense spending goes toward a "thing" called cybersecurity.

Vocabulary plays a part, but also there are Defense Department organizational issues contributing to the murkiness of what this year's $5.5 billion “cyber” investment will buy. And it all adds up to trouble planning cyber tactics, as adversarial nation states sharpen their own cyber know-how, according to budget analysts. 

When funding is allocated to cyber, that is “also in essence defining . . . who is in charge of those assets, those operations, those decisions," said Peter Singer, an author and strategist at the New America Foundation. It's "the age-old question of who is in charge of” cybersecurity?  

Cyber budget numbers are squishy, partly, because authority over the cyber mission is fragmented -- split among Cyber Command, the Defense Information Systems Agency and the various military services. The command has been tasked with overseeing all network protection activities and offensive cyberstrikes. 

Earlier this month, in an initial Pentagon budget chart, it appeared 2015 CYBERCOM funding was labeled as a single line item, leading one to believe spending would sizably spike this year -- by 92 percent, when in fact it will slightly drop.

An amended chart now shows other accounts would contain an unspecified number of CYBERCOM dollars. And those other accounts will be pared back, resulting in an overall net decrease of 7 percent.

The military does not have a single line item for Cyber Command, according to DOD. 

This is not the first time the Pentagon has experienced challenges labeling cyber investments.

In 2011, Defense revised its departmentwide cyber budget upward by about $1 billion between February and March of that year, ultimately requesting $3.2 billion.

While this was happening, the Air Force was informing the public and lawmakers its own service was requesting $4.6 billion. Department-level officials eventually explained that the Air Force's figure differed from their own calculation ($440 million) because the service's estimation included "things" not typically considered information assurance or cybersecurity.

As for the 2015 mixup, Pentagon officials said the first table did not provide a snapshot of Cyber Command's complete funding, but the updated one now does.

There Might Never Be a Single Line Item

In general, “Fluctuations in the amount requested have been a function of large one-time costs” associated with military construction and the formation of Cyber Mission Forces “offset by changes during enactment,” including adjustments mandated by Congress, across-the-board spending cuts and "reprogramming actions," spokeswoman Lt. Col. Valerie Henderson told Nextgov.

The expectation was always that CYBERCOM would help centralize planning and operations. However, "much of the budget authority still belongs with the individual services," said Todd Harrison, a defense researcher at the Center for Strategic and Budgetary Assessments.

Another issue that's been a headache for upper management: As hack attacks intensify and network defense becomes a higher-priority investment, projects purporting to involve data security are angling for cyber money.

Programs are "relabeling themselves 'cyber' because they see that as a way to better access budget funding," Singer said.

And then there's the decades-long difficulty of defining exactly what is "cyber" -- a point he makes in the book "Cybersecurity and Cyberwar: What Everyone Needs to Know" and recently spotlighted by a Wall Street Journal article about overuse of the prefix

Defense officials acknowledge that calculating cyber spending continues to be an issue -- and they are working on the math. 

"Much of the challenge can be attributed to the complexities and continuing maturation of the cyber domain," Henderson said. The current (and first) official Pentagon definition of "cyberspace," written in a 2013 joint publication, guides fiscal budget requests. 


The publication’s glossary defines cyberspace as "a global domain within the information environment consisting of the interdependent networks of information technology infrastructures and resident data, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers." 

Some major investments are easy to identify as cyber assets, such as, for example, CYBERCOM mission forces and so-called public key infrastructure, which is technology that secures digital communications. 

But other investments are part and parcel of traditional budget items, like agency information technology contracts. This, it seems, is where labeling becomes subjective.

These expenditures require the program owner "to clearly identify and separate the cyber-related investment of that program from non-cyber investments," Henderson said.

"The bottom line is that the cyberspace operations budget reflects a cooperative effort among the DOD components to ensure that all funding associated with the department's many cyber efforts are identified and included in the cyberspace operations budget," he added.

But what's to stop every combat system from claiming to be a cyber program? Under soon-to-be-released weapons-buying cyber guidelines, “if it’s a missile that’s designed to be cybersecure, does that fall under cybersecurity products?" Singer ruminated. 

What’s the ROI?

The upshot here is that cybersecurity decision-makers have little visibility into inventories or even network war-fighting capabilities. 

Murky budgeting "makes it hard to do an audit of what you are, and are not spending, and therefore what you ought to be spending more on and less of, etc.,” Singer added.

But keep in mind, the U.S. government "isn't good at doing audits for regular things, and stuff, in the Pentagon budget, let alone the cyber stuff," he said.

Regardless, it translates into a problem deriving return on investment as far as military power.  

"When you add one person or add a dollar or take away one person or take one dollar how does it affect your actual capability? What’s the balance here?" Singer questioned.

No one has a good answer. "Maybe this is an exponential world where if I increase my budget by 1 percent, I get a 10 or 100 percent gain in capability -- or maybe it’s when I increase my budget by 10 percent I actually only get a .05 percent gain in capability,” he wondered aloud.

Those types of computations are doable with physical people and weapons, but the military hasn't found a formula for cyber.

"And until we can do that, we don’t have a good way of figuring out just how much we need to spend and what are the consequences of spending more or less year by year budget by budget,” Singer said.

It’s believed the United States has the best hacking chops for now, but military intelligence points to China, Russia, Iran and North Korea honing their cyber skills on U.S. networks.

The Chinese government recently acknowledged it has units dedicated to assaulting computer networks, some of which are responsible for numerous of attacks on American corporations, government agencies and dissidents, according to the Daily Beast

The network exploitation abilities of China and Russia, which is accused of targeting American power companies, are close runners-up to the U.S. in cyber supremacy. Among the emerging threats in cyberspace are alleged Iranian hackers adept at busting life-critical systems and North Korean attackers nimble at data destruction. 

Defense officials are examining techniques to improve the accounting of cyber expenses.

"As our cyber budgeting matures, the department must conduct additional analysis to determine beneficial steps to be taken to improve visibility of cyber resources," Henderson said. 

One possible way to delineate what is and is not deserving of cyber funding hearkens back to a McNamara-era methodology. In the 1960s, Defense broke up the budget into functional areas called Major Force Programs. This was done so planners could analyze, at a high level, how much money was supporting each mission.  

"The MFPs used today are virtually unchanged from the 1960s and are in dire need of updating," Harrison said (see p.101). "You’ll notice that there is no MFP category for cyber, but perhaps there should be. This would be the most logical way to begin capturing all cyber-related funding in the budget."

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.