For at least the past four years, the Pentagon has struggled to count up how much defense spending goes toward a “thing” called cybersecurity.
Vocabulary plays a part, but also there are Defense Department organizational issues contributing to the murkiness of what this year’s $5.5 billion “cyber” investment will buy. And it all adds up to trouble planning cyber tactics, as adversarial nation states sharpen their own cyber know-how, according to budget analysts.
When funding is allocated to cyber, that is “also in essence defining … who is in charge of those assets, those operations, those decisions,” said Peter Singer, an author and strategist at the New America Foundation. It’s “the age-old question of who is in charge of” cybersecurity?
Cyber budget numbers are squishy, partly, because authority over the cyber mission is fragmented — split among Cyber Command, the Defense Information Systems Agency and the various military services. The command has been tasked with overseeing all network protection activities and offensive cyberstrikes.
Earlier this month, in an initial Pentagon budget chart, it appeared 2015 CYBERCOM funding was labeled as a single line item, leading one to believe spending would sizably spike this year — by 92 percent, when in fact it will slightly drop.
An amended chart now shows other accounts would contain an unspecified number of CYBERCOM dollars. And those other accounts will be pared back, resulting in an overall net decrease of 7 percent.
The military does not have a single line item for Cyber Command, according to DOD.
This is not the first time the Pentagon has experienced challenges labeling cyber investments.
In 2011, Defense revised its departmentwide cyber budget upward by about $1 billion between February and March of that year, ultimately requesting $3.2 billion.
While this was happening, the Air Force was informing the public and lawmakers its own service was requesting $4.6 billion. Department-level officials eventually explained that the Air Force’s figure differed from their own calculation ($440 million) because the service’s estimation included “things” not typically considered information assurance or cybersecurity.
As for the 2015 mixup, Pentagon officials said the first table did not provide a snapshot of Cyber Command’s complete funding, but the updated one now does.
There Might Never Be a Single Line Item
In general, “Fluctuations in the amount requested have been a function of large one-time costs” associated with military construction and the formation of Cyber Mission Forces “offset by changes during enactment,” including adjustments mandated by Congress, across-the-board spending cuts and “reprogramming actions,” spokeswoman Lt. Col. Valerie Henderson told Nextgov.
The expectation was always that CYBERCOM would help centralize planning and operations. However, “much of the budget authority still belongs with the individual services,” said Todd Harrison, a defense researcher at the Center for Strategic and Budgetary Assessments.
Another issue that’s been a headache for upper management: As hack attacks intensify and network defense becomes a higher-priority investment, projects purporting to involve data security are angling for cyber money.
Programs are “relabeling themselves ‘cyber’ because they see that as a way to better access budget funding,” Singer said.
And then there’s the decades-long difficulty of defining exactly what is “cyber” — a point he makes in the book “Cybersecurity and Cyberwar: What Everyone Needs to Know“ and recently spotlighted by a Wall Street Journal article about overuse of the prefix.
Defense officials acknowledge that calculating cyber spending continues to be an issue — and they are working on the math.
“Much of the challenge can be attributed to the complexities and continuing maturation of the cyber domain,” Henderson said. The current (and first) official Pentagon definition of “cyberspace,” written in a 2013 joint publication, guides fiscal budget requests.
The publication’s glossary defines cyberspace as “a global domain within the information environment consisting of the interdependent networks of information technology infrastructures and resident data, including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.”
Some major investments are easy to identify as cyber assets, such as, for example, CYBERCOM mission forces and so-called public key infrastructure, which is technology that secures digital communications.
But other investments are part and parcel of traditional budget items, like agency information technology contracts. This, it seems, is where labeling becomes subjective.
These expenditures require the program owner “to clearly identify and separate the cyber-related investment of that program from non-cyber investments,” Henderson said.
“The bottom line is that the cyberspace operations budget reflects a cooperative effort among the DOD components to ensure that all funding associated with the department’s many cyber efforts are identified and included in the cyberspace operations budget,” he added.
But what’s to stop every combat system from claiming to be a cyber program? Under soon-to-be-released weapons-buying cyber guidelines, “if it’s a missile that’s designed to be cybersecure, does that fall under cybersecurity products?” Singer ruminated.
What’s the ROI?
The upshot here is that cybersecurity decision-makers have little visibility into inventories or even network war-fighting capabilities.
Murky budgeting “makes it hard to do an audit of what you are, and are not spending, and therefore what you ought to be spending more on and less of, etc.,” Singer added.
But keep in mind, the U.S. government “isn’t good at doing audits for regular things, and stuff, in the Pentagon budget, let alone the cyber stuff,” he said.
Regardless, it translates into a problem deriving return on investment as far as military power.
“When you add one person or add a dollar or take away one person or take one dollar how does it affect your actual capability? What’s the balance here?” Singer questioned.
No one has a good answer. “Maybe this is an exponential world where if I increase my budget by 1 percent, I get a 10 or 100 percent gain in capability — or maybe it’s when I increase my budget by 10 percent I actually only get a .05 percent gain in capability,” he wondered aloud.
Those types of computations are doable with physical people and weapons, but the military hasn’t found a formula for cyber.
“And until we can do that, we don’t have a good way of figuring out just how much we need to spend and what are the consequences of spending more or less year by year budget by budget,” Singer said.
It’s believed the United States has the best hacking chops for now, but military intelligence points to China, Russia, Iran and North Korea honing their cyber skills on U.S. networks.
The Chinese government recently acknowledged it has units dedicated to assaulting computer networks, some of which are responsible for numerous of attacks on American corporations, government agencies and dissidents, according to the Daily Beast.
The network exploitation abilities of China and Russia, which is accused of targeting American power companies, are close runners-up to the U.S. in cyber supremacy. Among the emerging threats in cyberspace are alleged Iranian hackers adept at busting life-critical systems and North Korean attackers nimble at data destruction.
Defense officials are examining techniques to improve the accounting of cyber expenses.
“As our cyber budgeting matures, the department must conduct additional analysis to determine beneficial steps to be taken to improve visibility of cyber resources,” Henderson said.
One possible way to delineate what is and is not deserving of cyber funding hearkens back to a McNamara-era methodology. In the 1960s, Defense broke up the budget into functional areas called Major Force Programs. This was done so planners could analyze, at a high level, how much money was supporting each mission.
“The MFPs used today are virtually unchanged from the 1960s and are in dire need of updating,” Harrison said (see p.101). “You’ll notice that there is no MFP category for cyber, but perhaps there should be. This would be the most logical way to begin capturing all cyber-related funding in the budget.”