recommended reading

Defense funding for cybersecurity is hard to pin down

How much does the military plan to spend on cybersecurity next year?

The answer depends on whom you ask and when.

In mid-February, the White House proposed spending $2.3 billion on cybersecurity at the Defense Department in the release of its 2012 budget request. Simultaneously, Air Force officials announced their cybersecurity request would be $4.6 billion. The Army and Defense Information Systems Agency referred inquiries about their proposed cyber spending to department-level officials. Navy officials said they could not provide a top-line budget figure, since funding that supports Navy cybersecurity activities is scattered across several line items, as well as multiple programs, organizations and commands.

On March 21, in response to a query from Nextgov, Pentagon officials said the original $2.3 billion figure covers all Defense components. On March 23, officials amended that response and provided a higher total -- $3.2 billion -- to reflect the cost of information assurance "program elements" at individual agencies and services, plus activities typically not defined as information assurance that are critical to the military's overall cyber stance.

"When people can't even agree about the most basic terminology, you know there is going to be a lot of confusion," said Noah Shachtman, a nonresident fellow at the Brookings Institution and a contributing editor at Wired magazine. "The chances there aren't billions of dollars in redundancies are slim to none and slim is out of town."

The area surrounding "cybersecurity" funding is gray, given that procedures to protect computers against attack are constantly changing as technology advances, say some observers. Still, the various interpretations of cybersecurity spending translate into real-world financial and national security costs, budget and technology experts note.

"The flaws in the definitions will follow into the procurement cycle and you will end up with the government buying maybe what it doesn't need," said Robert Burton, who served as the top career federal procurement official in the White House Office of Federal Procurement Policy during the George W. Bush administration. Fuzzy cybersecurity budgets likely will result in contract solicitations that contain ambiguous requirements for safeguarding federal networks, he said.

For instance, according to Air Force budget documents, the service's $4.6 billion cybersecurity funding request includes money "to maintain and sustain critical cyberspace capabilities," such as the development of one combined network that can manage information flow among air, space and terrestrial environments. "These migrations streamline and improve security, lower operational costs and standardize the system so airmen can access the network anytime, anyplace," wrote Maj. Gen. Alfred K. Flowers, Air Force deputy assistant secretary for budget.

Source: Defense Department

For more details about how that money would be spent by the military services and Defense agencies, click here.

Department-level officials explained that the Air Force's cyber figure differs from their own Air Force cyber calculation -- pegged at $440 million -- because the service's estimation includes "things" that are not typically considered information assurance or cybersecurity, a department spokeswoman said.

"This is a perfect example of 'What are we spending money for? It's unclear,'" said Burton, now a partner at the law firm Venable LLP in Washington. "Until that's well-defined, you don't really know what the money is going for." There might or might not be duplication in cyber spending across the department's agencies and services because each is characterizing cybersecurity funding differently, he added.

Defense spokeswoman April Cunningham said in an email, "The Air Force included things that we, [at the department's office of the chief information officer] categorize as IT infrastructure, or other activities -- not directly information assurance." According to the department, information assurance consists of five programs, including public key infrastructure, or digital certificates, as well as defense industrial base cybersecurity for private sector assets that support the military.

Cunningham said activities at the Air Force and other services that Defense considers to be "information assurance-cybersecurity" are captured in the total $3.2 billion figure. Based on this formula, the Army is requesting $432 million and the Navy $347 million. Defense agencies -- including DISA, the National Security Agency and the Defense Advanced Research Projects Agency -- are asking for a cumulative $1.6 billion. Details on proposed cyber spending at all Pentagon components are shared with Congress in a classified budget book, she said.

The department's revised request also includes funding for noninformation assurance activities that are integral to the military's cyber posture, specifically cyber operations, security innovations and forensics, Cunningham said. For example, the budget assigns $159 million to the relatively new U.S. Cyber Command, and distributes $258 million among science and technology investments targeted at cyber tools. In addition, some of the proposed funding goes toward a new partnership with the Homeland Security Department, which oversees civilian cyber operations.

Any way you measure it, Defense funding for cybersecurity dwarfs that of Homeland Security. The fiscal 2012 budget for DHS information security is $936 million.

"All of this stuff is still really mushy," Shachtman said. Further obscuring visibility into the budget is the fact that some cybersecurity funding is classified at Defense components such as the NSA. Meanwhile, Cyber Command presents a new spending variable, he noted.

"Exactly where the NSA ends and the Cyber Command ends is a very open question," Shachtman said. "How the Cyber Command is supposed to interact with the services is still being worked out." He predicted it will take years to untangle the process of budgeting for federal computer security.

One way to align spending a bit might be through so-called strategic sourcing, or consolidating purchases across agencies for certain types of services, Burton suggested. The approach is intended to drive down the cost of commonly purchased items by leveraging the Obama administration's buying power.

"A governmentwide strategic procurement strategy is really what they need to focus on because I do think the taxpayers will benefit greatly," he said.

Threatwatch Alert

Spear-phishing

Google Chrome Update Addresses Super Sneaky URL Trick

See threatwatch report

JOIN THE DISCUSSION

Close [ x ] More from Nextgov
 
 

Thank you for subscribing to newsletters from Nextgov.com.
We think these reports might interest you:

  • Modernizing IT for Mission Success

    Surveying Federal and Defense Leaders on Priorities and Challenges at the Tactical Edge

    Download
  • Communicating Innovation in Federal Government

    Federal Government spending on ‘obsolete technology’ continues to increase. Supporting the twin pillars of improved digital service delivery for citizens on the one hand, and the increasingly optimized and flexible working practices for federal employees on the other, are neither easy nor inexpensive tasks. This whitepaper explores how federal agencies can leverage the value of existing agency technology assets while offering IT leaders the ability to implement the kind of employee productivity, citizen service improvements and security demanded by federal oversight.

    Download
  • Effective Ransomware Response

    This whitepaper provides an overview and understanding of ransomware and how to successfully combat it.

    Download
  • Forecasting Cloud's Future

    Conversations with Federal, State, and Local Technology Leaders on Cloud-Driven Digital Transformation

    Download
  • IT Transformation Trends: Flash Storage as a Strategic IT Asset

    MIT Technology Review: Flash Storage As a Strategic IT Asset For the first time in decades, IT leaders now consider all-flash storage as a strategic IT asset. IT has become a new operating model that enables self-service with high performance, density and resiliency. It also offers the self-service agility of the public cloud combined with the security, performance, and cost-effectiveness of a private cloud. Download this MIT Technology Review paper to learn more about how all-flash storage is transforming the data center.

    Download

When you download a report, your information may be shared with the underwriters of that document.