The development of the National Cybersecurity Initiative also is too secretive, removing a deterrence to attack U.S. networks, Senate committee charges.
The Bush administration's proposal to defend government networks against cyberattacks will cost $17 billion, nearly three times original estimates, and is so secret that it cuts the public out of the debate on the program, according to a Senate report.
Comment on this article in The Forum.The cost of the National Cybersecurity Initiative, a multiagency effort to defend government information systems with strong defenses against cyberattacks, originally was pegged at $6 billion. Because of the increase in cost, the Senate Armed Services Committee recommended in a report that major elements of the project be scaled back "because policy and legal reviews are not complete and because the technology is not mature."
According to the report, the Bush administration has asked for large sums to field parts of the system as a prototype, a proposal that would not gain approval if held to standards enforced in normal acquisition programs. The Defense Department and the National Security Agency consistently find they are short of funds to develop secure versions of commercial information technology systems, the Senate report said. To increase funding for such systems, the committee suggested Defense and NSA levy a 1 percent "tax" on their budgets for information systems to fund what it called "anticipatory development" to adapt new commercial technologies for government use.
This tax, according to the report, would help Defense and NSA avoid requirements shortfalls, such as NSA's needed high-speed Internet protocol encryption capability, which has been held up because of a lack ofresources.
Committee members added they also were concerned that the umbrella cybersecurity program was designed to support programs outside its core mission, such as foreign intelligence collection and analysis.
The secrecy thrown over the cybersecurity initiative removes the possibility that it would act as a deterrent for potential enemies to attack systems, the Senate report noted. The United States should disclose its cyber capabilities in the same way it divulged its nuclear capabilities during the Cold War, when adversaries knew "what capabilities we possessed and the price that adversaries would pay in a real conflict," the report noted. "Some analogous level of disclosure is necessary in the cyber domain."
The committee also noted a disconnect between the bandwidth requirements of key Defense projects such as the Army's Future Combat Systems, which is intended to create a network of sensors, vehicles and systems on the battlefield, with the increased bandwidth demands of intelligence systems, including unmanned aerial vehicles.
The report directed Defense and the Office of the Director of National Intelligence to conduct a review of the departmentand intelligence bandwidth requirements for the next 10 years and report on their findings within a year. The language also directs the Defense secretary and National Intelligence director to establish a process to ensure that the bandwidth requirements for their major acquisition programs will be met before fielding.
The Senate and House versions of the 2009 Defense authorization bills must be approved by both bodies, with differences between the two bills worked out in a joint conference and then signed by the president before the final bill becomes law.