Defense funding for cybersecurity is hard to pin down
Confusion over terminology and agency roles suggests serious procurement challenges, observers say.
How much does the military plan to spend on cybersecurity next year?
The answer depends on whom you ask and when.
In mid-February, the White House proposed spending $2.3 billion on cybersecurity at the Defense Department in the release of its 2012 budget request. Simultaneously, Air Force officials announced their cybersecurity request would be $4.6 billion. The Army and Defense Information Systems Agency referred inquiries about their proposed cyber spending to department-level officials. Navy officials said they could not provide a top-line budget figure, since funding that supports Navy cybersecurity activities is scattered across several line items, as well as multiple programs, organizations and commands.
On March 21, in response to a query from Nextgov , Pentagon officials said the original $2.3 billion figure covers all Defense components. On March 23, officials amended that response and provided a higher total -- $3.2 billion -- to reflect the cost of information assurance "program elements" at individual agencies and services, plus activities typically not defined as information assurance that are critical to the military's overall cyber stance.
"When people can't even agree about the most basic terminology, you know there is going to be a lot of confusion," said Noah Shachtman, a nonresident fellow at the Brookings Institution and a contributing editor at Wired magazine. "The chances there aren't billions of dollars in redundancies are slim to none and slim is out of town."
The area surrounding "cybersecurity" funding is gray, given that procedures to protect computers against attack are constantly changing as technology advances, say some observers. Still, the various interpretations of cybersecurity spending translate into real-world financial and national security costs, budget and technology experts note.
"The flaws in the definitions will follow into the procurement cycle and you will end up with the government buying maybe what it doesn't need," said Robert Burton, who served as the top career federal procurement official in the White House Office of Federal Procurement Policy during the George W. Bush administration. Fuzzy cybersecurity budgets likely will result in contract solicitations that contain ambiguous requirements for safeguarding federal networks, he said.
For instance, according to Air Force budget documents , the service's $4.6 billion cybersecurity funding request includes money "to maintain and sustain critical cyberspace capabilities," such as the development of one combined network that can manage information flow among air, space and terrestrial environments. "These migrations streamline and improve security, lower operational costs and standardize the system so airmen can access the network anytime, anyplace," wrote Maj. Gen. Alfred K. Flowers, Air Force deputy assistant secretary for budget.
For more details about how that money would be spent by the military services and Defense agencies, click here .
Department-level officials explained that the Air Force's cyber figure differs from their own Air Force cyber calculation -- pegged at $440 million -- because the service's estimation includes "things" that are not typically considered information assurance or cybersecurity, a department spokeswoman said.
"This is a perfect example of 'What are we spending money for? It's unclear,'" said Burton, now a partner at the law firm Venable LLP in Washington. "Until that's well-defined, you don't really know what the money is going for." There might or might not be duplication in cyber spending across the department's agencies and services because each is characterizing cybersecurity funding differently, he added.
Defense spokeswoman April Cunningham said in an email, "The Air Force included things that we, [at the department's office of the chief information officer] categorize as IT infrastructure, or other activities -- not directly information assurance." According to the department, information assurance consists of five programs, including public key infrastructure, or digital certificates, as well as defense industrial base cybersecurity for private sector assets that support the military.
Cunningham said activities at the Air Force and other services that Defense considers to be "information assurance-cybersecurity" are captured in the total $3.2 billion figure. Based on this formula, the Army is requesting $432 million and the Navy $347 million. Defense agencies -- including DISA, the National Security Agency and the Defense Advanced Research Projects Agency -- are asking for a cumulative $1.6 billion. Details on proposed cyber spending at all Pentagon components are shared with Congress in a classified budget book, she said.
The department's revised request also includes funding for noninformation assurance activities that are integral to the military's cyber posture, specifically cyber operations, security innovations and forensics, Cunningham said. For example, the budget assigns $159 million to the relatively new U.S. Cyber Command, and distributes $258 million among science and technology investments targeted at cyber tools. In addition, some of the proposed funding goes toward a new partnership with the Homeland Security Department, which oversees civilian cyber operations.
Any way you measure it, Defense funding for cybersecurity dwarfs that of Homeland Security. The fiscal 2012 budget for DHS information security is $936 million.
"All of this stuff is still really mushy," Shachtman said. Further obscuring visibility into the budget is the fact that some cybersecurity funding is classified at Defense components such as the NSA. Meanwhile, Cyber Command presents a new spending variable, he noted.
"Exactly where the NSA ends and the Cyber Command ends is a very open question," Shachtman said. "How the Cyber Command is supposed to interact with the services is still being worked out." He predicted it will take years to untangle the process of budgeting for federal computer security.
One way to align spending a bit might be through so-called strategic sourcing, or consolidating purchases across agencies for certain types of services, Burton suggested. The approach is intended to drive down the cost of commonly purchased items by leveraging the Obama administration's buying power.
"A governmentwide strategic procurement strategy is really what they need to focus on because I do think the taxpayers will benefit greatly," he said.
NEXT STORY: Cybersecurity Ecosystem: The Future?