Auditors: Pentagon Cyber Budget Has Fuzzy Numbers

Federal auditors have told Pentagon officials to define "cybersecurity" so the military services adopt the same terminology, and by extension, calculate their cyber spending plans in comparable ways. With a clear definition, the department could avoid having to redo the math on its cyber budget, something it was forced to do twice this year.

The order follows the disclosure of fuzzy math in the Defense Department's cyber budget. After Nextgov questioned why the Air Force's $4.6 billion 2012 budget request for cybersecurity was $2.3 billion more than Defense's servicewide spending proposal, Pentagon officials upped their total figure from $2.3 billion to $3.2 billion.

Eventually, a Pentagon spokesperson explained that the service's estimate differed dramatically because the Air Force included "things" that are not typically considered information assurance or cybersecurity.

A Government Accountability Office letter to the House Armed Services Committee on Friday reveals Defense officials provided Congress with a rejiggered sum on yet another occasion.

"During February and March 2011, DOD provided Congress with three different views of its cybersecurity budget estimates for fiscal year 2012 ($2.3 billion, $2.8 billion, and $3.2 billion, respectively) that included different elements of DOD's cybersecurity efforts," wrote Davi M. D'Agostino, GAO director for Defense Capabilities and Management, and Gregory C. Wilshusen, information technology director.

The source of confusion seems to be the department's narrow view of cybersecurity. GAO officials found that the budget excludes offensive operational costs such as computer network exploitation (the infiltration of adversaries' systems for intelligence gathering) and computer network attack (the disruption of enemy networks). In addition, the military has no agreed-upon definitions for all cyber activities.

"In the absence of such definitions, there are differing perspectives on the elements that constitute cyberspace operations in DOD," the GAO officials wrote.

The Pentagon currently is unable to centrally round up information from the services to calculate a single cyber budget estimate. "DOD has operationally merged defensive and offensive cyberspace operations with the creation of U.S. Cyber Command in October 2010, but the department still does not have a designated focal point or methodology for collecting and compiling budget information," the pair added.

In responding to draft findings, Defense officials said they would define what activities are cyber operations and establish a means of accounting for all such activities.