The December 2022 issue of IEEE Spectrum is here!

Close bar

Fuzzy Math Obscures Pentagon's Cybersecurity Spending

The U.S. military's cybersecurity budgets make it tough to gauge the effectiveness of such spending

3 min read
Fuzzy Math Obscures Pentagon's Cybersecurity Spending
Illustration: Getty Images

U.S. military spending has increasingly focused on cybersecurity in recent years. But some fuzzy math and the fact that funding is spread out among many military services makes it tough to figure out exactly how much money is going toward cybersecurity. That in turn makes it difficult to understand whether each dollar spent really improves the U.S. military’s cyber capabilities.

The U.S. military plans to invest an estimated $5.5 billion in cybersecurity for 2015. But such “cyber budget numbers are squishy” in part because authority over the military’s cyber mission is split among many different organizations and military services, according to a Nextgov analysis. Budget analysts also point to confusion in how certain military services define cybersecurity spending within their individual budgets.

The lack of central authority over the military’s overall cybersecurity spending and some unclear budgetary definitions of what counts as cybersecurity could complicate efforts to assess the effectiveness of military spending on cybersecurity, said Peter Singer, coauthor of “Cybersecurity and Cyberwar” and the upcoming novel “Ghost Fleet.” In an interview with IEEE Spectrum, he added:

“This is the next stage. You can no longer keep using the terms ‘cyber 9/11’ or ‘cyber wake-up call.’ That discourse has passed. If you’re still using that discourse, you’re well behind the times. Now is the time for serious conversation; that’s what comes with creating organizations. Now we get to questions of how do we know we’re spending effectively on cybersecurity.”

In 2010, the Pentagon created the U.S. Cyber Command, also known as CYBERCOM, as a central organization that could coordinate cyber warriors from the Army, Navy, Air Force and other military branches starting in 2010. Cyber Command is located at Fort Meade, Maryland, next door to the National Security Agency. Both organizations are led by Admiral Michael Rogers, a Navy officer who wears two hats as commander of CYBERCOM and director of the NSA.

But Cyber Command does not have a single line item for its budget, because its funding comes from multiple sources. That proved a recipe for confusion when a Pentagon budget chart gave the initial impression that Cyber Command’s projected 2015 budget was growing by 92 percent,  according to Nextgov. In fact the budget represented a 7 percent cut compared to the previous year.

To add to the confusion, Cyber Command’s projected budget of $509 million represents just one piece of the U.S. military’s estimated $5.5 billion investment in cybersecurity. That overall number seems to have risen over the past several years. But it’s tough to tell exactly what defense dollars are being spent on because different military organizations and services define cybersecurity differently. For instance, a report by the Federation of American Scientists pointed out that the U.S. military’s cybersecurity spending appeared to increase by $1 billion from 2013 to 2014, but added the cautionary note that “this increase may reflect changes in how DOD programmatic elements have defined ‘cybersecurity’ programs.”

In another example, the U.S. Air Force submitted a $4.6 billion cybersecurity funding request in 2011. That represented a 10-fold inflation of the U.S. Department of Defense’s own estimate of the Air Force cybersecurity figure as being $440 million. Defense officials explained that the Air Force estimate included “things” that are not typically considered cybersecurity.

Part of that difference in defining cybersecurity within budgets may simply come from internal reorganization of military personnel and resources, explained Singer, a strategist and senior fellow at the New America Foundation, a nonprofit think tank in Washington, D.C. Other cases may involve military officials relabeling certain programs as “cyber” because that boosts their chances of getting funding. “You have some relabeling for political and budgetary purposes,” said Singer.

It’s natural for the U.S. military to “keep piling people and money” into Cyber Command and other cybersecurity initiatives as it builds up its capabilities, Singer said. But he added that the military and policymakers need to be able to understand whether military cybersecurity spending is getting the bang for the buck in terms of capability. Does raising the budget 1 percent lead to a 1 percent gain in capability? 10 percent? 100 percent? Or has it reached the point of diminishing returns where it just leads to 0.5 percent gain in capability?

There is also the question of what cyber capabilities the U.S. military should focus on funding for research and development (R&D) in cybersecurity. R&D accounts for approximately $1 billion of the military’s overall $5.5 billion projected budget for cybersecurity. Until now, U.S. military spending has heavily favored R&D efforts aimed at developing offensive cyber capabilities such as Stuxnet, the computer virus that targeted Iran’s nuclear program and was discovered in 2010.

But Singer prefers rebalancing the U.S. military’s R&D spending in favor of developing breakthroughs or game-changers in cyber defense. He pointed out that the U.S. currently has a huge strategic vulnerability as the country that is perhaps most vulnerable to cyber attacks; boosting U.S. cyber defenses could make a big differences. By comparison, the U.S. military already possesses some of the most advanced physical and cyber capabilities for attacking enemies around the world. Developing “Stuxnet 2.0” might only represent a relatively minor increase in offensive capability.

“If we’re look for more gamechangers, we’d get more out of being less vulnerable than by being a bit better at reaching out and attacking enemies,” Singer said.

The Conversation (0)

Metamaterials Could Solve One of 6G’s Big Problems

There’s plenty of bandwidth available if we use reconfigurable intelligent surfaces

12 min read
An illustration depicting cellphone users at street level in a city, with wireless signals reaching them via reflecting surfaces.

Ground level in a typical urban canyon, shielded by tall buildings, will be inaccessible to some 6G frequencies. Deft placement of reconfigurable intelligent surfaces [yellow] will enable the signals to pervade these areas.

Chris Philpot

For all the tumultuous revolution in wireless technology over the past several decades, there have been a couple of constants. One is the overcrowding of radio bands, and the other is the move to escape that congestion by exploiting higher and higher frequencies. And today, as engineers roll out 5G and plan for 6G wireless, they find themselves at a crossroads: After years of designing superefficient transmitters and receivers, and of compensating for the signal losses at the end points of a radio channel, they’re beginning to realize that they are approaching the practical limits of transmitter and receiver efficiency. From now on, to get high performance as we go to higher frequencies, we will need to engineer the wireless channel itself. But how can we possibly engineer and control a wireless environment, which is determined by a host of factors, many of them random and therefore unpredictable?

Perhaps the most promising solution, right now, is to use reconfigurable intelligent surfaces. These are planar structures typically ranging in size from about 100 square centimeters to about 5 square meters or more, depending on the frequency and other factors. These surfaces use advanced substances called metamaterials to reflect and refract electromagnetic waves. Thin two-dimensional metamaterials, known as metasurfaces, can be designed to sense the local electromagnetic environment and tune the wave’s key properties, such as its amplitude, phase, and polarization, as the wave is reflected or refracted by the surface. So as the waves fall on such a surface, it can alter the incident waves’ direction so as to strengthen the channel. In fact, these metasurfaces can be programmed to make these changes dynamically, reconfiguring the signal in real time in response to changes in the wireless channel. Think of reconfigurable intelligent surfaces as the next evolution of the repeater concept.

Keep Reading ↓Show less