Fuzzy Math Obscures Pentagon's Cybersecurity Spending

The U.S. military's cybersecurity budgets make it tough to gauge the effectiveness of such spending


U.S. military spending has increasingly focused on cybersecurity in recent years. But some fuzzy math and the fact that funding is spread out among many military services make it tough to figure out exactly how much money is going toward cybersecurity. That in turn makes it difficult to understand whether each dollar spent really improves the U.S. military’s cyber capabilities.

The U.S. military plans to invest an estimated $5.5 billion in cybersecurity for 2015. But such “cyber budget numbers are squishy” in part because authority over the military’s cyber mission is split among many different organizations and military services, according to a Nextgov analysis. Budget analysts also point to confusion in how certain military services define cybersecurity spending within their individual budgets.

The lack of central authority over the military’s overall cybersecurity spending and some unclear budgetary definitions of what counts as cybersecurity could complicate efforts to assess the effectiveness of military spending on cybersecurity, said Peter Singer, coauthor of “Cybersecurity and Cyberwar” and the upcoming novel “Ghost Fleet.” In an interview with IEEE Spectrum, he added:

“This is the next stage. You can no longer keep using the terms ‘cyber 9/11’ or ‘cyber wake-up call.’ That discourse has passed. If you’re still using that discourse, you’re well behind the times. Now is the time for serious conversation; that’s what comes with creating organizations. Now we get to questions of how do we know we’re spending effectively on cybersecurity.”

In 2010, the Pentagon created the U.S. Cyber Command, also known as CYBERCOM, as a central organization that could coordinate cyber warriors from the Army, Navy, Air Force and other military branches. Cyber Command is located at Fort Meade, Maryland, next door to the National Security Agency. Both organizations are led by Admiral Michael Rogers, a Navy officer who wears two hats as commander of CYBERCOM and director of the NSA.

But Cyber Command does not have a single line item for its budget, because its funding comes from multiple sources. That proved a recipe for confusion when a Pentagon budget chart gave the initial impression that Cyber Command’s projected 2015 budget was growing by 92 percent, according to Nextgov. In fact, the budget represented a 7 percent cut compared to the previous year.

To add to the confusion, Cyber Command’s projected budget of $509 million represents just one piece of the U.S. military’s estimated $5.5 billion investment in cybersecurity. That overall number seems to have risen over the past several years. But it’s tough to tell exactly what defense dollars are being spent on because different military organizations and services define cybersecurity differently. For instance, a report by the Federation of American Scientists pointed out that the U.S. military’s cybersecurity spending appeared to increase by $1 billion from 2013 to 2014, but added the cautionary note that “this increase may reflect changes in how DOD programmatic elements have defined ‘cybersecurity’ programs.”

In another example, the U.S. Air Force submitted a $4.6 billion cybersecurity funding request in 2011. That represented a 10-fold inflation of the U.S. Department of Defense’s own estimate of the Air Force cybersecurity figure as being $440 million. Defense officials explained that the Air Force estimate included “things” that are not typically considered cybersecurity.

Part of that difference in defining cybersecurity within budgets may simply come from internal reorganization of military personnel and resources, explained Singer, a strategist and senior fellow at the New America Foundation, a nonprofit think tank in Washington, D.C. Other cases may involve military officials relabeling certain programs as “cyber” because that boosts their chances of getting funding. “You have some relabeling for political and budgetary purposes,” said Singer.

It’s natural for the U.S. military to “keep piling people and money” into Cyber Command and other cybersecurity initiatives as it builds up its capabilities, Singer said. But he added that the military and policymakers need to be able to understand whether military cybersecurity spending is getting the bang for the buck in terms of capability. Does raising the budget 1 percent lead to a 1 percent gain in capability? 10 percent? 100 percent? Or has it reached the point of diminishing returns where it just leads to a 0.5 percent gain in capability?

There is also the question of which cyber capabilities the U.S. military should focus on when funding research and development (R&D) in cybersecurity. R&D accounts for approximately $1 billion of the military’s overall $5.5 billion projected budget for cybersecurity. Until now, U.S. military spending has heavily favored R&D efforts aimed at developing offensive cyber capabilities such as Stuxnet, the computer virus that targeted Iran’s nuclear program and was discovered in 2010.

But Singer prefers rebalancing the U.S. military’s R&D spending in favor of developing breakthroughs or game-changers in cyber defense. He pointed out that the U.S. currently has a huge strategic vulnerability as the country that is perhaps most vulnerable to cyber attacks; boosting U.S. cyber defenses could make a big difference. By comparison, the U.S. military already possesses some of the most advanced physical and cyber capabilities for attacking enemies around the world. Developing “Stuxnet 2.0” might only represent a relatively minor increase in offensive capability.

“If we’re looking for more gamechangers, we’d get more out of being less vulnerable than by being a bit better at reaching out and attacking enemies,” Singer said.
