This letter discusses the Department of Defense’s (DOD) cyber and information assurance budget for fiscal year 2012 and future years defense spending. The objectives of this review were to (1) assess the extent to which DOD has prepared an overarching budget estimate for full-spectrum cyberspace operations across the department; and (2) identify the challenges DOD has faced in providing such estimates.
The President has identified the cyber threat as one of the most serious national security challenges that the nation faces. In February 2011 the Deputy Secretary of Defense said that more than 100 foreign intelligence agencies have tried to breach DOD computer networks, and that one was successful in breaching networks containing classified information.
To aid its efforts in countering cyberspace threats, DOD established the U.S. Cyber Command in 2010 and is currently undertaking department-wide efforts to defend against cyber threats.
DOD has defined some key cyber-related terms.
- Cyberspace operations [are] defined as the employment of cyber capabilities where the primary purpose is to achieve military objectives or effects in or through cyberspace. Such operations include computer network operations and activities to operate and defend the global information grid.
- U.S. Cyber Command defines full-spectrum cyber operations as the employment of the full range of cyberspace operations to support combatant command operational requirements and the defense of DOD information networks. This includes efforts such as computer network defense, computer network attack, and computer network exploitation.
- Computer network defense is defined as actions taken to protect, monitor, analyze, detect, and respond to unauthorized activity within DOD information systems and computer networks.
- Computer network attack is defined as actions taken to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves.
- Computer network exploitation is defined as enabling operations and intelligence collection capabilities conducted through the use of computer networks to gather data from target or adversary automated information systems or networks.
- Information assurance is defined as measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and nonrepudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.
DOD has planned and budgeted for information assurance programs for fiscal year 2012 and has projected future years’ spending for these programs. However, DOD does not yet have an overarching budget estimate for full-spectrum cyberspace operations including computer network attack, computer network exploitation, and classified funding.
During February and March 2011, DOD provided Congress with three different views of its cybersecurity budget estimates for fiscal year 2012 ($2.3 billion, $2.8 billion, and $3.2 billion, respectively) that included different elements of DOD’s cybersecurity efforts.
The three budget views are largely related to the Defense-wide Information Assurance Program and do not include all full-spectrum cyber operation costs, such as computer network exploitation and computer network attack, which are funded through classified programs from the national intelligence and military intelligence program budgets.
DOD’s ability to develop an overarching budget estimate for full-spectrum cyberspace operations has been challenged by the absence of clear, agreed-upon department-wide budget definitions and program elements for full-spectrum cyberspace operations and the absence of a central organization or a methodology for collecting and compiling budget information on cyberspace operations.
With regard to the first issue, DOD has defined some key cyber-related terms but it has not yet fully identified the specific types of operations and program elements that are associated with full-spectrum cyberspace operations for budgeting purposes. In the absence of such definitions, there are differing perspectives on the elements that constitute cyberspace operations in DOD.
DOD’s “Financial Management Regulation” established steps for budget submission requirements and for reporting information technology and information assurance programs to Congress, including identifying the activities that constitute information assurance. Although computer network defense is included in the list of information assurance activities, computer network attack and computer network exploitation, which are part of full-spectrum cyberspace operations, are not accounted for in this regulation.
Concerning the second issue, DOD has operationally merged defensive and offensive cyberspace operations with the creation of U.S. Cyber Command in October 2010, but the department still does not have a designated focal point or methodology for collecting and compiling budget information on full-spectrum cyberspace operations across the department. U.S. Cyber Command has recognized that the department must incorporate integrated defensive and offensive cyberspace operations into all planning efforts.
To improve DOD’s ability to develop and provide consistent and complete budget estimates for cyberspace operations across the department, we recommend that the Secretary of Defense take the following actions:
- (1) Direct the Under Secretary of Defense for Policy, in coordination with the Chairman of the Joint Chiefs of Staff, U.S. Cyber Command, and other organizations as appropriate, to develop and document cyberspace-related definitions, including identifying specific activities and program elements, for purposes of budgeting for full-spectrum cyberspace operations, that will be used and accepted department-wide. They should also establish a time frame for completing these actions.
- (2) Designate a single focal point to develop a methodology and provide a single, department-wide budget estimate and detailed spending data for full-spectrum cyberspace operations (to include computer network defense, attack, and exploitation), including unclassified funding as well as classified data from the military intelligence and national intelligence programs and any other programs, as appropriate.