The Defense Department "does not yet have an overarching budget estimate for full-spectrum cyberspace operations including computer network attack, computer network exploitation, and classified funding," according to the Government Accountability Office.
In a just-released letter to House Armed Services emerging threats and capabilities subcommittee Chairman Mac Thornberry (R-TX) and Ranking Member Jim Langevin (D-RI), GAO provides a "final briefing" on the Pentagon's cyber and information assurance budget for fiscal year 2012 and the future years defense program. Specifically:
During February and March 2011, DOD provided Congress with three different views of its cybersecurity budget estimates for fiscal year 2012 ($2.3 billion, $2.8 billion, and $3.2 billion, respectively) that included different elements of DOD's cybersecurity efforts. The three budget views are largely related to the Defense-wide Information Assurance Program and do not include all full-spectrum cyber operation costs, such as computer network exploitation and computer network attack, which are funded through classified programs from the national intelligence and military intelligence program budgets.
DOD's ability to develop an overarching budget estimate for full-spectrum cyberspace operations has been challenged by the absence of clear, agreed-upon departmentwide budget definitions and program elements for full-spectrum cyberspace operations and the absence of a central organization or a methodology for collecting and compiling budget information on cyberspace operations.
With regard to the first issue, DOD has defined some key cyber-related terms but it has not yet fully identified the specific types of operations and program elements that are associated with full-spectrum cyberspace operations for budgeting purposes. In the absence of such definitions, there are differing perspectives on the elements that constitute cyberspace operations in DOD. DOD's "Financial Management Regulation" established steps for budget submission requirements and for reporting information technology and information assurance programs to Congress, including identifying the activities that constitute information assurance. Although computer network defense is included in the list of information assurance activities, computer network attack and computer network exploitation, which are part of full-spectrum cyberspace operations, are not accounted for in this regulation.
Concerning the second issue, DOD has operationally merged defensive and offensive cyberspace operations with the creation of U.S. Cyber Command in October 2010, but the department still does not have a designated focal point or methodology for collecting and compiling budget information on full-spectrum cyberspace operations across the department. U.S. Cyber Command has recognized that the department must incorporate integrated defensive and offensive cyberspace operations into all planning efforts.
Consequently, GAO recommends the defense secretary take the following actions to improve its "ability to develop and provide consistent and complete budget estimates for cyberspace operations across the department":
(1) Direct the Under Secretary of Defense for Policy, in coordination with the Chairman of the Joint Chiefs of Staff, U.S. Cyber Command, and other organizations as appropriate, to develop and document cyberspace-related definitions, including identifying specific activities and program elements, for purposes of budgeting for full-spectrum cyberspace operations, that will be used and accepted department-wide. They should also establish a time frame for completing these actions.
(2) Designate a single focal point to develop a methodology and provide a single, department-wide budget estimate and detailed spending data for full-spectrum cyberspace operations (to include computer network defense, attack, and exploitation), including unclassified funding as well as classified data from the military intelligence and national intelligence programs and any other programs, as appropriate.
Today's letter comes on the heels of a related GAO assessment released earlier this week, which stated that the Pentagon is in a global cyberspace crisis as foreign nations and hackers continue to exploit department networks to further their personal objectives, Inside the Air Force reported this morning. Further:
The auditors recommend that DOD more fully assess cyber-specific capability gaps and develop a plan for addressing them, according to the report released July 25. The GAO also recommends that DOD establish a time frame on whether to complete a separate joint cyberspace publication and one for updating the existing body of at least 16 joint publications.
U.S. Strategic Command (STRATCOM) has stated that DOD's cyber workforce is undersized and unprepared to meet the current threat, according to the GAO report.
"The Department of Defense (DOD) alone depends on 7 million computer devices, linked on over 10,000 networks with satellite gateways and commercial circuits that are composed of innumerable devices and components," the GAO report states. "The threat to DOD computer networks is thus substantial, and the potential for sabotage and destruction is present."