Examining the US Cyber Budget

Jason Healey takes a detailed look at the US federal cybersecurity budget and reaches an important conclusion: the US keeps saying that we need to prioritize defense, but in fact we prioritize attack.

To its credit, this budget does reveal an overall growth in cybersecurity funding of about 5 percent above the fiscal 2019 estimate. However, federal cybersecurity spending on civilian departments like the departments of Homeland Security, State, Treasury and Justice is overshadowed by that going toward the military:

  • The Defense Department’s cyber-related budget is nearly 25 percent higher than the total going to all civilian departments, including the departments of Homeland Security, Treasury and Energy, which not only have to defend their own critical systems but also partner with critical infrastructure to help secure the energy, finance, transportation and health sectors ($9.6 billion compared to $7.8 billion).
  • The funds to support just the headquarters element — that is, not even the operational teams in facilities outside of headquarters — of U.S. Cyber Command are 33 percent higher than all the cyber-related funding to the State Department ($532 million compared to $400 million).
  • Just the increased funding to Defense was 30 percent higher than the total Homeland Security budget to improve the security of federal networks ($909 million compared to $694.1 million).
  • The Defense Department is budgeted two and a half times as much just for cyber operations as the Cybersecurity and Infrastructure Security Agency (CISA), which is nominally in charge of cybersecurity ($3.7 billion compared to $1.47 billion). In fact, the cyber operations budget is higher than the budgets for the CISA, the FBI and the Department of Justice’s National Security Division combined ($3.7 billion compared to $2.21 billion).
  • The Defense Department’s cyber operations have nearly 10 times the funding as the relevant Homeland Security defensive operational element, the National Cybersecurity and Communications Integration Center (NCCIC) ($3.7 billion compared to $371.4 million).
  • The U.S. government budgeted as much on military construction for cyber units as it did for the entirety of Homeland Security ($1.9 billion for each).

We cannot ignore what the money is telling us. The White House and National Cyber Strategy emphasize the need to protect the American people and our way of life, yet the budget does not reflect those values. Rather, the budget clearly shows that the Defense Department is the government’s main priority. Of course, the exact Defense numbers for how much is spent on offense are classified.

Posted on June 15, 2020 at 6:06 AM • 11 Comments

Comments

bobbi June 15, 2020 8:16 AM

The entire “offense versus defense” dichotomy is a false characterization. The overlap between the two is huge, esp when your work has wide scope.

And just because funds are going to DoD doesn’t mean they’re being used on offense; or that even if they’re marked that way, the work done isn’t equally applicable to defensive tech that can be transferred to other departments, via consulting, training, advisories, etc.

Also, having been on the inside of some of this, I can tell you that the problem isn’t money. The problem is talent, and will continue to be as long as the up and coming generations are indoctrinated with an “internationalist” attitude that makes them reluctant to work for their own government.

Doesn’t matter how much money you have to throw at a problem, if you’re unable to hire or retain talent.

wiredog June 15, 2020 9:50 AM

@bobbi,
There’s plenty of talent in the contractor world in the DC area. It just costs a bundle. The outsourcing of work from the government to the contractors has tremendously raised the cost.

Clive Robinson June 15, 2020 10:54 AM

@ wiredog,

    The outsourcing of work from the government to the contractors has tremendously raised the cost.

Exactly the opposite of what the proponents of such “outsourcing” originally claimed it would do…

But it’s similar in industry, where companies claim that they can reduce the cost because they use Indian or Chinese based programmers at one tenth or one hundredth the cost…

Whilst the foreign programmers are almost certainly getting paid a lot lot less than those who are natively located, there are always many more costs involved. Even when you have your own staff that natively speak the foreign languages required the likes of timezones and non native outlook/familiarity makes the job considerably more problematical than it’s worth. To reword the old saying,

    “Sometimes a water cooler meeting is worth a thousand emails”

As for the “embedded programming” side of things, need I say “Internet of Things” as an example of just how badly things can go wrong…

My advice is avoid “distance, time zones and language differences” when outsourcing. Also only outsource code that is not core to a system or program and has very clearly defined interfaces and functionality. Then of course consider the “loss of IP” and the fact you will have to retrain a programmer every time a change is made and those changes in programmers are not under your control via agencies and the like.

Oh and if you are say in the US and your contract programmers are in China, you might wake up one morning 90% of the way through a project to discover it is now illegal to continue because some politician has got a point to prove etc.

Ross Snider June 15, 2020 11:11 AM

This is very similar to the naming of the Defense Department itself. It was once called the “War Department” but was rebranded due to the optics.

It’s indisputably the case that the United States spends much more on offense than defense in nearly every regard, when it comes to security. Here, security is best defined by National Security Presidential Directive 1 (NSPD-1):

“National security includes the defense of the United States of America, protection of our constitutional system of government, and the advancement of United States interests around the globe. National security also depends on America’s opportunity to prosper in the world economy.”

As the world’s sole superpower (though challenged for that title), the United States’ emphasis is on the advancement of its interests around the globe and its opportunity to prosper abroad. With the asymmetry inherent in cyber ($1 million gets you a lot more advancement of interests in offense than measurable risk reduction in defense), it’s not a misallocation to spend more there, especially since the US priorities are far more offensive than defensive to begin with.

I would put this in the bucket of “the public perception and messaging from the federal government is that security means defense, because this helps the system maintain legitimacy – whereas the fact of the matter is that security in this context means offense, because that is what is in the interests of the nation.”

Tony June 15, 2020 4:19 PM

Of course the military budgets are higher. You might be able to buy a cyber-hammer for $12.95 (plus tax). But when the military go to buy one it costs $8372.71

Wesley Parish June 16, 2020 1:28 AM

Well, when things are as amorphous as the Global War on/of Terror proved to be, much as the Vietnam War proved to be, much as US defense of its interests in the Western Hemisphere proved to be – ask any Chilean about US Defense of Democracy in Chile, 7th September 1973 and you’ll get a dissertation-length explanation of why substituting an elected president for an unelected dictator by way of a CIA-funded coup did not advance democracy in the Western Hemisphere so much as butcher it …

When you’ve grown up with this sort of thing going on, you soon begin to ask “Who is that funny little man behind the curtain?”

Of course Uncle Sam can’t get his act together. When he’s too scared to find out just how much he’s spending on defense, of course he’ll never know if he’s actually doing anything even remotely intelligible by his spending. Simple Home Economics 101.

myliit June 16, 2020 3:13 AM

It is hard to have good national security, of course, if a major security risk is at the top of the executive branch (our President).

MikeA June 16, 2020 11:11 AM

@Tony — About that cyberhammer…

I recall (UseNet days) reading a story (true? Who knows, but it rang true to many who had dealt with government procurement) allegedly from a junior engineer on another famous case, the $LUDICROUS_PRICE coffee maker for the latest flying boondoggle.

It seems our correspondent noticed that the contract had referenced the wrong specification. Or perhaps sub-specification. Rather than calling for the referenced equipment to survive rather extreme acceleration in all directions, it called for the equipment to be capable of operating under that set of conditions.

That’s right, Uncle Sam had (inadvertently? who knows, maybe some ex-general had a friend in the custom-coffee business, but I’d go with “cock up”) asked for a device that could Brew Coffee during combat maneuvers (including inverted flight).

Jr. Engineer brought this to their superior’s attention, and learned something about defense contracting: “If we call this to their attention, they will probably revise it, and that will call for bidding to be re-opened, and WE MIGHT NOT KEEP THE CONTRACT!” And the contract was “Cost Plus”, so the cost would not damage corporate profits.

So, our hero did what they were told and designed what would probably be an impressive bit of their CV, if they were allowed to mention it. One can imagine it was a bit more expensive than the usual coffee-maker.

Clive Robinson June 16, 2020 1:54 PM

@ MikeA,

    … designed what would probably be an impressive bit of their CV, if…

A number of us have such holes in our C.V. What really surprises me these days is the C.V.s up on LinkedIn and it’s like where shall we say the holes are way way too shallow…

What galls though is seeing work you did and ideas you invented still having to be kept “secret” even though some other idiot has claimed discovery nearly two decades later… And worse gets granted a ludicrous patent on it.

Trust me when I say the “civil servants” package is really not worth it[1] as you have to “eat dirt” for at least forty years to get a worthwhile pension… I realised just about in time what a racket it was and got the heck out of that boondoggle.

Not being nasty but apart from frontline staff most civil service jobs are not for anyone who has any ability. Many such jobs are for the meek and/or mild who are happy to be at best a very very small cog in a vast machine that mostly serves little purpose other than for psychopathic empire builders. If you are lucky job satisfaction comes when you get the “Happy Retirement” card because you were lucky enough to be in a part of the civil service that did not get moved several hundred miles for political reasons thus you kept your job.

[1] Oh in the back of Peter Wright’s “Spy Catcher” is a good explanation of the system not playing fair with people’s pensions, just because the government think they can, then finding out some people do not agree thus take other measures to get the money they should have been paid… Apparently it caused UK Prime Minister “Mad Maggie” Thatcher to get in rather more than a spin, which I guess makes it all the more fun 😉

Wesley Parish June 17, 2020 6:13 AM

All apologies, brain fart. I meant the 9/11 coup in Chile, 1973. (Isn’t “Defense” such a wonderful word!?! Amongst other things it means that government is never accountable, because Defense. A bit rough if your country started its independent existence because of a previous regime’s lack of accountability, but that’s the way the Evil Empire crumbles… )

Wesley Parish June 17, 2020 10:12 PM

Just to add icing to the cake (remember their song, “Sheep go to heaven, goats … go to hell!”?)

If you’re despairing at staff sharing admin passwords, look on the bright side. That’s CIA-grade security
https://www.theregister.com/2020/06/16/cia_report_vault_7_leak/

Don’t just take our word for it. An internal CIA report into the embarrassing affair came to much the same conclusion: Uncle Sam’s snoops lost control of at least 180GB of hacking tools and documentation, which ended up in the lap of WikiLeaks, due to lax security. From shared admin passwords to no limitations on removable storage, the agency broke or snubbed virtually every rule in the book.

That, my dear American relations, friends, serfs, and wageslaves, is your tax-payer dollars at work. Hard at work.

“While Congress exempted the intelligence community from the requirement to implement the Department of Homeland Security’s cybersecurity directives, Congress did so reasonably expecting that intelligence agencies that have been entrusted with our nation’s most valuable secrets would of course go above and beyond the steps taken by the rest of the government to secure their systems,” Wyden said.

It’s called entitlement. It’s why the Thirteen Colonies seceded from the United Kingdom in the first place.
