GAO: Hard to Define DoD Cybersecurity Spending
Auditors Question Latest Estimate of $3.2 Billion for FY 2012
Reps. Mac Thornberry, R-Texas, and James Langevin, D-R.I., chairman and ranking member of the House Armed Services Subcommittee on Emerging Threats and Capabilities, asked GAO to examine DoD's cyber and information assurance budget for the coming and future fiscal years.
The letter points out that DoD does not have an overarching budget estimate for full-spectrum cyberspace operations including computer network attack, computer network exploitation and classified funding.
In February and March, DoD provided Congress with three different views of its cybersecurity budget estimates for FY 2012 - $2.3 billion, $2.8 billion and $3.2 billion - that included different elements of DoD's cybersecurity efforts.
Semantics could prove to be one reason for the differences. "DOD's ability to develop an overarching budget estimate ... has been challenged by the absence of clear, agreed-upon departmentwide budget definitions and program elements for full-spectrum cyberspace operations," the GAO letter states.
GAO says DoD has defined some key cyber-related terms but hasn't yet fully identified the specific types of operations and program elements that are associated with full-spectrum cyberspace operations for budgeting purposes. "In the absence of such definitions, there are differing perspectives on the elements that constitute cyberspace operations in DOD," the auditors say.
The absence of a central DoD cybersecurity organization or a methodology for collecting and compiling budget information on cyberspace operations represents another reason DoD's spending plans can't be more precise, GAO says.
Last October, DoD operationally merged defensive and offensive cyberspace operations with the creation of U.S. Cyber Command (Military Stands Up CYBERCOM as Its Latest Command), but the department does not have a designated focal point or methodology to collect and compile budget information on full-spectrum cyberspace operations across the department, the letter states.
The Decentralization Dilemma
The decentralized nature of cybersecurity governance in the department doesn't help. GAO provided this example:
DoD's chief information officer manages the departmentwide information assurance program, a well-developed and structured program that has existed since 1998 and produces standard budget data for the information assurance portion of cyberspace operations. However, this office does not have responsibility for preparing a departmentwide, full-spectrum cyberspace operations budget estimate that includes offensive operations such as computer network attack and exploitation because such activities are associated with multiple program elements that have cyber and non-cyber components.
Except for the Army, the three other branches told GAO they found it difficult to generate complete budget estimates for full-spectrum cyberspace operations that included computer network attack and exploitation. The reason? Historically, computer network attack and exploitation have been a part of classified initiatives involving signals intelligence, information operations and cryptography and, appropriately, have not been identified publicly. These programs are usually funded through classified military intelligence and national intelligence program budgets.
By not including this information in its cyberspace operations budget estimates, GAO contends, DoD and Congress lack a comprehensive view on how money is being spent on cybersecurity.
"In light of the need to confront this serious national security challenge and the fiscal constraints the nation is facing," the auditors say, "it is important that DOD have better visibility of its cyberspace resources so that the department and Congress may prioritize among the program investments needed to defend DoD's computer networks."