Cyber Methodology

Jun 1, 2017

WHAT IS THIS DATABASE?

When it comes to cyber spending, of this much we are sure: The federal government spends a boatload of money. How many billions, Taxpayers for Common Sense can’t say for sure, given the government’s propensity to fold cyber spending into overall programs without a detailed breakdown.

So, what we are presenting here is the best picture we developed from extensive research of government programs. TCS created this database to give the public insight—sometimes penetrating, sometimes not, depending on available government data we could scrub—of what individual federal agencies spend to protect their many cyber secrets.

This database presents information on unclassified federal cyber spending from Fiscal Year 2007 to Fiscal Year 2016. Dollar figures are actual numbers through 2015. Fiscal Year 2016 numbers are estimates included with President Obama’s Fiscal Year 2017 budget request. All figures are in thousands of dollars, and are in current dollars (not adjusted for inflation).

TCS searched publicly available federal budget submissions to Congress and budget justification documents to identify programs included in this database.  Our researchers analyzed those documents to identify individual budget lines that contain programs that the government acknowledges relate to cyber spending. In cases where budget documents were not available in a searchable format, we relied on congressional bills and reports for dollar figures.

We reviewed only public documents. We did not seek out nor did we review any classified or “Sensitive but Unclassified” documents.

Our review of all the Presidential Budget Request documents identified lines that indicated the work included cyber funding.  We know of no way, using only public documents, to determine precisely how much of that money is direct cyber spending.  If we had included only programs with “cyber” in their title, we would have identified only a fraction of the hundreds of lines in this database. Instead, we looked for every instance in which “cyber” is mentioned in the explanatory documentation, or when it was reasonable to infer that such spending would have a significant impact on promoting cybersecurity.

SEARCH TERMS

TCS used the following search terms to identify these budget lines:

– Cyber

– Information technology

– Information assurance

– Network security

– IT security

– Information security

– Chief Information Officer (CIO)

– Program-specific terms that became obvious in some agencies

ORGANIZING THE DATABASE SPREADSHEETS

In many places in this database, the Department of Defense is organized in a way that is more complex, more rigid, and at the same time easier to follow than other federal agencies. Because of deeper congressional oversight of the Pentagon budget, due to its size and as a legacy of budgeting scandals in the 1970s, the budget documents produced by the DoD, related agencies and the military services are more highly detailed and widely available than those of most other federal departments.

The greater detail used to identify budget lines, as well as the many agencies within DoD, means there is far more information about exactly where the money is spent. Therefore, the DoD portion of this database gives more detail than we could identify from unclassified sources for most other agencies.

In order for the data visualization tool to work, all the spreadsheets had to have the same number of columns. For this reason, there are columns for other agencies that are never used, but were needed for the Pentagon numbers.

Another complication in DoD budget documents is that in a small percentage of budget lines the justification document actually does give greater detail on how much of that budget line is devoted to cyber. Unfortunately, this was the exception and not the rule. Again, for the data visualization tool to work the spreadsheets had to handle the budget lines in an identical manner. The data presented reflects the entire budget line. Researchers are able to drill down to the budget justification documents by using the tables to find those instances where cyber spending is quantified within a budget line.

THE HUMBLE MATTER OF PAGE NUMBERING

When using the underlying tables prepared by TCS, researchers will find page numbers noting the range of pages included in the budget justification for a particular line item. These page numbers correspond to the PDF pages and not the numbers at the bottom of document pages.

THE HUMBLE MATTER OF PROGRAM TITLES

This database spans ten fiscal years. In that length of time it is common for the names/titles of programs and line items to change. The line item number or program element number typically remains the same while the words in the title evolve. This database uses only the most current name or title in relation to a specific line item. Therefore, researchers looking back in time at a specific program may find it was called something else in the past.

CONGRESSIONAL RESPONSE TO LACK OF STANDARDIZATION

There is no government-wide standard definition or method of accounting for what qualifies as cyber funding and, therefore, no way to fully track it. The recent Omnibus Appropriations bill for Fiscal Year 2017 shows that congressional appropriations committees recognize the lack of transparency on precise spending on cyber activities–in this case, cyberspace activities:

“While the Service and defense-wide budget justification material, as well as the Department of Defense classified cyberspace activities information technology investments budget justification materials, provide some level of detail, much of the funding is encompassed within larger programs and funding lines, which limits visibility and congressional oversight of requested funding for cyberspace activities specifically.”

Congress goes on to direct the Department of Defense Chief Information Officer to modify budget exhibits relating to cyberspace activities.

We agree and point out that congressional and public oversight across all federal departments would be enhanced with similar modifications to all federal budget documents.

CHIEF INFORMATION OFFICERS

The lack of budgeting symmetry across agencies, noted above, was a real challenge to data standardization. The requirement for a Chief Information Officer (CIO) in federal agencies, beginning in 1996, however, added some level of standardization.

Most cyber activities, particularly when centralized across sub-agencies, fall under each agency’s CIO. As a general rule, we adopted a methodology designed to avoid double counting and the “flavor of the month” phenomenon. But in the case of operations that fall under the authority of the CIO, we adopted the opposite approach, preferring to err on the side of inclusion rather than on the side of caution. We do so because the other IT functions performed by the CIO are very likely to have an impact, either direct or indirect, on the CIO’s cyber activities.

While generally it is the CIO who oversees cyber operations, a few agencies do not have this position. In such cases, it is possible that either the Chief Financial Officer (CFO) or the Office of the Inspector General (OIG) performs this function. When that is the case, we have adopted a narrower approach on what funding we have included because other functions performed by either the CFO or the OIG are considerably less likely to have any impact on providing cybersecurity.

SALARIES AND EXPENSES

For many agencies, cyber operations are essentially service functions, such as auditing, oversight, coordinating interagency activities, and ensuring implementation and compliance with federal guidelines. As a result, funding for cyber activities in many agencies appears as part of “Salaries and Expenses” within a specific program, rather than under “Information Technology” or a similar function. Our database includes those “Salaries and Expenses” budget lines. Cyber funding found under the IT category generally includes hardware upgrades and software-related expenses.

WORKING CAPITAL FUNDS (WCF) IN NON-DoD AGENCIES

In many agencies (other than the Department of Defense), cyber operations are centralized, usually under the Chief Information Officer (CIO). This is particularly true in agencies with numerous sub-agencies (especially small ones), as a way to improve coordination, avoid redundancy, and achieve economies of scale. In such cases, sub-agencies adopt essentially a “fee for service” approach, contributing to a central fund that supports cyber functions across the agency.

WORKING CAPITAL FUNDS (WCF) AND SELECT AND NATIVE PROGRAMMING INFORMATION TECHNOLOGY (SNaP-IT) FUNDS AT THE DEPARTMENT OF DEFENSE

Again, the DoD is different from other federal agencies in that, for the most part, funds identified under WCF are also accounted for in other parts of the budget documents. Therefore, including the WCF lines would amount to double counting those dollar figures. For this reason, we chose not to put the WCF-specific lines into the Pentagon portion of the database.

Likewise, the Pentagon’s Select and Native Programming Information Technology (SNaP-IT) budget lines are accounted for in other parts of the budget documents including personnel, procurement, and operations & maintenance. For this reason, we chose not to put the SNaP-IT-specific lines into the Pentagon portion of the database.

The Department of Homeland Security accounts for spending in the same fashion as DoD. While DHS provides separate reporting of Working Capital Fund expenditures, it also integrates these expenditures into the funding of its sub-agency budgets. To avoid double counting, this database does not list DHS Working Capital fund expenditures separately.

OPERATIONS AND MAINTENANCE (O&M) FUNDING AT THE DEPARTMENT OF DEFENSE

The O&M slice of the Pentagon’s budget pie is so large and all-encompassing that the budget lines don’t drill down to the level of detail required to capture cyber-specific funding. In other portions of the Pentagon budget, such as procurement and research and development, the budget justification documents are all heavily detailed, showing exactly what topics are covered in that budget line.

In some cases, the exact cyber spending in a given Pentagon budget line is unknowable in an unclassified setting. While we can’t always state that all of a Pentagon budget line or program is being spent directly on cyber, the lines are still discrete enough to add depth to the budget picture.

That is not the case in O&M funding. For example, a budget line may include an item titled “Cyber Network Operations,” but that line is rolled up into a much larger O&M budget line of several billion dollars. Including that entire budget line in the data visualization tool would distort the results, showing a much higher dollar figure. For instance, the Navy’s O&M budget line, “Combat Support Forces,” indicates that it includes some level of funding for cyber activities. However, overall funding for that line, and the identical line in the Navy’s Overseas Contingency Operations (OCO) account, range from $2.6 billion to $1.7 billion per year, depending on the particular operational tempo of the Navy in that year. To include an average of $2 billion in the Navy’s “cyber” total of spending in a given fiscal year would be misleading and make the cyber tool much less useful.

We have, however, identified all the O&M lines that publicly include cyber spending. We also identified the fiscal years in which that spending appears. We are appending that database for O&M scholars who wish to do further research on how cyber spending is affecting the unclassified O&M budgets.

CYBER SECURITY VERSUS CYBER CRIME

Cyber crime funding is not identified in this database. Presumably for security reasons, most of the lines that include funds to fight cyber crime are not specified. For instance, the Inspector General of a given federal agency may be tasked to investigate cyber crime. However, the portion of the Inspector General’s budget devoted to cyber crime is not specified.

Additionally, there are crimes that occur in cyberspace that have nothing to do with cybersecurity, such as the movement of pornographic images across the Web. Therefore, to include any such cyber crime lines in their entirety is likely to be a vast overstatement of federal funding on cyber issues; we elected not to include those lines.