Classified Cyber Spending – The Rest of the Iceberg

Classified Cyber Spending – The Rest of the Iceberg

National Security  | Data & Documents
Jun 1, 2017  | 5 min read

Taxpayers for Common Sense’s cyber spending database contains only the unclassified portion of federal cyber spending, and draws only from public documents.

So it shows you only the unclassified “tip” of the entire cyber spending iceberg. But while you can’t use the database to determine the exact size of the classified portion of the iceberg, there are a few hints to be found. And you can use it to draw some reasonable conclusions about what the remainder of the classified cyber budget might contain.

The database tells us that a sizeable portion of the total cyber budget falls under the Pentagon’s budget, and it is reasonable to assume that this is also true for classified cyber spending. The Defense Department’s budgets contain numerous programs whose funding fade in and out of view over time, particularly in the research and development (RDT&E) portions of the budget. Examples include DARPA’s “Tactical Technology” program, the Army’s “Electronic Warfare Technology” and the Navy’s “Power Projection Advanced Technology Computational Analysis of Cyber-terrorism Against the United States.”

In some cases, like the Air Force’s “C3I Advanced Development” program, the funding simply ends. This might indicate a program has been terminated, but this seems unlikely since the services generally announce program terminations, and because in many cases the “program element” (PE) number of the program continues to appear in subsequent budget documents.

Such budgetary breadcrumbs are not unique to the Defense Department. Take this example from the data for the Federal Bureau of Investigation. The FBI’s proposed budget for FY2010, under the heading “Prevent Terrorism and Promote the Nation’s Security” includes historical data and a new funding request for “Program Activity/ 1.1, 3. Cyber Program (Intrusions).” Yet funding for this program is subsequently listed as “classified” in both the FY2011 and FY2012 FBI spending proposals. Interestingly, the FBI’s subsequent FY2013 budget request again includes funding for this program, and even contains historical funding data for the years that were previously listed as “classified.”

And while the database doesn’t tell us this, it is also likely that the Pentagon’s classified cyber budget will fund intelligence-style activities focused on disrupting the cyber capabilities of potential adversaries, and similar operations funded through the various intelligence services – the Central Intelligence Agency, National Reconnaissance Office, and the National Security Agency (whose entire budget is classified), to name a few.

Unclassified Cyber Spending, by Agency (FY 2007 - 2016)

Similarly, the Pentagon’s classified cyber budget will also fund tactical capabilities related to the military’s traditional warfighting mission. Disrupting an enemy’s ability to gather and disseminate critical information is an essential part of the military’s strategy for dominating the modern battlefield. This is cyber offense. And where once this was achieved primarily by physical attacks against an enemy’s sensor platforms, communications nodes, and command and control networks, militaries around the world are now developing electronic methods to “turn out the lights” of potential adversaries.

We know that funding for these types of activities is classified because our researchers’ exhaustive efforts did not identify them in the Pentagon’s budget documents. Yet they must be there—no 21st century military can afford to ignore these capabilities, let alone the most technologically sophisticated military in the world.

We can also draw reasonable conclusions about other sorts of classified offensive cyber capabilities the United States is developing by looking closely at where the government is spending money to protect against attack. This is cyber defense. Our nation’s critical infrastructure, the U.S. financial sector, and personal data held by federal agencies are just a few examples of potential (or actual) targets of cyber attacks that have been prioritized by the government – priorities reflected by our data. Not reflected in the data, however, is funding to develop our own capabilities to attack similar targets belonging to current or future adversaries. Yet the funding must certainly be there.

To put it another way, do you think only Russia can hack an election?