The Taxpayers for Common Sense cyber spending database indicates considerable growth in such spending over the past decade, both by the federal government as a whole and across individual agencies.
But does this funding growth actually reflect spending increases for existing cyber programs and an emphasis on new initiatives? Or is it more an effort by the government to highlight their contributions to federal efforts to meet a newly perceived challenge?
In the annual battle of the budget, individual federal agencies are acutely aware of their need to appear relevant, and funding, particularly new funding, tends to follow the latest trends. Federal spending can take on a “flavor of the month” quality, where dollars follow crises, be they real or perceived.
This is because the federal government is often criticized for being slow to react to emerging crises (let alone acting proactively). Federal officials are acutely aware of the need to show that the government is responding to the newest emerging national emergency, be it disaster relief (as in the wake of hurricane Katrina), homeland security after the 2001 terrorist attacks, or the potential “Y2K” computer crisis on January 1, 2000. For example, President George W. Bush’s budget request materials for Fiscal Year 2003 (the first budget proposal released after the 9/11 attacks)—evidently to show their awareness of the gravity of the situation—included the use of a “Minuteman” (the Revolutionary War figure, not the inter-continental ballistic missile) icon throughout the document to identify “…where a discussion on homeland security begins.”
Similarly, in FY2004 the Office of Management and Budget (OMB) began including as part of the annual federal budget request a table that presented total federal homeland security funding by agency. According to OMB’s reporting, homeland security funding within the Defense Department increased gradually by roughly $1 billion annually for several years after the 9/11 attacks. But in the FY2007 request OMB reported a jump of nearly $7 billion over FY2006 levels – an increase of over 70 percent in a single year. After that, the annual increases in Defense Department homeland security spending returned to the previous rate of about $1 billion, but from that much higher level. And while it is possible that the Pentagon’s homeland security budget experienced a major one-time increase, what is much more likely is that the increase reflected a change in what DoD was defining as “homeland security funding” rather than any real growth in spending.
The 1996 Clinger-Cohen Act helped establish the position of Chief Information Officer (CIO) within each federal agency, tasked with overseeing information technology (IT) including cyber security. This cyber security function has grown in importance over time, and the database shows increased funding in both the CIO offices and in programs under their jurisdiction across the federal government. This reflects both the growing importance of the CIO function and the consolidation of IT and cyber activities under the CIO umbrella. But closer examination of CIO operations is necessary to determine if this consolidation has actually resulted in the greater efficiencies, better coordination, and economies of scale originally envisioned.
The Department of Homeland Security (DHS) is the lead federal agency for securing civilian government computer systems, so one would expect to see significant increases in cyber security funding for the agency, and the database bears this out. Between fiscal years 2008 and 2016, DHS funding almost tripled, increasing by roughly 170 percent. (NOTE: This increase is in current dollars. If adjusted for inflation, DHS cyber security funding growth would be even greater.)
Yet funding for DHS’s Chief Information Officer over the same period grew at a much lower level, increasing by only 42 percent between fiscal years 2008 and 2016. And these figures are deceiving, due to $100 million in new funding for the CIO’s “cyber fund” in FY2016. When compared to FY2015 funding levels, spending for DHS’s Chief Information Officer grew at a very modest 10 percent.
In June 2015 the Office of Personnel Management (OPM) revealed that it had experienced at least two cyber intrusions. It is estimated that the security breaches compromised sensitive personnel information of 22 million current and former federal employees, including one of the people who developed this database. Yet OPM cyber funding in FY2016, at roughly $48 million, grew by only an approximate one-third from the previous year. More significantly, this level is considerably below cyber security funding in previous years, which averaged about $130 million annually between fiscal years 2010 and 2014.
So the short answer to the question “do funding increases address actual problems, or reflect government agencies jumping on the bandwagon,” is, “probably both.” And it is one of the goals of this database to help budget watchers develop good answers to this and other questions about federal cyber spending.