Unclassified federal cyber spending spiked in Fiscal Year 2011 and again in Fiscal Year 2015.

It makes sense that these surges, in both funding and the number of programs devoted to cyber issues, were in response to real world events. And we have an idea of what they were. But stepping back a bit may be in order, because formulating the federal budget is not a quick process.

In an average year, one not directly following a Presidential election, the President’s Budget Request will be released in early February. So the Fiscal Year 2019 budget request is likely to be released in February of 2018. However, the process of drafting the budget request begins in the agencies roughly a year prior to that release. At the time of writing in the summer of 2017, the administration is in the process of formulating the FY19 federal budget request. For this reason we must look back about two years prior to the start of a given fiscal year to find what real world events are shaping the drafting of the President’s Budget. For the hike in spending we have identified in 2011, we need to look at what was happening in the spring and summer of 2009.

In May 2009 a White House press release highlighted the need to “institutionalize the need for strong cybersecurity and to operationalize the policies that we have developed to better protect our Nation against cyber threats.” Specifically, the President said, “From now on, our digital infrastructure – the networks and computers we depend on every day – will be treated as they should be: as a strategic national asset.  Protecting this infrastructure will be a national security priority.”

On July Fourth, a U.S. federal holiday, there was a first wave of “denial of service” attacks on U.S. and South Korean government agencies. According to the Washington Post, “In the United States, the attacks primarily targeted Internet sites operated by major government agencies, including the departments of Homeland Security and Defense, the Federal Aviation Administration and the Federal Trade Commission, according to several computer security researchers. But The Washington Post’s site was also affected. … The effort did not involve the theft of sensitive information or the disabling of crucial operational systems, government and security experts said. But they noted that it was widespread, resilient and aimed at government sites.”

Two more waves of similar attacks followed on July 7th and July 9th that, apparently, continued to target South Korean government agencies. Later that month the Partnership for Public Service released a report stating that, “The nation’s security could be in jeopardy because not enough workers are sufficiently trained to protect computer systems from hackers, criminals, terrorists and foreign governments…”

For the hike in spending we have identified in 2015, we need to look at what was happening in the spring and summer of 2013.

In March, South Korea was again targeted with cyber-attacks against major banks and broadcasters.

Similar to the July 4, 2009 (American Independence Day) attack, the Colombian government was hit on Colombian Independence Day in 2013. Thirty separate Colombian government websites were attacked, and some were knocked off the internet for the entire day.

In January and again in August, the New York Times website was attacked and successfully taken offline.

Operation Ababil was launched against U.S. banks in 2012 and continued into 2013 with at least four major “waves” throughout calendar year 2013.

In October the Adobe Corporation notified close to three million customers that their encrypted credit and debit card numbers may have been compromised.

Another major attack was directed at the Spamhaus Project, based in Switzerland and, ironically, “an international nonprofit organization that tracks spam and related cyber threats such as phishing, malware and botnets, provides realtime actionable and highly accurate threat intelligence to the Internet’s major networks, corporations and security vendors, and works with law enforcement agencies to identify and pursue spam and malware sources worldwide.”

The year ended with a major breach of data related to Target customers using credit cards during the busy holiday shopping season.

Whether the overall increases in federal funding along with the shifts in emphasis that followed these events and correspond to the spikes in federal spending in FY11 and FY15 were actually effective against this type of state-sponsored and criminal hack attacks will require further study.

We also looked at acknowledged cyber-attacks in other calendar years when there seems to be no increase in federal cyber spending two years later. Since we’re based in Washington, the one that leaps first to mind was the massive hack of records of federal employees from the Office of Personnel Management in early 2015. The fiscal year most likely to have been affected by reactions to that hack, Fiscal Year 2017, is beyond the current scope of this database. As we continue to review budgets and update this database, we’ll write more on that topic.

But for comparison purposes we looked back at calendar year 2010. Because there was no spike in unclassified federal spending in 2012 we thought it might be informative. And while attacks were reported, for the most part the attacks were not against the U.S. government or critical infrastructure. It is reported there was a doubling of the number of “phishing” attempts and other cyber-attacks on social media sites. In January of 2010 there was a major intrusion into Google sites. And in December of 2010 PayPal and credit card sites that took action to reduce the ability of Wikileaks to raise funds were attacked, presumably by Wikileaks itself, against an organization who sympathized with them.

As with everything in this report and analysis of federal cyber spending, TCS got all of its information from open sources. This means there are things we don’t know about successful and attempted cyber-attacks on U.S. government or critical infrastructure sites. And it also means that spikes in classified cyber spending are not reflected in the database. We are reporting on the patterns we have found in publicly available data.

For further reading on this topic, visit the website Lawfare. In 2012, Lawfare made public a list of acknowledged cyber-attacks on U.S. Government agencies dating back to 2004.