The federal government’s cyber security role is complex, and involves protecting federal information systems, determining the appropriate federal role in protecting non-federal systems, and, presumably, preparing for offensive cyber operations.
But there is no concise, universally accepted definition of what “cyber security” means or what other “cyber” spending also contributes to cyber security. There is no comprehensive legislative or regulatory framework which defines the government’s role in promoting cyber security and other cyber spending and determining the appropriate level or focus for federal cyber spending. It is therefore impossible to know exactly how much the government spends on cyber issues.
In recent years administration officials have made a point of announcing the total “top line” amount the government plans to spend on cyber security in the coming year – $19 billion in Fiscal Year 2017, for example – but these figures have little meaning without a better understanding of what qualifies as “cyber security” overall, and which portion of overall cyber funding the government is including in this total.
Determining what cyber spending really is, and then identifying how much funding it receives, are two of the major challenges Taxpayers for Common Sense faced when deciding how to build the Taxpayers federal cyber spending database.
For budget watchers, a key component of assessing cyber spending is knowing what we don’t know. The recent Omnibus Appropriations bill for Fiscal Year 2017 shows that Congress recognized the lack of transparency into what, exactly, is spent on cyber activities—in this case, cyberspace activities:
“While the Service and defense-wide budget justification material, as well as the Department of Defense classified cyberspace activities information technology investments budget justification materials, provide some level of detail, much of the funding is encompassed within larger programs and funding lines, which limits visibility and congressional oversight of requested funding for cyberspace activities specifically.” Congress goes on to direct the Department of Defense Chief Information Officer to modify exhibits relating to cyberspace activities.
There are ways to reduce the barriers to understanding total cyber spending. Take for example those portions of the cyber security budget which are classified.
For obvious reasons, some amounts of what the government spends on cyber security is, and should remain, classified. This would include such things as the Defense Department’s efforts to thwart enemy cyber attacks against U.S. forces and the military’s abilities to conduct cyber warfare against existing and potential adversaries, as well as similar operations funded through the various intelligence services – the Central Intelligence Agency, National Reconnaissance Office, and the National Security Agency (whose entire budget is classified), to name a few.
But that doesn’t mean we can’t have a general idea of the amount of classified cyber spending, if not the specific programs. For much of the last decade the government has made public the annual “top line” total of what we spend on intelligence through both the National Intelligence Program (which funds civilian intelligence through the CIA, NSA, etc.) and the Military Intelligence Program, which funds the Pentagon’s intelligence work. So while the details of the government’s intelligence spending remain classified, we can at least get an idea of the order of magnitude of U.S. intelligence budgets, and watch trends over time.
What is lacking here is a government-wide reporting requirement on cyber security spending. For example, in Fiscal Year 2004 the Office of Management and Budget (OMB) began including as part of the annual budget request, a table that presented total federal homeland security funding by agency. Over time this reporting grew into a “Homeland Security Funding Analysis” chapter in the annual budget’s “Analytical Perspectives.” (Sadly, this reporting requirement was eliminated by Congress as part of the FY 2017 Consolidated Appropriations Act, and does not appear in the Trump Administration’s FY2018 budget requests, which states that “it will not be included in future Budgets.”)
The Taxpayers database contains a lot of information about what the government spends on cyber, and allows us to begin to draw a fairly detailed picture of what cyber funding looks like. It also points to areas where greater transparency is needed in order to have better understanding of and fuller discussion about what our cyber spending priorities are, and whether the billions of dollars spent are actually making us more secure.