In any fiscal year there is likely to be a mismatch between how much money the president and top federal officials say is being allocated for cyber security and the funding levels shown in the Taxpayers for Common Sense Federal Cyber Spending Database, both for the government as a whole and at the agency level.
The likely reasons for these discrepancies fall into three main categories – varying definitions of what comprises “cyber funding,” differences in methodology, and different levels of access to information.
There is no government-wide standard definition or method of accounting for what qualifies as cyber funding. Absent any such general understanding of what “cyber security” means, any definition will be at least partially subjective, and determined, to some extent, by the bias of whoever is trying to do the counting. For example, in an effort to highlight their commitment to responding to a given issue, government officials may use a broader, more inclusive definition of the problem when calculating the amount of federal funding allocated to addressing it.
Taxpayers adopted a more conservative approach in determining how to calculate what the government spends on cyber security, erring on the side of caution in order to avoid inflating the funding levels contained in the database. For example, Taxpayers’ analysts opted not to include “cyber crime” – criminal activities that occur in the cyber realm – in calculating cyber funding, as efforts to combat it do not directly contribute to promoting U.S. national security, homeland security, or safeguarding government data.
In examining all of the Presidential Budget Request documents for the fiscal years covered in the database, we realized that if we limited ourselves to programs that had “cyber” somewhere in their title, we would identify only a fraction of total cyber security funding. We therefore attempted to pinpoint budget lines whose documentation indicated in some way that the work they fund includes cyber security. We know of no way, using only public documents, to determine precisely how much of that money is direct cyber spending. Instead, we looked for instances where “cyber” is mentioned in the explanatory documentation, or where it was reasonable to infer that such spending would have a significant impact on promoting cyber security. Again, we generally erred on the side of caution so that our accounting would be conservative rather than inflated. Yet these are subjective judgments that can lead to reporting discrepancies.
Conversely, while we generally used a methodology intended to avoid double-counting and the “flavor of the month” phenomenon, which we describe in greater detail in other papers, in the case of operations that fall under the authority of each agency’s Chief Information Officer (CIO) we adopted a broader approach, preferring in this case to err on the wide side rather than on the side of caution. We did so because most agency cyber activities, particularly when centralized across sub-agencies, fall under the CIO, and because the other Information Technology (IT) functions performed by the CIO are very likely to have an impact, either direct or indirect, on the CIO’s overall cyber and cyber security responsibilities.
Every document Taxpayers reviewed as part of our preparation of the database was a public document. We neither sought out nor looked at any classified or “sensitive but unclassified” material. Yet we know that portions of the total cyber security budget are classified, even if we don’t know how big a slice of the pie that is. Our lack of knowledge about the size of the classified cyber security budget, or how much of it, if any, is included in the “totals” released by federal officials, could help explain discrepancies when comparing government reporting of funding to the database.
Ironically, knowing the “total” size of the federal cyber security budget and calculating the non-classified total from the Taxpayers database, one could theoretically “reverse-engineer” the budget and estimate the size of the classified portion. But given the other variables at play – the lack of a consensus definition of “cyber security” and an at least partially subjective methodology – this would be a very rough estimate at best.
For more information on how we made our calculations, please refer to our overall methodology document.