Defense Department Cyber Efforts: Definitions, Focal Point, and Methodology Needed for DOD to Develop Full-Spectrum Cyberspace Budget Estimates
This letter discusses the Department of Defense's (DOD) cyber and information assurance budget for fiscal year 2012 and future years defense spending. The objectives of this review were to (1) assess the extent to which DOD has prepared an overarching budget estimate for full-spectrum cyberspace operations across the department; and (2) identify the challenges DOD has faced in providing such estimates.
The President has identified the cyber threat as one of the most serious national security challenges that the nation faces. In February 2011 the Deputy Secretary of Defense said that more than 100 foreign intelligence agencies have tried to breach DOD computer networks, and that one was successful in breaching networks containing classified information. To aid its efforts in countering cyberspace threats, DOD established the U.S. Cyber Command in 2010 and is currently undertaking departmentwide efforts to defend against cyber threats.
DOD has defined some key cyber-related terms. Cyberspace operations is defined as the employment of cyber capabilities where the primary purpose is to achieve military objectives or effects in or through cyberspace. Such operations include computer network operations and activities to operate and defend the global information grid. U.S. Cyber Command defines full-spectrum cyber operations as the employment of the full range of cyberspace operations to support combatant command operational requirements and the defense of DOD information networks. This includes efforts such as computer network defense, computer network attack, and computer network exploitation.
Computer network defense is defined as actions taken to protect, monitor, analyze, detect, and respond to unauthorized activity within DOD information systems and computer networks. Computer network attack is defined as actions taken to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves. Computer network exploitation is defined as enabling operations and intelligence collection capabilities conducted through the use of computer networks to gather data from target or adversary automated information systems or networks. Information assurance is defined as measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and nonrepudiation. This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.
DOD has planned and budgeted for information assurance programs for fiscal year 2012 and has projected future years' spending for these programs. However, DOD does not yet have an overarching budget estimate for full-spectrum cyberspace operations including computer network attack, computer network exploitation, and classified funding. During February and March 2011, DOD provided Congress with three different views of its cybersecurity budget estimates for fiscal year 2012 ($2.3 billion, $2.8 billion, and $3.2 billion, respectively) that included different elements of DOD's cybersecurity efforts. The three budget views are largely related to the Defense-wide Information Assurance Program and do not include all full-spectrum cyber operation costs, such as computer network exploitation and computer network attack, which are funded through classified programs from the national intelligence and military intelligence program budgets.
DOD's ability to develop an overarching budget estimate for full-spectrum cyberspace operations has been challenged by the absence of clear, agreed-upon departmentwide budget definitions and program elements for full-spectrum cyberspace operations and the absence of a central organization or a methodology for collecting and compiling budget information on cyberspace operations.
With regard to the first issue, DOD has defined some key cyber-related terms but it has not yet fully identified the specific types of operations and program elements that are associated with full-spectrum cyberspace operations for budgeting purposes. In the absence of such definitions, there are differing perspectives on the elements that constitute cyberspace operations in DOD. DOD's "Financial Management Regulation" established steps for budget submission requirements and for reporting information technology and information assurance programs to Congress, including identifying the activities that constitute information assurance. Although computer network defense is included in the list of information assurance activities, computer network attack and computer network exploitation, which are part of full-spectrum cyberspace operations, are not accounted for in this regulation.
Concerning the second issue, DOD has operationally merged defensive and offensive cyberspace operations with the creation of U.S. Cyber Command in October 2010, but the department still does not have a designated focal point or methodology for collecting and compiling budget information on full-spectrum cyberspace operations across the department. U.S. Cyber Command has recognized that the department must incorporate integrated defensive and offensive cyberspace operations into all planning efforts.
To improve DOD's ability to develop and provide consistent and complete budget estimates for cyberspace operations across the department, we recommend that the Secretary of Defense take the following actions:
(1) Direct the Under Secretary of Defense for Policy, in coordination with the Chairman of the Joint Chiefs of Staff, U.S. Cyber Command, and other organizations as appropriate, to develop and document cyberspace-related definitions, including identifying specific activities and program elements, for purposes of budgeting for full-spectrum cyberspace operations, that will be used and accepted departmentwide. They should also establish a time frame for completing these actions.
(2) Designate a single focal point to develop a methodology and provide a single, departmentwide budget estimate and detailed spending data for full-spectrum cyberspace operations (to include computer network defense, attack, and exploitation), including unclassified funding as well as classified data from the military intelligence and national intelligence programs and any other programs, as appropriate.
Recommendations for Executive Action
Department of Defense: To improve DOD's ability to develop and provide consistent and complete budget estimates for cyberspace operations across the department, the Secretary of Defense should direct the Under Secretary of Defense for Policy, in coordination with the Chairman of the Joint Chiefs of Staff, U.S. Cyber Command, and other organizations as appropriate, to develop and document cyberspace-related definitions, including identifying specific activities and program elements, for purposes of budgeting for full-spectrum cyberspace operations, that will be used and accepted departmentwide. They should also establish a time frame for completing these actions.
As of November 2012, DOD finalized guidance that will be used to capture the Department's budget for cyberspace operations. DOD updated the Financial Management Regulation 7000.14-R, Volume 2B, Chapter 18 to include budgetary guidance and requirements for cyberspace operations reporting and definitions associated with cyberspace operations. Additionally, DOD issued guidance to all DOD components for completing the fiscal year 2014 budget estimate submission and President's Budget for information technology that provided specific directions and requirements and identified the program elements required for the cyberspace operations budget estimate. We believe DOD's actions meet the intent of our recommendation and that the new guidance will likely enable the department to develop a single cyberspace operations budget estimate to provide a complete picture of the resources it is investing in its cyberspace operations.
Department of Defense: To improve DOD's ability to develop and provide consistent and complete budget estimates for cyberspace operations across the department, the Secretary of Defense should designate a single focal point to develop a methodology and provide a single, departmentwide budget estimate and detailed spending data for full-spectrum cyberspace operations (to include computer network defense, attack, and exploitation), including unclassified funding as well as classified data from the military intelligence and national intelligence programs and any other programs, as appropriate.
As of November 2012, DOD issued and updated various guidance documents, including the Financial Management Regulation DOD 7000.14-R, Volume 2B, Chapter 18 and Fiscal Year 2014 budget estimate guidance, that, combined, provide a methodology for developing its cyberspace operations budget estimate and designated the Office of the Chief Information Officer as the focal point for developing the cyberspace operations budget estimate. Utilizing that guidance, DOD developed and reported a single cyberspace operations budget estimate for fiscal year 2014 in the amount of $4.7 billion for full-spectrum cyberspace operations, including classified and military intelligence program-related funding. DOD has closed this recommendation and noted, in its 2014 update, that national intelligence program cyberspace operations-related funds would be reported through the Office of the Director of National Intelligence.
DOD's comments as of May 2013: The recommendation was completed with the update and publication of the DOD Financial Management Regulation DoD 7000.14-R, Volume 2B, Chapter 18. The DOD Chief Information Officer led development of the Department's Fiscal Year 2014 cyberspace operations budget justification material, which includes all aspects of the Cyberspace Operations mission with the exception of the National Intelligence programs. DOD Chief Information Officer continues to work closely with other DOD components to ensure the Department's Cyberspace budget is an accurate reflection of DoD cyberspace operations.
In the July 2014 update, DOD stated that they are reporting the cyberspace operations-related funds for which it has oversight and that national intelligence program cyberspace operations-related funds would be reported through the Office of the Director of National Intelligence.