Cyber sailors man their stations in Little Creek, Va. (US Navy)
WASHINGTON — US spending on cyber, both defensive and offensive, will continue to grow in the coming years, including in the fiscal 2015 budget, officials said. But while the money has poured in, there are still questions to be answered as to how that money should be spent as the military settles what cyber preparedness really means.
US cyber Command (CYBERCOM) officially got more than $500 million for 2014, although experts say that number is dwarfed by the total spending on cyber, much of which is buried in areas of the budget that get lesser scrutiny and total in the billions.
Asked about the 2015 budget at a late February conference, acting Deputy Defense Secretary Christine Fox confirmed that cyber spending will continue to be strong.
“Yes, we did protect investments in cyber, in cyber defense, cyber offense and the Defense Department’s responsibility to support the Department of Homeland Security for national cyber defense,” she said.
While the spending may be ample, experts said defense leaders are uncertain how that money should be spent. The bulk of the money is going to training cyber teams, for offensive and defensive purposes. What hasn’t been fully sorted out is exactly what those teams are going to do, how they’re going to respond and what type of cyber conflict the Pentagon expects to confront. That creates uncertainty for commanders and makes it difficult to tailor training for the missions cyber experts will actually need to undertake.
“If you’re not done looking through what the concept is going to look like, you don’t know where to spend your money,” said Jason Healey, director of the Atlantic Council’s cyber Statecraft Initiative. “Whenever I talk to folks in the Pentagon, they say ‘we still don’t know exactly what to do with the organization; we still don’t know what to do with the workforce.’ ”
CYBERCOM’s commander, Gen. Keith Alexander, acknowledged some of the work that’s required in written testimony to the Senate Armed Services Committee Feb. 27.
“US cyber Command, with the services and other partners, are doing something that our military has never done before,” he wrote. “We are putting in place foundational systems and processes for organizing, training, equipping and operating our military cyber capabilities to meet cyber threats. USCYBERCOM and the services are building a world class, professional and highly capable force in readiness to conduct full spectrum cyberspace operations.”
To that end, he wrote that 17 of the planned 133 cyber mission teams are operating.
The emphasis on training new people makes sense given the previous shortage, said Ian Wallace, a fellow at the Brookings Institution.
“The question of how many and what focus those people [should take] depends on what you actually want from cyber Command, and ... this is less certain,” he said.
Congress seems to also believe that a thorough evaluation of the future cyber mission is in order. The 2014 National Defense Authorization Act included roughly three pages of questions Defense Secretary Chuck Hagel is expected to answer on everything from the concept of cyber warfare to manpower needs, the roles of each of the services, methodology and more.
The report is required to be submitted 180 days from the legislation’s signing, meaning in June, although congressionally mandated reports are often late.
That should help advance the conversation on what to do with the new forces and how to spend the increasing money.
“There’s a sequence of conversations that need to happen in parallel,” Wallace said. “There’s a conversation about the role of the federal government compared to the private sector. There’s a question about the role of DoD in relation to the federal government. And then I think there’s a separate discussion about how the services and CYBERCOM relate to each other.”
The question of how to use the services has been central to much of the debate on the force’s growth. Each service has a cyber command to monitor service-specific networks and feed trained personnel to CYBERCOM. Because of this arrangement, the abilities of cyber personnel can be uneven.
“There’s certainly an argument to say that the aggregate of what the services think are right for their own purposes may not be right for the country, so there is a question as to whether the sum of the individual requirements adds up to what CYBERCOM requires,” Wallace said.
Some have argued that service-specific cyber doesn’t make sense, given that networks are largely the same and a sailor can just as effectively defend an Army network as a soldier. The idea of creating a unified cyber force has been floated.
Most of these discussions are taking place behind the scenes. cyber, having come from the world of intelligence and still bridging the divide, with the National Security Agency and CYBERCOM sharing a commander, has been even more shadowy than most military realms. The secrecy, however, isn’t the primary problem, Healey said.
“With cyber, it’s not just that it’s classified, it’s that they really aren’t sure what the cyber domain is going to look like,” he said. ■