As Alex Stamos pointed out in the Washington Post, the Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security has only 2,200 employees for a mission that includes protecting all sixteen critical infrastructure sectors and all federal agencies while the National Security Agency (NSA) alone has more than 40,000 employees.
The Department of Defense’s (DOD) Cyber Command has over 12,000 personnel, including 6,000 military members.
While total spending on cyber missions at NSA is classified, what is known about federal spending suggests priorities skewed toward offense. As Jason Healey pointed out last spring, the DOD’s cybersecurity budget is significantly larger than the cybersecurity budgets of all civilian components combined. The federal government spends more than half a billion dollars per year on the headquarters elements of Cyber Command alone and only $400 million on cyber diplomacy at the State department. All of CISA’s budget adds up to about half of what DOD spends on just offensive cyber operations.
The SolarWinds disaster clearly indicates that CISA and federal agencies will need more money in order to develop the capabilities necessary to detect and contain adversaries as capable as Russia’s Foreign Intelligence Service. Additional funds are also badly needed to scale out efforts to coordinate with the private sector, fund research that the market will not support, and bolster the security of critical infrastructure. That funding, however, should not come out of the current budgets or future budget growth on the offensive side of the equation.
Since cybersecurity first became an issue of national import, cyber policy has been predicated on the idea of a public-private partnership, a term that is now nauseating to much of the community. Yet the phrase captures the reality that the federal government, unlike in other domains, does not assume ultimate responsibility for the security of systems it does not own or operate, including critical infrastructure. In terms of dollars and cents, what this means is that total spending on U.S. cybersecurity is actually heavily skewed toward defense not offense because all the cybersecurity spending in the private sector goes in the defense column.
Alongside DHS’s 2,200 employees at CISA, the 6,000 cyber warriors in the Defense Department suggest an imbalance towards offense over defense until you recognize that only about 2,000 of these 6,000 are in units that carry out offensive cyber missions and these 2,000 people are the only people in the United States that are authorized to carry out offensive cyber operations. Even the NSA’s 40,000 employees, only a fraction of which are focused on intelligence collection against adversary cyber operators, pale alongside the total cybersecurity workforce estimated at 750,000.
While estimates of total private sector spending in the United States range from $40 billion to $120 billion, even the lower end of that range is more than ten times the Pentagon’s budget for cyber operations and four times what data leaked from the Snowden disclosures suggested was the NSA’s budget. Microsoft alone says that it spends $1 billion a year on cybersecurity, and JP Morgan also spends close to that amount.
No doubt CISA needs to grow several times over to carry out its mission, and other civilian agencies will need a large influx of funds to secure themselves, but relative percentages between defense and offense in the federal budget could look largely the same.
While the defense clearly failed, it is becoming increasingly clear that the intelligence community either failed to detect this campaign or lacked the ability to understand and communicate what they saw. It’s also possible that the NSA supplied indications and warnings of the campaign to Cyber Command but offensive operators were spread too thin to engage and disrupt the activity. Either way, more spending, not less on offense, could be in the cards.
