The recent report of the Cyberspace Solarium Commission is bringing welcome focus to U.S. cyber strategy. As the two co-chairs of the commission wrote on Lawfare, the purpose of the commission was to drive “consensus toward a comprehensive strategy.”
The report’s tone differs from traditional strategies of defense or security, common in the civilian cybersecurity community. Instead, the report uses hawkish national security language that the “federal government and the private sector must defend themselves and strike back with speed and agility” and with “layered deterrence.” This reflects the view of the co-chairs that “the status quo is inviting attacks on America every second of every day. The status quo is a slow surrender of American power and responsibility.” Yet this assessment rests on two important questions about American cyber strategy: First, does the U.S. government prioritize cyber offense or defense? And second, does the U.S. have a militarized approach to cyber issues, looking to the military as the principal actor?
If the approach is more offensive and militarized, then perhaps the co-chairs have this the wrong way around and the status quo is characterized by America being more predator than prey.
The stated priorities seem clear as the last three presidents have stated that the U.S. is vulnerable and must have a strong defense. But sometimes analysts have to follow the money, to see if the facts match the rhetoric. And by examining the federal cybersecurity budget, it is clear the U.S. government prioritizes the military—a fact with important implications for national security policy.
Stated U.S. Priorities
For more than 20 years and four presidential administrations, U.S. policy has prioritized cybersecurity and resilience, especially through partnerships between the public and private sectors with little to any direct military role.
The very first presidential document on cyber strategy, President Clinton’s PDD-63 of 1998, asserted that it “will take all necessary measures to swiftly eliminate any significant vulnerability to both physical and cyber attacks on our critical infrastructures, including especially our cyber systems.” President Bush’s National Strategy to Secure Cyberspace of 2003 aspired to “to protect against the debilitating disruption of the operation of information systems for critical infrastructures and, thereby, help to protect the people, economy, and national security of the United States.” The Department of Defense hardly gets any mention in either document. President Obama continued this defensive focus but did introduce more themes of active defense, such as his 2015 speech at Stanford University, stressing that “we have to build stronger defenses and disrupt more attacks” (emphasis added), but he mentions the military only in passing.
The Trump administration continues this trend, extolling defense, at least in public comments. Vice President Mike Pence declared that “the American people demand, and deserve, the strongest possible defense. And we [the U.S. government] will give it to them.” His statements criticizing previous administrations for “let[ting] the American people down when it came to cyber defense” suggests a renewed priority for improving cyber defenses. In the opening message of his National Cyber Strategy, President Trump likewise emphasized that his priorities are “protecting America’s national security and promoting the prosperity of the American people” and that “ensuring the security of cyberspace is fundamental to both endeavors.”
The administration, though, has changed what is meant by “defense.” Disrupting attacks has gone from a mere mention by Obama to a central effort by Trump; the National Cyber Strategy also promises to “punish those who use cyber tools for malicious purposes” if necessary, with an entire pillar on “peace through strength,” concepts almost entirely missing from prior policies. Even so, the “strength” in this pillar is only about responding to adversary attacks, with nothing on U.S. offensive and espionage efforts. The section “how did we get here” similarly skips, for example, Stuxnet and the Snowden revelations. The latest Defense cyber strategy, though, was built explicitly with a new concept of persistent engagement and defending forward in mind: “exposing, disrupting, and degrading cyber activity threatening U.S. interests.”
Less has been said officially about militarization, though Gen. Paul Nakasone—current commander of U.S. Cyber Command—has represented the general sentiment; while adversaries may seek to mistakenly portray the Defense “strategy as ‘militarizing’ the cyberspace domain … the Command will make no apologies for defending US interests … in a domain already militarized by our adversaries.”
Following the Money
Having reviewed the stated government priorities, it is worth remembering the advice of a former vice president: “Don’t tell me what you value. Show me your budget, and I’ll tell you what you value.”
The federal budget is not always easy to analyze—and the exact spending on offense is classified—but the Fiscal 2020 President’s Budget on cybersecurity, published in March 2019, augmented with testimony and press reports, are clear enough to discern the overall magnitude of funded U.S. priorities.
To its credit, this budget does reveal an overall growth in cybersecurity funding of about 5 percent above the fiscal 2019 estimate. However, federal cybersecurity spending on civilian departments like the departments of Homeland Security, State, Treasury and Justice is overshadowed by that going toward the military:
● The Defense Department’s cyber-related budget is nearly 25 percent higher than the total going to all civilian departments, including the departments of Homeland Security, Treasury and Energy, which not only have to defend their own critical systems but also partner with critical infrastructure to help secure the energy, finance, transportation and health sectors ($9.6 billion compared to $7.8 billion).
● The funds to support just the headquarters element—that is, not even the operational teams in facilities outside of headquarters—of U.S. Cyber Command are 33 percent higher than all the cyber-related funding to the State Department ($532 million compared to $400 million).
● Just the increased funding to Defense was 30 percent higher than the total Homeland Security budget to improve the security of federal networks ($909 million compared to $694.1 million).
● The Defense Department is budgeted two and a half times as much just for cyber operations as the Cybersecurity and Infrastructure Security Agency (CISA), which is nominally in charge of cybersecurity ($3.7 billion compared to $1.47 billion). In fact, the cyber operations budget is higher than the budgets for the CISA, the FBI and the Department of Justice’s National Security Division combined ($3.7 billion compared to $2.21 billion).
● The Defense Department’s cyber operations have nearly 10 times the funding as the relevant Homeland Security defensive operational element, the National Cybersecurity and Communications Integration Center (NCCIC) ($3.7 billion compared to $371.4 million).
● The U.S. government budgeted as much on military construction for cyber units as it did for the entirety of Homeland Security ($1.9 billion for each).
We cannot ignore what the money is telling us. The White House and National Cyber Strategy emphasize the need to protect the American people and our way of life, yet the budget does not reflect those values. Rather, the budget clearly shows that the Defense Department is the government’s main priority. Of course, the exact Defense numbers for how much is spent on offense are classified.
If the focus were defensive, rather than offensive, then law enforcement and Homeland Security funding—especially for federal cybersecurity—would be at least comparable. The NCCIC, which is supposed to be the “Nation’s flagship cyber defense, incident response, and operational integration center,” gets just one dollar for every 10 that goes to military offensive and defensive operations.
This predates the current administration. The massive Comprehensive National Cybersecurity Initiative, started late in the George W. Bush administration but continued into President Obama’s, was supposed to be both comprehensive and national in scope, but only 10 percent of the allocated $3.6 billion went to the Department of Homeland Security. Most of the rest was funneled to the military, especially the National Security Agency (NSA), encouraging a militarized, offense-heavy approach. According to P.W. Singer and Allan Friedman, “budget plans in 2014 show the US Air Force spending 2.4 times as much on cyber offense research as on cyber defense” and in 2012, “the Pentagon spent roughly eight times as much [as Homeland Security] not even including the NSA’s classified budget (roughly $10.5 billion according to the Snowden leaks).”
Analysis and Implications
This mismatch, between stated defensive priorities but funding for offense and the military, has happened in part because the U.S. government has been historically skittish about discussing cyber offense. Officials publicize the punches the U.S. is taking but heavily classify those we’re throwing. Another reason for the mismatch is a more recent focus on offense over defense. Launching the White House strategy, former National Security Adviser John Bolton announced that “any nation that's taking cyber activity against the United States … should expect we will respond offensively as well as defensively.” Gen. Mark Milley, in his confirmation testimony to be the new chairman of the Joint Chiefs of Staff, emphasized this focus: “We have to have those offensive capabilities ... if [adversaries] know that we have an incredible offensive capability, then that should deter them from conducting attacks on us.”
The larger trend is that, to paraphrase Rosa Brooks, everything became war and the military became everything. The United States is seeing a wide variety of challenges through a militarized, national security lens. The Defense Department is one of the most trusted U.S. institutions. For cyber issues, this is amplified because of the high turnover of Homeland Security leadership, cyber being sidelined in the Department of Homeland Security by immigration issues, President Trump’s personal affinity—especially early in his administration—for generals and admirals, and the lack in the White House of a cybersecurity coordinator or strong homeland security adviser after the ouster of the cyber-savvy Tom Bossert.
The most obvious implication for national security is that more could be done to reduce America’s significant cyber vulnerabilities. Defense through offense may be a promising experiment or operational concept, but it may not be fully developed as a strategy. The government, both the executive and legislative branches, must work to rebalance these efforts with significantly more funding for federal cybersecurity, critical infrastructure, information sharing and a wide range of other defensive priorities.
The Cyberspace Solarium Commission noted that within the Homeland Security budget, only 15 percent is “committed to initiatives supporting the private sector.” Overall, that is perhaps 1 percent of Defense Department funding. This percentage must increase many times over, targeted at embracing those innovations that give defenders the greatest advantages over attackers at the greatest scale and least cost; working toward major political goals, such as getting to zero botnets; creating new organizations to directly collaborate on response and not just share information; and countless other critical civilian cyber tasks. The U.S. strategy should place non-state actors, with their unique agility and capabilities, at the center of defense and help fund them accordingly.
Just as serious is the misconception in U.S. strategic thinking that sees U.S. moves as beneficial and stabilizing but our adversaries’ as dangerous militarizing escalations. Brazen, reckless attacks like WannaCry and NotPetya are destabilizing and nothing like more precise U.S. operations. We must recognize that adversaries are responding in part to U.S. actions—like Stuxnet and those revealed by Snowden—and perceived U.S. actions—such as Russian President Vladimir Putin’s belief that the Panama Papers were a U.S. covert action aimed at him.
While the budget comparisons I have presented may come as a surprise to some Lawfare readers, they will not surprise most U.S. adversaries, who have long feared U.S. cyber power. Recognizing the true U.S. priorities may help us recognize a more balanced perspective.
Moreover, as I wrote on Lawfare last year, there are tremendous risks when a “fearsome offense [is] paired with a weak defense.” If adversaries feel a war with the United States may be coming, our having “a more fearsome cyber offense makes it more likely they will [get in a sucker punch] on the U.S. before Cyber Command can bring its big guns to bear.”
While the Defense Department needs significant funding for its essential cyber missions, this money will not make the United States significantly more secure in cyberspace. If the U.S. government truly believes the top priority is defense—and that it is not militarizing cyberspace—then its budget for civilian cyber defense must be drastically increased to align more closely with these values.