All talk and no action sums up DOD systems security budget

The vulnerability of Defense Department information systems is
""the major security challenge of this decade and possibly of the next
century,'' according to a landmark Pentagon study. But a review of next year's Defense
budget suggests Congress and DOD aren't really that concerned.

Few topics grab headlines like the unrelenting penetration of DOD networks by hackers.
When the Joint Security Commission reported in February 1994 that ""we have
neither come to grips with the enormity of the problem nor devoted the resources necessary
to understand it fully, much less rise to the challenge,'' Congress promptly gave the
issue its 15 minutes of fame.

The report recommended that at least 10 percent of DOD's infrastructure development and
operations spending be devoted to what the department now calls infosec.

""Using this yardstick, DOD should invest between $500 million and $1 billion
annually to protect its information systems,'' members of the Senate Armed Services
Committee observed in their report accompanying the 1995 Defense authorization bill.
""In contrast, DOD plans to spend about $19 million on information systems
security in fiscal year 1995. The committee is prepared to accept that $1 billion is too
much, but it is certain that $19 million is far too little.''

Pentagon brass joined in the hand-wringing, pushing systems security as a top priority
at industry conferences and boasting that the 1996 budget request would include $1.2
billion in new funds spread over six years.

But when the dust settled, DOD had requested just $80 million in new information
security money for 1996, according to a Pentagon spokeswoman. And industry sources
familiar with the budget said most of that is for the Defense Message System, a new
electronic-mail system that will do nothing to protect DOD's porous legacy networks.

In its report on the 1996 Defense spending bill, the House Appropriations committee
concluded that ""only a small portion of the [$80 million in] requested funds
are to protect, detect and react to attacks on DOD's information network.''

The Senate, for its part, seems to have yawned. The Senate Armed Services Committee's
report on the 1996 authorization bill devotes one sentence to the subject, blandly
endorsing DOD's efforts ""to develop multilevel security systems.''

The Senate Appropriations Committee, in its report on the 1996 DOD appropriations bill,
actually cuts $6 million from departmentwide R&D funds earmarked for
""systems security management'' and ""firewalls and guards for defense
information infrastructure.''

Retired Adm. Jerry Tuttle called the planned funding level ""an
embarrassment.'' Tuttle, former director of Navy Space and Electronic Warfare and now
chief staff officer of Oracle Corp.'s federal group in Bethesda, Md., said,
""The nature of the threat to our national security has changed completely in
the information age, and there are products out there that could protect us, but people
don't understand this.''

""This is a clear and present danger to our national defense, and we are not
making the minimum investment required to protect ourselves,'' said another former
high-ranking Pentagon official who worked extensively on systems security.

Government and industry sources said DOD dropped the ball for predictable reasons.
There is no room in the budget for significant new spending. Funding for security programs
has to be reallocated from budgets that already are cut thin. And despite all the
high-blown rhetoric, the danger still is largely theoretical.

""The senior service chiefs basically say, "Well, if it's such a big
threat, why hasn't somebody destroyed us?' And folks on the Hill say, "If it's so
bad, then why isn't the Pentagon requesting funds?' '' the former Pentagon official said.
""So it's a vicious circle. And in the end the services come to the table and
say don't take [the funds] out of my force structure.''

Other observers agreed that was essentially the fate of the $1.2 billion initially
proposed for 1996. Internal Pentagon wrangling brought the amount down to around $700
million; roughly $400 million of that was designated for the Defense Message System. The
remaining $300 million was spread over six years, accounting for the minuscule outlays in
fiscal 1996.

But there are new moves to increase DOD's investment in information security
initiatives. Last month, the Defense Information Systems Agency awarded contracts worth
nearly $1 billion to Computer Sciences Corp., Science Applications International Corp. and
Merdan Group Inc. for its Information Security Technical Services program [GCN,
July 17, Page 4]. Industry observers call it the largest information security buy ever.

And the House Appropriations Committee and the Senate Select Committee on Intelligence
both have instructed DOD to come up with a concrete plan for dealing with the intrusion
threat in the 1997 budget.

Pentagon budget planners are said to be hashing out a new infosec R&D request, also
in the billion-dollar range, for the six years beginning with fiscal 1997.

inside gcn

  • Congressman sees broader role for DHS in state and local cyber efforts

    Automating the ATO

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above