Usually, the federal government claims to be spending money efficiently. But on Tuesday, the Pentagon said that it racked up $100 million in cyberdefense costs over a period of six months, raising eyebrows even as the damages related to online attacks mount.
According to U.S. military leaders, the figures include the cost of cleaning up after attacks and of fixing internal errors. The comments came as senior military officials made a case for increased spending on cyberdefense initiatives at the USSTRATCOM Cyberspace Symposium in Omaha, Neb. During the event, Air Force Gen. Kevin Chilton, who heads U.S. Strategic Command, and Army Brig. Gen. John Davis, deputy commander for network operations, urged the government to allocate money before an attack rather than after it.
The news comes as Defense Secretary Robert Gates has signaled a complete overhaul of military spending. While defense firms are worrying whether their weapons programs will be cut, it’s possible that the sweeping change will provide an opportunity for those who want to modernize the military by, for example, improving its data security.
There’s certainly a need, and that need is recognized at the highest levels. Almost exactly two months ago, President Obama ordered a sweeping two-month review of government cyber security procedures after breaches made the case for change.
Julie Ziegenhorn of STRATCOM public affairs confirmed the $100 million number to InternetNews.com. She said the number includes the cost of housing and feeding technicians as well as the cost of training technicians to handle new threats. Each compromised machine, she said, can cost the Pentagon $5,000 to $7,000, without counting the price of people.
“The idea,” she said, “is to do the training ahead of time.”
In the private sector, the cost of data breaches is recognized to be high, but few cases cost $100 million. The most recent annual survey released in February by the Ponemon Institute on the cost of a data breach in 2008 concluded that breaches cost about $200 per record. The survey covered breaches ranging in size from 4,200 records to over 113,000 records, so a breach compromising 113,000 records would cost, according to this data, over $22 million.
But the Ponemon study factors in the cost of lost customers and a lower reputation for a business. The Pentagon is talking only about the IT cost of containing the security breach, making the military’s figure appear high compared to costs in the private sector.
The Ponemon study’s recommendations, however, may provide some suggestions for how the Pentagon can slim down its cybersecurity spending, noting that solutions are available that can solve most of these problems.
“Automated, cost-effective enterprise data protection solutions are now available to secure data both within an organization and among business partners,” the study said. “Centralized management of encryption solutions allows information protection to be aligned with corporate security policies and regulatory or business-partner mandates. A holistic approach to data protection — at rest, in motion and in use — allows security best practices to be automatically enforced throughout the enterprise.”
Of course, security is about people as well as software, and if the Pentagon needs $100 million to train its IT staff, it’s possible that the cybersecurity review, whose conclusions are due any day now, will recommend that the government give STRATCOM the money it’s asking for, and that Gates could also take up Chilton and Davis’s argument.