On October 28th President Obama signed into law the National Defense Authorization Act for Fiscal Year 2010 (655-page PDF here).
After removing the Department of Energy allotment of $122 million, it appears that the DoD is not gearing up in a major way for cyber defense: only $79 million.
I can only imagine that spending on things like Einstein II and III, a government network IPS solution, is coming from some other budget.
One thing that is missing is the $7 billion that is supposed to be part of the Comprehensive National Cyber Security Initiative.
I will soon be digging deeper to explain all the cyber security numbers that have been reported recently that seem to conflict with the low allocations evident in the Department of Defense Authorization for 2010.
The following are lines I pulled just from the “provisions” section that mention cyber or information security. Of course there is a lot more spending on Information Technology in the Bill.
Since most analysis has focused on the National Hate Crimes Bill that was appended to it, I thought it would be valuable to peruse it for cyber security provisions.
Here they are:
TITLE IX. Sec. 901. Authority to allow private sector civilians to receive instruction at Defense Cyber Investigations Training Academy of the Defense Cyber Crime Center.
§ 2167a. Defense Cyber Investigations Training Academy: admission of private sector civilians to receive instruction
(a) AUTHORITY FOR ADMISSION.—The Secretary of Defense may
permit eligible private sector employees to receive instruction at
the Defense Cyber Investigations Training Academy operating
under the direction of the Defense Cyber Crime Center. No more
than the equivalent of 200 full-time student positions may be filled
at any one time by private sector employees enrolled under this
section, on a yearly basis. Upon successful completion of the course
of instruction in which enrolled, any such private sector employee
may be awarded an appropriate certification or diploma.
(b) ELIGIBLE PRIVATE SECTOR EMPLOYEES.—For purposes of
this section, an eligible private sector employee is an individual
employed by a private firm that is engaged in providing to the
Department of Defense or other Government departments or agencies
significant and substantial defense-related systems, products,
or services, or whose work product is relevant to national security
policy or strategy. A private sector employee remains eligible for
such instruction only so long as that person remains employed
by an eligible private sector firm.
(c) PROGRAM REQUIREMENTS.—The Secretary of Defense shall
ensure that—
(1) the curriculum in which private sector employees may
be enrolled under this section is not readily available through
other schools; and
(2) the course offerings at the Defense Cyber Investigations
Training Academy continue to be determined solely by the
needs of the Department of Defense.
(d) TUITION.—The Secretary of Defense shall charge private
sector employees enrolled under this section tuition at a rate that
is at least equal to the rate charged for employees of the United
States. In determining tuition rates, the Secretary shall include
overhead costs of the Defense Cyber Investigations Training
Academy.
(e) STANDARDS OF CONDUCT.—While receiving instruction at
the Defense Cyber Investigations Training Academy, students
enrolled under this section, to the extent practicable, are subject
to the same regulations governing academic performance, attendance,
norms of behavior, and enrollment as apply to Government
civilian employees receiving instruction at the Academy.
(f) USE OF FUNDS.—Amounts received by the Defense Cyber
Investigations Training Academy for instruction of students enrolled
under this section shall be retained by the Academy to defray
the costs of such instruction. The source, and the disposition, of
such funds shall be specifically identified in records of the
Academy.
For more on the Cyber Defense Academy read about this contract award:
Federal contractor CSC has won a task order worth up to $85 million from the General Services Administration to provide training at the Defense Cyber Investigations Training Academy in Linthicum, Md.
Under the one-year contract, with four one-year options to extend the work, Falls Church-based CSC will develop and teach more than 20 courses on security, law enforcement, counterintelligence, computer forensics and other cybersecurity related topics.
Yikes! $4.35 million per course. Now this could be the interesting provision:
SEC. 931. IMPLEMENTATION STRATEGY FOR DEVELOPING LEAP-AHEAD
CYBER OPERATIONS CAPABILITIES.
(a) STRATEGY REPORT REQUIRED.—Not later than March 1,
2010, the Under Secretary of Defense for Acquisition, Technology,
and Logistics shall submit to the congressional defense committees
a report on a strategy for organizing the research and development
bodies of the Department of Defense to develop leap-ahead cyber
operations capabilities.
H. R. 2647—244
(b) ELEMENTS.—The report required by subsection (a) shall
address the following:
(1) A description of the management structure and investment
review process for coordinating the technology development
of advanced offensive and defensive cyber operations
capabilities—
(A) among the military departments, the Defense Agencies,
the combatant commands, and the intelligence community;
(B) across all levels of classification, including relevant
special access programs; and
(C) based on the identification and prioritization of
joint cyber operations capabilities gaps.
(2) Actions taken and recommendations for further
improving the coordination of research and development of
offensive and defensive cyber operations capabilities among
private sector, interagency, non-governmental, and international
partners.
(3) Assessment of the feasibility and utility of regular
national level, joint, interagency cyber exercises that would
include, to the extent possible, participants from industry, international
militaries, and non-governmental organizations to
assess technologies, policies, and capabilities.
(c) COORDINATION.—The report required by subsection (a) shall
be developed in coordination and concurrence with the Vice Chairman
of the Joint Chiefs of Staff, the Under Secretary of Defense
for Intelligence, the Under Secretary of Defense for Policy, the
Assistant Secretary of Defense for Networks and Information
Integration, the Director of the National Security Agency, and the
commander of the United States Cyber Command.
(d) FORM.—The report required by subsection (a) shall be submitted
in unclassified form, but may include a classified annex.
(e) CYBER OPERATIONS CAPABILITIES DEFINED.—The term
‘‘cyber operations capabilities’’ means the range of capabilities
needed for computer network defense, computer network attack,
and computer network exploitations. Such term includes technical as well as non-materiel solutions.
This seems to be a requirement for creating a report on “leap-ahead” cyber technology, not actually initiating any research.
SEC. 934. STUDY ON THE RECRUITMENT, RETENTION, AND CAREER
PROGRESSION OF UNIFORMED AND CIVILIAN MILITARY
CYBER OPERATIONS PERSONNEL.
(a) REPORT.—Not later than one year after the date of the
enactment of this Act, the Secretary of Defense shall submit to
the congressional defense committees a report assessing the challenges
to retention and professional development of cyber operations
personnel within the Department of Defense.
(b) MATTERS TO BE ADDRESSED.—The assessment by the Secretary
of Defense shall address the following matters:
(1) The sufficiency of the numbers and types of personnel
available for cyber operations, including an assessment of the
balance between military and civilian positions and the availability
of personnel with expertise in matters related to cyber
operations from outside of the Department of Defense.
(2) The definition and coherence of career fields for both
members of the Armed Forces and civilian employees of the
Department of Defense, including the sufficiency of training
and experience levels required, and measures to improve them
if necessary.
(3) The types of recruitment and retention incentives available
to members of the Armed Forces and civilian employees
of the Department of Defense.
(4) Identification of legal, policy, or administrative impediments
to attracting and retaining cyber operations personnel.
(5) The standards used by the Department of Defense to
measure effectiveness at recruiting, retaining, and ensuring
an adequate career progression for cyber operations personnel.
(6) The effectiveness of educational and outreach activities
used to attract, retain, and reward cyber operations personnel,
including how to expand outreach to academic institutions and
improve coordination with other civilian agencies and industrial
partners.
(7) The management of educational and outreach activities
used to attract, retain, and reward cyber operations personnel,
such as the National Centers of Academic Excellence in
Information Assurance Education.
(8) Efforts to establish public-private partnerships to meet
the needs of the Department with respect to cyber operations
personnel and training.
(9) Recommendations for legislative changes necessary to
increase the availability of cyber operations personnel.
(c) CYBER OPERATIONS PERSONNEL DEFINED.—In this section,
the term ‘‘cyber operations personnel’’ refers to members of the
Armed Forces and civilian employees of the Department of Defense
involved with the operations and maintenance of a computer network
connected to the global information grid, as well as offensive,
defensive, and exploitation functions of such a network.
OK, so more people are needed. So, let’s talk money. How much money is provided in the 2010 Defense Authorization Act for Cyber Defense?
027 CYBER SECURITY INITIATIVE 18,188,000.00
Cybersecurity for control networks research (1,700,000.00)
End-user software safeguard research (2,000,000.00)
Informatics research (1,000,000.00)
Information security research (1,500,000.00)
Cyber Attack and Security Environment 4,000,000.00
183 0305103F CYBER SECURITY INITIATIVE 2,065,000.00
163 0305103E CYBER SECURITY INITIATIVE 50,000,000.00
206 0305103D8Z CYBER SECURITY INITIATIVE 993,000.00
207 0305103G CYBER SECURITY INITIATIVE - 0 -
208 0305103K CYBER SECURITY INITIATIVE 10,080,000.00
DOE Cyber Security 122,511,000.00
TOTAL 201,637,000.00



Richard Stiennon, security expert and industry analyst, is known for shaking up the industry and providing actionable guidance to vendors and end users. He recently re-launched the security blog 










