Monday, July 15, 2013

The increasing cyberization of the NDAA

The yearly "National Defense Authorization Act" is the yearly defense budget for the U.S., currently over $600,000,000,000. It also sets defense priorities and authorizes defense related activities. For example, two years ago the NDAA infamously authorized the indefinite detention of American citizens suspected of terrorism (and this year it'll try to regulate the proliferation of cyber-weapons).

In the last few years, "cyber" related topics has exploded. Prior to 2010, the word "cyber" was only mentioned once or twice a year. Since then, the word "cyber" has been mentioned 40 to 80 times each year. This can be seen in the following graph:

The early mentions of the word "cyber" are:
  • 2000 - mentions "cyber security" along with physical security of nuclear facilities
  • 2001 - $5-million to establish an Institute of Defense Computer Security to exchange information regarding cyber-threats, $10-million in loan guarantees to combat cyber-terrorism -- this was passed about a year before 9/11 attack.
  • 2003 - demands a report on how military will respond to terrorism threats, including cyber-terrorism
  • 2008 - demands a report on China's cyber-warfare capabilities, plus more on cyber-terrorism and cyber-threats to nuclear
I'm only doing text searches of the word "cyber". Things like "computer security" are mentioned in previous years. The 1996 NDAA uses "computer security" referencing another act passed in 1987. Whether "cyber" or "computer security" or "network security", as far as I can tell, prior to 2010, all mentions of the subject were about defensive operations.

It's 2010 that I can find the first authorization of offensive cyber capabilities. Every NDAA since has had a complete section devoted to "cyber". Much of the language repeats the previous year's content, reflecting continuing efforts to develop offensive cyber-warfare capabilities.

Note that the "cyber command" or "USCYBERCOM" was created in June 2009, the same month when the 2010 NDAA was drafted. The NDAA doesn't mention USCYBERCOM directly, but I assume the two events go hand-in-hand.

I've collected the links going back each year to 1996 (prior bills don't seem to be available on government website). You can find my spreadsheet with links to the original NDAA texts here (in case you want to replicate my results, or do a better analysis with things like "computer security").


Anonymous said...

FWIW, USCYBERCOM is mentioned in NDAA FY2010:

Sec 931. (c) Coordination.--..., and the commander of the United States Cyber Command.

Anonymous said...

I wonder how many of these people know what the word "cyber" actually means.