Cyber déjà vu: Wasted dollars

Find opportunities — and win them.

Will cybersecurity become a big hole where we throw dollars? The risk is there and it's real.

That the Pentagon is planning to boost its cybersecurity forces is probably needed and prudent. The cyber threat is getting bigger and more dangerous. I get that.

The details of the plan are sparse, but the Washington Post reported this morning that Cyber Command will grow from about 900 to 4,900. They will be divided into three types of forces. One will protect critical infrastructure, such as the power grid and power plants. The second will be combat mission forces to help commanders plan and execute attacks. And the third will be cyber protection forces to fortify Defense Department networks.

It all sounds logical to me, but I couldn’t help but get a bit of déjà vu as I read the article. I started thinking about some of the spending we saw during the first five years after the Sept. 11 terrorist attacks.

Everyone, it seemed, needed and got homeland security money. But, the question remains, how much value did we receive for that spending?

As I read the Post article, I kept wondering if history is going to repeat itself. Will we see a rush of new money or reprogrammed dollars going to cybersecurity? Will we see agencies bending over backwards to put a cyber tag on projects and programs as a way of protecting funds?

And at the end of the day, will we get any value from the spending?

I’m not criticizing the Defense Department plan per se. I just worry that there will not be the controls and oversight that is needed.

I worry that there will be too much secrecy in how money is spent and what threats are identified and mitigated.

Four or five years from now, will we be scratching our heads saying, "where did it all go"?

I wonder, too, how political will cyber become? Will politicians fear being labeled “weak on cyber” if they don’t support cybersecurity programs? Which, in turn, could lead to wasteful spending.

What I hope happens is that there is a good, strong debate about what the government is doing – not just DOD – and that agencies are required to justify what they spend, and that they are pushed, if not forced, to work together.

I drive through Washington, and I see the proliferation of separate police forces serving various agencies: Amtrak, the Government Printing Office, the State Department, the Pentagon, the Supreme Court, General Services Administration, and the list goes on.

Each can make an argument about how unique and special they are, and why they need their own force, but I still see a lot of waste and redundancy.

At the very least, let’s avoid that with cybersecurity. Or, is it too late already?