CHAPTER 9. THE COST OF SECURITY - AN ELUSIVE TARGET
Understanding Security Costs
The total cost of security is a complex interweaving of direct charges and shared, hidden, and opportunity costs that cannot be captured by budget line items or data calls alone. The numbers do not tell the whole story and by themselves can be misleading. They do not account for the costs associated with inefficiency, excessive levels of protection, or lost opportunities. The Commission has tried to capture these less obvious costs, in addition to the conventional ones, in its findings and recommendations in the belief that once identified, security costs can be better managed.
On the basis of information gathered in recent industry studies and our own analysis, it is clear that no one has a good handle on what security really costs. Our accounting systems are not designed to collect security cost data and do not provide the analytic tools necessary to support resource decision making. The Commission discovered early the difficulty of isolating discretionary or controllable security costs from those that are inherently part of the cost of doing business. Virtually every concern, public or private, buys some kind of security protection depending on the nature of the enterprise. To illustrate this point, figure 6 depicts various levels of security as a function of what is being protected. It shows how the classified world of security rests on a substantial underpinning of security resources. Even if there were no classified information or programs, there would still be basic security costs. We would fence off certain areas, put security police on flight lines, put locks on ammunition storage facilities and lock up expensive equipment. Figure 6 also depicts what we see as a building-block approach to security countermeasures in government and industry. The cost of doing business is represented in the four lower boxes. Each successive block requires additional protection and entails additional costs. The examples in each box are not all-inclusive but merely illustrative of the types of information being protected within each category.
Figure 6. Protection by Program Type
Costs in Black and White
Security costs can vary widely depending on the classification or the sensitivity of the work involved. The Commission has received some verifiable data points that can be used to gauge security costs in unclassified programs, acknowledged or collateral programs, and unacknowledged programs (especially those that use cover) (Footnote 26):
o In unclassified programs, direct security costs typically fall within the range of one-half to 1 percent of total operating costs (for government and industry).
o In acknowledged or collateral programs, direct security costs range from 1 percent to 3 percent of total operating costs.
o For unacknowledged programs, costs range considerably higher, from 3 percent to 10 percent of total operating costs. One SAP program manager estimated security costs could be as high as 40 percent of total operating costs. This estimate supports the widespread perception that SAP security costs can be exorbitant compared to acknowledged collateral programs.
Visible and Invisible Security Costs
The cost of security can be depicted as an iceberg having four facets. Two of the facets are visible and therefore more or less quantifiable. The other two are hidden below the waterline and, while difficult to measure, experience suggests they may be very large indeed.
As shown in figure 7, the visible facets of the iceberg are made up of direct and indirect security costs. Together they account for a small percent of the iceberg. Direct costs are quantifiable charges such as labor, equipment and facilities. More difficult to quantify, but still visible, are indirect costs that contractors typically charge as overhead and general and administrative (G&A) expenses. G&A and overhead charges are shared costs and may include, for example, guards who cover several program facilities or corporate security managers who service a number of programs.
Figure 7. The Cost Iceberg
Below the waterline are difficult-to-quantify and comparatively large hidden costs, loosely defined as inefficiency and opportunity costs. The Commission believes that attacking these kinds of costs can yield near-term savings without degrading effectiveness:
As part of a contract to support a Special Access Program, a large defense firm on the west coast must regularly visit a "sensitive" activity in the Boston area. Based on the SAP security plan, which specifies that for cover reasons the contractor must not be associated with the site, the SAP program manager requires that contractor personnel traveling to Boston use circuitous routes by stopping at an intermediate location to change planes.
Recently, another contractor needed to reassign 170 employees to work on a DIA contract. Despite all of their employees' clearances being on record in the Intelligence Community's 4C clearance data base, DIA required new personal history statements from each person and readjudicated each case. After six months, only 32 people had been processed.
With an eye toward the total cost of security, the Commission adopted the following approach:
o Each of the subcommittees (threat, physical/technical, personnel, and information systems security) attempted to identify costs and investigated potential savings in its respective area.
o The staff reviewed cost data in the National Foreign Intelligence Program (NFIP) and DoD budgets (excluding SAPs).
o The staff reviewed the just-completed final report of the NISP Resources Working Group, "Capturing Security Costs in Industry," as well as other recent industry cost surveys.
o The Commission held extensive discussions with industry (including three well-attended roundtable meetings) in addition to meeting with professional associations and public interest groups. We interviewed members of Congress and their staff, senior public officials, and working-level security officers in government and industry, all of whom addressed the security costs of doing business.
"There's No Way To Know How Much We're Spending on Security!"
This oft-heard declaration sums up the feeling of many managers, budget examiners, and members of Congress alike. Frustration in the Congress over the Intelligence Community's inability to justify its security expenditures in terms of the changing threat led to a 0.5 percent reduction in the NFIP in FY 1993. There have been more recent calls for cost clarity and containment. Representative David Skaggs authored language in the FY 1994 Intelligence Authorization Act calling for the Director of Central Intelligence to report to the Intelligence Committees by 31 March 1994 on the cost of classifying documents and a plan for reducing classification-related costs. The Commission believes that establishing a coherent system to capture security costs is crucial to streamlining and cost reduction. While some progress is being made in the NFIP, the DoD, and the NISP, these disparate efforts are not well coordinated and are proceeding far too slowly to offer any hope that a uniform cost accounting methodology is achievable in time to meaningfully capture any of the Commission's cost-impacting recommendations.
The Commission recommends the creation of an ad hoc panel to create a common approach and budget framework for defining and tracking security costs in the DoD, the Intelligence Community, and industry.
Work to Date in the DoD
The DoD has embarked on an ambitious effort to capture security costs using Tactical Intelligence and Related Activities (TIARA) as a model. Under the auspices of the Assistant Secretary of Defense, C3I, the Intelligence Programs Support Group (IPSG) is at work on the so-called CI, SCM, and Related Activities (CISARA) initiative, which attempts to aggregate security costs that are not part of the NFIP. (Footnote 27) A new data base incorporating CISARA as well as NFIP costs will make it possible to identify the cost of security throughout the DoD's Major Force Programs.
Intelligence Community Efforts
The Intelligence Community, under the auspices of the DCI's Community Management Staff (CMS), launched a parallel effort to capture security costs using methods compatible with the DoD's CISARA effort. For the first time, Joint DoD-NFIP Program and Planning Guidance was issued for the FY 1995-99 program build. Included as a part of a Common Budget Framework for programs in the Defense and Intelligence Communities were new security cost categories for NFIP and DoD programmers to follow in building and displaying resources allocated to security. In a follow-on directive signed by the Deputy Director of Central Intelligence, program managers were informed of the Commission's intent to use FY 1995 budget submissions as the primary source of security resource data. Unfortunately, the Commission did not receive usable resource data from all the NFIP programs. The data we did receive are incomplete, inconsistent and not coherently integrated into NFIP-wide cost estimates. As a consequence, the Commission has not been able to do much more than glimpse at the big security cost picture in the NFIP. The Commission's recommendation to create a uniform cost accounting methodology and tracking system should bring about the accuracy, uniformity, and responsiveness currently lacking in the Intelligence Community.
Capturing Security Costs in Industry
There is a commonly held perception in industry that industry has been subjected to indiscriminate, inconsistent, and unnecessary security procedures at costs not commensurate with the risk of compromise or level of threat. The Commission concurs with the NISP's strategy to make security more effective and economical in industry by identifying:
o Cost efficiencies resulting from the development and application of baseline standards.
o Security standards for special activities or programs that exceed baseline standards and are not linked to demonstrable threats.
o Resource impacts of proposed changes in security standards and policies to aid risk-based decision-making.
Capturing security costs in government contracts is generally more difficult than capturing the other security costs, because in industry security costs are frequently carried as indirect charges. There is no separate requirement for industry to report these costs to the government. The NISP tasked a working group (Footnote 28) to develop a measurement tool to determine the cost of security in both baseline and special programs standards and then to identify the most feasible system for monitoring continued data collection.
The NISP's effort to develop cost metrics led to several broad-scope industry surveys that tried to collect security cost data from government contracts. These surveys have had limited success for two primary reasons. First, they unsuccessfully attempted to capture indirect/imbedded costs, such as employee time spent completing personnel security questionnaires, conducting clearance determinations, and escorting visitors. Second, contractors are not required to respond to a survey conducted by a Federal agency. Thus, data calls are unlikely to yield a sufficient number of responses for a representative sampling.
But the surveys have provided information, subsequently validated by independent auditors, that helps size the problem:
o Of the total costs billed to security for both collateral and special programs, 60 to 80 percent is directly attributable to security labor (wages, salaries, and benefits for security managers, document control personnel, guards, and couriers).
o An additional 10 to 30 percent of total security costs are for facility and equipment costs, including buildings, locks, alarms, and security containers.
o The remaining security costs are carried in overhead or G&A and not identifiable as security costs per se.
o Between 10 and 20 percent of contractors doing classified work for the government account for 60 to 80 percent of overall costs billed to security.
Since there are no common accounting practices for industrial security costs, there are huge variances in cost tracking systems used by contractors. The Commission believes that prescribing uniform accounting procedures for industry would be unworkable and unreasonably costly. An independent study by a government organization estimates that for its contractors alone, total start-up costs for a security cost reporting/tracking system would be about $12 million, with an annual recurring cost of about $8 million.
An alternative approach, offered by the NISP and endorsed by a consensus of government and industry security experts, is to focus on direct security labor and facility costs, since these categories constitute approximately 90 percent of costs billed to security by industry. Moreover, these costs can be extracted from contractors' existing accounting systems. Capturing the remaining 10 percent, which is no less important but harder to define, can be accomplished by sampling a small number of major defense firms to gauge trends across the entire business base. This strategy effectively divides costs traceable to security requirements into four categories:
o Routine security costs that would be incurred if there were no Federal Government contracts.
o Visible security costs usually associated with collateral programs and budgeted and controlled by the corporate security organization.
o Those contract-specific security costs for special activities and programs that are under the direct control of program or contract managers.
o Those imbedded costs not identifiable as direct labor that are related to security tasks and regulations and are accomplished by non-security employees and not recorded as security costs.
The Commission endorses the joint government and industry strategy for capturing industrial security costs and recommends that this strategy be incorporated within the new accounting and budget framework for security.
Moving Towards Consistency
Capturing security costs in the DoD, the NFIP and industry consistently and at some reasonable level of detail is essential to baselining security expenditures. Unless all three define costs in a manner that lends itself to subsequent aggregation and analysis on similar program and budget cycles, it will not serve the needs of policymakers and risk managers at all levels who have to make sound security decisions in a resource-constrained environment.
Getting to the Bottom Line - The Payoff Is Long Term . . .
The Commission has made two types of cost-saving recommendations that will directly reduce costs. First, we have suggested ways to lower security costs (eliminating inefficiencies and excessive layers of protection) without degrading the effectiveness of protection. Second, the Commission has offered a number of specific proposals that will lessen the cost of security and reduce levels of protection without jeopardizing security by managing risk. Because our focus has been on systemic problems, the kind that appear below the waterline on the iceberg graphic, there are a number of recommendations where the cost-savings impact will be more gradual but nonetheless significant over the long term. We have not been able to quantify the savings except in very rough terms:
o Overhauling the classification system will have cost-beneficial impacts on virtually every aspect of security. We will be able to integrate our information architectures and exchange people and ideas more efficiently, while protecting secrets effectively. Moreover, if we classify less and declassify more, we will have to clear fewer people, buy fewer safes, and mount fewer guard posts.
o The personnel security system can be streamlined by mandating reciprocity, consolidating functions and encouraging automation. Long-term savings will result from merging investigative organizations for the Defense and Intelligence Communities, reducing investigative lag times, reducing the scope of the SSBI, mandating reciprocity of adjudications, consolidating DoD adjudicative centers, using industrial funding strategies for select security functions, consolidating security forms and establishing a personnel security questionnaire in electronic format.
o Revising physical security requirements will establish standards and ensure reciprocity. Costs can be reduced by eliminating routine industrial inspections, establishing a facility certification and registration system, reducing domestic TEMPEST requirements, discontinuing routine TSCM inspections, and maintaining central data bases for clearances for all of government and industry.
o Introducing effective oversight and discipline into the security communities through the creation of the security executive committee and its supporting staff will reduce costs. So will streamlining the policy coordination mechanism by consolidating several committees and their supporting structures into one cohesive policy management structure.
o Taking full advantage of existing Defense and Intelligence Community training expertise and facilities by pooling resources and coordinating training initiatives is also a cost saver.
o Avoiding conflicting research and development programs will protect critical efforts that track changes in foreign intelligence threats as well as technology while freeing up resources for other priority needs.
. . . With Up-Front Costs in the Near Term
o Start-up costs for a new DoD-Intelligence Community badge system are estimated at $3 million. However, the benefits of increased efficiency and productivity savings suggest that the system could pay for itself in one year.
o Increasing our investment in information systems security will be expensive in the short run. However, the consequences of a security breakdown in this area are so critical and far-reaching that committing additional resources is only prudent.
The Bottom Line
The Commission was not given a cost reduction target, and without being able to define costs precisely, meeting one would have been nearly impossible in any case. Nonetheless, the Commission believes that its recommendations can lead to net long-term savings. Furthermore, we believe there needs to be a sound resource strategy that:
o Links security countermeasures and costs to realistic threat assessments and risks.
o Provides a financial blueprint to guide resource allocation and establishes top-level policy direction and control over security expenditures.
The Commission recommends that the Secretary of Defense and the Director of Central Intelligence develop a long-term resource strategy for security.