Evaluating a “Cybersecurity Moonshot”
“Moonshot” is a metaphor for bold action to create radical solutions to an immense problem. The concept has garnered popularity as an approach to resolve the seemingly intractable problem of cybersecurity. For cybersecurity, however, the “moonshot” or the sometimes-interchangeable cyber “Manhattan Project” may not be the best models.
First, both the moonshot and the Manhattan Project were relatively focused, short-term efforts aimed at a single and clearly defined objective—land on the moon, explode an atomic bomb. We do not have the same clarity and focus for cybersecurity. Project Apollo, delayed by a tragic fire, took seven years to put people on the moon while the Manhattan Project took three years to build the atomic bomb. Both were well-resourced. It may be possible to match these speeds if the technological objective of the cybersecurity moonshot was clearly defined and if the United States is willing to make the needed investments, but the construct we call cyberspace is the most complex creation ever built by humans. There are entrenched interests fearful of any change, and the politics of a cyber moonshot will be much more daunting.
A cyber moonshot could increase its chances of success if it could identify technologies that would provide wide-ranging improvements for cybersecurity.
Identifying those specific technologies is by itself a significant challenge for research, but without this kind of focus, the chances of a moonshot success are greatly reduced. Apollo and Manhattan had tangible and discrete metrics for success (a bomb, a landing) that will be hard to duplicate for cybersecurity.
Spending is key to the moonshot concept. Both Apollo and Manhattan involved sustained investments in technology to achieve a specific goal. The unwillingness of current Congresses to make sustained, major investments in any project not involving the Department of Defense may be an insurmountable obstacle to repeating the successes of Apollo and Manhattan. Moonshots are not something that can be done on the cheap. Project Apollo cost about $12 billion annually. The Manhattan Project cost roughly $11 billion annually (both figures are in 2018 dollars). An equivalent cybersecurity effort would require serious investments in the billions of dollars for a period of years. A rough approximation would put this at between $50 billion and $100 billion (about 0.3 percent of U.S. GDP). This means real money, not budget tricks (like matching funds). The United States is not short of resources—its national income is six times larger than it was in 1961—but it may be short of the political will needed to commit these resources.
Congress would need to allocate billions of dollars for a period of years (and shield this from later congressional interference) and then develop new organizational processes to allocate resources and to focus and coordinate research by companies and academic researchers. As with the Manhattan Project, the talent needed for progress lies largely outside the federal workforce. The Manhattan Project, while overseen by a military officer, recruited and depended upon civilian scientists with significant stature in the research community. A new organizational structure for a cyber moonshot might copy the Manhattan or Apollo projects and appoint an independent project director who would have discretionary authority to allocate resources and direct research to drive a national effort supported by senior policy and research committees.
A cybersecurity moonshot will need to define the parameters of collaboration with other nations. While Project Apollo was a national effort, the Manhattan Project involved a significant degree of cooperation with a few close allies. A cyber moonshot would need to decide under what conditions international collaboration would occur, how U.S. resources would be shared, and whether it would involve potential opponents, such as China. International cooperation brings related problems, such as the ownership of intellectual property (IP) generated by a new program, but there are many precedents for resolving these issues. As long as the rules for IP do not deter research and are clear and binding from the start, IP need not be a problem.
A better analogy than moonshot for cybersecurity may be the massive investment the United States made in science and technology during the Cold War to achieve military parity with the Soviet Union and then surpass it. Beginning with the Sputnik shock, when the Soviets frightened Americans by orbiting a satellite over North America, the United States spent $1.2 trillion over thirty years. For perspective, this is a little less than we have spent in Iraq and Afghanistan since 2001.
Spending on science and technology averaged about $40 billion annually in the response to Sputnik and peaked in 1989 at $70 billion, funding programs that included basic research, technology development, and investments in education to build a scientific workforce. This open-ended investment provided military superiority, built the technology base that undergirds American prosperity, and educated generations of researchers. The United States is living off this Cold War investment, but not replenishing it. Given the complexity of the problem, cybersecurity will require this kind of sustained, multi-year investment.
Cybersecurity is a public good and radical improvements to it would provide benefits to the global community, but as with any public good there is little incentive for any individual to pay for this effort as they will not make corresponding returns on their investment. Cybersecurity is also a collective action problem, where multiple parties have to act in a coordinated fashion to get a positive outcome. The most effective solution for both the public good and collective action problems is government action, but the role of government is now disputed and debated in ways that would have been unthinkable in 1942 or 1961.
This brief discussion describes the attributes of a viable cybersecurity moonshot: a multiyear, multi-billion-dollar federal investment lodged in some independent, mission-specific agency, led by eminent civilian experts as part of a new kind of government-supported research, with partnerships with other nations, and with the objective of creating technologies that provide broad improvements in cybersecurity. The first test of viability is simple: will Congress allocate the money? The answer to that question determines the viability of a moonshot.
In April 1961, shortly before calling for America to land a man on the moon, President Kennedy asked Vice President Johnson to look into why the Russians were leading in space. Johnson indicated that while America had greater resources, “The U.S.…has failed to make the necessary hard decisions and to marshal those resources to achieve such leadership.” Perhaps one benefit of the moonshot analogy is that it highlights the need for the United States, like Kennedy, to make the hard decisions and marshal the resources that better cybersecurity will require.
James Andrew Lewis is a senior vice president at the Center for Strategic and International Studies in Washington, D.C.
Commentary is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).
© 2018 by the Center for Strategic and International Studies. All rights reserved.