Public Funds, Private Interest
The Role of Private Companies in Shaping US Cybersecurity Policy
This paper compares current cybersecurity policy with the Cold War military industrial complex to understand how links between the private cybersecurity industry and government impact federal policy.
Collectively driven by increased awareness of cyber threats, fear of snooping by government agencies, and growth in intelligence budgets, the private cybersecurity industry has recently exploded. Global cybersecurity spending is predicted to hit $90 billion in 2018 and grow at an annual rate of above 20% to $232 billion by 2022.
Along with industry expansion, connections between private cybersecurity firms and the government have multiplied. Government intelligence agencies have enlisted the services of private companies for everything ranging from espionage operations to the development of offensive capacities. However, as government and industry deepen their ties, it becomes increasingly possible for misalignment between public and private interests to drive policy in the wrong direction. Given that US cybersecurity strategy is currently ill-defined and malleable, missteps could have impacts for decades. Nevertheless, collaboration between government and industry is also in its infancy, so the nature of public-private relations has yet to solidify. This means that is still time for the government to change course.
This paper will analyze the evolving relationship between government agencies and private sector cybersecurity firms in four parts. The first will explore the forms of government contact with the broader cybersecurity marketplace. The second will consider historical connections between the defense establishment and private companies – the Cold War military-industrial complex and the use of private military contractors (PMCs) since the late-90s – as a template for potential policy risks associated with a modern alliance between defense and industry. The third will examine how that public-private cybersecurity connections are distinct from previous military-industrial linkages and analyze the policy implications of those distinctions. The last section will offer some ways to leverage the advantages of the private sector while minimizing harm.
II. Government Contact with the Cybersecurity Industry
Government agencies have developed ties with the cybersecurity industry in two main ways. First, agencies have spurred demand for information security technology both directly, through government contracts, and indirectly, by encouraging investment by the private sector. Second, a revolving door between government and the private sector has packed corporate boardrooms and staff ranks alike with former intelligence and defense personnel.
With growing national security threats and opportunities in cyberspace, members of the defense and intelligence communities have emphasized the need to both secure US critical infrastructure and develop offensive cyber capacities. In response, Congress has approved growing budgets for cyber defense, allowing millions of dollars to go to contractors. More recently, the Pentagon requested $8.5 billion for “cybersecurity-related activities,” while in the FY 2019 budget President Trump called for $15 billion in total cybersecurity spending, a 4% increase over fiscal year 2018 requests. Growth in government demand for private cybersecurity services has directly fueled the industry’s expansion by causing the government to outsource a sizable share of its spending to private contractors. Indeed, in DC, where most contractors are located, almost 24,000 new cybersecurity job openings were posted in 2015, about double that of the next highest region.
Government investment in cybersecurity has also indirectly led to market expansion. First, the shifting composition of federal budgets during the 8-year Obama administration in favor of cyber, encouraged large defense contractors to invest more in information security. Despite the overall shrinking of military spending, investment in cybersecurity significantly grew. In response, big tech-centered defense contractors like Boeing, Raytheon, and even consultancy Booz Allen Hamilton have created cybersecurity branches. Seeking to win contracts with innovative new tools, these larger companies have continued to acquire boutique firms offering custom software with narrow applications. Although the Trump administration won a substantial increase in defense spending as part of a February 2018 budget deal, those increases may be temporary, given that ten-year spending caps imposed by the 2011 Budget Control Act remain in place and could force steep cuts at the end of the decade. Therefore, cybersecurity offers a more stable source of demand for contractors than traditional spending.
Second, greater government interest in network defense suggests to private firms that cyber threats are widespread, meaning they should invest in their own cybersecurity capacities. While increasing their own cyber spending, federal agencies have published recommendations on how firms should bolster their defenses. For example, Obama’s 2013 executive order commissioning a framework for critical infrastructure protection stated that the government should “provide guidance” on which commercially-available cybersecurity services companies should buy. The Trump administration has pursued continuity with Obama-era policies, and in its 2017 National Security Strategy urged coordinated responses to major threats in both the private and public sectors. Additionally, the intelligence community has invited private firms to attend classified briefings informing them about emerging cybersecurity threats. According to one NSA official, the meetings aim to “scare the bejeezus out of them.” Frightened CEOs then turn to cybersecurity companies for help. The Chief Security Officer of Mandiant, a private security outfit, alleged that executives often buy the firm’s products after attending classified NSA briefings. Federal policy decisions guide the industry’s scale and composition, so firms within the market have a clear profit interest in the government’s cyber strategy. That is not to say, however, that government officials are distorting the scale of cyber threats for private sector benefit. Scare tactics are often necessary to convince recalcitrant executives to make necessary upgrades. However, the outsized effect of federal policies on this industry risks creating real or perceived conflicts of interest.
Many top cybersecurity firms are led by experts who once held high-level posts within law enforcement and intelligence agencies. Endgame, for example, sells zero day vulnerabilities and global maps of network weaknesses almost exclusively to government agencies. Its board includes former NSA chief Kenneth Minihan and is chaired by Christopher Darby, the current CEO of the CIA’s venture capital arm. CrowdStrike, a cyber forensics firm, boasts two former FBI officials as top executives – CEO Shawn Henry, former chief of worldwide cyber investigations, and the company’s general counsel, who served as the deputy head of cyber for the Bureau. Many other senior administrators with experience in intelligence and defense sit on corporate boards or serve as executives at major cybersecurity firms.
The revolving door between government and the private sector exists for lower level employees as well. Some ex-hackers found their own companies. For example, Brendan Conlon, a Naval Academy graduate who worked as a hacker for both the NSA and CIA, recently founded Vahna, a firm that publicizes its employees’ time working for government agencies. One former NSA official suggests that the best private security companies are founded by members of the “SIGINT” community, who apply the hacking skills they acquired during their time in government to assess system vulnerabilities and respond to breaches. Large defense firms are especially interested in acquiring startups founded by former intelligence community members to secure contacts within the CIA, NSA, and the Pentagon. Knowing that big companies will scramble to buy their startup, government employees become more likely to move to the private sector.
Lastly, even if government employees do not start their own company, they frequently move to the private sector with their training in hacking techniques. Though government agencies have taken pains to recruit technically skilled employees to work in their security and hacking divisions, the government lacks the resources to pay competitive salaries compared to the private sector. As a result, many military and intelligence personnel transition to industry work after receiving government training. The cycle has become so predictable that agencies now only plan to keep new hires for a few years.
Thus, almost all sectors of the cybersecurity industry have at least some form of contact with government. Private firms have an interest in shaping government cybersecurity policy for their benefit, and these firms may have a unique ability to do so based on these widespread connections. Of course, the revolving door between government and the private sector is not limited to the cybersecurity industry. However, this dynamic presents unique risks in the cyber sphere, given the differences between public and private interests in the cybersecurity industry and several unique characteristics of public-private relations on cybersecurity issues. The next two sections explore those concerns.
III. The Cyber-Industrial Complex – Lessons from the Cold War and Private Military Contractors
Relationships between the defense establishment and industries that seek government influence are hardly a new phenomenon. Throughout the Cold War, policymakers faced a military-industrial complex, where government demand for military goods and services propped up a lucrative defense contracting industry. In turn, this industry lobbied Congress and the Pentagon for ever-increasing levels of spending. More recently, during the 2003 invasion of Iraq, the Pentagon hired PMCs for operational support. Common challenges between those two episodes demonstrate how ties between the cybersecurity industry and government could negatively impact policymaking.
A. Increasing Costs and Threat Inflation
From the beginning of the Cold War, connections between private contractors and government encouraged policymakers to overstate Soviet threats and waste money on unnecessary military buildup. A classic example is Eisenhower’s attempt to downsize the B-70 bomber program during his first term. The bomber program involved contracts with thousands of private firms, with production so dispersed that a majority of congressmen had at least one important supplier in their districts. Immediately after announcing the cuts, Eisenhower met fierce opposition from Congress, which accused him of jeopardizing American national security by letting the Soviets outpace American airpower. Eventually, Eisenhower caved and reinstated the program. Air Force officials later testified that claims of a “bomber gap” were invalid, since US capabilities far exceeded those of the USSR. Private contracting had introduced new benefactors of military spending with considerable leverage over policymakers. To justify higher expenditures that kept contractors’ factories running, lawmakers manufactured exaggerated threats.
The use of PMCs has also created the potential for overstating threats. Over 60 firms serviced contracts worth billions of dollars during the Iraq War, carrying out many crucial combat operations. However, much of the stated pretense for the Iraqi invasion was unfounded – the Bush administration’s claims that Hussein helped plan 9/11 and that the Iraqi government was nearing the acquisition of nuclear weapons ultimately proved incorrect. It is beyond the scope of this article to speculate on whether the connections between top officials and private beneficiaries of the war – most notably Dick Cheney and Halliburton – motivated the administration to distort the Iraqi threat for financial gain. However, the perception that those ties influenced the invasion undermined the administration’s credibility and damaged Bush’s Iraq policy.
These incidents suggest two related concerns for cybersecurity policy: cybersecurity industry players may encourage government officials to overstate the risk of cyber-attacks for private gain, or the public will perceive that they are doing so.
There is already evidence that industry interests have outsized influence in national conversations. Former intelligence personnel with a financial stake in private contractors use their credentials as ex-government officials to support extensive cyber operations. After the Snowden disclosures, some of the most stalwart defenders of NSA snooping had both impressive government credentials and deep financial stakes in the agency’s contractors. Stewart Baker, former NSA general counsel who testified before Congress claiming that cutting back PATRIOT Act surveillance programs would help terrorists, now lobbies for NSA contractors including SAIC and the Computer Sciences Corporation. Jack Keane, a former four-star general who defended the NSA’s programs on cable news, is also a board member of the NSA contractor General Dynamics. Retired General Wesley Clark emphasized the need for the PRISM program while simultaneously taking payments from a private equity firm with substantial financial stake in NSA contractors. Of course, there is nothing wrong with former top brass opining about what they consider important defense issues. However, given that officials enjoy a privileged place in national security conversations, conflicts of interest potentially open up avenues for abuse and may cause speculation about corruption.
Relationships between local governments and private firms may prevent elected officials from checking threat inflation. From Maryland to Texas, local and state governments have designed tax incentives and run advertising campaigns seeking to create a “cyber Silicon Valley.” Some have even used tax dollars for direct investment in startups. If tech firms set up shop in regions desperate to keep the jobs they provide, then the congressional representatives from those areas will likely lobby extensively for greater government funds devoted to cybersecurity. Representatives of cybersecurity districts may warn of a B-70 bomber-style “cyber gap” as an excuse to spend more on firms with local power.
The notion that the cybersecurity industry can influence public threat perception through multiple channels is worrying. Given current trends and cybersecurity’s rapid growth, there is a risk of creating even more problematic relationships in a poorly-understood industry. Besides leading to wasteful and unnecessary spending, an overemphasis on threats could prevent policymakers from properly assessing tradeoffs between security and other interests such as Internet freedom and governance. Even if private actors do not put pressure on policymakers to distort threats for personal gain, the appearance of close ties between industry and government can create perceived conflicts of interest. This might in turn lower trust in government and limit officials’ ability to craft constructive policy.
However, despite similarities, the risks of malignant cyber threat inflation and massive government waste are lower than during the Cold War or the invasion of Iraq. First, apparent overstatement of cyber threats is at least partially due to the fact that many do not take threats seriously enough. Therefore, apparent threat inflation may be more indicative of attempts to increase stakeholder attention on an important issue than private sector manipulation of government policy. Second, powerful private interests have an incentive to counter the cybersecurity industry’s threat narrative. Large tech companies recognize that overstating the cyber threats may encourage Congress to mandate that companies meet certain cybersecurity baselines. Since those firms want to avoid burdensome regulation, they have an incentive to lobby lawmakers and make cyber threats seem less severe.
Even if public-private ties do not drive unnecessary spending, they can drive up costs and make it more difficult for governments to provide necessary services.
Theoretically, private contracting lowers government costs by leveraging the competitive forces of the market. Federal agencies can allow firms to bid against each other and award the contract to the company that makes the best offer. However, when firms have government ties, it becomes easier to spend money by lobbying to win more lucrative contracts rather than offering the best one. During the Cold War, private contracts were the products of political negotiation, not competitive bidding, so the firms with the best lobbyists secured the most lucrative contracts. The Pentagon sometimes passed over firms offering the lowest price to grant awards to the firm whose “turn was next.” That process both increased costs by granting contractors monopoly power and privileged firms that already had connections in the system.
The use of PMCs increased costs in other ways. By offering salaries that exceeded military pay, contractors lured talented soldiers into the private sector. Then, the contractors sold their services to the government at a higher per-soldier cost to cover their overhead.
It is possible that links between the cybersecurity industry and government could create similar inefficiencies. First, former government workers now working as contractors can leverage connections to negotiate deals, even if they do not offer the best package. Second, as traditional defense contractors pivot towards the cybersecurity market, they may use their status as trusted collaborators to win awards over more competitive firms. The fact that many of the biggest cybersecurity contractors are companies with longstanding connections to the intelligence community could raise suspicions that the most entrenched firms, and not necessarily the best, receive government funds. Also, cybersecurity contracts may require that companies have security clearance, limiting the pool of competitors to insiders.
Third, cybersecurity firms poach the best technical personnel from government. If federal agencies contract government-trained hackers at a higher cost, then the government ends up paying more for an identical service. Already, some agencies, unable to keep sufficiently skilled technicians away from the private sector, plan on contracting with cybersecurity firms who hire government-trained personnel. Although the government should leverage its own monopoly power to bring down prices and maximize efficiency, current trends suggest that the influence of private firms will serve to increase their margins and waste federal funds.
C. Differing Roles and Constraints
Even when the government and the private sector carry out similar functions, they occupy different roles and face different constraints. Those distinctions become clear when examining the PMC industry. Private contractors are just that: private. This means they can perform tasks that governments are either legally or politically constrained from doing. Relying on PMCs to carry out combat operations reduces the danger faced by US service members, thereby lowering the political barriers to conflict. Additionally, PMCs are not subject to congressional constraints – for example, the Bush administration used PMCs to circumvent limitations on US military involvement in the Colombian civil war.
While the US has used PMCs to expand its operational flexibility, contractors are in no way beholden to American interests. PMCs have worked with dictatorships, drug smugglers, and al-Qaeda-linked terrorist organizations. By increasing demand for PMCs, US operations in Iraq encouraged investment in startups and the expansion of existing firms. As operations in Iraq wind down, those firms need new customers – and there is no guarantee that Washington will like them.
US demand for privately-produced cyber weapons and security products raises similar concerns. First, private tools can provide ways for governments to evade legal prohibitions on certain cyber techniques. For example, while CrowdStrike CEO Shawn Henry worked at the FBI, he developed technology to remotely monitor a target’s computer undetected. However, the FBI needed a court order to use the technology. At CrowdStrike, he uses a similar tool, but, as a private entity, he can deploy it without going to court. In an attempt to indict WikiLeaks’ founder Julian Assange, the Justice Department organized a group of small cybersecurity firms, mostly tied to the public-sector security community, to dig up dirt. The group planned to launch an intimidation campaign against WikiLeaks’ followers and discredit the organization by tricking it into publishing fake documents. If performed directly by part of the federal intelligence community, such tactics would spark outrage. While that operation failed, it suggests that, by unloading dirty work onto private companies, the government could skirt political and legal barriers. That may seem like an attractive option in the short run, but in the long run it risks eroding public trust and landing intelligence agencies in even greater legal trouble once laws catch up with technological innovation.
Second, the US government has no guarantee that cyber weapons firms will not peddle their wares to countries that threaten American interests. For example, the Mubarak regime and the Bahraini government cracked down on political dissidents allegedly using software purchased from Gamma, a UK firm. US-based Blue Coat has sold Deep Packet Inspection, a technology used to censor journalists and track down dissidents, to Syria, Myanmar, Egypt, Qatar, China, and Venezuela, all countries with spotty human rights records.
At first blush, given that the US government does not deal with these companies, it seems that US connections to the cybersecurity industry have no bearing on the development of a worldwide network of cyber mercenaries. While demand from authoritarian regimes for surveillance products would exist regardless, US reliance on private firms to build cyber weapons compounds the problem in two ways. First, demand from the US government increases the size of the market. This is an issue in the market for zero-day exploits, cyber-attacks that exploit previously-unknown technical vulnerabilities. When the US pays millions in government contracts for zero-day exploits, it encourages more companies to enter the business, some of which will inevitably sell to whoever wants to buy. Second, by buying exploits from private companies, the US legitimizes an international cyber arms market. That makes adversaries more likely to brazenly seek out private firms to meet their intelligence needs. An unregulated international trade in cyber vulnerabilities leads to the proliferation of offensive capabilities, multiplying the threats that the US will face in the future.
IV. Unique Characteristics
While many challenges look similar to those arising from past public-private relationships, several unique characteristics of the cybersecurity industry create new dynamics.
First, government dealings with the cybersecurity industry are subject to higher levels of secrecy than most other public-private relationships. The intelligence community hides its contracts behind a shroud of hyper secrecy. One of the documents in the Snowden dump emphasizes the importance of preventing any association between the NSA and one of its contractors, the Computer Sciences Corporation. Similarly, in 2010, Endgame’s modus operandi relied on avoiding any mention in media at all, let alone in relation to the NSA. In this context, intelligence contractors often have better knowledge of the government’s projects than lawmakers, meaning they can use their inside scoop to lobby Congress and win even more contracts. As a result, it is difficult to conduct an appropriate cost-benefit analysis of the tradeoffs associated with existing ties.
Second, the cybersecurity industry has other customers besides the government. While PMCs and defense contractors can only sell their services to government agencies, most cybersecurity firms can market and develop products for the private sector as well. Therefore, the size, scope, and composition of the cybersecurity industry is largely determined by factors outside the government’s control. On the one hand, that means the government may have trouble reversing any negative effects of the industry on policy. If a strong cybersecurity industry causes poor government policy, rather than the other way around, then improvements in protocol surrounding agencies’ relationships with industry will not have much of an effect. On the other hand, if firms are participants in a broader private cybersecurity industry, then they will have to adjust their behavior to market realities. For example, if firms encourage government to adopt policies that lead to artificial demand for cybersecurity products, then they risk creating a bubble that would hurt them financially if it bursts. Therefore, firms either avoid extensive lobbying for unnecessarily favorable policies, reducing their distortionary effect, or they engage in such lobbying and weaken their influence in government in the long run once the bubble bursts. Additionally, companies may have less of an incentive to engage in the sorts of problematic rent-seeking behavior explored earlier. If they cannot win government contracts, instead of spending millions on lobbying campaigns, firms might just look for customers in the private sector.
Finally, contracting may stymie vital information sharing. During the Cold War and the Iraq invasion, the Department of Defense could hire a single contractor (or group of contractors) to complete a single product or mission. The intelligence and defense establishment have largely replicated this model – single firms produce discrete software tools that the agencies subsequently integrate into their operational doctrine. However, in doing so, agencies lose the ability to work collaboratively and share information to solve important security problems. In fact, with most contractors in direct competition with one another, firms are likely to guard their methods as proprietary secrets. In the current system, the only way contractors can integrate their teams to work on a single project is if one firm buys out another. But that, in turn, reduces competition in the industry as a whole, which can also stifle innovation.
While certain characteristics of the cybersecurity industry allow it to self-correct for some of the negative policy effects of public-private ties, the government must take additional steps to be able to eliminate them all.
V. Ways to Mitigate the Threat
The government benefits from contact with the private cybersecurity sector – contractors allow the intelligence community to tap into the industry’s innovative power and give agencies the flexibility to temporarily increase the size of its workforce for time-sensitive projects. Therefore, policymakers should make changes that retain those benefits while minimizing the costs.
First, government agencies should rely less on contractors and more on public-private partnerships to develop new technologies. For example, after Google told the NSA that hackers in China breached their networks, the NSA drafted a “cooperative research and development agreement” where the government and a firm collaborate to develop a new product. The government fronts the R&D costs, while the company participates in the development phase and has the right to patent and build the product designed. In addition, the government can “use any information gained from the collaboration.” This sort of agreement allows the government to access the productive capacities of the private sector, but reduces superfluous spending. While under a traditional contract, a firm gets paid so long as it produces a desired product, under a public-private partnership such as the one formed between the NSA and Google, the firm only profits if they produce a useful tool that someone is willing to buy. Therefore, under this less traditional agreement, firms have no incentive to engage in completely spurious projects without any commercial value. Additionally, all tax dollars go directly towards research and development, eliminating the increased costs resulting from the markup rate that firms would charge the government under a traditional contract. Lastly, a less reliable stream of payments reduces the incentives for big contractors to acquire smaller ones and develop monopoly power in the industry, increasing the number of competitors in the industry and encouraging innovation.
Second, the government should try to bolster its in-house cybersecurity capacity. If it can provide more of the services it needs on its own, then it can limit the prevalence and influence of cybersecurity contractors on policy. To do so, all agencies should include a non-compete clause in their employment contracts that prevents former employees from being hired back in a contracting role for a certain period of time. Moreover, agencies should consider adding incentives to stay in government. Additional compensation would be a start, but government needs to find an incentive that is unique from the private sector, such as the intangible benefits of public service or additional prestige.
Third, when the US does need to use contractors, it should improve its protocol for awarding contracts. Agencies should implement mechanisms to fast track approval of security clearances to allow more firms to compete in the bidding process, allowing the government to drive down the cost of securing contracts.
Fourth, the government should negotiate multilateral agreements to prevent the export of cyber weapons systems to countries on the arms export blacklist for NATO, the US, and the EU. The EU and the US have already banned the export of surveillance technology to Iran and Syria, but efforts should go further. However, such an initiative faces two challenges. First, “cyber weapons” are difficult to define, given the overlap between offense and defense in the cyber sphere. Second, it seems almost impossible to control the cross-border flow of software over the Internet. Despite these challenges, a ban would at least discourage large firms in Western countries from selling to rogue regimes. Since those companies likely offer the best products, a ban would succeed in limiting the proliferation of advanced cyber technologies to adversarial actors.
Finally, public and private actors alike should make efforts to increase transparency. Expanding in-house capacity and reducing reliance on contracts should make intelligence and defense agencies more accountable to the public. However, the best way to hold agencies accountable is to subject them to greater scrutiny. When former government officials make statements, media outlets and lawmakers should investigate and report their financial conflicts of interest. Then, policymakers can evaluate whether the speaker’s testimony is biased, enabling nuanced debate on US cyber threats. When intelligence agencies or the Pentagon request more money for cybersecurity, they should disclose, at least to Congress, specific details about how that money will be spent. That disclosure should make it easier to identify unnecessary spending, parse out corporate interests, and prevent agency officials from awarding contracts based on connections instead of merit, making bidding processes more competitive. Of course, some aspects of intelligence ought to be kept secret. But it is impossible to make informed policy judgments without some understanding of where money goes.
 "Cybersecurity Market by Solution (IAM, Encryption, DLP, UTM, Antivirus/Anti-Malware, Firewall, IDS/IPS, Disaster Recovery, DDOS Mitigation, SIEM), Service, Security Type, Deployment Mode, Organization Size, Vertical, and Region - Global Forecast to 2022." Markets and Markets Research. July 2017. Accessed April 18, 2018. CAGR from author’s calculations.
 Talbot, Daniel. "The Cyber Security Industrial Complex." MIT Technology Review. December 06, 2011. Accessed May 09, 2016.
 Robertson, Jordan, and Michael Riley. "US Contractors Scale Up Search for Heartbleed-Like Flaws." Bloomberg. May 2, 2014. Accessed May 08, 2016.
 Bamford, James. "NSA Snooping Was Only the Beginning. Meet the Spy Chief Leading Us Into Cyberwar." Wired Magazine. June 13, 13. Accessed May 09, 2016.
 United States. White House. Office of Management and Budget. Analytical Perspectives, Section 21: Cybersecurity Funding. Washington, DC: US Government Publishing Office, 2018. 273-87.
 Fox-Brewster, Thomas. "Embracing The Awful Irony At A Huge Counter-Terrorism Fair In Paris Days After ISIS Attacks." Forbes. November 22, 2015. Accessed May 09, 2016.
 Sorcher, Sara. "The Race to Build the Silicon Valley of Cybersecurity." The Christian Science Monitor. December 2015. Accessed May 09, 2016.
 Bamford, “NSA Snooping.”
 Byrt, Frank. "U.S. Defense Contractors Are Scrambling To Fill Massive Cyber Security Contracts." Business Insider. November 19, 2010. Accessed May 09, 2016.
 O'Brien, Connor. "Military Hawks Win Big in Budget Deal — for Now." Politico, February 9, 2018. Accessed April 18, 2018.
 Exec. Order No. 13636, 3 C.F.R. (2013).
 Fazzini, Kate. "Under Trump, Some Subtle Cybersecurity Changes." The Wall Street Journal, December 13, 2017. Accessed April 18, 2018.
 United States. The White House. National Security Strategy of the United States of America. 2017.
 Harris, Shane. War the Rise of the Military-Internet Complex. Boston, Mass.: Houghton Mifflin Harcourt, 2014. 180.
 Ibid, 180.
 Harris, @War, 104.
 Greenberg, Andy. "Inside Endgame: A Second Act For The Blackwater Of Hacking." Forbes. February 12, 2014. Accessed May 09, 2016.
 Harris, @War, 109.
 Benner, Katie. "Cybersecurity's Money Men." The Information. January 21, 2014. Accessed May 9, 2016.
 Harris, @War, 121.
 Ibid, 120.
 Ibid, 223.
 York, Herbert. Race to Oblivion: A Participant's View of the Arms Race. Simon and Schuster, 1971. Accessed May 11, 2016, 53.
 Brito, Jerry, and Tate Watkins. "Loving the Cyber Bomb? The Dangers of Threat Inflation in Cybersecurity Policy." Harvard National Security Journal 3 (2011): 39-84. Accessed May 11, 2016. HeinOnline. 66.
 Singer, Peter. "Outsourcing War." Foreign Affairs 84, no. 2 (March/April 2005): 119-32. 122.
 Brito and Watkins, "Loving the Cyber Bomb?,” 43.
 Martha Minow, Outsourcing Power: How Privatizing Military Efforts Challenges Accountability, Professionalism, and Democracy, 46 B.C.L. Rev. 989 (2005), vol46/iss5/2.
 Fang, Lee. "Many of the NSA's Loudest Defenders Have Financial Ties to NSA Contractors." The Intercept. May 12, 2015. Accessed May 11, 2016.
 Sorcher, “The Race to Build the Silicon Valley of Cybersecurity.”
 Etzioni, Amitai. "The Private Sector: A Reluctant Partner in Cybersecurity." Institute for Communitarian Studies, December 19, 2014.
 Markusen, Ann. "Defense Spending: A Successful Industrial Policy?" International Journal of Urban and Regional Research 10, no. 1 (1986): 105-22. Accessed May 11, 2016.
 Adams, Walter. "The Military-Industrial Complex and the New Industrial State." The American Economic Review 58, no. 2 (May 1968): 652-65. 658.
 Singer, “Outsourcing War,” 129.
 Chesterman, Simon. "‘We Can't Spy …If We Can't Buy!’" European Journal of International Law 19, no. 5 (November 2008): 1055-071.
 Harris, @War, 223.
 Singer, “Outsourcing War,” 126.
 Ibid, 125.
 Seabrook, John. "Network Insecurity." The New Yorker. May 20, 2013. Accessed May 11, 2016.
 Ibid, 115. The collaboration dissolved in 2011 when Anonymous hacked into one of the coordinators’ emails and released correspondences about the group’s plans.
 Keating, Lucy. "Surveillance: A Thriving British Industry." The Bureau of Investigative Journalism. December 01, 2011. Accessed May 11, 2016.
 Reporters without Borders. Enemies of the Internet. Publication. 2013. 7.
 Bamford, “NSA Snooping Was Only the Beginning. Meet the Spy Chief Leading Us Into Cyberwar.”
 Shorrock, "How Private Contractors Have Created a Shadow NSA."
 Greenberg, “Inside Endgame.”
 Chesterman, "‘We Can't Spy …If We Can't Buy!’"
 Some commentators think government policies might create a bubble. See Harris, @War, 122; for evidence that the value of cybersecurity firms has declined in the last year, see King, “Under Pressure, Cybersecurity Ripe for M&A This Year.”
 Naturally, none of those principles strictly hold – look no further than the success of IT lobbyists in recent years to win government money. See Brito and Watkins, "Loving the Cyber Bomb?,” 69.
 Chesterman, “We Can’t Spy…If We Can’t Buy!”
 Harris, @War, 175.
 The CIA already does this: see Chesterman, “We Can’t Spy…If We Can’t Buy!”
Adams, Walter. "The Military-Industrial Complex and the New Industrial State." The American Economic Review 58, no. 2 (May 1968): 652-65.
Bamford, James. "NSA Snooping Was Only the Beginning. Meet the Spy Chief Leading Us Into Cyberwar." Wired Magazine. June 13, 13. Accessed May 09, 2016. https://www.wired.com/2013/06/general-keith-alexander-cyberwar/.
Benner, Katie. "Cybersecurity's Money Men." The Information. January 21, 2014. Accessed May 9, 2016. https://www.theinformation.com/cybersecuritys-money-men.
Byrt, Frank. "U.S. Defense Contractors Are Scrambling To Fill Massive Cyber Security Contracts." Business Insider. November 19, 2010. Accessed May 09, 2016. http://www.businessinsider.com/obama-is-spending-a-ton-on-defense-spending-in-cyber-security-2010-11.
Chesterman, Simon. "‘We Can't Spy …If We Can't Buy!’: The Privatization of Intelligence and the Limits of Outsourcing ‘Inherently Governmental Functions’." European Journal of International Law 19, no. 5 (November 2008): 1055-071.
Chief Financial Officer, Office of the Undersecretary of Defense (Comptroller). Defense Budget Overview: US Department of Defense Fiscal Year 2017 Budget Request. Washington, D.C.: Department of Defense, 2016.
"Cybersecurity Market by Solution (IAM, Encryption, DLP, UTM, Antivirus/Anti-Malware, Firewall, IDS/IPS, Disaster Recovery, DDOS Mitigation, SIEM), Service, Security Type, Deployment Mode, Organization Size, Vertical, and Region - Global Forecast to 2022." Markets and Markets Research. July 2017. Accessed April 18, 2018.
Etzioni, Amitai. "The Private Sector: A Reluctant Partner in Cybersecurity." Institute for Communitarian Studies, December 19, 2014. https://icps.gwu.edu/private-sector-reluctant-partner-cybersecurity.
Exec. Order No. 13636, 3 C.F.R. (2013).
Fang, Lee. "Many of the NSA's Loudest Defenders Have Financial Ties to NSA Contractors." The Intercept. May 12, 2015. Accessed May 11, 2016. https://theintercept.com/2015/05/12/intelligence-industry-cash-flows-media-echo-chamber-defending-nsa-surveillance/.
Fazzini, Kate. "Under Trump, Some Subtle Cybersecurity Changes." The Wall Street Journal, December 13, 2017. Accessed April 18, 2018.
Fox-Brewster, Thomas. "Embracing The Awful Irony At A Huge Counter-Terrorism Fair In Paris Days After ISIS Attacks." Forbes. November 22, 2015. Accessed May 09, 2016. http://www.forbes.com/sites/thomasbrewster/2015/11/22/paris-hosts-milipol-homeland-defense-expo-after-isis-attacks/#7fc15fc97da6.
Greenberg, Andy. "Inside Endgame: A Second Act For The Blackwater Of Hacking." Forbes. February 12, 2014. Accessed May 09, 2016. http://www.forbes.com/sites/andygreenberg/2014/02/12/inside-endgame-a-new-direction-for-the-blackwater-of-hacking/#5da8ea7a52d9.
Harris, Shane. War the Rise of the Military-Internet Complex. Boston, Mass.: Houghton Mifflin Harcourt, 2014.
Keating, Lucy. "Surveillance: A Thriving British Industry." The Bureau of Investigative Journalism. December 01, 2011. Accessed May 11, 2016. https://www.thebureauinvestigates.com/2011/12/01/surveillance-a-thriving-british-industry/.
King, Rachel. "Under Pressure, Cybersecurity Market Is Ripe for M&A in 2016." The Wall Street Journal. February 29, 2016. Accessed May 08, 2016. http://blogs.wsj.com/cio/2016/02/29/under-pressure-cybersecurity-market-is-ripe-for-ma-in-2016/.
Markusen, Ann. "Defense Spending: A Successful Industrial Policy?" International Journal of Urban and Regional Research 10, no. 1 (1986): 105-22. Accessed May 11, 2016. http://dx.doi.org/10.1111/j.1468-2427.1986.tb00007.x.
Martha Minow, Outsourcing Power: How Privatizing Military Efforts Challenges Accountability, Professionalism, and Democracy, 46 B.C.L. Rev. 989 (2005), vol46/iss5/2.
O'Brien, Connor. "Military Hawks Win Big in Budget Deal — for Now." Politico, February 9, 2018. Accessed April 18, 2018.
Office of the Press Secretary. "Cybersecurity National Action Plan." The White House. February 09, 2016. Accessed May 09, 2016. https://www.whitehouse.gov/the-press-office/2016/02/09/fact-sheet-cybersecurity-national-action-plan.
Panetta, Leon. Speech, The Global Threat of Cyber Attacks, Business Executives for National Security, New York City. Accessed May 11, 2016. http://www.cfr.org/cybersecurity/secretary-panettas-speech-cybersecurity/p29262.
Robertson, Jordan, and Michael Riley. "US Contractors Scale Up Search for Heartbleed-Like Flaws." Bloomberg. May 2, 2014. Accessed May 08, 2016. http://www.bloomberg.com/news/articles/2014-05-02/us-contractors-scale-up-search-for-heartbleed-like-flaws.
Reporters without Borders. Enemies of the Internet. Publication. 2013.
Seabrook, John. "Network Insecurity." The New Yorker. May 20, 2013. Accessed May 11, 2016. http://www.newyorker.com/magazine/2013/05/20/network-insecurity.
Shorrock, Tim. "How Private Contractors Have Created a Shadow NSA." The Nation. May 27, 2015. Accessed May 09, 2016. http://www.thenation.com/article/how-private-contractors-have-created-shadow-nsa/.
Swartz, Jon. "Cybersecurity Spending to Hit $90 Billion In 2018: Report." Barron's. February 23, 2018. Accessed April 18, 2018.
Singer, Peter. "Outsourcing War." Foreign Affairs 84, no. 2 (March/April 2005): 119-32.
Sorcher, Sara. "The Race to Build the Silicon Valley of Cybersecurity." The Christian Science Monitor. December 2015. Accessed May 09, 2016. http://passcode.csmonitor.com/goldrush.
Talbot, Daniel. "The Cyber Security Industrial Complex." MIT Technology Review. December 06, 2011. Accessed May 09, 2016. https://www.technologyreview.com/s/426285/the-cyber-security-industrial-complex/.
United States. National Institute for Standards and Technology. US Department of Commerce. Framework for Improving Critical Infrastructure Cybersecurity. 2014.
United States. The White House. National Security Strategy of the United States of America. 2017.
United States. White House. Office of Management and Budget. Analytical Perspectives, Section 21: Cybersecurity Funding. Washington, DC: US Government Publishing Office, 2018. 273-87.
York, Herbert. Race to Oblivion: A Participant's View of the Arms Race. Simon and Schuster, 1971. Accessed May 11, 2016. http://www.learnworld.com/ZNW/LWText.York.Race.Ch03.html.