Countries are increasing their cyber response budgets — but spending still varies widely

Nations around the world don’t seem to agree on the appropriate amount of money to earmark for cyber defense and incident response, according to an analysis by The Record. But in recent years, almost every country examined has boosted its cyber spending.

Although it’s challenging to compare cybersecurity investments across regions—budgets are rarely made public, spending is spread across different sectors, and eye-popping numbers often refer to initiatives only tangentially related to cybersecurity, just to name a few difficulties—we mapped out how much money is spent by 20 different agencies that are chiefly responsible for reducing cyberthreats and coordinating responses to attacks.

Through interviews with government officials, public records requests, and estimates from academic and government bodies, The Record was able to obtain a snapshot of the huge gap in spending between cybersecurity programs. The budgets ranged from just a few million dollars (Colombia, Botswana) to over $2 billion (the U.S.).

The question of how much money countries should budget for these issues is one of the most pressing cybersecurity decisions that lawmakers around the world are making. Incidents including the SolarWinds supply chain compromise, Microsoft Exchange vulnerabilities, and the Colonial Pipeline ransomware attack have made businesses and policy officials question governments' capacity to respond to major incidents.

The differences in spending are surprising in many cases, and can’t be easily explained by a country’s size or relative wealth. For example, New Zealand, a “Five Eyes” member with a population of more than 5 million people, spent about $16 million ($22.2 million NZD) to establish its Computer Emergency Response Team. Singapore, another Asia-Pacifc country with about 5.7 million people, spends about $250 million per year ($1 billion SGD over three years), according to an official at the Cybersecurity Agency of Singapore who asked to remain anonymous. Singapore’s CSA handles the country’s CERT function.

According to government documents viewed by The Record, India’s CERT has a budget of about $29.5 million for 2021-2022. Canada, which has roughly one-fortieth of India’s population, allocates about $36.7 million per year for its Centre for Cyber Security, which acts as the country’s national CERT and issues alerts and advisories on cyber threats.

But the biggest discrepancy in the data is between the United States and everyone else. The Cybersecurity and Infrastructure Security Agency, which was established in 2018 and houses the country’s digital emergency response teams, has a budget (over $2 billion) that’s roughly three times the size of Japan’s National Center of Incident Readiness and Strategy for Cybersecurity ($665 million). It also dwarfs the budgets of the UK’s National Cyber Security Centre ($350 million, per public documents), Germany’s Federal Office for Information Security ($240 million, according to officials there), and France’s National Cybersecurity Agency ($165 million, per its published budget).

Other countries, such as China, likely spend sizable amounts on defensive cyber efforts, but they do not publish data on the matter.

Even individual cities in the U.S. have substantial incident response budgets that exceed those of many nations. New York City, for example, established a Cyber Command in 2017 that directs citywide cyber defense and incident response—the agency has a budget of $135 million, according to documents from the city’s finance division, up about $40 million from its 2020 budget. It eclipses its counterparts in countries such as Australia, Israel, and Belgium, which is tasked in part with supporting NATO, EU institutions, and other international bodies that are based in Brussels.

"It’s not just about the money,” said NYC’s chief information security officer Geoff Brown, who leads the city's Cyber Command. “Like any element of homeland security and national security, we need to collaborate and ensure we are being smart about how we spend money. There is no silver bullet here, and we’re all going to need to do more. That means additional resources, but also building operational collaboration, shared intelligence and shared approaches to cyber defense, reducing the very real risks to our city and nation."

And additional resources are likely on the way. Like most countries, the U.S. has been rapidly increasing its spending on cybersecurity in recent years. In a March talk held by Auburn University’s McCrary Institute, Rep. John Katko (R., N.Y.), Ranking Member of the House Homeland Security Committee, said he could see Congress upping CISA’s budget to $5 billion in the coming years. 

“Every team needs a quarterback,” he said. “You don’t have a quarterback, full stop. CISA needs to be that quarterback.”

In April, lawmakers called on the House Appropriations Committee to boost CISA’s funding by roughly $400 million in 2022. “Forgoing such an increase will delay implementation of key authorities Congress just passed to strengthen CISA and perpetuate gaps in federal network security that have been exposed by the rising threats in this new domain,” Reps. Jim Langevin (D., R.I.) and Mike Gallagher. (R., Wis.) wrote in a letter to the leaders of the committee.

Other countries are also allocating more funds to cyberdefense. A spokesman for Germany’s BSI, for example, said the agency’s budget has grown by more than 75 million Euro over the last three years, or a roughly 65% increase.

A Dutch planning document that was shared with The Record by an official with the Netherlands' National Cyber Security Centre shows that the agency's budget has more than doubled in the last four years, from about 4.1 million Euros in 2017 to almost 10 million Euros in 2021. "The scale and severity of the threat is still considerable and continues to develop," the planning document says. "There is a continuous threat in the digital domain and resilience sometimes lags behind the threat. That is why investments are made in cyber security."

<p><script type="text/javascript" src="https://www.gstatic.com/charts/loader.js"></script><script type="text/javascript">
      google.charts.load('current', {
        'packages':['geochart'],
        // Note: you will need to get a mapsApiKey for your project.
        // See: https://developers.google.com/chart/interactive/docs/basic_load_libs#load-settings
        'mapsApiKey': 'AIzaSyD-9tSrke72PouQMnMX-a7eZSW0jkFMBWY'
      });
      google.charts.setOnLoadCallback(drawRegionsMap);

      function drawRegionsMap() {
        var data = google.visualization.arrayToDataTable([
          ['Country', 'Budget (in USD)'],
          ['United States', 2015000000],
          ['Japan', 665000000],
          ['United Kingdom', 350700000],
          ['Singapore', 250000000],
          ['France', 165000000],
          ['South Korea', 158000000],
          ['Germany', 240000000],
          ['Australia', 105000000],
          ['Denmark', 45900000],        
          ['Canada', 36720000],
          ['Canada', 36720000],
          ['India', 29500000],
          ['Belgium', 18250000],
          ['New Zealand', 16000000],
          ['Netherlands', 12138000],
          ['Sweden', 11800000],
          ['Turkey', 11175000],
          ['Botswana', 6180000],
          ['Colombia', 3000000]
        ]);

        var options = {
          colorAxis: {colors: ['#FAAE76', '#EF6922']},
          backgroundColor: '#f7f7f7',
          datalessRegionColor: '#DDDDDD',
                 width: 828,
          height: 510,

};

        var chart = new google.visualization.GeoChart(document.getElementById('regions_div'));

        chart.draw(data, options);
      }
    </script></p>
<div id="regions_div" style="width: 1080px; height: 600px;"> </div>

Do you have additional information on other cyber agency budgets? Let us know at [email protected].