President’s cyber budget request is off to a good start; Congress should fill the gaps
The White House released the President’s Budget Request for Fiscal Year (FY) 2024 last month, just a few days after issuing the much-anticipated National Cybersecurity Strategy. The budget reflects many of the new strategy’s priorities, including modernizing federal network infrastructure and developing public-private and international partnerships. Both documents continue a multi-year focus on defending critical infrastructure, but many of the budget’s funding requests to resource this effort fall short.
The new budget would increase spending on securing the federal government’s digital infrastructure with a beefy 13 percent increase over the FY23 congressional appropriation for information technology at civilian agencies. This growth reflects the administration’s commitment to a comprehensive, all-agency approach to adopting zero-trust architecture and retiring older systems. A key component of the new spending is a $12.7 billion investment in cybersecurity at federal civilian agencies — itself an increase of 13 percent over the FY23 enacted levels.
The “quarterback” of the federal government cyber team, the Cybersecurity and Infrastructure Security Agency (CISA), would receive a total of $3.1 billion, which includes $149 million in new money for programs reinforcing “cybersecurity and infrastructure security.” Of that, $98 million is allocated to implement the Cyber Incident Reporting for Critical Infrastructure Act, which requires critical infrastructure owners and operators to report significant cyber incidents to CISA. Another $425 million is allocated to CISA’s new Cyber Analytics Data System, which aims to improve CISA’s capabilities to record, analyze, and defend against vulnerabilities rapidly. For the first time, CISA acknowledged its responsibility to fund and execute K-12 cyber security awareness programs, which Congress has directed (and resourced) for nearly five years. The president’s budget request for FY23 had suggested cutting this funding.
Effective engagement in global cyberspace also requires consistent funding. In recognition of this, the budget requests $395 million for the State Department’s digital connectivity program through the U.S. Agency for International Development (USAID) and for the department’s new Bureau of Cyberspace and Digital Policy. The first-ever cyber ambassador, Nathaniel Fick, will need to use some of the bureau’s portion of this funding to build a team to meet new international cyber challenges.
The budget also demonstrates the administration’s continuing commitment to cooperating with and building the cyber capacity of U.S. partners and allies. USAID, which provided Ukraine with $38 million in cybersecurity assistance between 2020 and February 2022, would receive $522 million to, among other things, provide the Ukrainian people with “continuity of government services” by investing in energy infrastructure and cybersecurity.
The budget would also invest in building capacity at home via the CyberCorps: Scholarship for Service program at the National Science Foundation. This highly successful program provides government agencies with recent graduates committed to public service.
Meanwhile, the Treasury Department is requesting $215 million, an increase of $115 million above the FY23 enacted level, to help secure and defend the agency’s sensitive digital systems and information. Working with allies, Treasury has been imposing increasingly severe sanctions in response to Russia’s invasion of Ukraine. Russian hackers may hit back, and so Congress will need to ensure Treasury has the resources it needs to heighten its cybersecurity posture.
Alongside all of these important cybersecurity investments, the budget becomes decidedly more mixed on funding public-private collaboration. On the positive side, with the transportation industry under constant cyberattack, the administration has been improving Transportation Security Administration’s ability to support pipeline, rail, and aviation cybersecurity. The U.S. Coast Guard, meanwhile, provides support to the maritime but suffers from the cyber workforce shortage to meet mission demands. Recognizing the need to ramp up in recruiting to fill the gaps, the president’s budget requests nearly $12 million for workforce and recruiting efforts.
The Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response, meanwhile, is requesting $245 million, a nearly 23 percent increase over FY23 enacted levels, to address cyber threats to U.S. energy infrastructure. The budget, however, requests only $19.4 million for the corresponding office at the Environmental Protection Agency to help drinking water and wastewater utilities mitigate cybersecurity risks.
In response to a recent GAO report, the Department of Health and Human Services reported that it would request an increase of $6.5 million in FY24 for its efforts to help the health and public health sector manage risk and strengthen resilience. Its budget request does not clearly identify this funding, but it is hard to believe this increase is sufficient given the dramatic increase in cyberattacks against hospitals.
A small but positive step, the Department of Agriculture for the first time requested dedicated funding for its sector risk management duties. The amount requested, $225,000, is a minuscule amount to secure America’s food and agriculture supply chain, which includes more than 2.1 million farms across the country. Yet, it demonstrates a new commitment to protecting farms and agriculture supply chains – an important part of U.S. critical infrastructure.
With budget hearings in Congress in full swing, appropriators will have a chance to press administration officials about the kind of cybersecurity investments called for in the National Cybersecurity Strategy. By filling in the gaps, Congress can ensure U.S. national cyber resilience.
Retired Rear Admiral Mark Montgomery serves as senior director of the Center on Cyber and Technology Innovation (CCTI) and is a senior fellow at the Foundation for Defense of Democracies (@FDD), a Washington, D.C.-based, nonpartisan research institute focusing on national security and foreign policy. Montgomery also directs CSC 2.0, an initiative that works to implement the recommendations of the congressionally mandated Cyberspace Solarium Commission, where he served as executive director. Follow him on Twitter @MarkCMontgomery
Jiwon Ma is a program analyst at CCTI, where she contributes to the CSC 2.0 project. Follow her on Twitter @jiwonma_92.
Copyright 2024 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed..