RADM (Ret) Mark Montgomery
The White House’s proposed budget for fiscal year 2022 will seek significant increases in cybersecurity funding for most federal agencies. Cybersecurity, the budget plan asserted, is “a top priority” for the Biden administration. While the White House deserves praise for these allocations, the budget missed significant opportunities, which congressional appropriators will need to address.
The White House is requesting a 14 percent increase in federal civilian cybersecurity spending, or $9.8 billion altogether. This comes on top of the FY2021 11 percent spending growth among major civilian departments and agencies. The $1.2 billion annual increase includes an additional $750 million for “agencies affected by recent, significant cyber incidents.” These figures do not include $650 million already appropriated for the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) through the American Recovery Plan Act (ARPA) or the $1.5 billion infusion to the Technology Modernization Fund, $1 billion of that from the ARPA.
The proposed budget includes a $40 million increase — or $458.4 million total — for the FBI’s cyber investigations and an additional $15.2 million to shore up the Bureau’s own cybersecurity. The proposal also increases State Department funding for international capacity building measures to combat cybercrime.
Several of the new policy tools recommended by the congressionally mandated Cyberspace Solarium Commission make an appearance in the White House’s proposal. Created by last year’s National Defense Authorization Act (NDAA), the Joint Cyber Planning Office will receive a $10 million increase. Another $20 million for the Cyber Response and Recovery Fund will help the federal government respond to a cyber incident and support the private sector in its response.
Importantly, the budget requests $15 million to support the newly created position of National Cyber Director (NCD), a flagship recommendation of the Commission. The NCD will provide the government with a focal point for leadership on cybersecurity issues and for implementing the president’s national cyber strategy. The NCD will ensure federal agencies are making the correct investments and working in unison and will expand public-private collaboration to protect critical infrastructure.
The White House’s budget increases federal cybersecurity funding about as much as possible while still spending efficiently. Yet the government will have to maintain this double-digit growth for several years if it is to have the resources it needs to deal with cyber threats.
Beyond improving its own cybersecurity, Washington has a responsibility to work with outside stakeholders to enable trusted communications and increase the resilience of infrastructure far beyond government office buildings. In this area, the budget proposal is lacking. Leveraging some of the 32 budget recommendations from the Cyberspace Solarium Commission, appropriators can equip the government to help others enhance their cybersecurity.
First, the top-line budget request for CISA is insufficient given its role in protecting critical infrastructure nationwide. The administration requested a $110 million (6 percent) increase in CISA’s funding. In a letter to Congress earlier this year, the Commission recommended a budget increase for CISA of at least $400 million (20 percent), given how much more CISA must do to bolster engagement with critical infrastructure operators, secure the federal cyber ecosystem and expand network resilience, and develop cyber response and recovery efforts. Top trade groups recommend an even greater increase of $750 million, or 37.5 percent.
Second, more funding is needed for the National Institute of Standards and Technology (NIST) Cybersecurity and Privacy program. NIST plays a leading role in national, even global, cybersecurity. It maintains the National Vulnerability Database and the cybersecurity framework considered internationally to be the authoritative standard for best practices in the field. These and other tools are nothing short of keystones of global cybersecurity architecture. Yet while NIST will receive a 45 percent increase, the Cybersecurity and Privacy program will get only a 6 percent increase, from $77.5 million to $81.9 million. The Cyberspace Solarium Commission (CSC) recommended the White House nearly double the program’s budget to $142.3 million.
Third, the president’s budget highlights the importance of supporting federal cyber workforce development efforts — but falls short on funding. More than two decades after the inception of the CyberCorps: Scholarship for Service (SFS) program, it is still not funded sufficiently to reach the size originally intended. The program feeds talent directly into the public sector, and while the new budget request does increase funding, the increase is only half of the yearly $20 million increase required for the program to reach its full potential.
Meanwhile, another key cyber education program, the Cyber Education and Training Assistance Program (CETAP), had its approximately $6 million budget eliminated entirely. CETAP provides training to middle school and high school teachers to spark student interest in the cybersecurity field. Congress has repeatedly had to restore funding to this program after administrations have zeroed it out. Thus, Congress rightly codified the program in the NDAA last year.
Fourth, the cyber budget in the State Department’s Economic Support Fund for international capacity building efforts flatlined. This fund enables Washington to offer expert advice to foreign governments on key decisions such as crafting their domestic cybersecurity strategy or their critical infrastructure protection plan. Providing expertise helps build a more secure internet while prioritizing the free flow of information globally. If Washington does not step in, that vacuum is often filled by Beijing and Moscow.
In past years, moderate cybersecurity budget increases left the United States treading water amid a rising tide of ransomware attacks, cyber espionage incidents, and critical infrastructure vulnerabilities. The Biden administration is headed in the right direction but is too narrowly focused on what it calls “investments tailored to respond to lessons learned from the SolarWinds incident.”
America needs proactive, forward-looking investment that both mitigates the past year’s problems and prevents next year’s.
In the world of policymaking, real priorities do not come from pronouncements; they come from budgets. Even as the White House’s budget moves in the right direction, Congress will need to make additions to firmly establish national cybersecurity as a strategic priority.
Retired Rear Admiral Mark Montgomery is senior director of the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (@FDD) and serves as a senior advisor to the co-chairs of the Cyberspace Solarium Commission. FDD is a Washington, D.C.-based, nonpartisan research institute focusing on national security and foreign policy.