Opinion: $19 billion alone won't fix Washington's cybersecurity problem
Spending more on cybersecurity is a start but it's certainly no panacea. President Obama's new spending plans should come with policy proposals and organizational initiatives that stand in the way of protecting US networks from malicious hackers.
The White House focused much needed national attention on cybersecurity on Tuesday. Its Cybersecurity National Action Plan accompanied plans to request $19 billion in cybersecurity funding in next year's budget – a substantial 35 percent jump from current funding. The $19 billion isn't the full picture, either, since it doesn't include related spending at the National Security Agency and other parts of the intelligence community.
The uptick in cybersecurity spending, especially at a time when other parts of the federal budget are flat or declining, isn't trivial. It represents a serious commitment by the White House to tackle the significant cyberthreats facing the US and reduce the ongoing harm to our national and economic security as the result of breaches and attacks. Many of the specific proposals within it deserve to be funded.
However, this overall request for such a large increase is fraught with risk and uncertainty, due to critical gaps in cybersecurity budget information within the federal government.
Let's start with the $19 billion. Nowhere in the thousands of pages of budget documents released this week by the Office of Management and Budget (OMB) is there a clear agency-by-agency breakdown of this figure. OMB releases a report annually that includes a chart on agency cybersecurity spending, but it is backward-looking, only calculating funds that have already been appropriated. Many federal agencies provide their cybersecurity top-line request in budget justification documents, but this practice is inconsistent and agencies do not appear to conform to a common definition of cybersecurity activities.
Given this lack of information, it is difficult to answer even basic questions about the administration’s request for an increase in cybersecurity spending. What proposed new programs or activities account for this $5 billion increase? What items are the highest priorities? How do proposed investments in different agencies relate to each other, and to existing programs? Are there existing programs that should be cut or eliminated as new ones are developed?
None of these questions can be easily examined today, a reality that weakens public accountability and impairs Congress from fulfilling its responsibilities to authorize programs and appropriate funds. Congress needs better information in order to make tough trade-off decisions on cybersecurity spending, with a clear understanding of costs, benefits, and risks.
Both the administration and Congress can take specific steps to address this problem and reduce these information gaps. The administration should develop and publicly release a crosscutting cybersecurity budget request annually, and should align proposed new investments with its existing processes for performance measurement, where cybersecurity is currently measured as a cross-agency priority goal.
The administration should also encourage consistency across departments and agencies with respect to their budget proposals for cybersecurity. Many agencies are doing an excellent job with this. The Department of Energy’s budget request treats cybersecurity as one of seven agency-wide crosscutting initiatives, and includes voluminous details on its proposed cybersecurity investments. The Department of the Treasury has established a new "Cybersecurity Enhancement Account" to focus all of its strategic investments in cybersecurity within a single budget account.
But other agencies – notably the Department of Defense – provide less detailed information on their cybersecurity budget proposals, making it difficult to assess proposals on their merits and in comparison with other agencies’ proposed investments.
Congress can address this challenge by coordinating among committees to develop a broad perspective on cybersecurity spending, rather than looking only at the narrow slices within each committee’s jurisdiction. It should also task the Government Accountability Office with reviewing the administration’s policies and processes for identifying and categorizing cybersecurity spending.
Finally, all parties should realize that increased funding for cybersecurity may be warranted but is not a panacea. We cannot eliminate cyberthreats by simply spending our way out of the problem. New cyber-spending proposals need to be complemented with policy proposals and organizational initiatives to address long-standing impediments to effective program execution by the government. Acquisition policies need to be reformed to make it easier for the government to invest in leading-edge technologies, and workforce policies make it difficult for agencies to compete for tech talent with Silicon Valley.
If such steps are taken by the administration and Congress, it increases the likelihood that taxpayer resources will be spent effectively and efficiently, reducing the government’s vulnerability to large-scale hacks and data breaches and ultimately ensuring that it is prepared to play its critical role in addressing today's digital threats.
Christian Beckner is the deputy director of the Center for Cyber and Homeland Security at the George Washington University. Follow him on Twitter @cjbeckner.