
Opinion: $19 billion alone won't fix Washington's cybersecurity problem

Spending more on cybersecurity is a start, but it's certainly no panacea. President Obama's new spending plans should come with policy proposals and organizational initiatives that address the impediments standing in the way of protecting US networks from malicious hackers.

Kevin Lamarque/Reuters/File
President Obama spoke at the Summit on Cybersecurity and Consumer Protection at Stanford University in February 2015.

The White House focused much-needed national attention on cybersecurity on Tuesday. Its Cybersecurity National Action Plan accompanied plans to request $19 billion in cybersecurity funding in next year's budget – a substantial 35 percent jump from current funding. The $19 billion isn't the full picture, either, since it doesn't include related spending at the National Security Agency and other parts of the intelligence community.

The uptick in cybersecurity spending, especially at a time when other parts of the federal budget are flat or declining, isn't trivial. It represents a serious commitment by the White House to tackle the significant cyberthreats facing the US and reduce the ongoing harm to our national and economic security as the result of breaches and attacks. Many of the specific proposals within it deserve to be funded.

However, this overall request for such a large increase is fraught with risk and uncertainty, due to critical gaps in cybersecurity budget information within the federal government.   

Let's start with the $19 billion. Nowhere in the thousands of pages of budget documents released this week by the Office of Management and Budget (OMB) is there a clear agency-by-agency breakdown of this figure. OMB releases a report annually that includes a chart on agency cybersecurity spending, but it is backward-looking, only calculating funds that have already been appropriated. Many federal agencies provide their cybersecurity top-line request in budget justification documents, but this practice is inconsistent and agencies do not appear to conform to a common definition of cybersecurity activities. 

Given this lack of information, it is difficult to answer even basic questions about the administration’s request for an increase in cybersecurity spending. What proposed new programs or activities account for this $5 billion increase? What items are the highest priorities? How do proposed investments in different agencies relate to each other, and to existing programs? Are there existing programs that should be cut or eliminated as new ones are developed?  

None of these questions can be easily examined today, a reality that weakens public accountability and hinders Congress in fulfilling its responsibilities to authorize programs and appropriate funds. Congress needs better information in order to make tough trade-off decisions on cybersecurity spending, with a clear understanding of costs, benefits, and risks.

Both the administration and Congress can take specific steps to address this problem and reduce these information gaps. The administration should develop and publicly release a crosscutting cybersecurity budget request annually, and should align proposed new investments with its existing processes for performance measurement, where cybersecurity is currently measured as a cross-agency priority goal.

The administration should also encourage consistency across departments and agencies with respect to their budget proposals for cybersecurity. Many agencies are doing an excellent job with this. The Department of Energy’s budget request treats cybersecurity as one of seven agency-wide crosscutting initiatives, and includes voluminous details on its proposed cybersecurity investments. The Department of the Treasury has established a new "Cybersecurity Enhancement Account" to focus all of its strategic investments in cybersecurity within a single budget account.

But other agencies – notably the Department of Defense – provide less detailed information on their cybersecurity budget proposals, making it difficult to assess proposals on their merits and in comparison with other agencies’ proposed investments.

Congress can address this challenge by coordinating among committees to develop a broad perspective on cybersecurity spending, rather than looking only at the narrow slices within each committee’s jurisdiction. It should also task the Government Accountability Office with reviewing the administration’s policies and processes for identifying and categorizing cybersecurity spending.  

Finally, all parties should realize that increased funding for cybersecurity may be warranted but is not a panacea. We cannot eliminate cyberthreats by simply spending our way out of the problem. New cyber-spending proposals need to be complemented with policy proposals and organizational initiatives to address long-standing impediments to effective program execution by the government. Acquisition policies need to be reformed to make it easier for the government to invest in leading-edge technologies, as do the workforce policies that make it difficult for agencies to compete for tech talent with Silicon Valley.

If the administration and Congress take such steps, they will increase the likelihood that taxpayer resources will be spent effectively and efficiently, reducing the government’s vulnerability to large-scale hacks and data breaches and ultimately ensuring that it is prepared to play its critical role in addressing today's digital threats.

Christian Beckner is the deputy director of the Center for Cyber and Homeland Security at the George Washington University. Follow him on Twitter @cjbeckner.

 
