27 May 2017

How the Trump Budget Would Fund Cybersecurity


The Donald Trump administration, in its proposed fiscal year 2018 budget, outlines steps it contends would strengthen the U.S. federal government's information systems, even as it would cut some cybersecurity spending at specific agencies.

At the heart of the budget for the fiscal year that begins Oct. 1 is a proposal to spend $1.5 billion on cybersecurity at the Department of Homeland Security, part of an overall DHS budget slated to grow by 7.1 percent next year. The federal budget - unveiled May 23 by Office of Management and Budget Director Mick Mulvaney - also proposes to allot $228 million to modernize the government's information technology.

The budget also calls for increases in cybersecurity-related spending at the FBI and Justice Department, as well as cuts at the State Department, the National Science Foundation and National Institute of Standards and Technology.

The Trump budget should be seen as an administration wish list, and needs to pass Congress before it takes effect. In recent years, Congress has failed to enact a budget, instead relying on a continuing resolution that carries on spending from previous years. 

Appropriations bills, not the budget, provide the money agencies use to fund their initiatives.
Budgeting for Network Protection

The White House, in a budget blueprint outlining the spending initiative, says the money slotted for DHS would provide safeguards to protect federal networks and critical infrastructure from attacks.

"DHS would share more cybersecurity incident information with other federal agencies and the private sector, leading to faster responses to cybersecurity attacks directed at federal networks and critical infrastructure," the blueprint says.

To put these figures in perspective, the Trump budget proposes to spend more than $80 billion on information technology, with IT security being a relatively small chunk, according to the General Services Administration's FY 2018 Congressional Justification document. The administration did not provide an across-the-government figure for IT security spending.

Larry Clinton, president of the trade group Internet Security Alliance, sees the Trump administration moving in the right direction, but questions whether it's allocating enough money to achieve its cybersecurity goals. "This entire DHS increase probably is equal to what three financial services companies spend," Clinton says. "And DHS has far greater responsibilities. Although individual agencies have their own cybersecurity budgets, DHS is meant to be the federal-wide cybersecurity hub, and it should be resourced accordingly."

Former Obama White House Cybersecurity Coordinator Michael Daniel suggests the budget documents provided by OMB and other agencies are scant on details. "However, it does hold DHS at roughly the levels we were working with at the end of the Obama administration," says Daniel, who now is president of the Cyber Threat Alliance, a not-for-profit information sharing and analysis organization. "So at least DHS is not experiencing cuts in its cyber funding."

Cybersecurity is just one relatively small part of DHS activities, with most of the spending going to other areas such as managing the nation's borders, enforcing immigration laws and preventing terrorism. Most of DHS's cybersecurity initiatives reside in the National Protection and Programs Directorate. The Trump budget would allot nearly $3.28 billion to NPPD. That's not even 7.5 percent of the entire $44.1 billion budget plan for all of DHS in fiscal 2018.

DHS Spending Breakdown

According to DHS's budget breakdown, the 2018 budget would allot $719 million for federal network protection. That includes initiatives such as the National Cybersecurity Protection System, which includes the Einstein 3 Accelerated intrusion detection and prevention system; continuous diagnostics and mitigation, programs designed to identify and mitigate systems' vulnerabilities; and federal network resilience, an initiative to drive change in cybersecurity risk management by focusing on establishing metrics that have measureable impact on improving cybersecurity.

It's unclear from the administration's budget documents where the increases at DHS would come. Apples-to-apples comparisons weren't provided. For instance, DHS did not break down how it would spend the $719 million for federal network protection. But in last year's budget proposal, the Obama administration slated $274.8 million for the Continuous Diagnostics and Mitigation and $471.1 million for Einstein.

The Trump budget also would earmark $236 million for proactive cyber protection, which DHS defines as detecting vulnerabilities, blocking malicious activity, mitigating the impact of intrusions and developing cybersecurity standards to increase security of federal civilian networks.

The administration did not detail how the rest of the $1.5 billion in DHS cybersecurity spending would be spent.

This budget includes $43 million to, among other things, fund 20 full-time employees to be based at the National Cybersecurity and Communications Integration Center, or NCCIC, the DHS unit responsible for sharing cyberthreat information among agencies and the private sector. Those employees would help NCCIC protect private businesses through the Enhanced Cybersecurity Services program, provide additional threat assessment capabilities, support the growth in demand for analytical products and around-the-clock operational staffing and maintain readiness to execute national security and emergency preparedness.

The Technology Modernization Fund

The push to modernize federal government IT is designed, in part, to enhance cybersecurity because new technology often bakes in security, or at least can more easily be patched, than older, legacy systems, some dating back a half century.

"The Technology Modernization Fund will be dedicated to retiring and replacing antiquated legacy IT systems that are not cost-effective or pose security risks by transitioning to more secure and efficient modern IT platforms, such as cloud and shared services, while also establishing a self-sustaining mechanism for federal agencies to regularly refresh their IT systems based on up-to-date technologies," the GSA analysis of the budget says.

Still, the IT modernization funding presented in the Trump budget is significantly less than proposed by President Obama, who sought $3 billion to upgrade federal government IT (see White House Proposes $3 Billion Fund to Modernize Federal IT). Clinton contends the Obama figure is closer to what agencies would need to spend to replace less secure, legacy systems. "Getting a $3 billion fund may not be doable in today's thrifty environment, but the House recently approved an authorization bill, allocating $250 million for such a fund, so hopefully this spending proposal gets speedy approval," he says.

And Daniel contends that to make real progress in modernizing government IT, it's "simply not sufficient to put a dent in the problem. That needs to be a much bigger number to move at the speed required."

On May 18, the House passed and sent to the Senate the Modernizing Government Technology Act, in which major agencies would create IT capital funds in which they could recover savings from IT modernization initiatives (see Modernizing Government Technology Act Passes House).

FBI Cyber Budget on the Rise

Trump's budget calls for FBI spending on cybersecurity to increase by $41.5 million, to, for example, fund 36 new positions, including 20 agents, to enhance the bureau's cyber efforts, which the Justice Department says is among its top priorities.

According to its FBI budget request, DoJ now spends $328.3 million to fund 1,651 positions, including 881 agents focused on cyber. "The FBI will improve technical tools, support the FBI's cyber program and expand high-speed networks," the DoJ document says. "This will support the FBI's mission to defeat cyber-intrusion threats through a unique combination of law enforcement and national security authorities."

Elsewhere at the Justice Department, spending next year on its National Security Division - which includes combating cyberthreats to national security and protecting national security assets - would increase by 6.6 percent, or $6.2 million, to $101 million. The National Security Division budget does not break down how much would be allotted for cyberdefense.

Spending Cuts

The Trump budget also calls for some cuts in IT security- and privacy-related spending. Take, for instance, hefty cuts proposed for the two Department of Health and Human Services agencies responsible for health data privacy and security issues, including HIPAA enforcement (see Trump Proposes Hefty HHS Budget Cuts for OCR, ONC).

Without providing details, Secretary Rex Tillerson said the State Department requested $200 million to enhance its cybersecurity posture. But among some State units, less money would be spent on IT and security in fiscal 2018 than being expended in the current year.

The Trump budget would cut $7.2 million, or 3.1 percent, from the $235 million budget for the Bureau of Information Management Resources, according to State's congressional budget justification document. How can it provide cybersecurity with less money? IRM, the document states, is committed to efficiency and accountability: "IRM will emphasize and implement cost savings measures with a focus on achieving its core priorities."

Among the bureau's investments for the coming year, according to the document: "A robust information security program designed to quickly and efficiently identify cybersecurity vulnerabilities and mitigate risk so that the department's work is uninterrupted and U.S. national security information is protected."

Other cybersecurity-related cuts are tied to research and development. At the National Science Foundation, the Trump budget would allot nearly $113.8 million for an initiative to create a secure and trustworthy cyberspace, a 12. 3 percent reduction. Trump proposes decreased spending at the National Institute of Standards and Technology, where it's laboratory programs - which includes the unit that creates cybersecurity guidance - would see its funding decrease to $547 million, or 12 percent, down from the estimated $620 million allotted for the current fiscal year.

No comments: