Biden’s cybersecurity budget is a good start; Congress must fill the gaps

The White House released the president’s budget request for fiscal year 2023 on the heels of the recently passed Consolidated Appropriations Act, which provided a jolt of cybersecurity funding for 2022 but missed important opportunities. For its part, the FY23 budget request contains a number of critical investments in cybersecurity, but falls short of addressing cyber education and critical infrastructure resilience and fails to adequately fund the National Institute of Standards and Technology (NIST). Congress should now act decisively to fill these gaps, as it has often done in previous years.

The FY23 budget prioritizes securing federal government digital systems and networks with an 11% ($10.9 billion) increase in funding for enterprise cybersecurity and information technology for departments and agencies. For example, the White House is requesting a $197 million increase “to protect and defend sensitive agency systems and information” from the Treasury Department. Similarly, the budget cites improving Pentagon network security and strengthening cybersecurity standards for the defense industrial base as priorities. This growth and prioritization aligns perfectly with Executive Order 14028 on Improving the Nation’s Cybersecurity, which the budget notes emphasizes “improving the security of government-purchased software [and] improve the detection of cyber threats and vulnerabilities on federal systems.”

The White House also recognizes the need to expand the federal cybersecurity workforce, increasing funding for the National Science Foundation’s (NSF) “CyberCorps: Scholarship for Service” program by $12 million from the previous FY22 allocation. CyberCorps is an essential pathway for post-secondary cybersecurity education and recruitment. The budget, however, neglects K-12 cybersecurity education, as it does not request any funding for the Cybersecurity Education and Training Assistance Program (CETAP) hosted by the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security. The administration also flagged CETAP for elimination in the FY22 request, but Congress ultimately allocated $6.8 million in FY22 to continue this congressionally authorized program. The FY23 budget provides no reason to eliminate CETAP funding other than to suggest that the NSF will support some elements of the work. As they have done in the past, congressional officials should resolve the confusion by funding this critical cybersecurity education program at its current home at CISA and ensuring that any increased funding for K-12 cybersecurity education activities at NSF is truly additive, rather than coming at the expense of CETAP or existing NSF educational programs like CyberCorps.

While defending its own networks, the federal government must also protect the digital lives and livelihoods of Americans by supporting public-private collaboration to secure critical national infrastructure. It was an area where last year’s budget request struggled, but to the White House’s credit, its new funding request shows growing recognition of the government’s role. For example, the budget calls for $22 million for the new Office of the National Director of Cybersecurity, in part to “enhance national coordination in the face of escalating cyberattacks on government and critical infrastructure.” The White House is also requesting a $52 million increase from the Justice Department to bolster its cyber investigative capabilities and anti-ransomware efforts.

One of the most important ways the federal government strengthens critical infrastructure cybersecurity is through Sector Risk Management Agencies (SRMAs), the links between government cybersecurity experts and critical infrastructure owners and operators. Here, the FY23 budget is decidedly inconsistent. On the positive side, the Department of Energy is requesting an increase of almost 30% over FY21 spending for its Office of Cybersecurity, Energy Security and Emergency Response. The Department of Transportation is seeking a much-needed $25 million increase for cybersecurity from the Federal Aviation Administration. And the Environmental Protection Agency is asking for $25 million under a grant program to improve cybersecurity in the water sector. These are all smart investments.

At the same time, however, the Treasury Department, the financial sector’s SRMA, is asking for an increase of less than $300,000 for the Office of Cybersecurity and Critical Infrastructure Protection despite its own admission that its “staffing level is insufficient to handle the real volume of incidents” targeting the financial sector. Three hundred thousand dollars won’t settle much. Most problematic, CISA is asking for a $163,000 decrease in support to SRMAs relative to its FY22 request. Congress will likely ignore this decrease given that appropriations officials doled out a $39 million increase for CISA’s SRMA support role in the FY22 appropriations bill last month.

CISA’s overall budget is $377 million higher than the FY22 budget request. The 18 percent increase is a clear signal that the administration is prioritizing the expansion of CISA’s work. As remarkable as this increase is, it’s actually nearly $82 million less than the amount Congress appropriated for FY22, making it appear as a budget cut rather than an increase. Given that the President signed the delayed FY22 appropriations bill just two weeks before submitting the FY23 budget request, the White House had likely already finalized its FY23 request and probably thought its CISA request would be a significant raise, not an $80 million decline. The fact that the administration has been functionally overshadowed by Congress doesn’t take away from the clear demonstration of White House support for the cybersecurity agency. Congress itself now has the opportunity to reconcile the differences and produce a larger CISA budget for FY23.

The administration is also moving in the right direction, albeit slowly, at the State Department. In early April, the department officially launched its new Office of Cyberspace and Digital Policy (CDP) for diplomacy “to encourage responsible state behavior in cyberspace and advance policies that … uphold democratic values.” The CDP office is as much a realignment as a new creation, bringing together three existing teams that had evolved separately across the department. So, in announcing its FY23 budget, the department added a new budget line retroactively announcing $6.4 million for the new office for FY22. The FY23 budget increases this request by $2.6 million to support seven new positions within the CDP. The FY23 budget also includes $37 million for CDP in the Economic Support Fund, which the new office would likely spend on international cybersecurity capacity building projects. While this figure also likely includes a mix of realigned and new funding, it is encouraging to see the department recognize the importance of cybersecurity support for partners and allies. The new office still has a lot to do, but the FY23 request is a step in the right direction.

Finally, the FY23 budget calls for a 20% increase ($18 million) for NIST’s cybersecurity and privacy work. While this is a welcome increase after years of limited growth, much more is needed to fulfill NIST’s growing mission. NIST not only maintains frameworks and resources that serve as the cornerstones of global cybersecurity, but it has taken on new responsibilities under EO 14028 and oversees a new workforce development grant program. In light of NIST’s pivotal role in improving cybersecurity nationwide, the congressional Cyberspace Solarium Commission previously recommended nearly doubling its cybersecurity and privacy budget to $142 million.

Despite occasional setbacks, President Biden’s FY23 budget request is an overall victory for cybersecurity. It is now up to congressional officials to carry forward the victories, close the gaps, and build on last year’s investments to further strengthen cybersecurity for all Americans.

Retired Rear Admiral Mark Montgomery is Senior Director of the Center on Cyber and Technological Innovation (CCTI) and Senior Fellow at the Foundation for the Defense of Democracies (@FDD), a Washington DC-based nonpartisan research institute that focuses on national security and foreign policy. Montgomery also leads CSC 2.0, an initiative that aims to implement the recommendations of the congressional Cyberspace Solarium Commission, where he served as executive director. Follow him on Twitter @MarcCMontgomery
