The fiscal 2017 budget is a “make or break” point for cybersecurity and the federal government, said a top Department of Homeland Security official.
“The Department of Defense has gotten, I think from my civilian perspective, pretty steady and good funding for what they are trying to do in [U.S.] Cyber Command,” said Andy Ozment, assistant secretary for cybersecurity and communications at DHS. “Relatively speaking [we have] not put as much funding into civilian government cybersecurity. If we are going to be serious about this, we have to put the dollars there.”
The 2017 president’s budget request asks Congress for $19 billion to support a broad-based cybersecurity strategy and for enhancing critical infrastructure. That is a 35 percent increase over the 2016 budget.
Almost $7 billion of that is going to the Defense Department for executing DoD’s cyber strategy and defending DoD’s systems. The money also supports the Cyber Mission Forces, which are tasked with defending the cyber homeland and undertaking contingency operations.
One of the initiatives in the bill that is so important to the cybersecurity of the nation is the $3.1 billion Information Technology Modernization Fund, Ozment and Senior Director for Cybersecurity for the National Security Council Andrew Grotto said during a May 24 Center for Strategic and International Studies (CSIS) event in Washington.
“You really can’t separate cybersecurity from IT acquisition and IT management. At the end of the day we don’t do cybersecurity for its own sake, we do cybersecurity to support reliable IT,” Grotto said. “We have a long list of legacy IT systems across the government. We can bubble wrap it, we can wrap it in duct tape but these systems were not necessarily built with cybersecurity in mind.”
The idea behind the fund is that it is more cost effective to replace legacy IT than to keep making patches. Agencies identify systems they have that need to be replaced. The government then loans the agencies the money and the agencies pay back the loan with the savings from the modernizations.
The House Oversight and Government Reform Committee is expected to hold hearings on the cyber budget tomorrow.
Federal Chief Information Officer Tony Scott will testify and has been championing the fund.
Still, several House lawmakers say they haven’t had recent in-depth discussions with OMB about the IT Modernization Fund.
It has its backers though. Sen. Charles Schumer (D-N.Y.) recently sent a letter to Senate Appropriations Committee leaders emphasizing the need for the fund.
“The creation of this fund, which was included in the President’s Cybersecurity National Action Plan, would help agencies replace antiquated equipment and transition to more secure and efficient IT infrastructure — such as the cloud network,” Schumer wrote. “The fund would enable agencies to annually refresh their IT systems based on up-to-date technologies and best practices. Put together, these reforms could make substantial network improvements that could help save money over time.”
The government also needs to invest in managed and shared services between agencies.
Grotto said the issue of who manages these services depends on the agencies, but one area needs to be addressed first.
“If I could pick one shared service I would start with email. … because that is the vector by which bad guys, and people in the private sector notice this as well, it’s the most common way for bad guys to get into your systems,” Grotto said. “If you can harden email you’ll go a long way towards reducing your taxes.”
Of course, without funding from Congress this next year or in future years, none of these projects or goals will make it to fruition.
Sen. Tim Kaine (D-Virginia), who also spoke at CSIS, said there is one glaring issue preventing that – sequestration.
“Any cuts across the board on anything is foolish from a management standpoint, especially areas where there’s a wide recognition that we are doing too little,” Kaine said.
He said he would try to pass language to lift sequestration caps in the 2017 defense authorization bill. He also emphasized the point that Congress can’t just raise DoD funds, like some Republicans are suggesting, and not raise domestic spending and still expect gains in cybersecurity.