Officials: Yearly budgeting stifles cybersecurity

Current and former federal cybersecurity officials say the government needs to move from a one-year budget cycle to address critical cybersecurity and IT needs.

"Structurally, from a budgeting perspective, we're not set up for success," said Thomas McDermott, acting deputy assistant secretary for cyber policy at the Department of Homeland Security.

"The way that the federal budgeting process works with one-year money, it makes it much harder to spend long term [on] upgrading infrastructure as opposed to continuing to patch old, sometimes indefensible IT systems," he added during a panel discussion at FedScoop's Lowering the Cost of Government with IT Summit.

"Cybersecurity is a key element of fiscal security," he said. "We've seen that the costs of incidents are huge, both financially and reputationally."

McDermott argued that the federal government needs to incorporate cybersecurity as part of agencies' budgeting process.

"If we're saying cybersecurity is a key part of our national security...we need to be addressing it as such," said Kiersten Todt, executive director of the Presidential Commission on Enhancing National Cybersecurity.

The 12-member commission is in the process of preparing a report, due Dec. 1, that will make recommendations on national policies to strengthen cybersecurity and secure the digital economy over the next decade. One of the central topics will be budgeting.

"We have a budget structure that's set up to look a year at a time," Todt said. "If you talk to any successful CEO and if you look across the board, you can't plan and activate effectively on an issue like cybersecurity if you're looking at that one year at a time."

That will be one of the messages in the report, which will also serve as a transition document for the next president, Todt said. She added that there is an opportunity for the next administration to prioritize cybersecurity and move it forward.

"President Obama has been emphatic that this is really about looking forward and how...we set up cybersecurity for the future," she said.

The administration has been pushing a plan to create a $3.1 billion revolving fund outside the appropriations process to help agencies upgrade their legacy IT. Panelists argued that in addition to moving toward longer-term budgeting, the government must make upfront expenditures to save costs over the long run.

"I think strategically, if you can reduce the need to respond to [cyberattacks], you are saving a lot of resources -- time, energy, money -- and you're better able to get your job done," said Bob Gourley, partner at the technology consultancy Cognitio and former CTO at the Defense Intelligence Agency.

Still, there are savings available on the front end as well. McDermott cited DHS' Continuous Diagnostics and Mitigation program as an example of an initiative that is increasing efficiency and reducing costs.

CDM offers a suite of tools and acquisition vehicles that allow agencies to take advantage of bulk savings. So far, McDermott said the program has saved $46 million over what agencies would have spent purchasing the tools and capabilities through the General Services Administration's schedule program.

McDermott said that to budget efficiently in a world of limited resources, agencies must identify their most critical data and assess the security of that data.

Todt said the government and the private sector must see cybersecurity as a facilitator and enabler rather than an inhibitor of innovation.

"The only way to view cybersecurity spending is as critical to reducing the overall cost of government and having more efficient and effective government operations," she said.

Editor's note: This article was updated Aug. 26 to include Bob Gourley's current job title.

About the Author

Sean Carberry is a former FCW staff writer who focused on defense, cybersecurity and intelligence.

