How to right-size DHS cyber funding

With proposed cybersecurity funding levels flat for 2020, does the Department of Homeland Security have the resources to protect federal civilian networks?

tech budget
 

With proposed cybersecurity funding levels flat for 2020, does the Department of Homeland Security have the resources to protect federal civilian networks?

While the Trump administration's budget request would boost cybersecurity spending throughout the federal government to $17.4 billion, funding levels for cybersecurity operations at DHS would remain more or less flat at $1.9 billion, including $1.1 billion for the Cybersecurity and Infrastructure Security Agency.

The administration also proposed deep cuts for DHS' Science and Technology Directorate, the research and development arm that has increasingly aligned its mission with CISA.

Experts and stakeholders interviewed by FCW said that the cybersecurity mission is expanding at DHS, but funding has not kept up.

Chris Cummiskey, former deputy undersecretary for management at DHS, said agency leaders spent much of the past decade fighting battles to receive the necessary authorities and reorganization powers to fill its new role as the lead civilian cyber agency, but actual funding for cyber priorities have stayed flat for the past four or five years.

"What I was looking for was really a bump to be commensurate with the fact that DHS is now the hub for protecting federal civilian cyberspace, and that's what I think was missing," he said. 

In particular, Cummiskey pointed to the need for more money to fund Continuous Diagnostics and Mitigation (CDM), the National Cybersecurity Protection System (dubbed Einstein) and the National Cybersecurity and Communications Integration Center as their portfolios have continue to expand over the past several years.

Rep. Dutch Ruppersberger (D-Md.), a member of the House Appropriations Committee, told FCW that he believes DHS cybersecurity priorities are under-resourced at current budget levels, particularly given DHS Secretary Kirstjen Nielsen's public comments about the rising importance of protecting federal networks and critical infrastructure to the department's mission.

Ruppersberger said the department must start considering how the changing federal workforce – with its expanding number of remote employees and increased reliance on the cloud -- affect the threat landscape patrolled by DHS.

However, he said the current jurisdictional morass over DHS creates near constant negotiations between competing subcommittees and makes for an "uphill battle" when it comes to funding cyber priorities at the department.

Like many others, he took the administration to task for proposed cuts to the Science and Technology Directorate, noting it could have repercussions for cybersecurity down the line.

"Research and development should be a strategic asset, and I fear the department is trying to be too tactical with their precious R&D dollars," Ruppersberger said.

Others in Congress expressed support for more robust spending. A staffer for Sen. Gary Peters (D-Mich.), ranking Democrat on the Senate Homeland Security Committee, told FCW that the senator will be pushing "to ensure [CISA] has sufficient funding to address the growing number of cyber threats facing our country." A House subcommittee director with oversight over DHS said that there is broad consensus among Democratic members that CISA will need more money in the coming years to accomplish the key goals of expanding election security efforts and maximizing the potential of the National Risk Management Center.

Former DHS officials also expressed dissatisfaction at the amount of proposed funding support at DHS and CISA. Along with Cummiskey, Suzanne Spaulding -- who led CISA's predecessor agency, the National Protection and Programs Directorate -- said the department's latest budget does not adequately fund the agency's current mission and objectives.

She pointed to the need to beef up deployment of cybersecurity advisors to assist state and local governments and build in greater resilience between federal, state and local governments as well as industry against cross-sector cyber threats.

"The work of the National Risk Management Center and the ICS CERT to fully understand interdependencies and cascading risks is also something that could be expanded," Spaulding said.

Strategy, not dollars

Not everyone believes more money is the answer.

Rep. John Ratcliffe (R-Texas), who serves on the House Homeland Security Cybersecurity and Infrastructure Protection Subcommittee, told FCW that he was pleased with the funding levels for CISA and DHS cybersecurity operations outlined in the administration’s budget request.

"The president’s budget request fully funds DHS' key cybersecurity programs, and as we look to it as a baseline in our appropriations process, I would urge my colleagues to look at the FY2019 enacted levels for guidance moving into the upcoming fiscal year," Ratcliffe said.

Trevor Rudolph, who served as chief of the Cyber and National Security Unit at the Office of Management and Budget under the Obama administration, told FCW he believes CISA and DHS have enough money, instead questioning whether key programs like Einstein and CDM are appropriately structured to provide the most value to customers and stakeholders.

"I think some of the key questions that appropriators need to ask moving forward is are we getting the right bang for our buck?" said Rudolph, now vice president of global digital public policy at Schneider Electric. "I would argue that with programs like Einstein, they need to take a serious look at whether they're working and … whether DHS is focused on the right outcomes. Talking to CISOs, it's blatantly obvious that they can't use Einstein indicators because they're not helpful and they're late, so why are we spending millions of dollars [to push them out]?"

Rudolph has expressed similar misgivings about the structure of other agencywide cybersecurity programs managed by DHS. His larger point is that poor structure and strategy -- not lack of money -- sits at the root of the federal government's cybersecurity shortcomings, and fattening CISA's budget further won’t fix the problem.

If the government moved to a shared-services approach for core IT capabilities, connectivity and basic applications, he argued, much of its now-dispersed network monitoring and security activities could be centralized and improved, likely at a lower cost than the government pays now.

In line with the visions of Congress and the executive branch, he said DHS and CISA could play a prominent role in federal civilian cybersecurity by building and owning these capabilities, but continuing to operate under the status quo only ensures that another OPM-like breach is "just a matter of time."

Michael Daniel, president and CEO of the Cyber Threat Alliance and former White House cybersecurity coordinator under the Obama administration, raised similar concerns. With federal funding for cybersecurity receiving steady year-over-year increases since the mid-2000s, DHS probably doesn't need more dollars unless its mission or mandate expands further, either for protecting federal networks or providing new capabilities to the private sector.

Like Rudolph, Daniel said the federal government could make better use of its dollars by re-examining the way it splits resources between DHS and individual agencies for certain cybersecurity functions, like protecting federal networks.

"One key question is whether the balance is right between what DHS funds centrally and what individual agencies pay for," Daniel said. "That's difficult to assess from the outside, but in general, I am in favor of greater centralization … because I think that approach is more efficient and effective."

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.