How to right-size DHS cyber funding

With proposed cybersecurity funding levels flat for 2020, does the Department of Homeland Security have the resources to protect federal civilian networks?

While the Trump administration's budget request would boost cybersecurity spending throughout the federal government to $17.4 billion, funding levels for cybersecurity operations at DHS would remain more or less flat at $1.9 billion, including $1.1 billion for the Cybersecurity and Infrastructure Security Agency.

The administration also proposed deep cuts for DHS' Science and Technology Directorate, the research and development arm that has increasingly aligned its mission with CISA.

Experts and stakeholders interviewed by FCW said that the cybersecurity mission is expanding at DHS, but funding has not kept up.

Chris Cummiskey, former deputy undersecretary for management at DHS, said agency leaders spent much of the past decade fighting battles to receive the necessary authorities and reorganization powers to fill its new role as the lead civilian cyber agency, but actual funding for cyber priorities have stayed flat for the past four or five years.

"What I was looking for was really a bump to be commensurate with the fact that DHS is now the hub for protecting federal civilian cyberspace, and that's what I think was missing," he said. 

In particular, Cummiskey pointed to the need for more money to fund Continuous Diagnostics and Mitigation (CDM), the National Cybersecurity Protection System (dubbed Einstein) and the National Cybersecurity and Communications Integration Center as their portfolios have continue to expand over the past several years.

Rep. Dutch Ruppersberger (D-Md.), a member of the House Appropriations Committee, told FCW that he believes DHS cybersecurity priorities are under-resourced at current budget levels, particularly given DHS Secretary Kirstjen Nielsen's public comments about the rising importance of protecting federal networks and critical infrastructure to the department's mission.

Ruppersberger said the department must start considering how the changing federal workforce – with its expanding number of remote employees and increased reliance on the cloud -- affect the threat landscape patrolled by DHS.

However, he said the current jurisdictional morass over DHS creates near constant negotiations between competing subcommittees and makes for an "uphill battle" when it comes to funding cyber priorities at the department.

Like many others, he took the administration to task for proposed cuts to the Science and Technology Directorate, noting it could have repercussions for cybersecurity down the line.

"Research and development should be a strategic asset, and I fear the department is trying to be too tactical with their precious R&D dollars," Ruppersberger said.

Others in Congress expressed support for more robust spending. A staffer for Sen. Gary Peters (D-Mich.), ranking Democrat on the Senate Homeland Security Committee, told FCW that the senator will be pushing "to ensure [CISA] has sufficient funding to address the growing number of cyber threats facing our country." A House subcommittee director with oversight over DHS said that there is broad consensus among Democratic members that CISA will need more money in the coming years to accomplish the key goals of expanding election security efforts and maximizing the potential of the National Risk Management Center.

Former DHS officials also expressed dissatisfaction at the amount of proposed funding support at DHS and CISA. Along with Cummiskey, Suzanne Spaulding -- who led CISA's predecessor agency, the National Protection and Programs Directorate -- said the department's latest budget does not adequately fund the agency's current mission and objectives.

She pointed to the need to beef up deployment of cybersecurity advisors to assist state and local governments and build in greater resilience between federal, state and local governments as well as industry against cross-sector cyber threats.

"The work of the National Risk Management Center and the ICS CERT to fully understand interdependencies and cascading risks is also something that could be expanded," Spaulding said.

Strategy, not dollars

Not everyone believes more money is the answer.

Rep. John Ratcliffe (R-Texas), who serves on the House Homeland Security Cybersecurity and Infrastructure Protection Subcommittee, told FCW that he was pleased with the funding levels for CISA and DHS cybersecurity operations outlined in the administration’s budget request.

"The president’s budget request fully funds DHS' key cybersecurity programs, and as we look to it as a baseline in our appropriations process, I would urge my colleagues to look at the FY2019 enacted levels for guidance moving into the upcoming fiscal year," Ratcliffe said.

Trevor Rudolph, who served as chief of the Cyber and National Security Unit at the Office of Management and Budget under the Obama administration, told FCW he believes CISA and DHS have enough money, instead questioning whether key programs like Einstein and CDM are appropriately structured to provide the most value to customers and stakeholders.

"I think some of the key questions that appropriators need to ask moving forward is are we getting the right bang for our buck?" said Rudolph, now vice president of global digital public policy at Schneider Electric. "I would argue that with programs like Einstein, they need to take a serious look at whether they're working and … whether DHS is focused on the right outcomes. Talking to CISOs, it's blatantly obvious that they can't use Einstein indicators because they're not helpful and they're late, so why are we spending millions of dollars [to push them out]?"

Rudolph has expressed similar misgivings about the structure of other agencywide cybersecurity programs managed by DHS. His larger point is that poor structure and strategy -- not lack of money -- sits at the root of the federal government's cybersecurity shortcomings, and fattening CISA's budget further won’t fix the problem.

If the government moved to a shared-services approach for core IT capabilities, connectivity and basic applications, he argued, much of its now-dispersed network monitoring and security activities could be centralized and improved, likely at a lower cost than the government pays now.

In line with the visions of Congress and the executive branch, he said DHS and CISA could play a prominent role in federal civilian cybersecurity by building and owning these capabilities, but continuing to operate under the status quo only ensures that another OPM-like breach is "just a matter of time."

Michael Daniel, president and CEO of the Cyber Threat Alliance and former White House cybersecurity coordinator under the Obama administration, raised similar concerns. With federal funding for cybersecurity receiving steady year-over-year increases since the mid-2000s, DHS probably doesn't need more dollars unless its mission or mandate expands further, either for protecting federal networks or providing new capabilities to the private sector.

Like Rudolph, Daniel said the federal government could make better use of its dollars by re-examining the way it splits resources between DHS and individual agencies for certain cybersecurity functions, like protecting federal networks.

"One key question is whether the balance is right between what DHS funds centrally and what individual agencies pay for," Daniel said. "That's difficult to assess from the outside, but in general, I am in favor of greater centralization … because I think that approach is more efficient and effective."