Most of the nearly $11 billion in cybersecurity funding proposed in President Trump’s budget blueprint will likely be agreed to by Congress, and actually get spent, even though the budget as a whole has already been declared “dead on arrival” by Democrats in the House, according to observers and Hill staff.
There is broad, bipartisan consensus about the need to secure the nation’s vital networks against hackers, cyber-spies and online criminals, which has gotten prior years’ cybersecurity requests funded in full. Moreover, the lion’s share of the money — $9.6 billion — is in the defense budget, which likewise enjoys support on both sides of the aisle.
Cyberspace is the cheapest domain for U.S. military
The Defense Department gave more details Tuesday about how that money — 20 percent more than last year’s $8 billion ask — would be spent.
The money would fund “offensive and defensive cyberspace capabilities and operations enhancements, resilient networks to protect our operating networks and systems, and … create a modern multi-cloud environment,” Lt. Gen. Anthony Ierardi, a senior officer in the Joint Chiefs of Staff, told a Pentagon briefing Tuesday.
Notably, that $9.6 billion makes cyberspace the cheapest domain in which the U.S. military operates. The next cheapest are space, at $14.1 billion and land, at $14.6 billion. The most expensive is air, at $57.7 billion.
Indeed, cyber is even cheaper than that, because the $9.6 billion figure includes the cost of cyberspace operations, whereas the figures for other domains count only procurement programs.
According to the so-called “weapons book,” a Defense Department document that breaks down major weapons systems spending, only about $2.8 billion of the cyber dollars are allocated to buying stuff — $843 million for procurement and another $2 billion for research and development.
According to the weapons book, that $2.8 billion will fund efforts in the following eight “focus areas:”
- endpoint management;
- identity, credential, and access management, or ICAM;
- insider threat security;
- secure application development;
- cross-domain security to include mission partner networks;
- supply chain risk management;
- cybersecurity measures for other critical infrastructure.
Pentagon cybersecurity programs
Under ICAM, don’t look for a replacement for the CAC card anytime soon. The technologies DOD are looking to buy are those that more efficiently and swiftly tie the verified identity a CAC card login provides with the system access to which that individual is entitled.
The Pentagon request includes $94 million to fund the Air Force’s Unified Platform — a cyber weapons factory that uses agile software development practices to meet warfighter needs more swiftly. That’s a big plus up from the $29 million requested in FY2019 and reflects the ramping up of capability expected from UP, which is slated to reach full capacity by the end of 2021.
The Army request includes $3 million for its persistent cyber training environment, the same as was enacted this year.
Energy, Treasury also get cyber dollars
Beyond the Pentagon, the Energy Department budget request includes $156 million to fund its new Office of Cybersecurity, Energy Security and Emergency Response, headed by Assistant Secretary Karen Evans. The money will “support early-stage R&D activities that improve cybersecurity and resilience to enable the private sector to harden and evolve critical infrastructure,” according to the budget overview.
The $11 billion top line number for cyber spending across the government also includes $125 million for the Treasury’s Financial Crimes Enforcement Network, or FinCEN. That will be spent “to administer the Bank Secrecy Act and focus on the prevention of terrorist financing, money laundering, and other financial crimes. These resources would expand FinCEN’s special measures enforcement activities and enhance its efforts to combat cybercrime and cryptocurrency threats,” the overview states.
Also included is $13 million for Treasury’s Office of Critical Infrastructure Protection and Compliance Policy “to enhance the Department’s capacity to identify and remediate new [cyber] vulnerabilities [in the financial system] before they can be exploited.”
DHS cyber funding will be caught in partisan dispute
But the largest chunk of non-defense cyber spending in the budget plan — more than a billion dollars, according to the overview — is in DHS, and therefore liable to get caught up in the partisan spat over border security and immigration enforcement spending, Hill staffers say.
“The President’s National Cyber Strategy highlighted DHS’s role in securing and building cybersecurity resilience for the Nation’s most critical infrastructure, including government networks,” states the overview. “DHS works with key partners and stakeholders to identify and manage national cybersecurity risks.”
The budget includes money for:
- The Continuous Diagnostics and Mitigation program — ensuring visibility into federal networks and building a dashboard that will enable agencies to prioritize their most important vulnerabilities;
- EINSTEIN and the National Cybersecurity Protection System;
- DHS-led network risk assessments — increasing the number of them from 473 to 684, including assessments of State and local electoral systems.
Budget veterans say that because all of these are existing programs already funded in the current year, delays in reaching a spending deal for DHS won’t necessarily impact them — barring a government shutdown. When appropriators can’t reach a deal, they typically keep the lights on using a so-called continuing resolution, which continues prior year spending into the current year. Since all the programs are already funded, spending on them would continue, although without any increases or other changes.