Trump's Budget Proposal to Significantly Boost Cybersecurity Funding

The White House’s first federal budget blueprint unveiled Thursday seeks to fund the nation’s cybersecurity efforts by boosting budgets of the U.S. Defense Department and Department of Homeland Security—an initiative officials say will guard against the magnified threat landscape that is only getting worse. 

The budget seeks $1.5 billion for the DHS that will help the government modernize federal computer networks that “can no longer sustain themselves,” White House homeland security adviser Thomas Bossert said a day earlier during Cyber Disrupt 2017, an event hosted by the Center for Strategic and International Studies, or CSIS.

“We cannot tolerate indefensible technology, antiquated technology, hardware or software,” Bossert said. “Modernization is absolutely critical.” The White House will circulate details in the coming weeks and months on plans to upgrade networks, he said.

The budget proposal also calls for an increase in the Defense Department’s spending by $54 billion, an increase that will be offset by fiscal reductions from some 18 other agencies.

“President Trump intends to put his money where his mouth is,” Bossert said of the request to Congress.

The budget aligns with strategies outlined in President Donald Trump’s forthcoming cybersecurity executive order, which will direct the heads of government agencies and departments to not only better secure agency data, but adopt best practices from the private sector. Those scattered responsibilities, however, will have to be balanced with a governmentwide federal IT security approach, Bossert said.  “Shared services will be a fundamental requirement,” he said. “We can no longer dream away the notion that we will have cybersecurity expertise, in terms of capital investment and human investment, resident in [all] federal agencies.”

Cyber vulnerabilities pose a national security threat, and the United States “not yet gotten serious about a serious deterrent strategy,” Bossert added.

That has been fodder for repeated warnings from government officials who have highlighted the lack of a cohesive or detailed U.S. retaliatory response toward nation-states that breach government networks. Those shortcomings, shared earlier this year by top U.S. intelligence leaders who testified before the Senate, threaten to disrupt the development of a deterrence framework.

The government struggles to effectively derail nation-states and cyber intruders that repeatedly highlight U.S. vulnerabilities, such as the string of notorious incidents from Russia’s reported interference in the U.S. presidential electoral process to the notable OPM breach attributed to China that exfiltrated the sensitive records of 22 million federal employees, and North Korea’s hack of Sony Pictures Entertainment emails.

While the executive order could provide for a decent foundation, the administration must push for more, Ray Rothrock, CEO of RedSeal, a network modeling and risk scoring company said recently. “Executive orders are often about gathering information and formulating plans of action,” Rothrock said. “To get it right, though, it is also important that the new administration ask the right questions about measuring and managing risk.

“Protection is still an important strategy, but it is not enough," he continued. "The strongest firewalls will have cracks. Networks are constantly changing and becoming more interconnected. Vulnerabilities in one network open the door to others. How do we manage risk is this dynamic environment? How do we prioritize assets? And how do we minimize losses? These are the questions that if asked will move us forward.”

The administration already has at its disposal a good road map that lays out sound paths to defeat cyber criminals—The Commission on Enhancing National Cybersecurity’s “Report on Securing and Growing the Digital Economy” released in December, Rothrock writes in a blog for SIGNAL Media. “To that end, I offer this to the Trump administration: heed a few action items from the report, such as the need for public and private cooperation.” The commission called for a collaborative cybersecurity operation program between the public and private sectors to identify, protect from, detect, respond to and recover from cyber incidents affecting critical infrastructure.

The budget proposal does not reflect an overnight, all-encompassing modernization effort, Bossert said. “I think that’s somewhere around a $90 billion endeavor.” Because not all agencies will get a funding boost, agencies will instead need to address cyber needs through “improved efficiencies,” Bossert said.

Additionally, technology will not be the sole solution to improving cybersecurity, offered Frances Townsend, for whom Bossert once worked during President George W. Bush’s administration. Cultivating—and keeping—the right talent is critical to boosting a proper workforce, Townsend said during the event's keynote discussion with Bossert, who then floated a potentially radical idea: What if the federal government stopped competing with industry for the same talent?

“I think we need to concede a managed service provider model is the model we’re going to have to move toward,” Bossert said.

Another issue that continues to dog government and industry alike has been insider threats, Townsend said. “This has been a decades-long, persistent threat.”

Addressing that threat, for starters, requires that everyone take seriously the responsibility to institute good controls and good hiring practices, Bossert offered. “Secondly, we need to find the people who do it, hold them accountable and be unwavering in doing so. People have taken, in the past, things they should not have taken—absolute enemies of the state. Period. They need to be caught, punished and treated as such. If people feel like they can continue to get away with it, they will.”