The White House’s 2025 fiscal plan includes a request for $13 billion for the federal cybersecurity budget, a substantial increase from the current $11.8 billion figure that is still being negotiated.
The request is close to the administration’s original plan for $12.7 billion for 2024, something that was waylaid by a contentious bipartisan budget debate that has left the government operating on a temporary resolution and faced with an imminent shutdown as a broad assortment of bills are negotiated.
Cybersecurity budget plan sends big boosts to CISA, Justice Department
The proposed cybersecurity budget would send an additional $103 million to CISA’s coffers, increasing its total budget to $3 billion. One of the cybersecurity programs it is looking to enhance is the Joint Collaborative Environment (JCE), an ongoing effort to centralize data on known cyber threats and reported vulnerabilities that would involve agencies at all levels of government as well as private organizations with a major cybersecurity presence (such as Microsoft). This would help state and local governments, which have proven to be dangerously underprepared and vulnerable in some cases over the past few years, to tap into better intelligence and mitigation recommendations from one trusted central source as well as potentially seek assistance in a more streamlined manner.
CISA is also looking to improve the Continuous Diagnostics and Mitigation (CDM) program, which is entering its 12th year. This program focuses on defensive improvement across the federal government, with the current cybersecurity budget seeking to complete ongoing cloud and mobile device asset deployments and to continue implementing “zero trust” systems.
Some of CISA’s cybersecurity budget request would also be going toward the implementation of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). This act is seeking to establish a unified incident reporting standard for the 16 CISA-designated critical infrastructure sectors, with the agency expected to issue a notice of proposed rulemaking sometime in the next few weeks.
The DOJ would also see an infusion of $25 million of new money under the cybersecurity budget, with $5 million of this slated for a new office in the National Security Division that would focus entirely on cyber threats to the nation. A number of other agencies would see small boosts: funding of new initiatives for hospital defense at the Department of Health and Human Services (as well as improvements to its own internal cybersecurity), a boost to a rural loan program managed by the Department of Agriculture that would assist with web-based security development, and an added $50 million for the Treasury Department’s ongoing zero trust initiative.
Unsurprisingly, some of the new money is also going to AI research. The Energy Department would have a total of $455 million for AI testing aimed at building security and resilience models for the energy sector. DHS would also receive cybersecurity budget money for developing methods of managing AI risks.
Emily Phelps, Director at Cyware, sees the emphasis on continued public-private partnership and the involvement of state and local governments as perhaps the most promising element of the proposal: “The White House’s emphasis on cybersecurity in the 2025 budget reflects a strong commitment to national and economic security. This significant investment reinforces the importance of collaborative efforts between public and private sectors to combat sophisticated and persistent cyber threats. By focusing on key areas such as healthcare cybersecurity and leveraging advancements in AI and military defenses, the budget aims to fortify the resilience of our critical infrastructure, economy, and the protection of citizens and industries against the concerted efforts of threat actors.”
Military and AI concerns drive cybersecurity budget
In addition to concerns about the emerging threats posed by AI, the cybersecurity budget is driven in large part by perceived defensive shortcomings. CISA has previously noted that it simply does not have the manpower to respond to a coordinated large-scale attack on operational technology systems in multiple locations, and also recently noted that it is badly outnumbered by China’s force of state-sponsored hackers.
The cybersecurity budget also clearly recognizes something spelled out in multiple reports and reviews of 2023 crime activity: hospitals and the health care sector have become the hottest target for hackers looking to steal valuable data. This might be one area where a large budget increase can be hammered out between the parties, particularly after the havoc caused by the recent Change Healthcare breach. Rural hospitals and those with minimal defenses at present would be the primary focus of next year’s assistance, but all facilities could potentially recoup the cost of cybersecurity investments under the proposed incentives program.
All of this hinges on Congress, however, which has still not been able to settle on 2024 funding. The 2025 bill is expected to be received just as poorly by Republicans, which means that the ultimate form of next year’s cybersecurity budget is still very much in question. At the moment the government is operating on continuing resolutions that allow spending from the previous year to be held in place while negotiations take place, but these are only in place until March 22. Congress would have to vote for another extension before then, or enter a shutdown that suspends most non-essential federal services.