If ultimately approved by Congress, a newly issued federal budget proposal from the Biden administration would provide a major financial shot in the arm for the nation’s cybersecurity. The request would set aside $9.8 billion in civilian cybersecurity funding in total, which would be in addition to the $10.4 billion the Department of Defense is looking to spend when the new fiscal year begins on October 1.
Much of this spending is meant to support the series of executive orders the administration issued in response to a string of incidents in late 2020 and 2021 that posed potential threats to national security. These included the SolarWinds supply chain breach as well as ransomware attacks by opportunistic criminals on fuel pipeline operator Colonial Pipeline and meat packer JBS.
$5.8 trillion proposed federal budget contains billions for cybersecurity
The Office of Management and Budget proposal seeks $9.8 billion for securing federal civilian networks and national infrastructure, the central elements the Biden administration's series of executive orders targets for shoring up. There are not many specifics beyond that at this point, but the proposal does set aside $750 million for "lessons learned from the SolarWinds supply chain attack" (though it is not clear exactly where that money would go). In total it would be an 11% increase over the cybersecurity amount in the current federal budget.
Some specifics have been laid out for a few of the relatively smaller portions of the federal budget proposal. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) would see a budget increase of $500 million, the newly formed Office of the National Cyber Director within the White House would receive $15 million, and $20 million would go toward a new Cyber Response and Recovery Fund meant to provide grants for bolstering cybersecurity defenses and assisting organizations that have been hit by attacks.
$300 million is also earmarked for the Technology Modernization Fund, which is meant to modernize IT systems in federal agencies. Legacy systems scattered throughout these agencies run outdated versions of Windows and other software that no longer receive security patches, or that cannot interface with modern networks well enough to be secured adequately against attacks. These funds are presumably meant for modernizing or replacing such systems wherever possible.
FEMA would receive $3.5 billion from the federal budget to be doled out at a rate of $1 billion per year through 2025, with the money going to grants for state and local governments and critical infrastructure agencies looking to make cybersecurity improvements. An additional $80 million in grants would be available to a broader range of public and private organizations looking to implement cyber risk reduction programs.
Among other things, the Defense Department is looking for money to bolster Cyber Command's Cyber Mission Force, raising the current number of teams from 137 to 142. This force is the "action arm" of Cyber Command (itself established in 2009) and undertakes both offensive and defensive missions in cyberspace.
Mariano Nunez, CEO at Onapsis, notes: “Additional funding for cybersecurity within the federal government is extremely important in this new era of interconnected risk, especially between business applications and critical operational technology infrastructure. Prioritizing the modernization of aging technology stacks will be essential to mitigate rising cybersecurity vulnerabilities, and ensure the security of the Nation’s most critical systems and applications from malicious cyber campaigns.”
Cybersecurity focus comes after year of critical infrastructure attacks, Ukraine invasion
Though the cybersecurity specifics of the federal budget are not entirely in focus yet, some safe assumptions can be made. One is that the talk of learning lessons from SolarWinds likely means a focus on bolstering the Treasury Department, Department of Energy and other critical agencies that were targeted in that attack. The breach of the software provider is attributed to Russian state-backed hackers. The trojanized update gave them a foothold in tens of thousands of the company's clients, but the attackers ignored the vast majority of those and focused on federal agencies and about a dozen select private targets of espionage interest. A line in the proposal mentions that the Treasury Department specifically would get an additional $210 million for cybersecurity, and other comparably sensitive agencies may see similar boosts in funding.
Another is the move to "zero trust" architecture throughout all federal government systems, mandated by the May 2021 executive order and laid out in a January 2022 Office of Management and Budget memorandum (M-22-09) that sets a deadline at the end of fiscal year 2024. The move would require a major overhaul of federal systems to restrict user accounts to only the resources they need for work purposes, and to require phishing-resistant multi-factor authentication for logins.
The federal budget for the upcoming year will need to be hashed out before the fiscal year begins in October, generally a contentious process in which various members of Congress put forward their own variations on proposals such as these. The final form is still in question, but cybersecurity spending is almost certain to increase significantly given the double impact of the increased crime (and increased boldness of criminals) seen during the pandemic and the possibility of Russia engaging in retaliatory cyber attacks that target entities in the US. As Nick Tausek, Security Automation Architect at Swimlane, observes: "Although it is very likely that this proposal will go through numerous changes before being approved, the increased investment in cybersecurity, combined with recent security directives around Zero Trust, Logging, and Security Orchestration, Automation and Response (SOAR), are encouraging steps for the future of the nation's cybersecurity strategy. While it's hard to pinpoint the chances the whole budget has of passing in its current form, it seems likely that the cybersecurity measures will remain largely unchanged due to their emphasis on national defense."