The proposed White House budget for 2024’s cybersecurity spending calls for a big investment in tech innovation to keep pace with foreign rivals, a bigger budget for the Cybersecurity and Infrastructure Security Agency (CISA), and the modernization of public-facing online government resources (such as passport applications, which are currently experiencing unprecedented delays).
Given the substantial increases the Biden administration is requesting, the proposal likely faces tough resistance from Congressional Republicans and is unlikely to survive in its current form. Based on the current partisan clashes in government and patterns in recent years, the budget is unlikely to be passed until very late in 2023 or early 2024.
White House budget would boost CISA, modernize customer-facing online systems
The proposed White House budget presently sits at a total of $6.8 trillion, up from $6.27 trillion in 2022 but about on par with 2021. A recent meeting of House Republicans indicates that the party’s strategy will be to trim that amount back to 2022 levels, and cybersecurity spending may be part of those targeted cuts.
The spending proposal follows the administration’s release of its National Cybersecurity Strategy earlier in the month. One of the key items is a $145 million budget increase for CISA, most of that devoted to implementing the Cyber Incident Reporting for Critical Infrastructure Act. This bill was signed into law in March 2022 and has tasked CISA with developing new cyber incident reporting requirements for these industries, as well as more directly providing assistance to victims.
The White House budget is also seeking $245 million in new funds for training cybersecurity professionals in the energy sector, and $63 million for the FBI’s cyber investigations division to be used for hiring new agents and bolstering intelligence and analysis capabilities. $215 million of the cybersecurity spending would also be provided to the Treasury Department to implement zero trust architecture and generally bolster its cyber defenses.
Given recent talk among Republican candidates for president, a proposed additional $735 million for Ukraine’s cybersecurity is likely to be one of the first items attacked. The White House budget is seeking these funds for programs countering Russian misinformation and disinformation and promoting cyber and energy resiliency in the country.
Amit Shaked, CEO and co-founder of Laminar, praised the federal cybersecurity spending plan but notes that more private sector attention may be needed: “We applaud the Biden Administration’s ongoing commitment to strengthening the U.S.’s national cyberdefenses. By providing guidance with the 2023 National Cybersecurity Strategy, and now the funds to carry it out with a significant portion of the $3 trillion budget for the fiscal year, both public and private sector organizations will be in much better shape to address problem areas inhibiting them from getting the upper hand with adversaries … However, it’s critical that federal organizations prioritize data visibility and security while taking on these modernization projects. In the height of the pandemic when other organizations were undertaking similar initiatives, one in two businesses experienced a breach due to unknown or ‘shadow’ data, lack of visibility into the network and overall disconnection between developers and IT and security teams. The move to the cloud, proliferation of shadow data, changing role of security and death of the traditional security perimeter contributed to what is now known as the “innovation attack surface,” a new threat vector that resulted from the massive, decentralized, accidental risk created by individuals driving innovation for the business.”
Richard Bird, CSO at Traceable AI, echoed this sentiment but added that consumer protections are also conspicuously lacking at this point: “While it is encouraging to see the White House continue to emphasize and increase investments in cybersecurity, it is disappointing to see a focus on old ways of thinking. Faster incident reporting is not a security improvement, no more than an alarm system that goes off two days after you have been robbed is a security improvement. It’s time for the US government to get serious about legislating actual cyber protections for citizens and consumers in our nation, instead of taking half measures and half steps like this. The White House continues to show commitment and focus to defining and funding cybersecurity improvements for our nation. But, neither Congress nor the Executive Branch are showing the necessary courage and urgency to address the massive legislative gap in protections for citizens and consumers in this country. Until they do, much of this spending will be sub-optimized.”
Half a billion in cybersecurity spending to modernize government systems used by the general public
$500 million is also being sought to modernize the government computer systems that the public regularly uses, though not all of this amount is strictly cybersecurity spending.
A big portion of this would go to the State Department to improve its online passport application and renewal services. The traditional paper-based passport processing system has been overwhelmed for some time and has seen multiple months added to expected processing times, forcing some citizens to cancel or reschedule planned trips out of the country. The General Services Administration would also benefit with a boost to the functionality of assorted services it oversees such as Search.gov, Digital.gov and the Digital Analytics Program.
The biggest individual cybersecurity spending item in this area is a $6.4 billion boost to the Departments of Veterans Affairs to go toward its ongoing modernization of its health records systems, a program that has been criticized by both parties for burning through public money without showing desired results. This has included cybersecurity incidents such as the accidental routing of patient records to the wrong destinations. This may be another main area of the White House budget targeted by Republicans as the party has shown more interest in simply scrapping the project, while Democrats have leaned toward revising its approach.
Investments in keeping ahead of China technologically and strategically are also one of the central points stressed by the White House budget. The primary focus in terms of cybersecurity spending is the Indo-Pacific region, where the Department of Defense would look to strengthen the capability of allies such as Australia and Japan. The administration is also seeking more funding for assorted digital development initiatives such as the Department of State’s Bureau of Cyberspace and Digital Policy, USAID’s Digital Strategy, Partnership for Global Infrastructure and Investment (PGII) digital connectivity efforts, and regional initiatives such as Digital Transformation with Africa.
Aaron Sandeen, CEO and co-founder of Securin, notes that the White House budget proposal does not do much to specifically address how cybersecurity spending might benefit the defenses of individual states that are badly in need of assistance: “The White House revealed its proposed budget for the 2024 fiscal year, and it shed light on the president’s priorities for increasing the federal government’s security posture against malicious actors … The budget increases the Cybersecurity and Infrastructure Security Agency (CISA) total funding, but it’s unclear whether these funds will be further allocated to individual states. There is specific funding for enhancing the security of the energy supply chain with extra assistance diverted to States and local governments for emergency planning and preparation, but States have many other vulnerable networks. Securin passively scanned and discovered 262,000 internet-facing assets across the 50 US states and discovered 64 unique vulnerabilities overall in all the states with exploits available in the public domain.”
