March 16, 2021

This post is one in the “Rethink Cybersecurity” series. Additional posts in this series are available here.

“We need to rethink our approach to managing cybersecurity,” said Cybersecurity and Infrastructure Security Agency (CISA) Acting Director Brandon Wales at a House Appropriations Homeland Security Subcommittee hearing last week.

CISA Executive Assistant Director Eric Goldstein reinforced this comment, noting that additional funding was “urgently needed” for CISA to provide the foundational capabilities of its designated mission.

Congress should appropriate full funding for everything CISA requests.

Wales suggested that the cybersecurity money provided in the recently enacted COVID relief bill, the American Rescue Plan Act, should be understood as a “down payment” on increasing the agency’s ability to do its job. That is a very useful metaphor. Most of us think of down payments on a house – which are typically 10%. That sounds about right. The COVID money is probably about 10% of what is needed to truly address this issue.

The Appropriations Committees, quite rightly, tend to carefully review agency funding requests and track for judicious use of funds in line with the specifications used to justify the request. However, in this case, CISA is faced with a massive and unforeseen task, and it is literally impossible for them to accurately foresee all the needs that will emerge as they address it in real time.

Not only should Congress provide all the funding CISA requests (and, by the way, from our perspective CISA’s funding requests have historically been extremely conservative), but Congress should expect to provide the agency with substantial latitude in using what they receive – this is not a time for micromanaging.

The written testimony submitted by Wales and Goldstein correctly concludes by pointing out that “today’s landscape reflects challenges stemming from decades of under-investment in technology infrastructure; federal network security has been on the Government Accountability Office’s High-Risk list since 1997.”

To put it another way, the federal government has been underfunding cybersecurity for basically a quarter of a century, or essentially since the digital age began. No less an authority than then-Vice President Biden famously remarked, “don’t tell me what you value, show me your budget and I’ll tell you what you value.”

Wales and Goldstein were specifically referring to federal agency infrastructure, which was the subject of last week’s hearing, but the truth of their comment goes much further than that. Cybersecurity is not truly an IT issue. It is an enterprise-wide risk management issue. To properly begin to address our nation’s, not just our government’s, cybersecurity problems, we need to think far more broadly about the issue, as is suggested by Acting Director Wales’ comment that we need to “rethink” the issue.

It is not just that spending on the federal IT systems themselves has been woefully inadequate; virtually every aspect of the broader cyber risk management domain has been dramatically underfunded.

It is ludicrous to expect the FBI to manage the $2 trillion cybercrime epidemic with a budget under $500 million.

According to CSIS’s Jim Lewis, China is outspending the U.S. on advanced technology by 1000 to 1.

The Bureau of Labor Statistics recently estimated that there are over 200,000 cybersecurity jobs going unfilled. A more recent study puts that number at 3.5 million unfilled jobs.

The private sector spends approximately 5 times what our government spends on cybersecurity (isn’t providing for the common defense a government job?), and last year federal spending increased about 4.6% while private spending went up nearly twice as much, percentage-wise, as federal cybersecurity spending.

Five years ago, the ISA published a book – The Cybersecurity Social Contract – that included a 12-step program to put the U.S. on the path to helping to create a sustainably secure cyber system. Step one was “address the issue with far greater urgency.” Step two was appreciating the economics, not just the technical aspects of cybersecurity. Step three was “vastly increase funding for cybersecurity.”

CISA’s testimony eerily echoes these themes and underlines the need for Congress to attend to them. Perhaps the energy produced by SolarWinds can begin to push Congress down the road toward treating cybersecurity with the seriousness it demands. One vehicle to drive down that road might be the coming infrastructure bill. There is no more critical infrastructure in the 21st Century than our digital infrastructure – and not just the technical parts of it, the whole system.

As we look for direction down the road to internet security, perhaps we should be guided by one of the most famous quotes in Washington, D.C. history: “follow the money.”