ISA TO CONGRESS: SHOW CISA THE MONEY!

May 3, 2021

[INSERT DATE]

[INSERT MEMBER OF CONGRESS/SENATE

[INSERT ADDRESS]

Dear _____________:

The Internet Security Alliance (ISA) is writing to the House and Senate Committees on Appropriations in support of President’ Biden’s FY’2022 budget, as a minimum level for federal cybersecurity spending in the coming year.

It is ISA’s steadfast belief that the funding requirements for federal spending on cybersecurity should not be assessed primarily by using our past funding as a baseline.  It is a common misconception that the root cause of our cyber insecurity is that there is something wrong with the technologies.  However, the problem isn’t that the technologies are flawed – it is that the technologies are under attack.

As a result, we would urge the Committee to determine the appropriate spending on cybersecurity to be based on what our adversaries are spending to attack us.  As a point of reference China released their 5-year plan last month and they have allocated $1.4 trillion for their digital strategy over the next 5 years.  They anticipate their spending on their digital strategy will grow even faster than their military budget.

Although this is, admittedly not a direct apple to apples comparison, the expanse of the differences between US Federal spending for cybersecurity and what our prime adversaries are spending (and China is only one of several adversaries in cyberspace) needs to be strongly considered as the Committee makes its decisions. 

ISA also suggests that when the Committee reviews cybersecurity spending it consider the issue in its full and appropriate context.  For example, much of the President’s recently announced budget regarding cybersecurity is directed at needed upgrades for federal systems and other technical and operational items.

Another widely held misconception about cybersecurity is that it is primarily a technical operational issue – it is not.  Obviously, there are technical and operational aspects top cybersecurity, but it is a far broader – enterprise-wide risk management issue. Therefore, in the appropriate vehicles, ISA strongly suggests that the Committee substantially increase funding for items like cybersecurity education and law enforcement.

According to the World Economic Forum cybercrime will generate $2.2 trillion in 2021 – and growing fast.  Further, the Forum estimates that we currently prosecute about one-half of one percent of cyber criminals. To fight off this criminal empire the FBI’s cybercrime budget is about a half a billion dollars.   Obviously, we need more than money to address the cybercrime problem, but it is also unreasonable to believe we can make any serious dent in the problem when our law enforcement personnel are being out-resourced to such a great degree.

 We face a similar problem with our cybersecurity workforce.  Everyone in the cybersecurity field knows that there are literally thousands, some estimates are there are millions good-paying cybersecurity jobs going unfilled, not just in the federal and state governments but nation-wide. The problem, like the cybercrime problem, has existed for decades.  It is obvious that we will never be able to provide a reasonably secure cyberspace without an adequate workforce.  The time for half-measures is long past, we urge the Committee to take aggressive action to address these issues with substantial spending increases

Finally, consistent with our request that you consider cybersecurity in its broad and appropriate context, we urge to you to consider funding for small companies who are part of our nations’ critical infrastructure and yet are subject to nation-state attacks for which they simply do not have the economies of scope and scale to manage.  In 2016 the National Infrastructure Protection Plan (NIPP) made the point that commercial entities and government appropriately assess risk in different ways with the private companies generally funding security at a lower “commercial” level whereas government naturally must fund security at a higher level based on its national security concerns. However, when it comes to the Internet, the private sector and the public sector are for the most part all using the same system.  As a result, the commercial level of spending does not, and cannot, achieve necessary national there is a disparity between security levels,

A recent study by the US Telecom Association found that 75% of critical infrastructure small companies had suffered a cyber breach on the past year.  And 55% believe their company is not prepared to prevent or recover from a cyberattack. The study concluded that small companies may not be able to sustain uneconomic investment cybersecurity beyond minimum requirements and consequently consideration must be given to what incentives are required.”

We urge the Committee to find the right vehicle to provide incentives for small companies involved in critical infrastructure to be provided economic incentives to enhance their cybersecurity – not in their economic self-interest, but in the national security interest.

We are grateful for your consideration of these recommendations and, naturally, stand ready to assist the Committee in any way possible.

Sincerely,

Larry Clinton

President

Internet Security Alliance