Following the federal cybersecurity money trail

In Washington, if you want to know which programs and initiatives are being prioritized, you need to look at where the most discretionary money is spent. The budget reveals where and how the federal government addresses cybersecurity challenges.

President Biden’s 2025 budget request asks for nearly $13 billion in cybersecurity spending by the government's civilian agencies. This amount is nearly 10% more than was requested last year. As noted by OMB, the cyber investment priorities in the budget are largely in line with the National Cybersecurity Strategy that was released in March 2023. This strategy balances federal cyber activity between addressing short-term needs and investing in activities to support long-term whole-of-nation cyber resilience.

Immediate needs

With regard to the more immediate needs, it’s instructive to time travel back to 2021 when President Biden issued the cybersecurity executive order and track how the budget request tracks with goals set out in that EO. To that end, the administration  requested $470 million for the Continuous Diagnostics and Mitigation program, which  supports zero-trust implementation within the government and provides increasing capabilities. 

The CDM program has become a veritable Swiss Army knife for federal agencies, and plays a critical role in endpoint and network security, hardware and software asset management, identity management, data protection, and the ability to have a dashboard that offers increasingly detailed visibility and control across agencies. 

Complementing the CDM program is a $394 million requested for additional internal cybersecurity and analytical capabilities for the Cybersecurity and Infrastructure Security Agency. The Cyber Incident Reporting for Critical Infrastructure Act of 2022), which requires notification to CISA of significant cyber incidents at 300,000+ U.S. critical infrastructure sector organizations, comes into effect next year, and the budget requested $116 million for CISA to hire the staff and build the infrastructure to handle this flow of incident reporting efficiently and securely.

The 188-page summary of the proposed federal budget also describes smaller-ticket but important imminent federal initiatives like the Department of Justice’s investments in its new legal section focused on cyberthreats and in the FBI’s cyber and counterintelligence investigative capabilities.

Longer term and national needs

The 2025 budget request also considers long-term cybersecurity spending, including $455 million for AI research, including research into AI safety, security and resilience. This tracks with the increasing federal focus on AI and its possibilities for shoring up cyber defenses.

The budget also increases the federal government's ability to support U.S. critical infrastructure, including frequently targeted healthcare systems. To that end, the Department of Health and Human Services asked for $800 million for cybersecurity at hospitals designated as high need and low resource and for an additional $500 million for hospitals to use for advanced cybersecurity capabilities.

Not all federal cyber priorities align to spending

A major theme of the 2023 National Cyber Strategy is a call for a shift in responsibility for cybersecurity with a focus on secure by design and secure by default. Secure by design means that instead of adding security as an afterthought or bolting it on later, security should be built into Information Technology (IT) products by design and from the outset. Secure by default means that that products and services should be configured to be secure out of the box, rather than relying on users to figure out settings to improve security

According to the fact sheet released with the NCS, “We must rebalance the responsibility to defend cyberspace by shifting the burden for cybersecurity away from individuals, small businesses, and local governments, and onto the organizations that are most capable and best-positioned to reduce risks for all of us.”

The strategy lays out a future where secure by design and secure by default become the norm in information technology development, in much the same way that automobile manufacturers are expected to design and produce safe vehicles. Instead of only addressing security after a product has reached the marketplace, and in the worst case, relying on users to find any security flaws, security should be prioritized from the design phase and addressed through good software development practices during product development. Progress in secure by design and default should improve the security of products and services in the IT marketplace that the federal government as well as the private sector relies on.

'How is as important as 'where'

Government will not be doing the bulk of the hard work of implementing secure by design and secure by default, and convincing IT providers to voluntarily spend resources changing their processes requires creating market demand. In June CISA released a secure by design pledge it negotiated with the IT sector, and to date over 200 companies have committed to making good faith efforts to meet pledge goals. 

The 2025 budget request for federal civilian agencies IT spending is $75 billion, and if even a portion of these funds are directed at contracts that recognize and reward adherence to secure by design, federal spending can begin to create the necessary market incentive to drive secure by design implementation. Successful development of secure by design products for the federal market is likely to have crossover appeal to large enterprises as well, many of whom like to buy ‘government grade’ IT solutions whenever possible. 

Both the public and private sectors are exploring how generative AI can be used in virtually every facet of digital activity. Security is a major concern, and security controls often have to be negotiated in an a la carte fashion between customers and GenAI service providers as well as between those who create and run Large Language Model data sets, build GenAI algorithms and provide the computing resources that enable GenAI to operate. 

We are collectively hampered by the lack of a commonly accepted model of security roles and responsibilities like the shared security model for cloud computing. While the cloud model evolved over time and as a result of repeated breaches; the federal government could accelerate the creation of a comparable model for GenAI security by ensuring that its requirements for GenAI addressed the ‘full stack’ of security requirements, leveraging the NIST AI Risk Management Framework as a solid foundation.

Cybersecurity is crucial to everything from massive critical infrastructure projects to the safe operation of small businesses and increasingly to the private life of every American. The federal government has the lead in functions such as law enforcement, while the private sector typically leads in generating the products that provide cybersecurity capability. 

The federal government’s cyber budget is focused on procuring products and services for its own use, and in the process often creates solutions that are attractive to private sector enterprises, including critical infrastructure providers. Government also leads in creating frameworks such as secure by design and AI risk management, where government, industry, and end users are partners in implementation. The 2025 federal budget request reflects the federal government’s role in each of these important priorities.

Comments