[BreachExchange] How the Trump Budget Would Fund Cybersecurity

Destry Winant destry at riskbasedsecurity.com
Thu May 25 01:25:03 EDT 2017


The Donald Trump administration, in its proposed fiscal year 2018 budget,
outlines steps it contends would strengthen the U.S. federal government's
information systems, even as it would cut some cybersecurity spending at
specific agencies.

At the heart of the budget for the fiscal year that begins Oct. 1 is a
proposal to spend $1.5 billion on cybersecurity at the Department of
Homeland Security, part of an overall DHS budget slated to grow by 7.1
percent next year. The federal budget - unveiled May 23 by Office of
Management and Budget Director Mick Mulvaney - also proposes to allot $228
million to modernize the government's information technology.

The budget also calls for increases in cybersecurity-related spending at
the FBI and Justice Department, as well as cuts at the State Department,
the National Science Foundation and National Institute of Standards and

The Trump budget should be seen as an administration wish list, and needs
to pass Congress before it takes effect. In recent years, Congress has
failed to enact a budget, instead relying on a continuing resolution that
carries on spending from previous years. Appropriations bills, not the
budget, provide the money agencies use to fund their initiatives.

Budgeting for Network Protection

The White House, in a budget blueprint
the spending initiative, says the money slotted for DHS would provide
safeguards to protect federal networks and critical infrastructure from

"DHS would share more cybersecurity incident information with other federal
agencies and the private sector, leading to faster responses to
cybersecurity attacks directed at federal networks and critical
infrastructure," the blueprint says.

To put these figures in perspective, the Trump budget proposes to spend
more than $80 billion on information technology, with IT security being a
relatively small chunk, according to the General Services Administration's
FY 2018 Congressional Justification
<https://www.gsa.gov/portal/getMediaData?mediaId=162214> document. The
administration did not provide an across-the-government figure for IT
security spending.

Larry Clinton, president of the trade group Internet Security Alliance,
sees the Trump administration moving in the right direction, but questions
whether it's allocating enough money to achieve its cybersecurity goals.
"This entire DHS increase probably is equal to what three financial
services companies spend," Clinton says. "And DHS has far greater
responsibilities. Although individual agencies have their own cybersecurity
budgets, DHS is meant to be the federal-wide cybersecurity hub, and it
should be resourced accordingly."

Former Obama White House Cybersecurity Coordinator Michael Daniel suggests
the budget documents provided by OMB and other agencies are scant on
details. "However, it does hold DHS at roughly the levels we were working
with at the end of the Obama administration," says Daniel, who now is
president of the Cyber Threat Alliance, a not-for-profit information
sharing and analysis organization. "So at least DHS is not experiencing
cuts in its cyber funding."

Cybersecurity is just one relatively small part of DHS activities, with
most of the spending going to other areas such as managing the nation's
borders, enforcing immigration laws and preventing terrorism. Most of DHS's
cybersecurity initiatives reside in the National Protection and Programs
Directorate. The Trump budget would allot nearly $3.28 billion to NPPD.
That's not even 7.5 percent of the entire $44.1 billion budget plan for all
of DHS in fiscal 2018.

DHS Spending Breakdown

According to DHS's budget breakdown, the 2018 budget would allot $719
million for federal network protection. That includes initiatives such as
the National Cybersecurity Protection System, which includes the Einstein 3
Accelerated <https://www.dhs.gov/publication/einstein-3-accelerated> intrusion
detection and prevention system; continuous diagnostics and mitigation
<https://www.dhs.gov/cdm>, programs designed to identify and mitigate
systems' vulnerabilities; and federal network resilience
<https://www.dhs.gov/federal-network-resilience>, an initiative to drive
change in cybersecurity risk management by focusing on establishing metrics
that have measurable impact on improving cybersecurity.

It's unclear from the administration's budget documents where the increases
at DHS would come. Apples-to-apples comparisons weren't provided. For
instance, DHS did not break down how it would spend the $719 million for
federal network protection. But in last year's budget proposal, the Obama
administration slated $274.8 million for Continuous Diagnostics and
Mitigation and $471.1 million for Einstein.

The Trump budget also would earmark $236 million for proactive cyber
protection, which DHS defines as detecting vulnerabilities, blocking
malicious activity, mitigating the impact of intrusions and developing
cybersecurity standards to increase security of federal civilian networks.

The administration did not detail how the rest of the $1.5 billion in DHS
cybersecurity spending would be spent.

This budget includes $43 million to, among other things, fund 20 full-time
employees to be based at the National Cybersecurity and Communications
Integration Center, or NCCIC, the DHS unit responsible for sharing
cyberthreat information among agencies and the private sector. Those
employees would help NCCIC protect private businesses through the Enhanced
Cybersecurity Services program, provide additional threat assessment
capabilities, support the growth in demand for analytical products and
around-the-clock operational staffing and maintain readiness to execute
national security and emergency preparedness.

The Technology Modernization Fund

The push to modernize federal government IT is designed, in part, to
enhance cybersecurity because new technology often bakes in security, or at
least can be patched more easily than older, legacy systems, some dating
back a half century.

"The Technology Modernization Fund will be dedicated to retiring and
replacing antiquated legacy IT systems that are not cost-effective or pose
security risks by transitioning to more secure and efficient modern IT
platforms, such as cloud and shared services, while also establishing a
self-sustaining mechanism for federal agencies to regularly refresh their
IT systems based on up-to-date technologies," the GSA analysis of the
budget says.

Still, the IT modernization funding presented in the Trump budget is
significantly less than proposed by President Obama, who sought $3 billion
to upgrade federal government IT (see *White House Proposes $3 Billion Fund
to Modernize Federal IT*).
Clinton contends the Obama figure is closer to what agencies would need to
spend to replace less secure, legacy systems. "Getting a $3 billion fund
may not be doable in today's thrifty environment, but the House recently
approved an authorization bill, allocating $250 million for such a fund, so
hopefully this spending proposal gets speedy approval," he says.

And Daniel contends that to make real progress in modernizing government
IT, it's "simply not sufficient to put a dent in the problem. That needs to
be a much bigger number to move at the speed required."

On May 18, the House passed and sent to the Senate the Modernizing
Government Technology Act, in which major agencies would create IT capital
funds in which they could recover savings from IT modernization initiatives
(see *Modernizing Government Technology Act Passes House*).

FBI Cyber Budget on the Rise

Trump's budget calls for FBI spending on cybersecurity to increase by $41.5
million, to, for example, fund 36 new positions, including 20 agents, to
enhance the bureau's cyber efforts, which the Justice Department says is
among its top priorities.

According to its FBI budget request
<https://www.justice.gov/jmd/page/file/968261/download>, DoJ now spends
$328.3 million to fund 1,651 positions, including 881 agents focused on
cyber. "The FBI will improve technical tools, support the FBI's cyber
program and expand high-speed networks," the DoJ document says. "This will
support the FBI's mission to defeat cyber-intrusion threats through a
unique combination of law enforcement and national security authorities."

Elsewhere at the Justice Department, spending next year on its National
Security Division <https://www.justice.gov/jmd/page/file/968346/download> -
which includes combating cyberthreats to national security and protecting
national security assets - would increase by 6.6 percent, or $6.2 million,
to $101 million. The National Security Division budget does not break down
how much would be allotted for cyberdefense.

Spending Cuts

The Trump budget also calls for some cuts in IT security- and
privacy-related spending. Take, for instance, hefty cuts proposed for the
two Department of Health and Human Services agencies responsible for health
data privacy and security issues, including HIPAA enforcement (see *Trump
Proposes Hefty HHS Budget Cuts for OCR, ONC*).

Without providing details, Secretary Rex Tillerson said the State
Department requested $200 million to enhance its cybersecurity posture. But
among some State units, less money would be spent on IT and security in
fiscal 2018 than is being expended in the current year.

The Trump budget would cut $7.2 million, or 3.1 percent, from the $235
million budget for the Bureau of Information Management Resources,
according to State's congressional budget justification
<https://www.state.gov/documents/organization/271013.pdf> document. How can
it provide cybersecurity with less money? IRM, the document states, is
committed to efficiency and accountability: "IRM will emphasize and
implement cost savings measures with a focus on achieving its core

Among the bureau's investments for the coming year, according to the
document: "A robust information security program designed to quickly and
efficiently identify cybersecurity vulnerabilities and mitigate risk so
that the department's work is uninterrupted and U.S. national security
information is protected."

Other cybersecurity-related cuts are tied to research and development. At
the National Science Foundation, the Trump budget would allot nearly $113.8
million for an initiative to create a secure and trustworthy cyberspace, a
12.3 percent reduction. Trump proposes decreased spending at the National
Institute of Standards and Technology, where its laboratory programs -
which include the unit that creates cybersecurity guidance - would see their
funding decrease 12 percent to $547 million, down from the estimated
$620 million allotted for the current fiscal year.