President Biden Skimping on Cybersecurity

 President Biden originally proposed a $10 billion relief package for IT and cybersecurity modernization, and with the American Rescue Plan bill that just passed, the amount was reduced to only $2 billion.

According to Data Breach Today “The cybersecurity and IT funding includes $650 million allocated to the U.S. Cybersecurity and Infrastructure Security Agency for “cybersecurity risk mitigation” as well as $1 billion for the General Services Administration to spend on IT modernization projects throughout the government. Another $200 million is set aside for the U.S. Digital Service to hire additional security experts and provide additional services to agencies. The package does not include any further details.”

Politics as Usual

The Biden administration promised a $10 billion plan with $9 billion to go to CISA and GSA for cyber and IT modernization projects in the initial draft of the proposal. It appeared that they were prioritizing a serious issue that has become intertwined with the COVID-19 pandemic. However, between then and now, as often happens with politics, the story changes, and the relief package for cybersecurity was skimped down to a measly $2 billion that won’t stretch very far.

Not Nearly Enough

Experts believe that the $2 billion won’t be enough to fix an increasing problem. Have the SolarWinds and Microsoft Exchange server compromises taught us nothing? These two issues alone showcase the severity of threats aimed at American companies.

Phil Reitinger, a former director of National Cyber Security Center within the Department of Homeland Security who is now president and CEO of the Global Cyber Alliance, said,

“The funding in the stimulus bill is helpful, but a down payment only.” He also added, “It is increasingly difficult to pretend that cybersecurity is not one of the two most important national security issues, along with domestic extremism.”

Rep. Jim Langevin, D-R.I, who serves on the House Homeland Security Committee, commented that “We need significant, sustained increases in CISA’s budget to ensure it has the personnel and tools to succeed in its vital missions,” Langevin tells Information Security Media Group.

“We need to replace our antiquated digital infrastructure at both the federal and state and local levels [and] to improve operational efficiency and tighten security. We also need to enact a national cybersecurity assistance fund to provide prioritized investments in critical infrastructure based on a careful analysis of intersectoral risk.”

Spend with a Plan

Other experts, including the first federal CISO, Greg Touhill, also a retired U.S. Air Force Brigadier General, feel that such limited funds require a well-executed plan. If the government has only $2 billion to spend, it needs to be spent wisely.

Data Breach Today reiterated Touhill’s comment as “It’s not very transparent what they’re going to be spending the money on, and that’s part of my concern. Throwing money at spending wildly is not the answer - it needs to be strategic.”

Touhill witnessed many government, and private corporations dusting off old technology and network VPN equipment to allow remote work as COVID-19 unfolded. When instead, they should have been upgrading and moving forward with new technologies. These outdated, unsafe resources need to be retired and put to rest once and for all. Otherwise, America cannot keep up with the deluge of cyber attacks. A solid plan with structure is necessary to succeed with this limited budget.

Along with a strategic plan, Touhill suggests that the government adopt a  “zero trust  framework across all federal agencies’ networks.” Touhill qualified his statement with, “Certainly, the recent events with SolarWinds and Microsoft Exchange - and I’m sure there are many others out there we don’t know about - have highlighted the fact that the software supply chain and the hardware supply chain are at risk. And if you can’t trust your software or your hardware, you’ve got to implement zero trust.”