The US President's Budget for FY 2024 includes substantial increases for cybersecurity, and does so in the context of the National Cybersecurity Strategy. Here are some highlights of the 184-page document.
Cybersecurity in the US President's Budget for Fiscal Year 2024.
The President's Budget for Fiscal Year 2024 has been published, and it addresses cybersecurity across the spectrum of the Federal Government's operations. The Budget will now go to Congress for the usual review, debate, modification, and passage.
The President's Budget and cybersecurity.
The President's message in the opening pages of the document says, in part, "this Budget cements our commitment to confronting global challenges and keeping America safe. It outlines crucial investments to out-compete China globally and to continue support for Ukraine in the face of unprovoked Russian aggression. It also continues our work to restore America’s global leadership—reviving key alliances and partnerships, strengthening our military, fostering democracy and human rights, protecting global health, honoring our veterans, fixing our immigration system at home, and advancing cybersecurity through implementation of the National Cybersecurity Strategy I just signed."
The Budget throughout ties appropriate spending requests to the National Cybersecurity Strategy. Much of that funding will go not only to counter the work of adversaries like China and Russia in cyberspace (page 15), but also to more enforcement actions against cybercrime (pages 36-37), to the countering of "malign influence" (page 39), and to "bolstering Federal cybersecurity" (page 53).
Allocations for cybersecurity by US cabinet department.
The White House factsheet that accompanied the release of the President's Budget devoted a paragraph to cybersecurity:
"The Budget continues to invest in cybersecurity programs recognizing that cybersecurity is essential to the basic functioning of our economy, the operation of our critical infrastructure, the strength of our democracy and democratic institutions, the privacy of our data and communications, and our national security. The recently signed National Cybersecurity Strategy details a comprehensive approach to better secure cyberspace and ensure the United States is in the strongest possible position to seize all the benefits and potential of our digital future. The Budget requests more than $395 million to advance global cyber and digital development initiatives, including the Department of State’s Bureau of Cyberspace and Digital Policy, USAID’s Digital Strategy, Partnership for Global Infrastructure and Investment (PGII) digital connectivity efforts, and regional initiatives such as Digital Transformation with Africa."
Some of the proposed appropriations for cybersecurity are broken down in the Budget itself by cabinet department.
Department of Defense.
The Pentagon's discretionary budget as a whole would, under the President's request, be $842 billion, and of course only a fraction of that would go toward cybersecurity. The cyber missions called out in the document would be accomplished within the scope of the Defense Department's larger budget. Some of the intentions expressed are either explicitly or implicitly concerned with cyber capabilities:
- "Advances U.S. Cybersecurity. The Budget continues to invest in cybersecurity programs to protect the Nation from malicious cyber actors and cyber campaigns. These investments strengthen cyber protection standards for the defense industrial base and cybersecurity of DOD networks" (page 64).
- "Supports a Ready and Modern Army. The Budget maintains a ready Army capable of responding globally as part of the Joint Force through investments in Army modernization initiatives, including continued investments in the Multi-Domain Task Force providing critical non-kinetic and long-range strike capabilities" (page 65, emphasis added--non-kinetic strike includes cyber and electronic warfare).
- "Increases Space Resilience. Space is vital to U.S. national security and integral to modern warfare. The Budget maintains America’s advantage by improving the resilience of U.S. space architectures, such as in space sensing and communications, to bolster deterrence and increase survivability during hostilities" (page 65, emphasis added--"resilience" includes resilience in the face of cyber threats).
Department of Energy.
For the Department of Energy, "the Budget provides $245 million to enhance the security of clean energy technologies and the energy supply" (page 73).
Department of Homeland Security.
The Department of Homeland Security would get $3.1 billion for the Cybersecurity and Infrastructure Security Agency (CISA). This represents an increase of $145 million (page 84).
Department of Justice.
The Department of Justice would receive "$14 million to address technological abuse through funding new VAWA [Violence Against Women Act] programs to address cybercrimes against individuals." The FBI would get "an additional $63 million for more agents, enhanced response capabilities, and strengthened intelligence collection and analysis capabilities" (page 96).
Department of State.
The State Department's proposed funding includes "more than $395 million to advance global cyber and digital development initiatives, including State’s Bureau of Cyberspace and Digital Policy, USAID’s Digital Strategy, PGII digital connectivity efforts, and regional initiatives such as Digital Transformation with Africa" (page 105). State would also receive funds to "counter malign influence," specifically, "To assert U.S. leadership in strategic competition with the PRC, the Budget includes $400 million for the Countering PRC Influence Fund. In addition, the Budget requests $753 million for Ukraine to continue to counter Russian malign influence and to meet emerging needs related to security, energy, cybersecurity, disinformation, macroeconomic stabilization, and civil society resilience" (page 106).
Department of the Treasury.
The Department of the Treasury would be allocated "$215 million, an increase of $115 million above the 2023 enacted level, to protect and defend sensitive agency systems and information, including those designated as high-value assets. The Budget increases centralized funding to strengthen Treasury’s overall cybersecurity efforts and continue the implementation of a Zero Trust Architecture. These investments would protect Treasury systems from future attacks" (page 114).
Reaction to the President's Budget from the cybersecurity industry.
Ilona Cohen, Chief Policy Officer at HackerOne and former OMB General Counsel, wrote to express some confidence in the possibility of bipartisan consensus over cybersecurity:
"Although lawmakers looking toward the 2024 electoral cycle may seek ways to distinguish themselves from the other party, cybersecurity funding is one of the few areas where bipartisan cooperation is possible — and critical.
"The President proposed increasing cybersecurity funding for federal civilian agencies by several hundred million dollars. These funds will prove vital to hiring a more skilled and diverse cybersecurity workforce, transitioning legacy systems to modern infrastructure, and enabling agencies to adopt a zero-trust architecture. These funding increases can establish effective use of cybersecurity standards to defend our critical infrastructure and improve national security.
"I believe legislators can accomplish all of the above and encourage the adoption of best practices around vulnerability disclosure. Launching vulnerability disclosure programs and trusting ethical hackers is crucial for identifying the most critical vulnerabilities within our digital infrastructure and establishing more resilient systems.
"In recognizing these steps necessary for protecting federal information systems and data, lawmakers can work together to prove that they are working in the best interest of all Americans."
Amit Shaked, CEO and co-founder of Laminar, likes the Budget's direction, and is especially gratified by appropriations intended for the Technology Modernization Fund:
“We applaud the Biden Administration’s ongoing commitment to strengthening the U.S.’s national cyberdefenses. By providing guidance with the 2023 National Cybersecurity Strategy, and now the funds to carry it out with a significant portion of the $3 trillion budget for the fiscal year, both public and private sector organizations will be in much better shape to address problem areas inhibiting them from getting the upper hand with adversaries.
"As part of the budget, the Biden Administration will allocate $200 million to support the Technology Modernization Fund, a program that gives over 20 federal agencies ways to deliver critical services to the American public faster. We’ve seen this trend of modernization play out throughout the last several years as organizations moved to the cloud at a faster rate than ever before, and made more data available to more people so that developers, data scientists and other data innovators could better harness the value of the data.
"However, it’s critical that federal organizations prioritize data visibility and security while taking on these modernization projects. In the height of the pandemic when other organizations were undertaking similar initiatives, one in two businesses experienced a breach due to unknown or ‘shadow’ data, lack of visibility into the network and overall disconnection between developers and IT and security teams. The move to the cloud, proliferation of shadow data, changing role of security and death of the traditional security perimeter contributed to what is now known as the “innovation attack surface,” a new threat vector that resulted from the massive, decentralized, accidental risk created by individuals driving innovation for the business.
"We encourage federal agencies to rely on agile data security tools that allow for automated and continuous monitoring of data assets — before, during and after modernization projects are complete. Having total observability will enable these important agencies to automate data discovery and data security policy enforcement, especially across multi-cloud environments, control data exposure and enable data-centric environment segmentation.”
Tyler Farrar, CISO of Exabeam, sees increased funding allocated to implementation of Executive Order 14028 as a positive sign:
"The large boost in funding towards Executive Order 14028, 'Improving the Nation’s Cybersecurity,' will aid in implementing a comprehensive yet ambitious strategy to safeguard the country's key digital infrastructure and work toward creating a more reliable digital ecosystem. I am excited to see our national administration acknowledge the sophistication of the threat landscape, particularly in the software supply chain, and implement a security budget that bears the full scope of the government's authority and resources in protecting and securing the data environment across Treasury systems, as well as providing guidance for the private sector.
"With an increased budget, and the guidelines set forth by the White House National Cybersecurity Strategy, resources can be allocated towards enhancing protection against foreign adversaries and rebalancing responsibility for cybersecurity away from individuals, small businesses, and local governments and onto the organizations that are best positioned to reduce risks for all of us. These positive steps acknowledge the difficulties for individuals, small organizations, and even federal agencies, to protect themselves from cyber threats and place greater responsibility on the larger organizations that can better bear the burden of cybersecurity.
"This constructive move acknowledges that the government is well-positioned to supply instruments of national authority in a coordinated manner to safeguard economic growth, public safety, and national security. However, it is essential for the government to recognize that regulations, policies, procedures, compliance frameworks, and even a bigger budget, alone do not inherently mitigate risks. A larger budget is beneficial, but allocation by itself does not guarantee an organization’s imperviousness to suffer a data breach.
"Overall, the increase in the cybersecurity budget appears to emphasize the government’s dedication to coordinated and collaborative action to achieve a unified approach to cybersecurity across different sectors and stakeholders. These investments and actions will help create a more secure and resilient digital ecosystem, not just in the United States but also globally. By leading the way in developing safe and resilient next-generation technologies and infrastructure, the United States can help shape the future of cyberspace in a way that promotes security, innovation, and economic growth.”
Arti Raman, founder and CEO of Titaniam, sees the Federal government's increased spending on cybersecurity as being in line with trends in the private sector:
“President Biden’s recent budget announcement underscores the importance of cybersecurity efforts on a national scale. Increasing concern regarding international relations and the state of the economy have made cybersecurity a primary focus of discussion in the government and within our nation’s organizations and citizens. Biden’s National Cybersecurity Strategy cites a desire to make the United States’ digital ecosystem 'defensible, resilient, [and] values-aligned.' By investing in cyber defense, data protection, and upgraded technology, we are investing in this mission.
"As 92% of enterprises increased their 2023 cybersecurity budgets, it is promising to see our government do the same. With this announcement comes the confidence that we can prevent attacks from taking place. We are excited to see progress in ensuring data, specifically personal identifiable information, remains secure, and businesses can continue to profit without concern about being compromised.”
Aaron Sandeen, CEO and co-founder of Securin, sees the President's priorities in the light of the ways in which they'll affect state and local governments:
“The White House revealed its proposed budget for the 2024 fiscal year, and it shed light on the president’s priorities for increasing the federal government’s security posture against malicious actors. Securing federal government networks that millions of people depend on is crucial, as we’ve seen nation-states suffer as a consequence of cyber attacks on their networks, but we cannot forget the digital infrastructure on the state level.
"The budget increases the Cybersecurity and Infrastructure Security Agency (CISA) total funding, but it’s unclear whether these funds will be further allocated to individual states. There is specific funding for enhancing the security of the energy supply chain with extra assistance diverted to States and local governments for emergency planning and preparation, but States have many other vulnerable networks. Securin passively scanned and discovered 262,000 internet-facing assets across the 50 US states and discovered 64 unique vulnerabilities overall in all the states with exploits available in the public domain.
"This underpins the complex issue of cybersecurity in the US, and budget planning is just the beginning of creating a national cyber defense strategy. The budget will inform further legislation to ensure every State is equally protected against the worst threats.”
Richard Bird, Traceable AI's CSO, offered some animadversions. He's less pleased by what he sees as some old-school and discredited thinking the Budget embodies:
“While it is encouraging to see the White House continue to emphasize and increase investments in cybersecurity, it is disappointing to see a focus on old ways of thinking. Faster incident reporting is not a security improvement, no more than an alarm system that goes off two days after you have been robbed is a security improvement. It's time for the US government to get serious about legislating actual cyber protections for citizens and consumers in our nation, instead of taking half measures and half steps like this.
"The White House continues to show commitment and focus to defining and funding cybersecurity improvements for our nation. But, neither Congress nor the Executive Branch are showing the necessary courage and urgency to address the massive legislative gap in protections for citizens and consumers in this country. Until they do, much of this spending will be sub-optimized.”
(Added, 11:15 AM ET, March 10th, 2023. Javed Hasan, CEO and Co-Founder of Lineaje, sees the President's Budget as validation of earlier Administration orders and strategies, and urges organizations to look to the document for guidance as they shape their cybersecurity priorities.
“With specific cybersecurity allocations, today’s White House Budget announcement is a big step in the right direction towards securing our nation against cyber threats and attacks. This move validates the importance of government mandates like the upcoming U.S. Executive Order 14028 that directs agencies to use only software that complies with secure software development standards and creates a self-attestation form to help software producers and agencies understand what’s in their software and what software components are unknown and, therefore, at risk. The more funding we have towards these initiatives will help create an industry that values strong accountability of knowing what’s in their software and how they can mitigate cyber threats.
"With further investment into government oversight and regulations coming in the future, it’s crucial for organizations to take steps now to evaluate and analyze their Software Bill of Materials (SBOM) at all levels. They must be able to publish and maintain an accurate SBOM to detect vulnerabilities and ensure software supply chain security.
"Overall, it’s great to see $98 million in the budget towards the Cyber Incident Reporting for Critical Infrastructure and we hope to see similar funding of this kind in the future. We welcome more initiatives and executive orders from the government that will mandate cybersecurity measures that are critical to the basic functioning of our economy, the privacy of our data, the protection and operation of our critical infrastructure, and our overall national security.”)
(Added, 6:45 PM, March 14th, 2023. Jason Soroko, SVP of Product at Sectigo, sees incipient regulatory moves in the budget. "While the government have historically chosen to not be prescriptive, the White House directly calls out the need for digital identity ecosystems. PKI and certificate lifecycle management (CLM) will play a fundamentally important role in this. Investment will need to occur to create visibility to human and machine identities, and strong credential form factors such as certificates will become even more ubiquitous," he wrote. "Thankfully the legislation also calls out for preparation for our post quantum future. This is especially important as we look ahead to a post-quantum future that will require a new set of cryptographic algorithms. Future proofing ourselves will require a huge exercise by the entire industry, including vendors, consumers and the government.")