Biden’s cybersecurity budget good start; Congress needs to fill the gaps
The White House released the President’s Budget Request for Fiscal Year 2023 on the heels of the recently passed Consolidated Appropriations Act, which provided a jolt of cybersecurity funding for 2022 but missed important opportunities. For its part, the FY23 Budget request contains a number of critical cybersecurity investments but falls short on cyber education and critical infrastructure resilience and does not adequately fund the National Institute of Standards and Technology (NIST). Congress should now move decisively to fill those gaps, as it often has in previous years.
The FY23 Budget prioritizes securing the federal government’s digital systems and networks with an 11 percent ($10.9 billion) increase in enterprise cybersecurity and IT funding for departments and agencies. For example, the White House requests an increase of $197 million “to protect and defend sensitive agency systems and information” at the Department of the Treasury. Similarly, the Budget cites improving the Pentagon’s network security and strengthening cybersecurity standards for the defense industrial base as priorities. This growth and prioritization align neatly with Executive Order 14028 on Improving the Nation’s Cybersecurity which, the Budget notes, emphasizes “enhancing the security of Government-procured software [and] improving detection of cyber threats and vulnerabilities on Federal systems.”
The White House also recognizes the need to expand the federal cybersecurity workforce, increasing funding for the National Science Foundation’s (NSF) “CyberCorps: Scholarship for Service” program by $12 million over the FY22 appropriation. CyberCorps is a critical pathway for post-secondary cybersecurity education and recruitment. The Budget, however, neglects K-12 cybersecurity education as it requests no funding for the Cybersecurity Education and Training Assistance Program (CETAP) housed at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). The administration similarly marked CETAP for elimination in the FY22 request, but Congress ultimately appropriated $6.8 million for FY22 to continue this congressionally authorized program. The FY23 Budget provides no reason for eliminating CETAP funding other than suggesting NSF will take over some element of the work. As they have in the past, congressional appropriators should resolve the confusion by funding this critical cybersecurity education program in its current home at CISA and ensuring that any increased funding for K-12 education activities at NSF is truly additive, rather than coming at the expense of CETAP or existing NSF educational programs like CyberCorps.
While defending its own networks, the federal government must also protect Americans’ digital lives and livelihoods by supporting public-private collaboration to secure national critical infrastructure. This was an area where last year’s Budget request struggled, but to the White House’s credit, its newest funding request shows a growing recognition of the government’s role. For example, the Budget requests $22 million for the new Office of the National Cyber Director in part to “improve national coordination in the face of escalating cyber-attacks on Government and critical infrastructure.” The White House is also requesting an increase of $52 million for the Department of Justice to enhance its cyber investigative capabilities and efforts to combat ransomware.
One of the most important ways the federal government elevates critical infrastructure cybersecurity is through sector risk management agencies (SRMAs) — the links between government cybersecurity experts and critical infrastructure owners and operators. Here, the FY23 Budget is decidedly inconsistent. On the positive side, the Department of Energy requests a nearly 30 percent increase relative to FY21 spending for its Office of Cybersecurity, Energy Security, and Emergency Response. The Department of Transportation requests a much-needed $25 million increase for cybersecurity at the Federal Aviation Administration. And the Environmental Protection Agency requests $25 million within a grant program to improve cybersecurity in the water sector. These are all smart investments.
At the same time, however, the Department of the Treasury, the financial sector’s SRMA, requests an increase of less than $300,000 for the Office of Cybersecurity and Critical Infrastructure Protection despite its own admission that its “staffing level is insufficient to handle the actual volume of incidents” targeting the financial sector. Three hundred thousand dollars will not fix much. Most problematically, CISA requests a $163,000 decrease for support to SRMAs compared to its FY22 request. Congress is likely to ignore this decrease given that appropriators doled out a $39 million increase for CISA’s SRMA support role in the FY22 appropriations bill last month.
The overall budget for CISA is $377 million higher than the FY22 budget request. The 18 percent increase is a clear signal that the administration is prioritizing the expansion of CISA’s work. As remarkable as that increase is, it is actually almost $82 million less than the amount Congress appropriated for FY22, making it appear as a budget cut rather than an increase. Given that the president signed the delayed FY22 appropriations bill into law only two weeks before submitting the FY23 Budget request, the White House had likely already finalized its request for FY23 and likely thought its request for CISA would be a significant increase, not an $80 million decrease. The fact that the administration was functionally upstaged by Congress does not detract from the clear show of White House support for the cybersecurity agency. Congress itself now has the opportunity to reconcile the differences and produce a larger CISA budget for FY23.
The administration is also moving in the right direction, albeit slowly, at the State Department. At the beginning of April, State officially launched its new Bureau of Cyberspace and Digital Policy (CDP) diplomacy “to encourage responsible state behavior in cyberspace and advance policies that … uphold democratic values.” The CDP bureau is as much a realignment as a new creation, pulling together three existing teams that had evolved separately across the department. As such, in announcing its FY23 Budget, State added a new budget line retroactively announcing $6.4 million for the new bureau for FY22. The FY23 Budget increases this request by $2.6 million to support seven new positions within CDP. The FY23 Budget also sets aside $37 million for CDP in the Economic Support Fund, which the new bureau would likely spend as part of international cybersecurity capacity building projects. While that figure also likely includes a mix of realigned and new funding, it is encouraging to see the department recognize the importance of cybersecurity support for partners and allies. The new bureau has a lot more growing ahead of it, but the FY23 request is a step in the right direction.
Finally, the FY23 Budget requests a 20 percent ($18 million) increase for NIST’s cybersecurity and privacy work. While this is a welcome increase after years of constrained growth, much more is needed to execute NIST’s growing mission. NIST not only maintains frameworks and resources that serve as keystones of global cybersecurity, it has taken on new responsibilities under EO 14028 and oversees a new workforce development grant program. In light of NIST’s pivotal role in enabling better cybersecurity nationwide, the congressionally mandated Cyberspace Solarium Commission previously recommended nearly doubling its cybersecurity and privacy budget to $142 million.
Despite the occasional misses, President Biden’s Budget request for FY23 is an overall win for cybersecurity. It is now up to congressional appropriators to carry forward the wins, address the gaps, and build on last year’s investments to further strengthen cybersecurity for all Americans.
Retired Rear Admiral Mark Montgomery serves as senior director of the Center on Cyber and Technology Innovation (CCTI) and is a senior fellow at the Foundation for Defense of Democracies (@FDD), a Washington, D.C.-based, nonpartisan research institute focusing on national security and foreign policy. Montgomery also directs CSC 2.0, an initiative that works to implement the recommendations of the congressionally mandated Cyberspace Solarium Commission, where he served as executive director. Follow him on Twitter @MarkCMontgomery