Biden's $10 Billion Cybersecurity Proposal: Is It Enough?Security Experts Say Proposal Amounts to a 'Down Payment'
President-elect Joe Biden’s $1.9 trillion proposal for COVID-19 relief includes nearly $10 billion in cybersecurity and IT spending.
See Also: Determining the Total Cost of Fraud
Tucked away near the end of the "American Rescue Plan" is a proposal to spend $9 billion to help the U.S. Cybersecurity and Infrastructure Security Agency and the General Services Administration complete cybersecurity and IT modernization projects.
The Biden administration also proposes spending $1 billion for several other cybersecurity and IT initiatives, including:
- $200 million for the rapid hiring of security experts to work for the Office of the U.S. Chief Information Security Officer as well as the Digital Service unit in the White House;
- $300 million to fund additional IT projects within the GSA;
- $690 million for a CISA project designed to improve monitoring and incident response across federal agencies.
The proposed new spending on security and IT improvements is in direct response to the SolarWinds supply chain hack, which has affected federal agencies, including the Treasury, Commerce, Homeland Security, Justice and Energy departments, as well as numerous private firms. Biden said earlier the hacking incident reflected a gap in U.S. cybersecurity capabilities (see: How Will Biden Administration Tackle Cybersecurity?).
Some cybersecurity experts are hopeful the Biden proposal is just a down payment on a much larger initiative.
"Broadly throwing additional funds toward agencies without strategic objectives doesn't yield the best or desired results," says Greg Touhill, a retired U.S. brigadier general who served as the country's first federal CISO. "We can't continue to invest in the same strategies and technologies that have proven themselves inadequate against modern threats. This initiative ought to be focused, as the issues aren't always about lack of funding as much as inadequate strategy and architecture and poor execution."
Touhill, who is now the CEO of Appgate Federal, says the Biden administration needs to champion such issues as federal agencies implementing a zero trust approach to network and perimeter defenses this year.
The incoming administration should also update the Federal Information Security Act to further empower the office of the federal CISO and provide it with additional funding and staffing, Touhill says.
And the White House needs to develop a plan that would allow smaller federal agencies, such as those not covered by the 1990 Chief Financial Officers Act, to share resources and invest in managed security services to help save money while building better defenses, the former federal CISO adds.
"While there is lots of good in the [Biden] proposal, it would be even better with some specific targets that are feasible, acceptable, suitable and affordable," Touhill says.
For example, he calls for funding of penetration testing and red team programs in every federal department and agency as well as a bug bounty program.
Tom Kellermann, who served as a cybersecurity adviser to President Obama and is now head of cybersecurity strategy at VMware, believes that any cybersecurity proposal needs to look beyond domestic issues and focus on addressing nation-state threats.
"I applaud the progressive action being taken to buttress American cybersecurity, but it is a down payment," Kellermann says. "[The Biden administration] should consider immediately the expansion of threat hunting to root out the Russian and Chinese threat actors and make a significant investment in cloud security and workload security across the United States government."
Mike Hamilton, a former vice chair of the Department of Homeland Security's State, Local, Tribal, and Territorial Government Coordinating Council, also called the $10 billion cybersecurity and IT spending proposal a down payment, noting that he would like to see these areas addressed in a separate bill and not lumped in with COVID-19 relief.
Hamilton also notes that one area not addressed by the proposal is state and local governments that need help with cybersecurity because they're not equipped to handle issues such as ransomware and other types of attacks.
"The area that needs investment right now is local government," Hamilton says. "Cities and counties are more important at the scale of U.S. life than the federal government is, and the services provided are unquestionably critical. "
Staffing and Leadership
The 2021 National Defense Authorization Act, which Congress recently enacted by overriding a veto by President Trump, includes 77 security provisions, including restoration of the position of national cyber director at the White House (see: Defense Funding Measure Includes 77 Cybersecurity Provisions).
The co-chair of the Congressional Cybersecurity Caucus, Rep. Jim Langevin, D-R.I., who pushed for restoring the cyber director position, noted on Twitter that Biden's proposal for even more security spending is long overdue, especially in light of the SolarWinds hack.
I’m also grateful to see the President-elect pushing for investments in #cybersecurity in the wake of #SolarWinds. We have missed leadership like this in the White House. I hope he will consider expanding IT modernization efforts to state and local governments as well.— Jim Langevin (@JimLangevin) January 15, 2021
Biden has already tapped Anne Neuberger of the National Security Agency to take over a newly created cybersecurity role within the National Security Council. But Joseph Neumann, director of offensive security at consulting firm Coalfire, believes the White House will need to do more to attract and keep top talent to fill out the rank-and-file cybersecurity positions in the executive branch.
"The revolving door will continue to go the other direction as the private sector looks at and identifies real-world experience more than any formal education due to the ability to apply versus hypotheticals," Neumann says. "Once individuals get enough real-world experience, they quickly jump to contractor or private-sector positions that are more lucrative and faster-paced."