President Joe Biden and members of Congress face a moment of truth when it comes to whether they are willing to spend significant dollars to shore up U.S. cyber defenses.
Three weeks after a ransomware attack crippled fuel supplies along the East Coast, Biden plans to unveil his spending request for fiscal 2022, in which officials aim to boost cybersecurity funding. At the same time, Democrats and Republicans in Congress are attempting to negotiate an infrastructure spending plan that may include cyber-related programs.
The budget debates "serve as an opportunity to test our seriousness of purpose, to learn whether we have the resolve to put our money where our mouth is," according to David Kris, a former U.S. assistant attorney general for national security and a founder of Culper Partners.
So far at least, some cybersecurity experts and government officials say cyber spending has fallen far short of what is needed to defend against devastating cyberattacks. One oft-cited example: The president is seeking $2 trillion in an infrastructure proposal called the "American Jobs Plan" that ties dollars to improved cybersecurity but doesn't specify money to protect new transportation networks, water systems and other projects against hacks.
An official at the Office of Management and Budget — who was granted anonymity to speak about the forthcoming budget — said recent cyberattacks reinforced the need to enhance government cyber capabilities. Amid growing threats, the budget will reflect the administration’s recognition that the U.S. needs to invest in modernizing government systems and its workforce, the official said, without providing any specifics on cybersecurity funding.
Annual cybersecurity budgets for U.S. civilian agencies have been about $19 billion a year, according to a government estimate. By comparison, the Navy is spending about $12.5 billion on its next-generation aircraft carrier.
Concerns over digital security have long been ignored, postponed or underfunded, despite periodic vows to get serious following major attacks. The nonpartisan Government Accountability Office has continually harped on the issue, saying in March that while the U.S. government has made some improvements, "it needs to move with a greater sense of urgency commensurate with the rapidly evolving and grave threats to the country."
By then, the U.S. was already aware of a sophisticated breach by Russian hackers, revealed in December, that exposed flaws in the digital supply chain. The hackers installed malicious code into updates for popular software from Texas-based SolarWinds, ultimately infiltrating nine U.S. government agencies and about 100 private companies via the SolarWinds backdoor and other methods.
Then, in late February and early March, China-linked hackers compromised tens of thousands of servers through a flaw in Microsoft's Exchange software for email. Earlier this month, the ransomware attack on Colonial Pipeline paralyzed the operator of the largest fuel pipeline in the country.
The Biden administration has repeatedly emphasized that cybersecurity is a priority, including creating partnerships with the private sector to address digital security of the electrical grid and launching initiatives to combat ransomware. Less than a week after the Colonial attack, Biden issued an executive order that called for better coordination with the private sector and the adoption of improved safety practices throughout the government.
But as the Chamber of Commerce was quick to point out, the order requires funding to succeed, and funding is largely the domain of Congress.
The Biden administration and Congress have approved some additional cybersecurity funding. The American Rescue Plan, which was signed in March to provide pandemic assistance, included $1 billion for the Technology Modernization Fund to upgrade federal technology. The plan also included a $650 million boost for the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, known as CISA, the agency that oversees civilian government networks.
In April, Biden released a budget blueprint for fiscal 2022, which included $2.1 billion for CISA — $110 million more than in 2021 — and an additional $500 million for the technology fund.
Biden's initial infrastructure proposal included certain incentives and other spending that the administration maintains would improve cyber defenses. For instance, $20 billion is proposed for state, local, and tribal governments to modernize their energy systems and $2 billion to ensure power grid resilience — both of which are contingent on meeting cybersecurity thresholds. In addition, replacing antiquated power stations, oil and gas machinery and water infrastructure can allow utilities and state and local governments to install more sophisticated defense systems to hunt for hackers. But that proposal didn't include any money specifically set aside to protect all the new infrastructure from cyberattacks.
"Even after the Colonial Pipeline hack, it's unfortunate that the Biden administration neglected to include robust funding to secure our critical infrastructure as part of the initial American Jobs Plan," said Representative Jim Langevin, a Democrat from Rhode Island and a member of the Cyberspace Solarium Commission, which makes cyber defense recommendations to Congress.
Cybersecurity experts are waiting to see if the budget can both fund Biden's executive order and advance it, and if the recent spate of attacks will prompt Congress — which has been notoriously stingy with cybersecurity money — to provide more for U.S. cyber defenses.
“The question is: Is cyber being prioritized?” said Mark Montgomery, executive director of the Cyberspace Solarium Commission and a senior fellow at the Foundation for Defense of Democracies, which advises Congress on cyber strategies. “We are hoping to see more.”