Congress

Congress Invests in National Cyber Resilience but Misses Important Opportunities in the Consolidated Appropriations Act

Mark Montgomery
Friday, April 1, 2022, 8:01 AM

The new appropriations bill is sound overall, but it addresses only half of the federal government’s cybersecurity mandate.

The U.S. Capitol building in Washington, D.C. (Ben Schumin, https://tinyurl.com/sz59uwym; CC BY-SA 2.0, https://creativecommons.org/licenses/by-sa/2.0/)

Published by The Lawfare Institute
in Cooperation With
Brookings

Congress’s newly completed annual appropriations bill provides significant funding increases for a number of critical cybersecurity programs, including for the Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security. This investment will likely drive transformational improvements in federal and national cybersecurity capabilities. At the same time, however, Congress failed to make similar investments in supporting programs at other agencies, like the National Institute for Standards and Technology (NIST), that serve as enablers of better cybersecurity in the federal government and nationwide. 

Welcome Support for CISA, the National Cyber Director and the Department of Energy

The overall growth in CISA’s new budget reflects Congress’s mounting concerns after a year marked by alarming cybersecurity incidents in government and critical infrastructure. The Consolidated Appropriations Act of 2022 expands CISA’s budget by more than 28 percent relative to the budget enacted for fiscal year 2021 (and more than $460 million over the administration’s request for fiscal year 2022).

In a March 2021 letter, leaders from the congressionally mandated Cyberspace Solarium Commission recommended that appropriators increase CISA’s main funding pool by at least $400 million, on top of the administration’s requested increase of over $100 million. The omnibus bill tops them both, providing CISA with an overall increase of almost $569 million—a landmark investment in America’s cybersecurity.

This increase enables major investments in the tools that allow CISA to serve as a key enabler of cybersecurity across the federal government and nationwide. In particular: 

Sector risk management agencies (SRMAs)—The Department of Homeland Security serves as the primary connection point for eight of the 16 critical infrastructure sectors (chemical; commercial facilities; communications; critical manufacturing; dams; emergency services; information technology; and nuclear reactors, materials, and waste). In the administration’s annual budget request, CISA asked for roughly $18.2 million for SRMA management, an increase of about half a million over the prior year’s budget. The omnibus bill provides an increase of $39 million above the administration’s request. This investment will revolutionize CISA’s ability to support critical infrastructure sectors and to serve as a resource hub for all SRMAs across government.

Voluntary threat detection—Voluntary threat detection programs are key points of collaboration between CISA and critical infrastructure owners and operators. Most notably, the CyberSentry program places sensors on critical infrastructure networks where corporate networks meet industrial control systems. Under CISA’s fiscal year 2022 budget request, funding for this program would have held steady at roughly $8.2 million, but the omnibus bill provides an astounding $95.5 million increase over the request. These additional funds will establish a program management office as well as procure critical hardware and software to deploy sensors across more critical infrastructure sectors and develop better tools to analyze this collected data. This rapid growth in funding both signals confidence in the program and sets a very high bar for CISA, which will need to move quickly to obligate these funds before the 2022 fiscal year ends on Sept. 30.

Cybersecurity Education and Training Assistance Program (CETAP)—Properly funding cybersecurity education is an investment in the future of national resilience, and the homeland security section of the omnibus bill delivers on that goal. CETAP, an established program that Congress codified in the National Defense Authorization Act (NDAA) for Fiscal Year 2021, provides cybersecurity curricula and professional development to K-12 educators nationwide. After the administration recommended eliminating CETAP despite its successes, Congress instead appropriated $6.8 million for the program and required CISA, the Office of the National Cyber Director (ONCD), and the Office of Management and Budget to work together to clarify interagency leadership of cybersecurity training and education programs.

And there is more. Congress increased CISA’s budget for the Joint Cyber Defense Collaborative (JCDC), an evolution of the Joint Cyber Planning Office mandated in Section 1715 of the 2021 NDAA. That funding will make major inroads toward operational planning and coordination with the private sector. Congress also appropriated $200,000 for a report on a Continuity of the Economy (COTE) planning effort, though future appropriations bills will likely reflect that implementing a plan to restart the nation’s economy after a large-scale cyberattack requires far more resources than the initial report.

Furthermore, lawmakers are demanding a briefing on cyber hiring, which will serve as a first step toward addressing persistent delays and limitations in CISA’s mission support services. The appropriations bill also provides additional guidelines for the Cyber Response and Recovery Fund created by the Infrastructure Investment and Jobs Act. In the appropriations report, Congress requires CISA to establish rules specifying details like when the fund will be used, when costs will be reimbursable and other practical points of implementation. Finally, funding for a Cybersecurity Advisory Committee will reinforce CISA’s ability to draw expert advice.

Outside of CISA, appropriators’ comments about the ONCD merit attention. While acknowledging that the office received healthy funding of $21 million in the Infrastructure Investment and Jobs Act, lawmakers noted that they anticipate future appropriations for the ONCD “beginning in fiscal year 2023.” In the meantime, the bill reaffirms ONCD’s role in cyber workforce development, reinforcing the office’s work on the issue.

A final welcome highlight: Congress also increased funding for the Office of Cybersecurity, Energy Security, and Emergency Response (CESER) at the Department of Energy by $29 million over last year, for a total appropriation of almost $186 million. The president’s budget had requested more—an increase of $45 million—but a 19 percent increase is nevertheless good news in the critical world of energy cybersecurity. As the SRMA for the energy sector, the Department of Energy, through CESER, provides technical assistance, guidance, training, and outreach to critical infrastructure owners and operators in the sector. The added funds will enable CESER to improve the resiliency of energy infrastructure and develop tools to provide greater situational awareness of the environmental and cyber risks that could lead to sector disruption. In particular, Congress appropriated up to $20 million for the Cyber Testing for Resilient Industrial Control Systems program. Lawmakers also required the department to provide greater detail on its cyber research plans in the coming year’s budget request, making this an interesting area to watch for future appropriations.

Underfunding the National Science Foundation and NIST

While the new appropriations bill is sound overall, it missed several key opportunities. Some departments and agencies with significant cybersecurity portfolios did not see meaningful increases. The issue is not the information technology budgets that federal agencies use to secure their own networks but, rather, the programmatic funding some agencies receive to enable better security nationwide. Outside of CISA, the latter category of funding is largely missing from the omnibus bill. The disappointments are most notable in the National Science Foundation (NSF) and the National Institute of Standards and Technology, where Congress failed to follow its own guidance from separate House and Senate versions of the appropriations bills passed last summer.

NSF’s CyberCorps: Scholarship for Service (SFS) Program has a proven track record of providing high-quality cyber education to a diverse population of students across the country and then recruiting hundreds of those students into the government every year. This program received $60 million in fiscal year 2021. The Cyberspace Solarium Commission advocated for a $20 million increase but welcomed the $10 million increase reflected in the president’s budget and in the House and Senate versions of the appropriations bill filed earlier in 2021. However, the final bill’s modest 5 percent increase for a total budget of $63 million is both a disappointment and a missed opportunity to mitigate America’s shortage of cyber professionals, one of the most intractable challenges in federal cybersecurity. 

Congress can fix this specific issue when it reconciles the House and Senate “China Bills” next month. Section 10304 of the House version contains appropriate SFS funding, which, if retained, would resolve this issue for the next five years. Relatedly, the House version of the report filed in summer 2021 called for a robust statistical analysis program at the National Center for Science and Engineering Statistics, focused on the cyber workforce. However, the final spending agreement includes a watered-down version of that plan, merely encouraging NSF to build on a tangentially related report from 2017. 

The shortages in funding for NIST are even more dramatic. The Cyberspace Solarium Commission had recommended an increase of nearly $65 million to NIST’s cybersecurity and privacy budget for fiscal year 2022, noting NIST’s growing mandate and central role in the cybersecurity ecosystem. The commission found this dramatic increase to be appropriate because NIST provides tools used across sectors and worldwide, such as the National Vulnerability Database, the NIST Cybersecurity Framework and the NICE Workforce Framework for Cybersecurity. Additionally, NIST’s mandate has expanded significantly in recent years. Section 9401 of the 2021 NDAA authorizes a new nationwide cybersecurity workforce development effort through “regional alliances and multistakeholder partnerships.” Likewise, Executive Order 14028, issued in May 2021, tasks NIST with publishing guidance on security measures for critical software, minimum standards for software testing, enhancing software supply chain security, and a long list of other topics. NIST must do all of this, plus a full slate of equally critical work on privacy, on a budget that for years has hovered at just under $80 million.

While Congress’s joint explanatory statement accompanying the omnibus bill references a prior House report that included a $15 million increase, the final agreement apparently reduces that increase to only $1.5 million over fiscal year 2021 enacted spending. This represents a meager 1.9 percent in year-over-year growth in NIST’s budget for cybersecurity and privacy and significantly less than the modest 6 percent increase requested by the administration.

NIST’s work requires an extremely skilled and experienced workforce. If Congress and the administration continue to add to the agency’s list of unfunded and underfunded mandates, NIST will begin to lose that workforce. That would do irreparable damage to cybersecurity not only in the United States but globally. NIST products are a keystone of the cybersecurity ecosystem, and the agency’s ever-growing and critical work should be funded accordingly.

Congress’s Missed Opportunities at Treasury and State

Although the omnibus bill provides $80 million for the Treasury Department’s Cybersecurity Enhancement Account, those funds are meant to secure the department’s networks. Treasury is ideally placed to support an external cybersecurity role, which is not covered by the newly appropriated funds. The appropriations bill does not adequately resource the Treasury’s Office of Cybersecurity and Critical Infrastructure Protection (OCCIP), which serves as the SRMA for the financial services sector. Providing private-sector connectivity on cybersecurity issues to global finance, local credit unions, insurance companies, investment firms, and more, Treasury is a particularly important node in the SRMA network. For two years running, the Cyberspace Solarium Commission leadership has recommended increases to the OCCIP budget to support its role as the SRMA for financial services. It is disappointing to see the missed opportunity again in this agreement.

Meanwhile, the world is watching in real time as a case study in cybersecurity capacity building unfolds in Ukraine. As National Security Agency Director Paul Nakasone noted before Congress in early March, Ukrainian work on cybersecurity has helped prevent serious Russian cyberattacks amid the invasion of Ukraine. Notably, the United States has invested tens of millions of dollars to support Ukrainian cybersecurity capacity building in recent years. With scenarios like this in mind, the Cyberspace Solarium Commission recommended increases to the State Department’s Economic Support Fund; the Assistance for Europe, Eurasia, and Central Asia Fund; Foreign Military Financing; and the Digital Connectivity and Cybersecurity Partnership. The recommended increases would total $50 million to advance this type of cybersecurity capacity building in strategically important countries around the world.

Unfortunately, the appropriations bill does not increase funding for cybersecurity capacity building in any of these funds. The State Department is currently undergoing a significant reorganization on cyberspace policy, so Congress may be waiting for that structure to take shape before increasing funding significantly. However, given the demonstrated success of current international cyber capacity building efforts, it is hard to see the lack of funding increase as anything other than a missed opportunity.

Conclusion

The omnibus bill’s significant appropriations increases for cybersecurity-focused organizations such as CISA are welcome and badly needed. But providing for internal federal cybersecurity addresses only half of the federal government’s cybersecurity mandate. National cyber resilience will fall short if Congress and the executive branch continue to overlook the indirect but important impact that other departments and agencies can have on national cybersecurity. Even as Congress just concluded fiscal year 2022 appropriations, planning for fiscal year 2023 budgets has already begun. Congressional and executive branch leaders should build on this year’s progress by helping other government agencies enable better cybersecurity for Americans nationwide.


Topics:
RADM (ret) Mark Montgomery serves as senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies and an FDD senior fellow. He also directs CSC 2.0, an initiative that works to implement the recommendations of the congressionally mandated Cyberspace Solarium Commission, where he served as executive director and as senior advisor to the co-chairs. Previously, he served as Policy Director for the Senate Armed Services Committee under the leadership of Senator John S. McCain. Mark served for 32 years in the U.S. Navy as a nuclear trained surface warfare officer, retiring as a Rear Admiral in 2017. He was selected as a White House Fellow and assigned to the National Security Council, serving as Director for Transnational Threats from 1998-2000. Mark graduated from the University of Pennsylvania with bachelor’s and master’s degrees in history. He subsequently earned a master’s degree in history from Oxford University and completed the U.S. Navy’s nuclear power training program.

Subscribe to Lawfare