Relief Package Includes Less for Cybersecurity$2 Billion for Security and IT, Rather Than $10 Billion as Originally Proposed
The $1.9 trillion economic relief package known as the American Rescue Plan, which the House approved Wednesday and President Biden signed Thursday afternoon, includes about $2 billion for cybersecurity and IT modernization, rather than the $10 billion the president originally proposed.
The cybersecurity and IT funding includes $650 million allocated to the U.S. Cybersecurity and Infrastructure Security Agency for "cybersecurity risk mitigation" as well as $1 billion for the General Services Administration to spend on IT modernization projects throughout the government. Another $200 million is set aside for the U.S. Digital Service to hire additional security experts and provide additional services to agencies. The package does not include any further details.
Before I took office, I promised you that help was on the way. Today, I signed the American Rescue Plan into law, and can officially say: help is here. pic.twitter.com/uuEZAkGloz— President Biden (@POTUS) March 11, 2021
In its original COVID-19 relief proposal, the Biden administration called for allocating a total of nearly $9 billion to CISA and GSA for cyber and IT modernization projects, as well as $1 billion to other agencies to improve security (see: Biden's $10 Billion Cybersecurity Proposal: Is It Enough?).
A 'Down Payment'
Several security experts and analysts say the cybersecurity and IT modernization funding in the massive stimulus legislation amounts to a fraction of what's needed to address security issues that have come to light following the SolarWinds supply chain attack and the hacking of Microsoft Exchange servers.
"The funding in the stimulus bill is helpful, but a down payment only," says Phil Reitinger, a former director of the National Cyber Security Center within the Department of Homeland Security who's now president and CEO of the Global Cyber Alliance.
"It is increasingly difficult to pretend that cybersecurity is not one of the two most important national security issues, along with domestic extremism," Reitinger adds.
Rep. Jim Langevin, D-R.I, who serves on the House Homeland Security Committee and worked on the U.S. Cyberspace Solarium Commission, says he was pleased that the bill included $2 billion for cybersecurity and IT modernization, but the amount is only a down payment for much larger needs in these areas.
"We need significant, sustained increases in CISA’s budget to ensure it has the personnel and tools to succeed in its vital missions," Langevin tells Information Security Media Group. "We need to replace our antiquated digital infrastructure at both the federal and state and local levels [and] to improve operational efficiency and tighten security. We also need to enact a national cybersecurity assistance fund to provide prioritized investments in critical infrastructure based on a careful analysis of intersectoral risk."
Greg Touhill, a retired U.S. Air Force brigadier general who served as the country's first federal CISO, says any stimulus money spent on cybersecurity will be effective only with a formal, strategic vision for the government's overall approach to security.
"It's not very transparent what they're going to be spending the money on," says Touhill, referring to the allocations for cybersecurity in the stimulus package. "And that's part of my concern. Throwing money to spending wildly is not the answer - it needs to be strategic."
Touhill notes that over the last year, in the wake of COVID-19 and the shift to work-from-home, many government and private organizations spent money on outdated VPN technologies instead of taking more modern approaches, such as retiring older network access controls and investing in software-defined perimeters to improve security.
While increasing funding for cybersecurity is important, Touhill believes that CISA and other departments responsible for security need to have strategic plans in place. He advocates implementing a zero trust framework across all federal agencies' networks.
"We need to have that 'North Star' strategic vision to accomplish what we need to do and protect the American people's data. And that's really why I'm convinced that the zero trust security strategy is critical for the U.S. government to formally embrace and implement," says Touhill, who now serves as CEO of Appgate Federal, which provides security and other services.
"Certainly, the recent events with SolarWinds and Microsoft Exchange - and I'm sure there are many others out there we don't know about - have highlighted the fact that the software supply chain and the hardware supply chain are at risk," Touhill says. "And if you can't trust your software or your hardware, you've got to implement zero trust."
Reitinger offers a similar assessment.
"I'd also note that spending technology modernization funding the right way - to drive the transition to the cloud and shared services with cybersecurity built into the service from the start - is an essential response to the endemic challenges demonstrated by SolarWinds," Reitinger says.
Tom Kellermann, head of cybersecurity strategy for VMware and a member of the Cyber Investigations Advisory Board for the U.S. Secret Service, wants to see federal funds dedicated to expanded threat hunting across federal networks as well as hiring more dedicated security staff for federal agencies.
He also calls for agencies to work toward better integration of endpoint protection platforms with network detection and response tools.
The cybersecurity money in the stimulus package "will not stop the digital hemorrhaging," Kellermann says. "It is a minimal down payment. America is dealing with a cyber insurgency, and billions more are necessitated."
While CISA did not receive as much funding for cybersecurity under the stimulus package as originally proposed, the agency could gain greater responsibility for security issues in the months ahead.
After the House held two public hearings last month concerning SolarWinds, several lawmakers voiced support for CISA taking on additional authority to conduct threat hunting exercises across federal networks and coordinate intelligence sharing with private firms (see: House SolarWinds Hearing Focuses on Updating Cyber Laws).
While the Biden administration has filled certain national security positions, including secretary of homeland security, director of national intelligence and federal CISO, it has not yet nominated a permanent leader for CISA and for the newly restored national cyber director position in the White House.
Touhill notes that while it's important to have people in these leadership positions, having the right staff in place to execute policies is the more urgent need.
"It's not that we haven't had good policies; it's that we haven't executed them well. So my advice is that we should be focusing on executing the policies we have," Touhill says.