Is Congress Spending Enough on Cybersecurity?

Recent developments underscore legitimate concerns about our capacity to defend against a growing threat.

By
9

A hacker tried to poison a Florida community’s water supply earlier this month by gaining remote access to a water plant’s computer system and attempting to increase sodium hydroxide levels. A vigilant plant operator noticed the breach and stopped the tampering before the community was affected, and the county says other safeguards were in place. But the intrusion, which could have poisoned thousands, demonstrates the seriousness of the cybersecurity threats facing the United States.

For Congress and the Biden administration, the Florida water plant breach and other recent cybersecurity incidents should prompt new questions about whether the federal government is investing enough in cybersecurity to address the growing threat. 

President Joe Biden had proposed including $10 billion for information technology modernization and upgrading federal cybersecurity in the administration’s latest stimulus package. But the fate of that funding is unclear as it works its way through Congress. 

Investing resources to defend American government and private sector information technology could earn bipartisan support on Capitol Hill given the growing cybersecurity threat. But the White House and congressional leaders must answer longstanding concerns about critical federal cybersecurity programs to lay the groundwork for sustained investment. Recent developments—including the massive SolarWinds breach—underscore legitimate concerns about the federal cybersecurity technologies and the government’s capacity to defend against a growing threat. 

Keep reading with a free account
Create a free Dispatch account to keep reading Get Started ALREADY HAVE AN ACCOUNT? SIGN IN
9
By
Comments (9)
Join The Dispatch to participate in the comments.
 
  1. Doug Davidson

    I work in cyber on the commercial side as a consulting manager that runs a team focused on cybersecurity in the mid market business space. The gap isn't because of funding. It is because of awareness, understanding of what are actually extremely complex issues. And interest.

    Cyber article gets 8 posts including mine. Purple Manchin majesty gets 120. Something on Trump this or Trump that hundreds.

    The man on the street doesn't understand the cyber problem - an industrial control system doesn't have to be "on the Internet" to be attacked. Same thing with that computer in your car.

    We've read about the deep freeze one of the vaccines needs to be stored to stay viable. What if I can connect to the intelligence in the freezers?
    Traffic signals are networked together to help manage traffic flow. Like the FL water plant what if someone attacked city traffic signals during rush hour.
    One of our leaders is diabetic. The insulin pump is controlled by a phone app but is insecure. What if I can use that vulnerable app to alter the flow of insulin?
    And it goes on and on ...

    This stuff used to be the thing of movies but it is very real.

    The narrow focus of the article -- should Congress spend more $$ on cyber is a yes -- but technology purchasing standards, vendor risk management of the firms the feds by from (this is being addressed in the DoD supply chain with a compliance program called CMMC (Capability Maturity Model Certificatoin -- but it is behind schedule), rational security & privacy regulations, and continued outreach to the private sector are, among other things, required to get us into a better posture nationally.

    The proposal below reminded me of the books Enders War ... but it isn't the Top 25 kids after just a couple of years. To really "do cyber" well requires some level of experience and military unit-sized rosters, not just a double dirty dozen.

    But cyberwarriors isn't my concern. I feel we have more of them than we know. It is cyber resiliency. Can we take a hit and bounce back? Old man winter "hacked" the Texas grid pretty well with the weather. What if that had been a concerted attack on control systems and part of the attack damaged the control systems?

    We need to be able to take the hit and bounce back up. I am not confident we can do that today.

    Collapse
    1. PJHansen

      Great post! Thank you for your contribution.And yes, I wish more folks would pay attention to this topic.

      Collapse
  2. Avatar photo
    Pat Riot

    World War III is happening as we speak, and it's not at all what we thought it would be. No bombs. No nuclear devastation. No neighbors banging on the door to your backyard bomb shelter.

    Just a silent encircling of our heads in a virtual noose.

    This war isn't is as expensive to execute as the ones done with previous generations of technology (spears, bows, cannons, tanks, planes, nukes), but that's good news and bad news as our enemies can fully engage us and our big fat American pocket book won't give us a built-in advantage like it did before.

    Whether we're spending enough is up to the bean counters, but the answer to "how much" should be a blank check.

    And given the emphasis on *brains* here over numbers, Americans need to get over their old notions of GI Joe with is C-rations and compete directly with Silicon Valley for the best minds in the country no matter how much that costs.

    Collapse
  3. Avatar photo
    DougAz

    Proposal:
    To fight and win in Cyberspace, you need Cyberwarriors that match up to the Chinese and Russian State hacker-warriors. So:

    a. Draft every 18 year old for 2 years.
    b. Aptitude test them for the top 25 cyber hacker warrior genius.
    c. Pay the top 25 --- $2 million a year for 2 years. gotta pay VC-market prices
    d. Let the rest go on with their lives, or offer the next 25-50 nice $500k bonuses to stay in and get a government trained cyber-warrior education
    e. Rename ROTC Reserve Officer Training CYBERwarriors
    f. Eliminate 35% of the DoD hardware budget

    Collapse
  4. Mathew A

    I'm all for the government taking cyber security more seriously, and I'm fine with some additional funding.

    But for key infrastructure the only way to be really secure is to not be connected to the internet. In particular the electric grid needs some serious attention both in cyber protection, and also hardening against EMP threats (see the excellent book "lights out".

    Without electricity modern society simply doesn't function. But our electric grid is a fragile system with many areas of vulnerability.

    Government reports on EMP have estimated that 90% of the population would be dead within 1 year from an EMP strike. A cyber attack would be less deadly, but could still run into the trillions if properly executed or combined with some targeting of key infrastructure (see the small arms attack of a sub station in CA).


    Collapse
  5. EPluribusUnum

    A disappointing article. The author asks the question but doesn't answer it. He doesn't point out exactly where and how we fall short, what can we do about it, at what cost, and at what benefit. Comparisons to the costs of fighter jets don't count unless it is shown that there are lesser benefits from having the fighter jets.. Why not compare it to the cost of the theatre of airport security, cowboy poetry grants, or subsidies to light rail construction?

    The answer to the question is most probably no, but I was hoping for more than just one level above click bait.

    Collapse
  6. Avatar photo
    Victor Clairmont

    The honest answer is no but we are heavily in debt....

    But the cyber wars can be done well even with limited resources. Sadly like North Korea is proving.

    But we still have quite the game behind the scenes also.

    Collapse
  7. Ross

    Great piece...would be really interested in the viability of some type of federal cyber security x-prize. Public/political confidence in federal agencies ability to execute complex cyber/IT projects is so low and (maybe because?) there is so much talent that is likely not interested in the GS life.

    Collapse
  8. Avatar photo
    Chris L

    I knew someone who worked in the Los Alamos nuclear labs in cybersecurity that, at least ten years ago, acknowledged that the US, China, and Russia had already "rooted" each other, thus rendering cyberwarfare as this era's version of MAD. As Iran and North Korea are also proving, it does not take a lot of money to have effective cyberwarfare, just smart allocation of resources (which has unfortunately not been our strong suit for decades now).

    Collapse