Is Congress Spending Enough on Cybersecurity?

Recent developments underscore legitimate concerns about our capacity to defend against a growing threat.

A hacker tried to poison a Florida community’s water supply earlier this month by gaining remote access to a water plant’s computer system and attempting to increase sodium hydroxide levels. A vigilant plant operator noticed the breach and stopped the tampering before the community was affected, and the county says other safeguards were in place. But the intrusion, which could have poisoned thousands, demonstrates the seriousness of the cybersecurity threats facing the United States.

For Congress and the Biden administration, the Florida water plant breach and other recent cybersecurity incidents should prompt new questions about whether the federal government is investing enough in cybersecurity to address the growing threat. 

President Joe Biden had proposed including $10 billion for information technology modernization and upgrading federal cybersecurity in the administration’s latest stimulus package. But the fate of that funding is unclear as it works its way through Congress. 

Investing resources to defend American government and private sector information technology could earn bipartisan support on Capitol Hill given the growing cybersecurity threat. But the White House and congressional leaders must answer longstanding concerns about critical federal cybersecurity programs to lay the groundwork for sustained investment. Recent developments—including the massive SolarWinds breach—underscore legitimate concerns about federal cybersecurity technologies and the government’s capacity to defend against a growing threat.

Congress has been ‘admiring the problem’ for decades.

In 1997, the nonpartisan Government Accountability Office added “information security” to its annual list of the federal government’s high risk areas. At the time, many in the government were only beginning to understand how advances in information technology would change society as well as create new national security vulnerabilities. In 2003, GAO expanded its high-risk warning to include protecting the nation’s critical infrastructure.

Today, nation-states and other adversaries exploiting cyber vulnerabilities have become one of the nation’s most serious national security threats.

“China, Russia, Iran, and North Korea increasingly use cyber operations to threaten both minds and machines in an expanding number of ways—to steal information, to influence our citizens, or to disrupt critical infrastructure,” the intelligence community’s 2019 unclassified worldwide threat assessment warned. 

State-sponsored economic espionage has been described as “one of the largest transfers of wealth in human history,” and China’s cyber espionage—including intellectual property theft and economic espionage—alone has cost the United States as much as $600 billion over the last two decades, according to James Lewis of the Center for Strategic and International Studies. Traditional espionage against government networks, such as the 2015 Office of Personnel Management breach and the recent hack of IT firm SolarWinds, has exposed government secrets and likely jeopardized national security in ways that are impossible to quantify.

Ransomware attacks have disrupted municipalities, school districts, hospitals and other organizations in recent years. Reports of these financially motivated incidents increased by 100 percent last year, according to one estimate. With the new confirmed threat to the water system, it’s increasingly clear no sector of the economy is safe from risks of potential cyber attacks. 

Congress has updated several federal cybersecurity laws and policies to attempt to strengthen federal cybersecurity and promote private sector defenses. However, lawmakers have not prioritized cybersecurity appropriations in a manner proportional to the growing threat. 

The federal cybersecurity budget compared to other spending priorities.

For 2021, the Trump administration requested $18.8 billion in reportable cybersecurity funding (level with the 2020 budget) while explaining that some aspects of the federal budget are not included because of sensitivities. The Cybersecurity and Infrastructure Security Agency within the Department of Homeland Security (DHS) had a budget of about $2 billion for 2021. CISA’s responsibilities include securing critical infrastructure and supporting federal and nongovernmental networks, among many others.

Given the threats we face, is this level of spending sufficient to address the risks? Is it time for Congress to reprioritize some of what is invested in other national defense priorities?

For example, in 2020, the Trump administration’s Defense Department budget included a request for, “79 F-35 Joint Strike Fighters ($11.4 billion), 15 KC-46 Tanker Replacements ($3.0 billion), 24 F/A-18 E/F Super Hornets ($2.1 billion), and 52 AH-64E Attack Helicopters ($1.2 billion),” as part of the more than $750 billion national defense budget. Altogether, these proposed new investments for the air domain are nearly the same as what the White House proposed spending on the reportable cybersecurity budget. 

Considering the relative and immediate threats in the cyber and air domains, should Congress be investing more in cybersecurity than in the air or other domains? Are there other areas that should be reprioritized to strengthen the nation’s cyber defenses? These are questions that Congress should be asking.

Addressing government programs’ weaknesses and capacity to build confidence.

Questions about the effectiveness of key programs—and the capacity of government agencies to execute their responsibilities—present an obstacle to funding increases.

For example, the federal government has an “intrusion and detection” system known as Einstein that prevents intrusions with a signature-based approach. That's great for blocking “known fingerprints”—i.e., previously identified patterns of malicious data or malware—but is unable to stop new malware or other exploits that haven’t been used before. And those are the kinds of tools that well-equipped adversaries are able to use.

Congress authorized and mandated the use of Einstein in 2015, with the requirement that DHS test the system continuously and move beyond signature-based detection. In early 2016, GAO warned DHS and Congress about the program’s limits and, in 2018, reported that the agency was still four years away from deploying technology to “assess agency network activity and identify any anomalies that may indicate a cybersecurity compromise.” 

That’s not all. Federal agencies have their own internal problems with cybersecurity. A bipartisan investigation by Sens. Rob Portman and Tom Carper found that the Department of Homeland Security has “failed to address cybersecurity weaknesses for at least a decade” and “continued to use unsupported systems, such as Windows XP and Windows 2003.” It’s no surprise that one of the areas where Congress has continued to focus reform is to improve the federal cybersecurity workforce. 

To be fair, CISA has responsibilities that have recently involved everything from supporting communication system recovery efforts in Puerto Rico after Hurricane Maria to leading a national school safety initiative, regulating chemical facilities’ security, and protecting election systems from attack. A strong case can be made that the agency, which has existed for more than a decade but was rebranded in 2018, would benefit from streamlining to focus its mission on the highest priorities, including protecting the federal government’s networks and promoting cybersecurity best practices. 

A bipartisan opportunity in the 117th Congress. 

President Biden has signaled his interest in finding bipartisan agreement on key policy areas. The president and his team should acknowledge that reforms are needed across the government and particularly within CISA. A good place to start would be to commit to upgrading the Einstein system to provide better protection for federal agencies and to prioritize the federal government’s cybersecurity among CISA’s many mission areas. 

The United States has been playing defense and losing in the cyber domain for the first two decades of the century. It is time for Congress to recognize that cybersecurity is now a top responsibility for securing the common defense and to fund that mission appropriately and efficiently.

Dan Lips is vice president for national security and government oversight with Lincoln Network.