The President’s budget request for Fiscal Year 2016, released last week, notes that the Administration is requesting $14 billion for “cybersecurity efforts across the Government” – a significant and growing investment of federal dollars to address a critical security and economic issue. (This $14 billion is only the unclassified portion of federal spending on cybersecurity, so the real number is publicly unavailable but likely to be substantially larger).
The budget request identifies a few priority initiatives within this $14 billion of proposed spending, including enhancing the Department of Homeland Security’s role in securing federal networks and funding research and development on cybersecurity technologies.
But the Administration’s top-level budget documents provide only scant detail about overall federal government spending on cybersecurity, making it difficult to assess the return on investment that the American people are getting for the government’s significant spending in this area. Although some agencies provide detailed information within their budget requests on their cybersecurity programs, there is currently no crosscutting, agency-by-agency breakdown of such funding. That makes it difficult to assess whether agencies are being appropriately resourced to carry out their respective missions.
For example, offices within the Department of Homeland Security have significant responsibilities in law and executive order to protect federal civilian networks, interact with the private sector on cyber threats, and investigate cyber threats. But DHS’s share of federal cyber funding is less than 10% of this $14 billion – a relatively small share of the pie in relation to their significant responsibilities.
The Administration also provides no clear definition as to what it considers to be cybersecurity funding, within the scope of this $14 billion. It is likely that many agencies are using a relatively broad definition of cybersecurity, leading to back-office IT investments by federal agencies (e.g. firewalls, installations of antivirus software) being lumped together with more strategic, high-level activities such as private sector outreach initiatives, cyber threat analysis, and programs to counteract sophisticated cyber threats to critical infrastructure. By lumping together basic IT spending with more strategic activities, it is difficult to assess the value of the government’s overall investment in cybersecurity.
This lack of transparency and clarity about cybersecurity spending also makes it difficult for Congress to assess the relative effectiveness of existing programs, establish priorities and make well-informed tradeoff decisions about federal spending on cybersecurity. And because cybersecurity touches upon so many committees’ areas of jurisdiction, this budget reality reinforces stovepiped oversight, and encourages unnecessary or duplicative investments in many areas of cybersecurity, including in areas such as private sector outreach, training, and research and development.
Given this situation, Congress should require that the Office of Management and Budget develop an annual unified budget cross-cut focused on cybersecurity, similar to the one that it provides each year on homeland security spending, and publish it as part of the Administration’s annual budget request. This budget cross-cut should be precise about what the government considers to be cybersecurity spending, and should segment cybersecurity spending within each Department or agency into categories such as IT hardware and software, training, research and development, investigations, and threat analysis.
This requirement will facilitate efforts by OMB to assess proposed cyber investments in the process of developing budget requests, and will improve the role of Congress in authorizing and funding such requests. And ultimately such budget-related initiatives will enhance the effectiveness and efficiency of the nation’s cybersecurity efforts, a strategic necessity given the growing severity of the cyber threats facing the nation.