Cyber protections might accidentally tumble down fiscal cliff

The good news: Government cybersecurity spending could jump by more than 9 percent in fiscal 2013. The bad news: If Congress falls over the fiscal cliff, then across-the-board cuts to federal information technology programs could inadvertently chop off protective components of systems.

President Obama’s budget proposals for military and civilian agency data defenses, combined with warnings about cyberwarfare, ordinarily would increase cyber funding by 9.1 percent annually, with spending reaching $13.3 billion in fiscal 2015, according to market research firm Deltek.

A continuing resolution that funds the government through March 27, 2013, already has banked away $328 million for Homeland Security Department network security deployments, plus $218 million for “continuous monitoring” of federal systems and intrusion detection programs. The military is devoting more than $3 billion annually to cybersecurity, Defense Secretary Leon Panetta said on Oct. 11. And Obama has requested a jaw-dropping 74 percent increase to the Homeland Security cyber budget for fiscal 2013, DHS Secretary Janet Napolitano said Sept. 28.

Despite all this, if Congress fails to broker a deficit reduction deal, then sequestration will near-evenly hack off $109 billion from Pentagon and nondefense accounts at the start of January 2013 -- including cyber elements.

“Generally speaking cyber will be subject to the same kind of cuts that everything else will,” said Trey Hodgkins, senior vice president for global public sector government affairs for trade association TechAmerica. “At best you would see a downturn and then a leveling off” in computer security spending. TechAmerica analysts decided to stop delineating annual dollar figures for cyber programs because, they argued, network protections increasingly are inseparable from IT expenditures. In other words, if an IT program is cut, then the cyber components will be zeroed out too.

Deltek analysts who calculated the spike in spending absent sequestration are more optimistic about cybersecurity clearing the cliff.  “The executive branch will salami-slice virtually every non-exempt account in about the same way. But they have not revealed how the pain will be allocated among the programs within any one account. I think that cyber programs will fare well in that allocation and many of them will grow,” said Ray Bjorklund, chief knowledge officer for Deltek.

Hodgkins agreed that agencies can shelter programs clearly identified as cybersecurity-related, by cutting less important activities inside the same account, but he added most cyber dollars are no longer demarcated that way. “There’s been a very conscious effort to proactively build that security in -- whether it’s a device, or a system or the cloud -- on the front end, not something that’s added on, on the backend,” he said. TechAmerica “did not try to make a forecast for cyber spending this year because the dollars have become so embedded in the programs.”

In October 2011, TechAmerica Foundation expected the accelerating severity of breaches to bolster Defensewide cyber spending -- totaling more than $13 billion annually by fiscal 2016 if the country suffers a cyberattack resembling what Panetta often refers to as the next Pearl Harbor.

Hord Tipton, a former Interior Department chief information officer, said he would be surprised to see much, if any, increase in cyber spending during the next few years. “It is likely that security budgets will remain level or demonstrate a slight increase, with a focus on the more critical areas such as agencies associated with critical infrastructure protection,” or defenses for industrial computers essential to American life, like transportation systems, he said.

Tipton experienced a period of frozen federal assets while serving as a Bureau of Land Management assistant director during a government shutdown that lasted from Dec. 16, 1995, to Jan. 6, 1996.

Under the cliff, “Defense cyber spending will be slightly higher, and civilian spending could actually drop,” said Tipton, currently executive director of (ISC)2, an association that issues cybersecurity specialist credentials. Agencies may be hard-pressed to find additional money for continuous monitoring hardware -- the sensors and other tools that enable real-time tracking of security risks, he said. They also may struggle to find “adequately trained and certified security personnel that come with a high-price tag,” he added.