Sequestration could hurt cyber defense programs

A cybersecurity analyst looks at code in the Homeland Security Department's malware laboratory. // Mark J. Terrill/AP

Impending cuts of about $900 million from Homeland Security Department infrastructure and network protection funds and other federal cybersecurity accounts could knock out support for private sector cyberdefense programs, some budget analysts say.

Research and development grants, forensics equipment for prosecuting cybercrime cases and other corporate network security assistance could be scaled back, the experts said. But front-line security of government networks likely would dodge cuts.

The Obama administration on Friday released initial estimates for dollars that could be subtracted from agency accounts in January 2013. Homeland Security infrastructure protection and information security activities are confronting a $911 million cut under sequestration, unless Congress can pass a budget alternative.

“Deep across-the-board cuts will make it hard for the federal government to demand anything regarding cybersecurity out of industry,” said Christopher Bronk, a former State Department diplomat who is now a fellow in information technology policy at Rice University. The victims could be “the national labs that work on securing the grids,” he said. Energy Department support for cybersecurity industrial control systems “would go away,” creating a situation “where the power companies are pretty much on their own.”

Should sequestration go through, agency accounts would shrink by roughly equal percentages, but departments could choose to reduce programs within accounts in proportion to each activity’s importance, said Ray Bjorklund, chief knowledge officer at federal sector market research firm Deltek. For example, funding for Homeland Security emergency communications may face a steeper cut than cybersecurity.

“You just don’t gut the important missions,” Bjorklund said. “But there probably will be some degree of an impact on cyber -- who knows how the agencies are going to go about it.” Perhaps FBI investigators could see money for evidence collecting and travel get short shrift, he said.

Another possibility is the National Science Foundation could pare backing for academic research, Bronk said. The funding that goes to the “universities would be tamped down and that’s where much of the innovation goes on,” he said.

And public-private partnerships within the Commerce Department could be delayed, Bjorklund conjectured. One casualty, for instance, could be the National Strategy for Trusted Identities in Cyberspace, a venture aimed at creating a login network similar to the credit card payment system that would let computer users access separate websites without reentering personal information or creating new passwords.

Wartime cybersecurity operations would not be affected, but Cyber Command hiring and long-term development of offensive cyber weapons could be hurt, White House sequestration planning documents suggest.

“While the Department of Defense would be able to shift funds to ensure war fighting and critical military readiness capabilities were not degraded, sequestration would result in a reduction in readiness of many nondeployed units, delays in investments in new equipment and facilities, cutbacks in equipment repairs, declines in military research and development efforts, and reductions in base services for military families,” stated comments accompanying the projected cuts.

Bjorklund postulated that the pace of the Pentagon’s Plan X rollout may be slower than initially planned. Plan X is a broad initiative to lay the foundation for Defense’s activities in offensive computer warfare operations.

That said, the National Security Agency, which has a classified budget, likely would withstand much of the cost-cutting, Bronk said. NSA, a Pentagon branch, conducts cyberespionage and supports Homeland Security, as well as U.S. Cyber Command activities.

Since its activities are so secret, adversaries still may be left with the impression that the United States has its guard down in cyberspace.

“The bigger risk is to all the other programs and to the foreign perception of U.S. capabilities,” said Jim Lewis, a cybersecurity researcher at the Center for Strategic and International Studies, who advises Congress and the administration. “They would decide we are more vulnerable and less competent.”

He doubts the ax would hit Plan X before the military sets aside money for expected research.

Most observers predict Congress, between the November elections and the end of December, will reach a budget deal because neither Republicans nor Democrats want to see sequestration kick in.

“It’s hard to believe Congress would fumble this badly,” Lewis said.

Bjorklund said, “It’s going to be another brinksmanship between the parties and the White House and the Congress.”

Some pessimists say Washington may not broker an agreement until January, which would mean enduring uncertainty “maybe for a week or for a month. I hope it doesn’t happen but it’s entirely possible,” Bronk said.
