Biden Budget Ups Request for Civilian Agencies’ Cybersecurity

The White House is asking Congress to appropriate $9.8 billion for federal agencies to improve their cybersecurity in a proposal that highlights the breach of IT management contractor SolarWinds at the end of last year.  

“The President’s Budget includes approximately $9.8 billion for civilian cybersecurity funding, which supports the protection of Federal IT and our Nation’s most valuable information including the personal information of the American public,” reads an analytical perspective the administration released Friday along with the budget proposal.

That’s about $1.2 billion more than the administration estimates civilian agencies will spend on cybersecurity in 2021, a 14% increase, according to the document.

The budget proposal repeatedly mentions the SolarWinds hacking campaign that compromised nine federal agencies and hundreds of private-sector companies. The government attributed the intrusion to Russia’s Foreign Intelligence Service and the budget reflects a focus on the Kremlin along with Beijing.

“The Budget prioritizes the need to counter the threat from China while also deterring destabilizing behavior by Russia,” the White House said.  

The administration’s plan to improve the government’s cybersecurity is closely tied to generally modernizing its information technology.

“To support agencies as they modernize, strengthen, and secure antiquated information systems and bolster Federal cybersecurity, the Budget provides $500 million for the Technology Modernization Fund, an additional $110 million for the Cybersecurity and Infrastructure Security Agency, and $750 million in additional investments tailored to respond to lessons learned from the SolarWinds incident,” the proposal reads.

The analytical perspective includes a breakdown of how the administration anticipates Chief Financial Officer Act agencies will spend the requested funds according to the five functions of the National Institute of Standards and Technology’s cybersecurity framework. Most of the money—$3.6 billion—would go toward protection, followed closely by identification, then detection, response and recovery, the administration said.

An appendix the administration released on agency-specific spending also mentions SolarWinds by name in noting the Energy Department’s Office of the Chief Information Officer will need to dedicate more resources to addressing cyber vulnerabilities following the event, and the status of a Cybersecurity Enhancement Account at the Treasury Department.   

“The account supports Department-wide and Bureau-specific investments for critical IT improvements including the systems identified as High Value Assets,” according to the appendix. “The centralization of funds allows Treasury to more nimbly respond in the event of a cybersecurity incident as well as leverage enterprise-wide services and capabilities across the components of the Department. The Budget includes an increase of $114 million above base CEA resources to strengthen Treasury's cybersecurity posture and address the impacts of the SolarWinds incident.”

Energy and Treasury were among the agencies on record as having been compromised through the SolarWinds campaign.

The spending estimates in the analysis use programmatic information collected on the executive branch’s efforts to protect information systems and “also on activities that broadly involve cybersecurity such as the development of standards, research and development, and the investigation of cybercrimes,” the document said.

That points to work that will be done at Commerce agencies NIST and the National Telecommunications Administration, as well as the Justice Department’s National Security Division and the FBI. The budget requests increases for all of those entities and others, in addition to CISA.

The FBI is requesting “$40 million to bolster its cyber investigative program, $18.8 million to address threats posed to the Nation by foreign intelligence actors … and $15.2 million to defend the organization against cybersecurity threats,” for example, according to the appendix.

Specific cybersecurity callouts in that document also include $4 million for NTIA to implement Executive Order 13873 from former President Donald Trump on Securing the Information and Communications Technology and Services Supply Chain.

“This funding will help NTIA meet its requirements to oversee, mitigate, and manage supply chain risks to our nation's telecommunications infrastructure,” the appendix reads. 

Supply chain risk management is something all agencies will need to work on as well as coordinated vulnerability disclosure programs outlined in a binding operational directive from CISA, the administration noted. 

Of the approximately $1.7 billion the president requests for CISA, the agency’s cybersecurity program will get the lion’s share—$913 million—with $20 million reserved for a cyber response and recovery fund. The administration’s analysis also mentions “critical government-wide protections provided by [The Department of Homeland Security] through the Continuous Diagnostics and Mitigation (CDM) Program.”  

“The President’s proposed Budget will invest in our broad mission set, including preventing terrorism; keeping our borders secure; repairing our broken immigration system; improving cybersecurity; safeguarding critical infrastructure; and strengthening national preparedness and resilience,” DHS Secretary Alejandro Mayorkas said. “The Budget will provide DHS with the resources we need to keep our country safe, strong, and prosperous.”

Sen. Maggie Hassan, D-N.H., chair of the Senate Homeland Security emerging threats subcommittee, expressed concern the request meant DHS funding would remain “flat” and wouldn’t address “myriad threats” facing the country.

Fresh off reports the U.S. Agency for International Development was breached by Russian hackers, the State Department highlighted investments in secure communications tools.

“An increase of more than $100 million for State’s cybersecurity is crucial to mitigating the evolving cybersecurity threat landscape. The Department and the Agency remain prime targets of malicious state- and non-state actors, as evidenced by the recent attacks,” according to an agency press release.

The State Department, where Congress is exploring the development of a new bureau, is also seen as an important part of the government’s strategy for building global alliances on cybersecurity.

The job of coordinating all this activity across the various civilian agencies will fall to the office of the national cyber director. The marquee recommendation of the congressionally mandated Cyberspace Solarium Commission, the national cyber director’s office—which is expected to have a staff of more than 70 personnel— should be funded at $15 million, according to the budget request.

See an agency by agency breakdown of IT and cybersecurity spending here.