Debt deal could be a blow for cybersecurity

Agencies are putting off spending on new staff and technologies aimed at defending critical networks against intrusions.

The $2.1 trillion debt-cap pact that Congress passed Tuesday could hurt economic and national security as agencies postpone plans to invest in cybersecurity technology and hire more network specialists due to uncertainty over potential program cuts, computer security advisers say.

The legislation automatically chops about $1 trillion from federal activities outside of entitlement programs through spending caps between 2012 and 2021. Separately, a $1.2 billion across-the-board cut will kick in if a joint congressional committee cannot reach agreement on additional deficit reduction measures by December.

The belt-tightening is happening at a time when nation-states are believed to be stealing market-moving and security-sensitive information from computers belonging to corporations and policymakers. And businesses cannot afford or are unwilling to pay for the security to do anything about it, according to some experts.

"The main problem is that the call to shrink government and rely on the private sector and markets to address public problems guarantees weak cybersecurity," said James A. Lewis, a cybersecurity specialist at the Center for Strategic and International Studies who has advised the Obama administration on policy matters. "A government small enough to drown in a bathtub is no match for advanced foreign opponents."

Agencies already are behind in meeting 2008 goals put forth by the congressional co-chairs of the CSIS Commission on Cybersecurity for the 44th Presidency -- chiefly to regulate critical computer networks and build a skilled cyber workforce.

"We don't have enough people manning the walls," said Tom Kellermann, a former World Bank cybersecurity official who also served on the commission. "We don't have the technologies that we identified three years ago that we need because people are waiting on their budgets." Congress will decide when and where the funding caps will hit agencies during the annual appropriations process.

The Homeland Security Department had been hoping for $233.6 million in 2012 to complete Einstein 3, a system that monitors traffic on federal computer networks for intrusions and can automatically thwart certain threats. Whether Congress will appropriate those funds is yet to be seen.

"Nothing is being bought," Kellermann said. "No one is being hired until they deal with this . . . What I worry most about from the debt crisis is that a lot of new programs that are supposed to be enhancing cybersecurity are not moving forward," partly because agencies do not know if they will have the salaries to fill the many positions that do exist.

Cyber hiring also may be curtailed by agency spending limits. Estimates of the size of the workforce required to defend cyberspace range from 10,000 to 30,000. Homeland Security, the lead civilian cyber agency, currently has about 260 cyber professionals on hand.

The timing of the debt resolution does not bode well for the nation's networks, either, said Kellermann, now chief technology officer at mobile security firm AirPatrol Corp.

"What's more nerve-racking now is that you've got big conferences, vacations and whatnot," he said, referring to this week's Black Hat and DEF CON computer security conventions. "August is the best time in the world to hack the U.S. government."

Lewis said most foreign countries already know the best time to whack the United States is either August or December, during the holiday season. "They might be encouraged by the disarray, and assume it means we'll never get our defenses in order, but there's a good chance they'd reached that conclusion before the debt crisis," he added.