Op-Ed: Agency IT Budgets Aren’t Keeping Pace with Malware Threat

Pavel Ignatov/Shutterstock.com

If lawmakers don’t increase IT budgets, agencies will have to sacrifice some of their cybersecurity initiatives.

If federal agencies hope to fight malware and cybersecurity threats in 2015, they need to allocate more IT funds towards cyber.

Over the past few years government leaders have consistently prioritized and increased funding for cybersecurity initiatives. In the administration’s proposed budget for 2015, the cyber goals are no less lofty, but funding has not increased enough to effectively address the issue. In fact, cybersecurity spending is slated to drop by about $30 million. Lawmakers will have to increase budgets to attain the goals, or agencies will have to sacrifice some of their planned initiatives.

Recently, the Homeland Security Department released the first in a series of annual reports on cybersecurity trends from the U.S. Computer Emergency Readiness Team. According to the publication, “US-CERT Security Trends Report: 2012 in Retrospect,” the most significant conclusion from the analysis is that malware in particular is becoming more prevalent and its threat to cybersecurity more complex.

US-CERT collected data from both public and private sources, including the department’s EINSTEIN system. The data showed that roughly 8 percent of consumer-grade users experienced a malware infection in 2012; one in five infections was caused by unintentional installation of malicious or infected software. The most common way malware was introduced to a device was through vulnerabilities in programs such as Microsoft Office, Adobe Reader, and Java.

The most prevalent malware is Sality, according to the report (it was involved in 56 percent of malware cases). Zeus and its 26 identified variants follow closely at 54 percent. Sality has been used to relay spam, proxy communications, exfiltrate data and carry out distributed denial of service attacks, to name a few of its uses; Zeus has compromised financial and banking transactions all over the world. The majority of these infections could have easily been avoided by practicing proper patch management. Updates for vulnerable programs are released regularly: If your software is not up to date, your device is at risk.

What does this increase in malware mean for cybersecurity spending? Let’s compare 2015 requested and 2014 actual budget numbers across federal agencies. Cybersecurity-related spending would see some increases in certain areas in 2015, on paper at least. Proposed 2015 budgeting in cybersecurity across all agencies is approximately $1.41 billion, compared with $1.44 billion in 2014. Areas seeing increased levels of funding include threat and vulnerability management, data integrity and privacy management, access control and data recovery. But other areas would see a decrease in funding, including continuity of operations, continuous monitoring, and identification and authentication.

Although the proposed decrease looks like bad news, cybersecurity will remain a top priority for the government. An omnibus budget bill that provides agencies with new appropriations for the remainder of 2014 will have a greater share of spending going toward cybersecurity, and we remain hopeful that Congress will increase spending for cybersecurity in 2015.

On the bright side, with new appropriations come new requirements. This could mean a greater demand for more sophisticated cybersecurity products, which may pave the way for a higher share of IT budgets dedicated to cybersecurity. Government needs to combat the increasingly complex cyber threat landscape and the only way to do that is with better funding and more comprehensive technology.

Mohamad Elbarasse is an Analyst with immixGroup, which helps technology companies do business with government. He can be reached at Mohamad_Elbarasse@immixgroup.com.
