Want to Avoid Another OPM? Spend More, Industry Says
Melpomene/shutterstock.com
By
Frank Konkel
The Department of Homeland Security’s cybersecurity budget – projected at approximately $900 million in the coming fiscal year – is only 75 percent of what two of the nation’s leading banks will spend on cyber in 2016.
Tech executives told Congress today the U.S. government needs to spend more on cybersecurity if it wants to avoid breaches like the Office of Personnel Management hack that released sensitive data on 21.5 million Americans.
“This is not an IT problem; it’s an economic problem,” said Larry Clinton, chief executive officer at the Internet Security Alliance.
Clinton and other industry cybersecurity leaders were asked today to share insights before the House Committee on Science, Space and Technology. Congress hasn’t been able to get sufficient answers about the OPM breach and lawmakers continue to seek solutions to the nation’s growing cybersecurity threats, according to Rep. Barry Loudermilk, chairman of the House science committee’s oversight subcommittee.
In many ways, Loudermilk said, cybersecurity has become a national embarrassment.
“Having continuously subpar cybersecurity in government systems is embarrassing and must stop,” Loudermilk said.
For industry execs, the solution lies in more funding.
Clinton cited the Department of Homeland Security’s cybersecurity budget – projected at approximately $900 million in the coming fiscal year – as only 75 percent of what two of the nation’s leading banks will spend on cyber in 2016.
Private sector spending on cyber, he said, has “doubled in the past few years” to approximately $120 billion annually. In the coming year alone, estimates suggest a 24 percent increase in cyber spending by the private sector, he added.
Comparatively, the federal government – excluding the Defense Department – is spending “between $6 billion and $7 billion,” Clinton said. And while cyber spending will increase across the government in 2016, it’ll do so at an increase of 11 percent -- a much slower rate than industry.
“Quite simply, we need to spend more,” Clinton said.
John Wood, chief executive officer of the Telos Corporation, said the federal government’s tendency to accept the “lowest price, technically acceptable” solution when contracting for goods and services has hurt its cybersecurity posture as a whole.
“Cybersecurity is just too important to do on the cheap,” he said. “Lowest price, technically acceptable contracts can be very risky in a field that has so little room for error. This is a big issue the government needs to address because in cybersecurity -- you get what you pay for.”
Wood said cybersecurity experts at Telos Corporation assigned to the government tend to be paid less than those assigned to private sector business – sometimes as much as “200 to 300 percent” less. Industry, he said, understands the value in cybersecurity investment better than government does thus far.
“We’ll see a much higher rate for those individuals when we’re working commercially because commercial companies tend to value the capabilities our security professionals have,” Wood said.
Wood underscored his point by pointing toward the estimated spend for the U.S. Cyber Command, the military’s cybersecurity arm.
“Cyber Command has been funded at a level this year that represents a mere one-thousandth of the overall DOD budget,” Wood said. “By contrast, just four banks – JP Morgan Chase, Bank of America, Citibank and Wells Fargo – are spending three times that amount on cybersecurity.”
(Image via Melpomene/Shutterstock.com)