Officials: Yearly budgeting stifles cybersecurity

Current and former officials argue that a one-year budgeting cycle impedes government cybersecurity and IT modernization.


Current and former federal cybersecurity officials say the government needs to move from a one-year budget cycle to address critical cybersecurity and IT needs.

"Structurally, from a budgeting perspective, we're not set up for success," said Thomas McDermott, acting deputy assistant secretary for cyber policy at the Department of Homeland Security.

"The way that the federal budgeting process works with one-year money, it makes it much harder to spend long term [on] upgrading infrastructure as opposed to continuing to patch old, sometimes indefensible IT systems," he added during a panel discussion at FedScoop's Lowering the Cost of Government with IT Summit.

"Cybersecurity is a key element of fiscal security," he said. "We've seen that the costs of incidents are huge, both financially and reputationally."

McDermott argued that the federal government needs to incorporate cybersecurity as part of agencies' budgeting process.

"If we're saying cybersecurity is a key part of our national security...we need to be addressing it as such," said Kiersten Todt, executive director of the Presidential Commission on Enhancing National Cybersecurity.

The 12-member commission is in the process of preparing a report, due Dec. 1, that will make recommendations on national policies to strengthen cybersecurity and secure the digital economy over the next decade. One of the central topics will be budgeting.

"We have a budget structure that's set up to look a year at a time," Todt said. "If you talk to any successful CEO and if you look across the board, you can't plan and activate effectively on an issue like cybersecurity if you're looking at that one year at a time."

That will be one of the messages in the report, which will also serve as a transition document for the next president, Todt said. She added that there is an opportunity for the next administration to prioritize cybersecurity and move it forward.

"President Obama has been emphatic that this is really about looking forward and how...we set up cybersecurity for the future," she said.

The administration has been pushing a plan to create a $3.1 billion revolving fund outside the appropriations process to help agencies upgrade their legacy IT. Panelists argued that in addition to moving toward longer-term budgeting, the government must make upfront expenditures to save costs over the long run.

"I think strategically, if you can reduce the need to respond to [cyberattacks], you are saving a lot of resources -- time, energy, money -- and you're better able to get your job done," said Bob Gourley, partner at the technology consultancy Cognitio and former CTO at the Defense Intelligence Agency.

Still, there are savings available on the front end as well. McDermott cited DHS' Continuous Diagnostics and Mitigation program as an example of an initiative that is increasing efficiency and reducing costs.

CDM offers a suite of tools and acquisition vehicles that allow agencies to take advantage of bulk savings. McDermott said the program has so far saved $46 million compared with what agencies would have spent purchasing the same tools and capabilities through the General Services Administration's schedule program.

McDermott said that to budget efficiently in a world of limited resources, agencies must identify their most critical data and assess the security of that data.

Todt said the government and the private sector must see cybersecurity as a facilitator and enabler rather than an inhibitor of innovation.

"The only way to view cybersecurity spending is as critical to reducing the overall cost of government and having more efficient and effective government operations," she said.

Editor's note: This article was updated Aug. 26 to include Bob Gourley's current job title.