Inside Cybersecurity

July 27, 2021

Solarium Commission’s Montgomery stresses cyber funding needs, outlines priorities for landmark panel

By Charlie Mitchell / June 11, 2021

The Biden administration’s budget plans for CISA and federal cyber programs are a good start, according to the Cyberspace Solarium Commission’s Mark Montgomery, but the actual proposed growth in funding fails to match the increased responsibilities placed on the cyber agency through recent legislation or the growing cybersecurity needs across government.

“At a macro level the proposed increases are fantastic but at a micro level, a lot of priorities are being left behind,” Montgomery said. “At the micro level, when you look at the budget, CISA only grows six percent and they have so many new responsibilities” under the fiscal 2021 National Defense Authorization Act.

“We recommended that they grow at 20 percent,” he said. “If cyber is a priority, the funding should be growing appropriately.”

Reps. Jim Langevin (D-RI) and Mike Gallagher (R-WI), both members of the Cyberspace Solarium Commission, in April wrote to House Appropriations Chairwoman Rosa DeLauro (D-CT) and ranking member Kay Granger (R-TX) seeking a $400 million boost for CISA above the $2.1 billion sought in the Biden proposal for fiscal 2022.

Likewise, House Homeland Security ranking member John Katko (R-NY) has written appropriators requesting over $2.5 billion in fiscal 2022, putting “CISA on track to be a $5 billion agency within the next five years.” 

Industry groups have also urged appropriators to significantly increase the funding level for CISA.

In addition, Montgomery said, a significant topline budget increase for the National Institute of Standards and Technology masks the fact that NIST cyber and privacy programs are slated to grow by only six percent in fiscal 2022 under the Biden budget. “We recommended an 83 percent increase” for those programs, he noted.

Montgomery suggested that a functioning Office of the National Cyber Director would’ve strengthened the proposed Biden budget, contributing insight and expertise on cybersecurity needs across the government to the Office of Management and Budget’s annual efforts to develop spending plans.

The Senate Homeland Security and Governmental Affairs Committee on Thursday considered the nominations of Chris Inglis to serve as NCD and Jen Easterly to serve as CISA Director. The committee will vote Wednesday on the nominees, clearing the way for floor action probably after the July Fourth recess.

Creating the NCD post was a pivotal recommendation of the Solarium Commission, which argued that the position was key to implementing its other proposals. The new position was mandated in the fiscal 2021 NDAA.

Montgomery, senior advisor to the Solarium Commission and a senior director at the Foundation for Defense of Democracies, discussed the state of cyber policy efforts and the priorities of the commission in an interview Thursday with Inside Cybersecurity. He is a retired rear admiral and former policy director for the Senate Armed Services Committee.

The Cyberspace Solarium Commission was established by the fiscal 2019 NDAA and its charter was extended in the fiscal 2021 NDAA to assist with implementation of recommendations in its landmark 2020 report and subsequent policy papers.

The commission’s “four big purposes” this year include “supporting appropriations work” to ensure CISA and other agencies have enough money to implement Solarium recommendations now in law, Montgomery said.

The commission is also supporting additional legislation including the Cyber Diplomacy Act, which he hopes to see pass this summer, and measures to create a “cyber state of distress,” a Joint Collaborative Environment around cyber info-sharing, and defining in law “systemically important critical infrastructure.”

The so-called SICI designation springs from the need to establish “a better compact” between government and the operators of the most critical infrastructure, he explained. The operators would have “higher security responsibilities” including a requirement to report incidents, and would receive benefits such as some form of liability protection, he said.

The other two “big purposes” are producing an assessment of current government cybersecurity efforts, which should be completed in the coming weeks, he said, and completing two white papers -- on how the federal government’s information technology security posture should look in the next three-to-five years, and on disinformation. Montgomery said to expect the white papers in late summer. – Charlie Mitchell (