Anticipated sharp budget cuts will undermine agencies’ efforts to guard against cyber attacks, federal and industry officials say.
There is a “resource crunch we’re all facing today, whether that’s sequestration or whether that’s just the fact that IT budgets are getting rounded down,” said Jeff Eisensmith, chief information security officer at the Department of Homeland Security. “As IT budgets [decline], we’ll also see our security budgets falling as well.”
That means some agencies may be unable to afford robust software tools that can monitor critical networks for intrusions and mitigate intrusions when they occur. Likewise, some agencies may not be able to afford software that can automatically generate required reports on their security status that otherwise are done manually at much greater cost.
For some civilian agencies, tighter budgets will mean spending less on lower-priority cyber measures, such as rooting out counterfeit technology that can make systems more vulnerable.
“In this environment where we don’t have unlimited funding, you just have to cherry pick,” based on cost and the level of security that’s provided, said Eisensmith, who spoke at a Feb. 22 event in Washington.
Moreover, many information technology executives worry that budget cuts are happening at a time when cyber intrusions are becoming more malicious.
Cyber criminals and intruders used to try to remain under the radar with the intent of silently collecting sensitive data, but now the focus of many is shifting to disrupting systems and networks, said Alma Cole, chief systems security officer at DHS’ Customs and Border Protection.
“You’re not going to be able to stop intrusions,” said Kenneth Brodie, senior information assurance officer for the Air Force. “What we need to focus on is our most mission-critical applications and systems, making sure they are protected ... and start working toward things like contingency, [and] COOP [continuity of operations plans]. How do we survive … [and] continue our missions under attack?”
Brodie said his primary focus at the Air Force is to defend against increasingly sophisticated and frequent attacks that have already penetrated many federal and contractor networks. Experts often refer to these types of attacks as the advanced, persistent threat, or APT.
But doing so on a reduced budget would mean fewer dollars to address security shortfalls.
“Sequestration really just highlights the [security] cracks that are already there, and with fewer dollars they are not able to address those cracks that they already know are there,” said Deniece Peterson, director of federal industry analysis at market research firm Deltek. “And they are less equipped to deal with any new cracks that show up.”
Peterson said that while cybersecurity would be low on the list for any targeted cuts, sequestration requires all spending be subject to cuts, so cybersecurity cannot be spared.
In short, agencies can never make their networks impenetrable, in part because of the high cost and because the threat is constantly changing and evolving, Brodie said. His focus now is protecting mission-critical systems the Air Force relies on and how to be resilient and continue operations when systems are attacked.
“We know adversaries have burrowed into our networks,” Brodie said at the Washington event. “We know they are resident there. It’s kind of like a timer that’s … ticking on our network.”
In recent months, agencies have been placing special emphasis on being able to continually monitor their networks for intrusions using powerful software tools. Agencies will be relying on a new DHS program to fund those tools and employ countless sensors that can provide tens of billions of security checks across federal networks at least every 72 hours.
Many agencies have struggled to adopt this level of automated monitoring, including DHS.
For now, there is funding allocated for the program. But some worry that the sequester may delay the awarding of a DHS contract that aims to make monitoring systems available to all federal agencies, said Steve Vinsik of Unisys Federal Systems, part of a team vying for the contract. If the contract is delayed, that could delay some agencies from getting those monitoring systems.
And even if agencies can get those monitoring systems, many may not have the tools available to analyze the massive troves of security data those systems generate.
Quickly sharing that information with the right people is another challenge, said Rich Naylor with the Defense Security Service.
John Bordwine, chief technology officer for Symantec’s public sector, said agencies could improve their cyber security while reducing costs by doing better at sharing cyber data with each other. This would save the cost of having to recover from cyber attacks after the fact.
DHS is responsible for overseeing agencies’ compliance with federal security reporting, and it has been urging agencies to shift away from manual paper-based reports in favor of automated reports that can be done by software. But agencies have far to go and tighter budgets will almost surely delay those efforts.
“How do we get out of the box of every three years having to create a 300-page binder that costs me a fortune?” DHS’ Eisensmith said. “And all those resources, if I could use them in a way that will get a better return on investment from a cybersecurity standpoint, that would be a very powerful thing indeed.”