We must invest in defending our critical infrastructures

When it comes to cybersecurity, the Biden administration is failing to put its money where its mouth is. Over the past month, the administration has released a flurry of well-constructed strategic documents outlining the importance of public-private collaboration to secure critical infrastructure. But the president’s budget, released a month earlier, fails to provide adequate funding to achieve this lofty goal.

In what may become the administration’s most important cybersecurity policy document, the administration issued National Security Memorandum 22 on April 30, updating a decade-old policy on how the federal government works with critical infrastructure owners and operators. While maintaining the designation of federal agencies as sector risk management agencies to work with the private sector, the update appropriately shifts the focus toward more robust risk management and cross-sector coordination.

It also recognizes the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency as the national coordinator for critical infrastructure security. But even though they may be of critical importance, national security memoranda have no money attached — that comes from congressional budgets and appropriations — and the president’s annual budget tells a different story.

For instance, the office within the Department of Health and Human Services that helps hospitals address risks from cyber and physical threats has requested only a $12 million increase over the previous year’s budget, despite a doubling of the number of ransomware attacks against the healthcare and public health sector. These funds will increase the number of personnel dedicated to helping healthcare providers mitigate risks from the two people currently doing this task to seven, but this is only about a third of the funding increase that was needed.

And the administration’s claims that it is investing $1.3 billion in healthcare cybersecurity are misleading at best. The funding is aspirational; it’s a notional 10-year grant program that would not even begin for another two years.

The Department of Agriculture, meanwhile, is requesting only an additional $500,000 and one full-time employee to support its sector risk management responsibilities. The entire office, which is also responsible for foreign investment reviews of agricultural land purchases and biodefense threat assessments, previously had a budget of only $1.4 million.

The shortcomings in HHS and Agriculture are particularly notable because the administration’s updated plan to implement the national cybersecurity strategy specifically notes efforts to improve the cybersecurity of the healthcare and public health sector and education facilities subsector. Once again, the rhetoric does not match the numbers.

Both of these departments, however, are still better off than the Department of Education, which does not even mention how much it plans to spend on securing schools against hackers who steal student records and shut down schools with ransomware attacks. Worse still, the department has tasked the Office of the Chief Information Officer, an office usually focused exclusively on internal cybersecurity, with fulfilling its sector risk management responsibilities. While the lack of transparency in budget documents makes a precise accounting impossible, it would appear the department is spending less than $1 million on sector risk management agency responsibilities.

Most concerning of all: The current budget proposal contains no dedicated funding for the U.S. Coast Guard to safeguard the maritime transportation systems subsector, despite the fact that a recent executive order expanded and clarified the Coast Guard’s roles and responsibilities in protecting vessels, harbors, ports, and waterfront facilities from cyber threats. The Coast Guard needs proper resources and personnel to implement the increased requirements.

Despite these problems, there is some good news for critical infrastructure resourcing. The sector risk management agency for the energy sector, the Office of Cybersecurity, Energy Security, and Emergency Response at the Department of Energy, is requesting steady funding of $200 million. These funds would enable it to offer grant programs, provide training, and conduct research that supports the sector’s cybersecurity. Additionally, the administration is investing in improving the cybersecurity of pipelines, railroads, and other surface transportation by requesting a $7 million increase in cybersecurity resources for the Transportation Security Administration’s surface programs.

The Environmental Protection Agency, the sector risk management agency for the water and wastewater sector, is requesting an additional nearly $24 million to support critical infrastructure protection for the sector, part of which will be dedicated to cybersecurity resilience. The budget also proposes a $25 million competitive grant program to assist water and wastewater utilities in improving their cybersecurity. Congress has failed to fund previous attempts to create this grant program, so the administration will need to do a better job convincing Congress of the importance of this program.

The Biden administration’s National Security Memorandum 22 and national cybersecurity strategy implementation plan illustrate the unrelenting process required to improve cyber resilience. While these documents are packed with benchmarks and strategic insights, it is imperative that the sector risk management agency budget offers sufficient funding to support the agencies that execute these efforts.

This summer, Congress will need to step in to increase funding for sector risk management agency responsibilities — at the departments of Education, Health and Human Services, and Agriculture and the U.S. Coast Guard at a minimum. This will be crucial for the federal government as it grinds toward its goal to ensure that all sector risk management agencies are properly prepared to meet the challenges of emerging threats.

Retired Rear Adm. Mark Montgomery is senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies and also directs CSC 2.0. Jiwon Ma is CCTI’s senior policy analyst and contributes to the CSC 2.0 project.