The automatic budget cuts that went into effect March 1 aren’t expected to dramatically affect President Barack Obama’s new push for cybersecurity.
“I don’t believe overall it will be catastrophic to our security programs, because we prioritize those pretty highly,” White House Cybersecurity Coordinator Michael Daniel told the Information Security Media Group last Friday, during a conference in San Francisco.
He noted that there could be some delays as agencies seek to comply with the president’s Feb. 13 executive order urging government and business to begin coordinating on cybersecurity, but the spending cuts wouldn’t cause significant damage.
“I don’t think the impacts on federal government cybersecurity are probably the main driving factors to be worried about [in] the sequester,” Daniel said.
The initiatives started by the executive order are largely the responsibility of the Departments of Commerce and Homeland Security. Commerce’s National Institute of Standards and Technology has roughly a year to work with companies responsible for things like water plants, oil and gas pipelines and other entities whose hacking would be catastrophic to create a “cyber framework” of best practices. The order is also aimed at encouraging more frequent communication about threats between the federal government and the private sector.
If the sequester were implemented as written, according to the Office of Management and Budget’s March 1 report, the NIST would lose $38 million (5 percent), $29 million of which would come from research money, while Homeland Security’s Infrastructure Protection and Information Security program would see a $91 million cut (about 8 percent of its funding for the year).
The Department of Defense would lose the most funding, but it’s unclear how much of a hit cybersecurity would take since it’s hard to pin down to one program, according to Blaise Misztal, associate director of foreign policy at the Bipartisan Policy Center.
“Cyber is so spread out, even within DoD,” Misztal said. “It’s so diffuse that it’s really hard to gather in one place.”
The U.S. Cyber Command, which the Pentagon pledged in January to roughly quintuple in size, is mostly already staffed, according Misztal, who said that much of the hit to cybersecurity would come down to how much flexibility agency heads would get in making the cuts.
Much of the Pentagon’s cyber efforts fall under its Operations and Maintenance Account. The House Republican stop-gap funding bill introduced Friday would give the O&M account a $10.4 billion boost over current funding levels, $2 billion more than the department requested. The bill also includes extra provisions for cybersecurity funding for the FBI ($129 million) and DHS ($284 million).
The initiative’s biggest cost is paying government employees and contractors such as NIST engineers who are spending the next year collaborating with private-sector counterparts on building a safer cyber system. So far, the NIST project has not visibly suffered: its first workshop on standards is still scheduled for April 3, in Gaithersburg, Md., regardless of the sequester.
Meantime, Democrats and Republicans will haggle over the best way to replace the current continuing resolution funding the government, scheduled to expire March 27. House Republicans’ opening bid funnels money to Defense, while Senate Democrats are expected to counter with an offer that would protect the accounts associated with implementing the health care reform law and the Dodd-Frank financial reform law.
Even if impacted agencies don’t see their funds restored, though, there’s a good chance they’ll get some breathing room from whatever CR deal emerges, according to Bill Hoagland, the former GOP staff director of the Senate Budget Committee and current vice-president of the Bipartisan Policy Center. Congress, he said, will likely pass a “vanilla” spending bill that would maintain the sequester’s budgetary caps but include language granting agency directors the flexibility to prioritize funding and spare the most important programs. Federal agencies would be able to keep up their most pressing duties while allowing visible, irritating lapses to occur.
If past budget scuffles are any indication, part of Democrats’ strategy as the cuts begin to take effect is to allow obvious components of the government to twist in the wind — closing the Washington Monument to visitors, for instance, and furloughing Transportation Security Administration employees who keep airport security lines moving relatively quickly. The public outcry, in this scenario, would pressure Republicans on taxes in negotiations over the next scheduled crisis, the expiration of the debt limit sometime in July.
“You almost get the impression,” Hoagland said, “that the strategy on the part of the Democrats in the Senate and the president himself is, ‘O.K., so you want the sequester, well let’s see what it looks like.’”
But cybersecurity is both more important than museum access to the country’s economy and security, and largely invisible to the public.
“Cyber is not a very evident political football,” Misztal said. But “it is a big enough concern and priority within the department that I think they’re going to continue to fund it as best they can.”
Congress is this week holding two hearings specifically aimed at shoring up the nation’s cyber defenses.