When sequestration hit on March 1, it couldn’t have happened at a worse time for federal employees charged with protecting the nation’s public and private networks – in fact, events in the weeks leading up to it seemed designed in direct defiance of the idea of federal cybersecurity cuts: In late January, the Pentagon announced a more than fivefold expansion of its 900-person Cyber Command, to include 4,900 troops and civilians. In mid-February, a 75-page report released by Mandiant alleged that the Chinese Army was behind widespread cyberhacking and espionage against large U.S. corporate networks. Though its conclusions were disputed by some experts, the report nevertheless outlined several significant incursions into American networks.
When the Departments of Defense and Homeland Security, along with every other federal agency, suffered deep across-the-board budget cuts for the remainder of FY2013, the sequester invited rampant speculation about how cybersecurity programs might be affected. While DoD and DHS are the main federal actors in cybersecurity, other agencies, including the National Science Foundation, the Department of Commerce, and the Department of Energy, play key niche roles in research and developing standards – and their efforts seemed destined to lose momentum under the sequester, with program scalebacks and employee furloughs scheduled for the near future.
As if to push back against the idea of cutting federal cybersecurity programs, Director of National Intelligence James Clapper, in a March 12 appearance before the Senate Select Committee on Intelligence, testified that large-scale cyber attacks constituted the top transnational threat to U.S. security – a more significant threat than large-scale terrorist attacks, or the financial crisis that was judged the top threat in 2009. The cyber threat, said Clapper, placed “all sectors of our country at risk, from government and private networks to critical infrastructures.”
In the wake of sequestration, U.S. lawmakers moved to address consequences they believed made the nation more vulnerable. After bipartisan action by the Senate, the House of Representatives approved a Continuing Resolution (CR) that would fund the federal government for the remainder of the fiscal year – until Sept. 30, 2013.
While the CR, signed by President Barack Obama on March 26, keeps sequestration in effect for the remainder of FY13, it also provides some federal agencies – particularly the Departments of Defense, Homeland Security, Commerce, Justice, State, Veterans Affairs, and Agriculture – with more flexibility in implementing their sequestration cuts. The CR also enacted additional funding for DHS cybersecurity programs. It now seems likely that DoD and DHS will be able to shuffle things around enough to fund their most important cyber programs for 2013.
In the short term, then, federal cybersecurity efforts won’t be too greatly affected by the sequester – but the longer term is murkier. The White House’s 2014 budget proposal called for an increase in the DoD’s Cyber Command, and boosted the budget for DHS’s government-wide information-sharing program – even as it shrank DHS’s overall budget by $615 million.
This would be promising, if there were any signs that Congress and the White House were getting better at working together to develop budgets based on strategic plans. A continuing resolution – an emergency stopgap, basically parroting the previous year’s appropriation – is by definition not strategic; it doesn’t take into account new threats or vulnerabilities, which arguably arise more quickly in the cyber realm than in the physical world.
Jim Lewis, senior fellow and Director of the Technology and Public Policy Program at the bipartisan Center for Strategic and International Studies, believes that eventually, Congress got around to doing the right thing for cybersecurity in the 2013 budget. But he also thinks the way the legislature approaches budgeting now – artificial deadlines and self-imposed crises that produce non-strategic outcomes such as sequestration and continuing resolutions – is detrimental in more than one way.
First, Lewis said, budget uncertainty – and the rhetoric often used in debating the budget – is likely to encourage a brain drain among federal cybersecurity professionals. “Especially among these younger [people] – they’re smart. They have a skill that’s in demand,” he said. “They could make more money in the private sector. And here’s somebody telling them they’re not valued, and maybe they’ll be furloughed. There’s a self-selection process, and it increases the pressure for talent to flow out of the government. I’ve heard that from a couple of agencies, at the Assistant Secretary and Deputy Assistant Secretary level. Is it a huge flow? No, but we’re not helping ourselves, when it comes to recruitment, with all the furlough talk.”
A second consequence of the current budgeting process, Lewis said, may be that it leads outside observers to believe the United States is weaker than it really is – the news of the sequester made a big splash, for example, but the fixes that followed in the CR were not as widely reported.
“All the noise and debate and rhetoric leading up to it, that’s what foreigners read,” said Lewis. “We’re talking about perceptions of U.S. power – and the perception is that we’re in decline … I’ve even had Chinese people tell me that: ‘Hey, come on, you guys are a serious power, and you can’t even agree to pay the bills.’ A lot of people have said it’s sending a signal to the rest of the world about America’s ability to be a great power.”