February 25, 2013

Sequester could stall momentum on cybersecurity

The mandatory budget cuts looming over Washington threaten to forestall work on cybersecurity just as the president’s new executive order gets off the ground.

Without prompt congressional intervention, sequestration could hamstring the Pentagon, the Department of Homeland Security and other federal agencies tasked only this month with protecting the nation’s critical infrastructure from crippling cyberattacks and digital spies.

The perils of mandatory subtraction aren’t unique to federal efforts shoring up the country’s digital defenses. And there’s widespread belief that cybersecurity funding might ultimately be safe, given Washington’s recognition of the threat at hand. But the potential for initial, broad cuts — on top of an already flat budget — still stands in stark contrast to the policy vision unveiled by President Barack Obama earlier this month and raises the possibility of early delay.

In time for his State of the Union address, the president signed the executive order meant to solicit new, voluntary cybersecurity standards for the nation’s power grid, financial sector and other key institutions while helping government and the private sector share data about emerging threats. The order outlines a strategy across agencies to protect federal and private systems from cyberattack and cyberespionage.

For its part, the administration has said it doesn’t believe its order carries with it a new, steep price tag. “For [fiscal year] 2013, agencies will be able to cover the costs of [executive-order] implementation within existing resources,” White House spokeswoman Caitlin Hayden told POLITICO.

“Although we can’t comment on future budget requests at this point, the administration will consider the requirements of [order] implementation in determining agency resource requests; that said, we do not believe the costs of implementing the [order] will be very large across the government,” she continued.

Still, it may not be so simple if the sequester ax drops on Washington, which has operated for months under a bare-bones continuing resolution that mostly mimics funding from last year. Some agencies, including the Department of Defense, have spent into this year under the presumption they may receive a fuller appropriation in 2013 — creating the possibility for double the budget trouble in some wings of the government.

“Sequestration is bad, the CR is bad; if they both hit, it’s very bad,” said Irving Lachow, director of the Technology and U.S. National Security program at the Center for a New American Security. DOD, in particular, could face furloughs and other reductions that could ultimately hurt its cybersecurity operations and workforce.

Implementation of the president’s executive order also remains at risk. Take the National Institute for Standards and Technology, the agency tasked with convening the owners and operators of critical infrastructure and developing the voluntary standards meant to protect those institutions from attack.

NIST is only now embarking on the yearlong endeavor while the agency continues its related work serving as a hub for cybersecurity research and development. NIST, though, faces a roughly $38 million shortfall in the event of sequestration, according to an administration source, a series of cuts that the Commerce Department previously said would “fall on grants, contracts, equipment procurements, deferment of open positions and cuts in the repair and maintenance of NIST facilities.”

“Helping strengthen cybersecurity for critical infrastructure is vital to U.S. security and economic growth,” a spokeswoman for the Commerce Department, which houses NIST, told POLITICO. “A reduction in NIST’s overall resources from sequestration would certainly make it harder to quickly make progress on important initiatives like this.”

To many, the cuts might not totally hamper implementation of the order, given it’s the private sector that must ultimately choose to implement any new cybersecurity standards.

However, the companies and industry groups preparing to work with NIST still see the situation as evidence the agency needs more — not fewer — federal dollars as the government commits more seriously to the nation’s digital defenses.

“The funding under the continuing resolution [in place now] did not contemplate an executive order, and what additional resources agencies may need to execute under the EO,” said Trey Hodgkins, senior vice president of global public sector at TechAmerica. “And so you have everybody stuck in [fiscal year] 2012, and that includes what they can do for cyber.”

The impact far surpasses NIST and may not be as hypothetical.

Under the order, the Department of Homeland Security is to play a significant role coalescing industry around the voluntary standards NIST is trying to develop. DHS also has a critical job disseminating information to private companies about looming cyberattacks.

Those capabilities, too, may be in jeopardy. Secretary Janet Napolitano said in a Jan. 31 letter that sequestration or similar cuts could “significantly scale back cybersecurity infrastructure protections that have been developed in recent years” while hamstringing existing programs to protect federal computers and research new technologies.

Napolitano never mentioned the executive order, which had not been released at the time of her note to the Senate Appropriations Committee.

But her agency has long braced for the impact of sequestration on its cyber dollars. A report by the Office of Management and Budget, issued under congressional orders last year, predicted at least $90 million in cuts to come to a few DHS programs tasked in part with securing the country’s digital defenses.

There’s still indication, however, that long-term federal cybersecurity spending is safe. Amid a torrent of hearings and public events this month on sequestration, top administration officials have emphasized the nation’s digital security is both a top policy and budget priority. The president’s forthcoming 2014 fiscal year budget is expected to reaffirm that focus, building off big increases to cybersecurity spending that Obama backed for 2013.

The fear, then, is that lingering uncertainty over the bigger budget picture continues long after the latest battle over sequestration.

“A lot of the work, the initial few months of what they’re doing, I don’t know if sequestration is going to have a lot of impact on executive-order implementation,” said Jeff Greene, senior policy counsel for cybersecurity at Symantec, noting the real concern might be if “sequestration is kicked down the road” and agency budgets remain in flux.

In that case, he said, “everything would take a hit” — including the federal workforce — which would “make implementation more complicated.”