Experts and officials are warning of the negative effects that another stopgap funding bill would have on cybersecurity, as Congress finds itself embroiled in another budget showdown.
Lawmakers are expected to pass a continuing resolution (CR) later this month to avoid a shutdown and fund the government past April 28, when the last spending deal expires.
Analysts and officials say the use of a continuing resolution hinders the federal government’s cybersecurity efforts, delaying and damaging the work that is being done across various government agencies.
“A CR doesn’t give you that flexibility to increase your spending in a particular high-need area,” Rep. Jim Langevin (D-R.I.), a member of the House Armed Services and Homeland Security Committees, told The Hill. “Cyber is certainly potentially one of them.”
“A government shutdown would be the worst-case scenario,” he said. “But, a CR isn’t much better because you’re dealing with past years’ budgets and you’re not able to make those incremental adjustments in spending and training and bringing on new personnel.”
Congress has repeatedly relied on continuing resolutions to fund the federal government in recent years. The stopgap measures essentially extend funding of agencies and departments at the levels of previous years.
“It’s just not regular order,” said James Norton, a former Department of Homeland Security official who helped set up the agency’s first cybersecurity team. “When you’re on a CR, agencies can’t move forward on new programs of record.”
Eric Trexler, director of national security and civilian programs at the cybersecurity firm McAfee, agreed that a stopgap funding bill pushes the government’s efforts “to the right,” delaying new initiatives and upgrades to technology.
“Cybersecurity is a very dynamic, constantly changing field,” Trexler said. “They end up with older technology, the inability to modernize or upgrade and work on new programs, new initiatives.”
“If we don’t have a budget or we have a continuing resolution, it limits the defender’s ability to do their jobs effectively,” he said. “We’re just giving more of an advantage, from a cybersecurity perspective, to the adversary.”
DHS is largely responsible for defending federal networks and the nation’s critical infrastructure, in particular, from cyber threats. The agency also partners with industry to share critical cybersecurity information.
The Defense Department plays a major role as well. It has been developing offensive and defensive cyber capabilities as foreign nations increasingly turn to cyber and information operations to achieve strategic objectives.
Military leaders have repeatedly complained of the negative effects that continuing resolutions have on force operations. Last week, Mark Milley, the Army’s chief of staff, said that the stopgap bill would prevent the service from maintaining training levels of its cyber teams and fielding cyber protection teams in the National Guard.
“The CR will likely have a negative effect on the recruitment of the best talent that we have out there to be cyber warriors,” Milley added.
Once Congress passes a short-term bill to fund the government, lawmakers will turn their focus to the next fiscal year — and the prospect of actually passing appropriations bills that reshuffle agency priorities.
The Trump administration has proposed allocating $1.5 billion for DHS to protect federal networks and critical infrastructure from cyber threats in a fiscal year 2018 budget blueprint released in March. While congressional Republicans plan to write their own budget, the Trump blueprint signals to Congress that the White House sees cybersecurity funding as a priority.
Some Democrats have pointed to Trump’s proposed cuts at other agencies and departments — such as the Department of Energy and IRS — as potentially harmful to cybersecurity efforts across the government.
“It appears from the outline that cybersecurity has been spared these cuts; however, until we have a full budget, it is premature to say what we can expect,” Langevin said. “I strongly encourage the president to support robust cybersecurity spending, but I suggest he scrap his outline before laying out a full plan.”
Langevin said that Congress should make it a top priority in the next budget to reform information technology acquisition by creating a revolving fund to pay for the replacement of insecure legacy systems.
Meanwhile, Rep. John Ratcliffe (R-Texas), who chairs a subcommittee on cybersecurity and infrastructure protection, said that he is optimistic about the new administration’s commitment to cybersecurity.
“My subcommittee has been working with the Appropriations Committee to advocate for the prioritization of cybersecurity funding,” Ratcliffe said. “The president’s blueprint budget reinforces my optimism that his administration acknowledges the importance of DHS’ cyber mission.”
Experts say IT upgrades are of critical importance, pointing to the massive Office of Personnel Management data breach, which has been largely blamed on the department’s legacy systems.
IT modernization has been a priority of lawmakers in both parties, with Reps. Will Hurd (R-Texas) and Gerry Connolly (D-Va.) planning to reintroduce legislation in the new Congress that would rid the federal government of outdated systems.
“While we can shore up an old bridge to lower the risk of damage from earthquake, the result would be far less safe than utilizing a modern design, materials and building techniques,” Trexler said. “The same is true of securing federal networks, which protect valuable national data, assets and lives.”
Legislators have also looked to set up new federal grant programs to help states with cybersecurity, including one proposal that would incentivize states to adopt newer and more secure voting systems.
Fears about cybersecurity weaknesses — especially in voting infrastructure — have been compounded by last year’s Democratic National Committee hacks, which the intelligence community has linked to a broader campaign by the Russian government to influence the 2016 presidential election.
Additionally, Langevin said that Congress should expand funding for federal workforce development programs in cyber — such as the Pentagon’s persistent training environment — and invest more in research and development.
“Cybersecurity is never an issue we’re going to solve. You’re never going to get to a point where we can say we’re 100 percent secure—there’s no such thing. But, what we can do is we can buy down our risk to something that’s much more manageable than it is right now,” he said.