White House Cybersecurity Budget Prioritizes Defense, Resilience

A White House memo released June 27, 2023, outlined cybersecurity budget priorities for fiscal year (FY) 2025, with a focus on strengthening the software supply chain, protecting critical infrastructure and defending against ransomware.

The Biden administration aims to align cybersecurity investments with the five pillars of its National Cybersecurity Strategy: defending critical infrastructure, disrupting and dismantling threat actors, shaping market forces to drive security and resilience, investing in a resilient future, and forging international partnerships.


In a memorandum signed by Acting National Cyber Director Kemba Walden and Office of Management and Budget Director Shalanda Young, federal agencies are advised to prioritize spending on secure and sustainable solutions.

Protecting Critical Infrastructure

Edward Debish, director, public sector at Tanium, said the budget priorities enumerated are very comprehensive, but the first pillar, “Defend Critical Infrastructure,” must be the number one priority.

“This is akin to defending the homeland,” he explained. “The other pillars are support pillars to defending critical infrastructure. Modernizing federal defenses is imperative; legacy, weakly secured and non-upgradable technologies leave our nation’s critical infrastructure at significant risk.”

He added that legacy technology also wastes precious resources in managing technical debt.

“Prioritizing technology modernization should not only be based on systems reaching end-of-life or end-of-service but also prioritized by the greatest risk to our nation if compromised,” Debish noted. “Lastly, I would move ‘strengthen the workforce’ from pillar four into pillar one to highlight and increase the importance of people.”

He noted that each process or technology, to some degree, is overseen or managed by a human.

“Investing in and strengthening our cybersecurity workforce is paramount to ensure the modernization investments are fully capitalized,” Debish said.

Aligning Investments With Key Priorities

Sounil Yu, CISO at JupiterOne, said the explicit requirement to demonstrate how an agency’s FY 2025 budget submissions supported the goals established in the National Cybersecurity Strategy showed that the White House is serious about ensuring that agency investments align with key cybersecurity priorities.

“One of the core pillars of this strategy is the implementation of zero-trust architectures to strengthen the security posture of federal systems, and the budget memo seems to be more specific in terms of expectations for tangible progress made against this pillar,” Yu added.

He added that while shifting toward a zero-trust model is a well-known best practice, it may take years to migrate existing agency systems to this type of architecture.

“As agencies undergo technology modernization, they should seek solutions that demonstrably incorporate zero-trust principles from the beginning so that they are more secure by design rather than having to retrofit them after the fact,” he explained.

Darren Guccione, CEO and co-founder at Keeper Security, pointed out that the continued unification of disparate cybersecurity efforts government-wide indicated further progress toward a cohesive approach to cybersecurity as a true economic and national security priority.

“Zero-trust is at the heart of these initiatives,” he said, adding that White House Executive Order 14028, CISA’s Zero Trust Maturity Model, Office of Management and Budget memorandum M-22-09 and the DoD’s zero-trust strategy and roadmap coalesced to make zero-trust a current reality across numerous government agencies.

From his perspective, the federal push toward zero-trust is critical for the development and deployment of secure and resilient next-generation technologies and infrastructure.

Guccione added that the FedRAMP marketplace is a critical resource for agencies to find and compare credible and secure authorized vendors through a trusted public-private partnership.

In his view, working with FedRAMP-authorized solution providers that offer the highest levels of security and privacy lets government agencies comply with the federal zero-trust directives that support the strategy’s five pillars.

“This helps to reduce duplicative efforts, inconsistencies and cost-inefficiencies that have plagued cybersecurity in the federal government,” he said. “It also ensures that the government is in lockstep with the most advanced cloud-based software and services that are driving the high-stakes capital markets.”

The memo also noted that agencies should ensure their “investments lead to durable long-term solutions that are secure by design.”

Samuel Kinch, director of technical account management at Tanium, pointed out that “secure by design” requires building new cybersecurity capabilities from the ground up with security as a primary capability and not as an afterthought.

“The federal government’s desire to require a software bill of materials (SBOM) is a fundamental and positive step forward to success,” he said.

He added that the DoD and federal organizations like DHS’ Cybersecurity and Infrastructure Security Agency (CISA) would provide strategy, direction and possible solutions, but ultimately, it is the agency that is responsible for implementing the solutions—including the costs.

“Secure by design also does not happen instantly or with tools that are point solutions,” Kinch added. “The next generation of cybersecurity requires a platform approach to create the foundational cybersecurity hygiene required to defend against malicious actors.”

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
