Security funding only seems set to rise next year
The devil is in the details in figuring out IT security funding
When it comes to IT security, 'the government isn't leading by example,' SANS Institute's Alan Paller says.
IT security funding is slated to rise 10 percent, to $4.7 billion, in fiscal 2004.
But agencies will find themselves stretching that money thinner next year because $4.7 billion would merely keep pace with current spending levels, about 8 percent of federal IT spending.
Meanwhile, the nation's first cybersecurity czar is departing. Richard Clarke, who took the job after Sept. 11, 2001, announced shortly before President Bush released his budget proposal that he would leave after the final National Strategy to Secure Cyberspace comes out this month.
Clarke, who shepherded the security strategy's development, has been in government service for 30 years and worked at the White House for 11 years, advising presidents Clinton and Bush on counterterrorism and cybersecurity.
The budget proposal gave a first glimpse at the Office of Management and Budget's findings about the state of government IT security, which will be reported to Congress this spring under the Federal Information Security Management Act, formerly the Government Information Security Reform Act. Last year's GISRA report found widespread weaknesses across all agencies.
'Initial review of agency and IG reports are mixed,' the budget analysis said. Some agencies (the Justice, Labor and Transportation departments) have 'demonstrated clear progress over the last year,' the proposal said. OMB said it is enforcing a longstanding policy that existing IT security weaknesses must be dealt with before the administration will approve new IT investments.
The budget proposal did not break out money earmarked for IT security, leading one observer to question how effectively such funds would be spent.
'Where that money is, is difficult to find,' said Alan Paller, research director of the SANS Institute of Bethesda, Md. 'The allocation emphasizes studies and risk assessment, and almost no money is targeted for remediation.'
The $4.7 billion would be enough, he said, but there isn't enough emphasis on fixing problems. 'The government isn't leading by example,' Paller said.
The few details on IT security in the proposed budget mentioned $3.5 million for the National Institute of Standards and Technology to develop a biometric standard. NIST would get $12 million more to develop homeland security standards, including physical elements such as high-rise building safety as well as cybersecurity. NIST's overall budget would shrink by 11.5 percent to $498 million, however.
The Justice Department would get $60 million to investigate cybercrime. The FBI would receive $37 million to improve its security, including information security, plus $12 million to link federal, state and local law enforcement information systems.