Is DHS cyber under-resourced?

While the cybersecurity mission at the  Department of Homeland Security has been steadily expanding, some think the agency may not have the resources to protect federal civilian networks.

Funding levels proposed in the Trump administration's budget for cybersecurity operations at DHS would remain more or less flat at $1.9 billion, including $1.1 billion for the Cybersecurity and Infrastructure Security Agency (CISA).

"What I was looking for was really a bump to be commensurate with the fact that DHS is now the hub for protecting federal civilian cyberspace, and that's what I think was missing," said Chris Cummiskey, former deputy undersecretary for management at DHS. 

In particular, Cummiskey pointed to the need for more money to fund Continuous Diagnostics and Mitigation (CDM), the National Cybersecurity Protection System (dubbed Einstein) and the National Cybersecurity and Communications Integration Center as their portfolios have continue to expand over the past several years.

Rep. Dutch Ruppersberger (D-Md.), a member of the House Appropriations Committee, said that he believes DHS cybersecurity priorities are under-resourced at current budget levels, particularly given DHS Secretary Kirstjen Nielsen's public comments about the rising importance of protecting federal networks and critical infrastructure to the department's mission.

Ruppersberger said the department must start considering how the changing federal workforce – with its expanding number of remote employees and increased reliance on the cloud -- affect the threat landscape patrolled by DHS.

Like many others, he took the administration to task for proposed cuts to the Science and Technology Directorate, noting it could have repercussions for cybersecurity down the line. "Research and development should be a strategic asset, and I fear the department is trying to be too tactical with their precious R&D dollars," Ruppersberger said.

Former DHS officials also expressed dissatisfaction at the amount of proposed funding support at DHS and CISA. Along with Cummiskey, Suzanne Spaulding -- who led CISA's predecessor agency, the National Protection and Programs Directorate -- said the department's latest budget does not adequately fund the agency's current mission and objectives.

She pointed to the need to beef up deployment of cybersecurity advisors to assist state and local governments and build in greater resilience between federal, state and local governments as well as industry against cross-sector cyber threats.

"The work of the National Risk Management Center and the ICS CERT to fully understand interdependencies and cascading risks is also something that could be expanded," Spaulding said.

Strategy, not dollars

Not everyone believes more money is the answer.

Trevor Rudolph, who served as chief of the Cyber and National Security Unit at the Office of Management and Budget under the Obama administration, said he believes CISA and DHS have enough money, instead questioning whether key programs like Einstein and CDM are appropriately structured to provide the most value to customers and stakeholders.

"I think some of the key questions that appropriators need to ask moving forward is are we getting the right bang for our buck?" said Rudolph, now vice president of global digital public policy at Schneider Electric. "I would argue that with programs like Einstein, they need to take a serious look at whether they're working and … whether DHS is focused on the right outcomes. Talking to CISOs, it's blatantly obvious that they can't use Einstein indicators because they're not helpful and they're late, so why are we spending millions of dollars [to push them out]?"

Rudolph has expressed similar misgivings about the structure of other agencywide cybersecurity programs managed by DHS. His larger point is that poor structure and strategy -- not lack of money -- sits at the root of the federal government's cybersecurity shortcomings, and fattening CISA's budget further won’t fix the problem.

If the government moved to a shared-services approach for core IT capabilities, connectivity and basic applications, he argued, much of its now-dispersed network monitoring and security activities could be centralized and improved, likely at a lower cost than the government pays now.

In line with the visions of Congress and the executive branch, he said DHS and CISA could play a prominent role in federal civilian cybersecurity by building and owning these capabilities, but continuing to operate under the status quo only ensures that another OPM-like breach is "just a matter of time."

Michael Daniel, president and CEO of the Cyber Threat Alliance and former White House cybersecurity coordinator under the Obama administration, raised similar concerns. With federal funding for cybersecurity receiving steady year-over-year increases since the mid-2000s, DHS probably doesn't need more dollars unless its mission or mandate expands further, either for protecting federal networks or providing new capabilities to the private sector.

Like Rudolph, Daniel said the federal government could make better use of its dollars by re-examining the way it splits resources between DHS and individual agencies for certain cybersecurity functions, like protecting federal networks.

"One key question is whether the balance is right between what DHS funds centrally and what individual agencies pay for," Daniel said. "That's difficult to assess from the outside, but in general, I am in favor of greater centralization … because I think that approach is more efficient and effective."

A longer version of this article was first posted on FCW, a sibling site to GCN.