Cyber

Federal cyber officials search for funding solutions to keep up with growing demands

State Department and CISA officials voice concerns and potential answers for a lack of cyber funding.

October 3, 2024

(Getty Images)

Keeping up with zero trust implementation and other governmentwide cybersecurity mandates will require different approaches, including a “fundamental change” in how those efforts are funded, a pair of federal officials said Thursday.

Speaking during an ATARC Federal Zero Trust Summit event, State Department and Cybersecurity and Infrastructure Security Agency tech leaders shared potential solutions around funding for technology transformation, including via a shift that would establish cybersecurity projects similarly to modernization efforts.

Donald Bauer, the chief technology officer within State’s Office of Technology Services, said there is a “need” for “fundamental change in the way the government’s approaching funding some of these efforts. What if Congress or the appropriators created another lane called cybersecurity? I think we’ve probably reached a point in our ecosystem, as a federal government, where … we have our modernization money and we have our cyber money.”

Bauer said 25% of his team’s budget goes towards cybersecurity — primarily remediation — but they have faced a 28% cut in modernization funds.

“The squeeze is on, but there’s no relief in sight,” Bauer said.

Some of that relief can come from the Technology Modernization Fund. Shelly Hartsook, the deputy associate director of capacity building at CISA, pointed to the TMF as well as advancing the continuous diagnostics and mitigation (CDM) program to help agencies build toward their own cyber stack.

While CDM, a program that aims to deliver cybersecurity tools and integration services to agencies that want to improve security posture, “does not provide every tool that every agency might want,” Hartsook said, it “does provide a lot of them.”

“That’s really where we’re trying to go in the future,” she continued, “where you might only be able to make an incremental investment based on your budget situation, working with the program so that these things are working in concert. And that we’re helping build towards your own cyber stack and not a competing set of tooling that’s tied into CDM.”

Hartsook, a TMF board member, pointed to the funding vehicle as something that could still help agencies looking to fund zero trust implementation projects and initiatives.

“I know it is not the be all, end all, but we do still want to see zero-trust proposals,” Hartsook said. “For folks who are not seeing that budget line item increase for their own shop, again, the TMF is still an option around that.”

But Bauer said his dealings with TMF and other avenues have been a mixed bag, calling out a “huge disconnect” in interactions with his Office of Management and Budget representative on funding issues. For TMF, he said, “it’s not just ask and you get it. You have to compete, compete, and it’s a mortgage of your future. You’re borrowing future dollars for today.”

“But if Congress were to say, ‘Hey, here’s the cybersecurity funding effort, we’re going to give you 5 million against cyber,’ I’m happy to show you where every single penny goes for that particular investment,” he added. “I feel like that’s the disservice that I felt, like I’ve gotten when I see an executive order come over [that] says I have to comply and there’s not” enough funding for it.

Zero trust isn’t Bauer’s only tech-related worry: the CTO also expressed concern about executive branch guidance, specifically the White House’s artificial intelligence executive order.

“I have AI coming at me in seven different directions, from people who want to dump a bunch of data in there to get an answer, which I have to make sure that they don’t do that,” Bauer said.

Bauer said his organization also needs “a lot of help” in understanding how to unwind legacy technology.

“I’m sorry, I just don’t have the latest and greatest tools — I have plain old vanilla … servers,” Bauer said. “I pride myself on not being bleeding edge because I am 24/7. I don’t have the luxury of putting something out there that might work or might not.”

But State’s Office of Technology Services does “a lot of our own software,” Bauer noted, and his organization is getting ready to have dynamic scanning using artificial intelligence.

“It raises the level of your whole organization, because what happens with us as we run it through our scans and it comes back and says, ‘here’s a vulnerability,’” Bauer said. “We force our developers that didn’t own that code but have similar technology to go and look for that same vulnerability in their software, so that we bring the whole level of the organization up.”