The Biden administration boasts that it plans to invest $13 billion in cybersecurity for federal civilian agencies, but the White House's plan ignores important programs such as basic research and standard-setting.
Once again, the government is asking far too little from the National Institute of Standards and Technology (NIST), which develops cybersecurity standards and guidelines for the entire government. The White House has directed NIST to play a critical role in its most important cybersecurity priorities, but it has not provided the agency with funding commensurate with its importance. Without Congressional intervention, NIST will be unable to perform its assigned tasks, jeopardizing the success of the administration's cyber ambitions.
The National Institute of Standards and Technology, part of the Department of Commerce, conducts technical research on emerging technologies while developing risk mitigation frameworks. Its most visible results are more than 200 directives that establish cybersecurity standards, technical specifications, and guidelines that governments and private industry use as benchmarks. NIST also maintains the Cybersecurity Framework, a detailed system for managing cybersecurity risks. It provides a methodology for identifying and prioritizing an organization's assets and securing those systems. Critical infrastructure operators, government contractors, and federal agencies all measure the effectiveness of their cybersecurity procedures against this framework.
Over the past three years, the administration has added new responsibilities to NIST's already robust mission. Just months after his inauguration, President Biden issued a comprehensive executive order to improve national cybersecurity, specifically mandating that NIST develop guidelines on how to identify critical software and how to protect the software supply chain.
Two years later, the White House announced a new national cybersecurity strategy to protect U.S. interests in cyberspace and position the nation to “realize the full benefits” of digital technology. NIST is the lead or contributing agency for nearly 20% of the efforts to implement the strategy. Building on NIST's existing work on cyber talent development, the administration has tasked NIST with establishing core competencies for cybersecurity-related work and supporting education and training programs.
Last summer, the U.S. government announced the U.S. Cyber Trust Mark, a new certification and labeling program to help consumers identify baseline security standards for smart devices and Internet of Things technologies. Although the program is run by the Federal Communications Commission, NIST develops the basic cybersecurity requirements and collaborates extensively with the FCC.
Most recently, the government issued an executive order aimed at addressing the “promise and perils” of artificial intelligence. Officials have once again chosen to make NIST responsible for the technical backbone: establishing standards for the development, use, and evaluation of AI; publishing guidelines and best practices for AI safety and security; evaluating the effectiveness of privacy protections; and publishing the AI in Global Development Playbook, which incorporates risk management principles as well as global governance and human rights best practices.
But despite the National Institute of Standards and Technology's centrality to U.S. cybersecurity policy, its funding has not kept up with its mission. Back in 2020, the congressionally mandated Cyberspace Solarium Commission (of which this essay's co-author served as executive director) found that NIST was “meeting increasing demands on staff and expanding mission requirements.” “We lack the resources necessary to support this,” it warned. The White House requested just $79.4 million for NIST's cybersecurity and privacy program in fiscal year 2020.
As a result, the Commission's congressional co-chairs asked their appropriations colleagues to increase funding for NIST's FY21 cybersecurity and privacy program to $107.5 million, to no avail. NIST's budget remained relatively stagnant. Two years later, the commission co-chairs again called for an increase to $135.9 million for NIST's cybersecurity and privacy program, pointing to additional mandates through executive order.
However, NIST's budget remains well below the recommendations of the Cyberspace Solarium Commission. This year's budget calls for just $96.8 million for the program, less than the commission co-chairs recommended four years ago. The difference becomes even more pronounced when inflationary pressures are taken into account.
This decline is alarming. Without adequate funding, NIST will be unable to conduct important research that directly impacts the cybersecurity of the American people. As the Administration and Congress continue to increase NIST's workload, NIST will need more resources to hire staff to perform its work in a timely and efficient manner.
NIST's cybersecurity and privacy program requires an increase of at least $50 million over its fiscal year 2025 request of $96.8 million to invest in hiring and retaining a well-skilled workforce and to expand the program to support the additional research and development responsibilities it has been given. Within this increase, NIST should receive an additional $20 million specifically for its cybersecurity education efforts, $7 million for AI-related initiatives, and $6 million to support Internet of Things security programs, including the U.S. Cyber Trust Mark initiative.
Without adequate funding, NIST will be forced to choose between its traditional role of creating much-needed cybersecurity frameworks and guidelines and devoting resources to ambitious, high-profile government initiatives. Either way, U.S. national security will be compromised.
Spending $13 billion on cybersecurity is not enough. That money needs to be invested in the right place. The Biden administration and Congress are missing the mark by underfunding NIST. This failure gives both adversaries and cybercriminals an advantage in their hostile cyber ambitions. This is an advantage we cannot afford.
Major General Mark Montgomery (retired) is with the Cyber & Technology Innovation Center at the Foundation for Defense of Democracies. He directs CSC 2.0, which is working on the implementation of the recommendations of the Cyberspace Solarium Commission, where he previously served as executive director. Follow him @MarkCMontgomery. Michael Sugden is a research analyst and editor at CCTI at FDD.
Copyright 2024 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.