Cybersecurity and Obama budget proposal

Although critics are savaging the Obama administration's proposed budget over its unprecedented deficit spending, industry observers are hailing its plans to set aside $355 million for cybersecurity efforts.

In its fiscal 2010 budget proposal, released today, the White House said it aims to put the money toward making government and private-sector network infrastructure more resilient and secure.

"The threat to federal information technology networks is real, serious, and growing," the budget proposal read. "To address this threat, the President's 2010 Budget includes substantial funding for cybersecurity efforts; such activities will take an integrated and holistic approach to address current cybersecurity threats, anticipate future threats and continue innovative public-private partnerships."

A large portion of the financing -- which will go into effect Oct. 1 -- will land at the Department of Homeland Security (DHS). The outlay includes money for the DHS National Cyber Security Division (NCSD), which works with public, private and international entities to secure cyberspace and America's network assets.

It also will allocate funds to DHS's Comprehensive National Cybersecurity Initiative (CNCI), an effort to reduce the number of potentially vulnerable government Internet access points, improve DHS monitoring technology and encourage government vendors to sell hardware and software only in secure configurations.

While the president's cybersecurity proposal also mentions plans to fund efforts in other areas -- like intelligence and the military -- the budget did not break out this spending, which is typically classified.

The proposal marks a step toward addressing concerns among security experts that the national cybersecurity infrastructure is badly in need of repair. In the wake of a slew of attacks, security lapses and data breaches in several U.S. government agencies and businesses, the Center for Strategic & International Studies (CSIS), a bipartisan think tank, called for the Obama administration to take action on cybersecurity.

Earlier this week, CSIS also joined with a number of U.S. departments to issue guidelines aimed at helping businesses and government agencies enact tighter security.

Supporters of those efforts now see the Obama plan bearing out a number of their key recommendations.

"The good news is that the Department of Homeland Security in previous years had seriously underfunded research in cybersecurity, which was never a priority for the previous administration, and now something's being done," James Lewis, policy director at CSIS, told InternetNews.com.

The current fiscal year's budget, drawn up during the Bush administration, set aside $242 million to maintain and expand the capabilities of one cybersecurity unit within NCSD, the United States Computer Emergency Readiness Team (US-CERT).

While the funding enabled US-CERT to develop additional network defense measures and increase its malware and intrusion analysis capabilities, that portion of the 2009 budget (available here as a PDF document) did not provide for additional cybersecurity measures elsewhere.

Avoid throwing money away

The current administration's proposed budget for fiscal 2010 instead directs IT security spending to the NCSD itself. (That portion of the budget is available here in PDF format.) As a result, DHS initiatives like CNCI will also receive funding.

"This budget is a positive sign that the new administration will continue to invest in and emphasize cybersecurity," Shannon Kellogg, a member of the CSIS commission that compiled its report, told InternetNews.com.

But Kellogg, who is also director of information security policy at RSA, the security division of storage giant EMC (NYSE: EMC), also warned that the work's far from over.

In particular, he said the White House needs to devise effective short-, medium- and long-term strategies to deal with U.S. cybersecurity, rather than simply throw money at the problem.

RSA's Kellogg added that so far, the Obama administration is already showing signs it intends to do just that. In particular, he lauded an executive order earlier this month that set in motion a two-month review of the federal government's cybersecurity programs.

The review is being spearheaded by Melissa Hathaway, a former consultant with Booz Allen Hamilton who worked under the director of national intelligence during the Bush administration.

"That's what I think the 60-day review that they initiated is about -- looking at its efforts with the intent to update the national strategy and update how we improve cybersecurity," Kellogg said. "That's the right thing to do."

Despite the praise it's receiving, Kellogg said it's possible that the outlay for network security could change by the time the budget receives Congressional approval. That may be especially true given the immediate criticism Obama's budget has sparked over its vast predictions of deficit spending.

Kellogg added that he expects the Obama administration to continue reviewing its proposal in the interim.

"I don't think it's by any means complete, but there's time to look at the strategy and where and how money will be allocated over the next 60 days and as the budget process proceeds in Congress," he said.

This article was first published on InternetNews.com.