Cyber Agency Funding Woes Limit Surge Power to Respond to Hack


By Shaun Courtney and Jack Fitzpatrick

  • Stopgap spending law complicates DHS cybersecurity money
  • Contracts for surge capacity face cuts at critical moment


The federal agency charged with protecting federal cyber infrastructure lacks the funding it needs to pay a surge of private contractors to counter the Russian-backed breaches of government networks, cyber firms and a former official say.

“They don’t have the money to spend to do the kinds of things that I imagine that they need to do right now, which is really drawing on their contractors for surge support,” Bryan Ware, former assistant director for cybersecurity for the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency, said in an interview. “All hands on deck—that’s just not there.”

Ware left CISA last month — one of several officials who were pushed out as the agency backed the integrity of an election that President Donald Trump says was rigged.

CISA’s budget troubles stem in part from how it has been spending money without a full-year funding law in place. Contractors also say the agency needs additional funding to fulfill its mission.

CISA relies on the Continuous Diagnostics and Mitigation program to protect federal agencies during a time of increasing attacks and as more agencies telework during the Covid pandemic, Ware said. The revelation that Russian-backed hackers compromised government systems demonstrates the types of vulnerabilities CISA would use its contractors to help understand and address.


The leaders of Booz Allen Hamilton Holding Corp., CACI International Inc., CGI Federal Inc., and ManTech International Corp. wrote the top homeland security appropriators in Congress Dec. 5 warning that congressional budget negotiations and the reliance on a short-term continuing resolution made the government less safe.

The four companies have contracts under the Continuous Diagnostics and Mitigation program, but absent additional funding those contracts can’t be fully staffed and they “will be unable to fully protect vital government networks, as the cyber security workforce will be reduced by hundreds of people,” the leaders wrote. The letter called for an additional $150 million in funding for the program above the president’s fiscal 2021 budget request.

Spending Laws

After Congress passed a stopgap funding measure starting Oct. 1, CISA began spending at a lower rate set by the president’s fiscal 2021 budget request, rather than continuing at the higher fiscal 2020 funding level, Ware and a congressional aide said.

Neither DHS nor the Office of Management and Budget responded to requests for comment.

Lawmakers are, however, finalizing negotiations on a full-year spending package that could soon resolve the issue.

“The reported cyberattacks are incredibly concerning. I am hoping that we can come to an agreement in the FY21 budget that will address any funding needs that CISA may have as they assist in addressing these cyberattacks,” Rep. Chuck Fleischmann (R-Tenn.), ranking member of the House Appropriations Homeland Security Subcommittee, said.

“It is my hope and my goal to include an increase and avoid the proposed cuts in the budget in any funding bill we can pass this week,” Sen. Shelley Moore Capito (R-W.V.), leader of the Senate Homeland Security Appropriations Subcommittee, said in a statement. The Senate spending bill released this fall included an increase for CISA’s work.

DHS Hampered

“The Department of Homeland Security is aware of cyber breaches across the federal government and working closely with our partners in the public and private sector on the federal response,” DHS Assistant Secretary for Public Affairs Alexei Woltornist said in a press release Monday.

Ware noted the CISA team is responding without key leaders — like former agency Director Christopher Krebs, whom Trump fired on Twitter — or the critical additional support of paid private partners.

“The bottom line is we need our tools to be robustly in place, we need the people in place, and the incident response right now is the real shame of Krebs not being there,” Rep. Jim Langevin (D-R.I.) said in an interview.

The agency has the tools in place to fight off nuisance attacks, but it relies on rapid contracting to be able to respond to more sophisticated adversaries, Ware said.

“We’re so hampered right now by a loss of leadership, the additional burden of transition, and coupled with this continuing resolution,” he said.

With assistance from Rebecca Kern

To contact the reporters on this story: Shaun Courtney in Washington at scourtney@bgov.com; Jack Fitzpatrick in Washington at jfitzpatrick@bgov.com

To contact the editors responsible for this story: Robin Meszoly at rmeszoly@bgov.com; Sarah Babbage at sbabbage@bgov.com
