Listen to this article
IT spending at many of the US government agencies hit by devastating cyber attacks is being cut, even as the threat to national security and privacy is escalating, an analysis of budget reports has found.
The Department of Health and Human Services (HHS), which oversees medical and insurance providers hit by large-scale cyber breaches, saw the sharpest decrease in total IT funding, falling by about 10 per cent each year from 2014 to its proposed 2016 budget. HHS’s spending on cyber security decreased by 5 per cent to $170m in 2014, according to the Office of Management and Budget’s latest report.
The Internal Revenue Service, which disclosed in May that hackers stole tax data for 104,000 individuals, spends about 20 per cent of its budget on IT but 80 per cent of that goes to operating and maintaining systems, IRS commissioner John Koskinen told Congress this year.
Legacy technology systems, unpatched software vulnerabilities, and weak login credentials are some of the basic security steps many US agencies have failed to take to shore up their networks from potential intruders, according to a FT review of dozens of reports from the Government Accountability Office, OMB and inspectors general.
The White House has touted cyber security as a top priority and the 2016 budget includes $582m for the Department of Homeland Security to help federal agencies improve their cyber defences.
But Obama administration officials have also urged Congress to pass White House proposals on information sharing with the private sector and establishing national data breach standards.
“There is a vigorous debate on Capitol Hill among Republicans who want to slash funding for agencies that will necessarily have an impact on a wide variety of priorities that these agencies confront, including basic cyber security,” White House spokesman Josh Earnest said last week.
More funding is not a silver bullet. The government faces other challenges that are unique to federal agencies, such as a cumbersome hiring process and a bureaucratic procurement system, which cannot be solved by more spending.
“This particular problem was not a question of resources,” the IRS’s Mr Koskinen told Congress. “It’s really a shot across the bow. The overall ongoing challenge of dealing with sophisticated criminals around the world is the security of the entire system. That’s where the weaknesses in our antiquated system come to bear.”
Last year Congress passed the Federal Information Technology Acquisition Reform, which will empower chief information officers with some authority over their technology budgets, hiring, and spending. In June, OMB issued guidance to agencies as they begin to implement the new law.
Across the US government, information technology budgets have increased from $78.6bn in 2013 to a proposed $86.3bn for 2016. The 2016 budget, if approved, would be a 2.3 per cent increase from the prior year.
Of the amount spent on IT, budgets for cyber security across all government agencies saw a much larger 22 per cent increase from 2013 to 2014, according to the most recent OMB report.
The defense department IT budget will increase by almost 3 per cent for 2016 proposed spending, after facing a more than 3 per cent drop last year. DOD has been the target of numerous breaches, some of which have affected national security. DOD cyber spending increased 26 per cent from between 2013 and 2014, to $8.9bn.
Nasa, which has suffered thousands of breaches over the past few years, will see its IT spending drop by almost 2 per cent for 2016, coming in at about $1.4bn.
The state department, which suffered a breach earlier this year that has been linked to Russia, saw its IT spending fall slightly last year but is asking for a 15 per cent increase this year. An OMB review revealed the department has a poor cyber security record in several areas despite a 33 per cent increase in cyber spending from 2013 to 2014 to $114m.