Small US Cyber Agencies Are Underfunded & That's a Problem

COMMENTARY

The term "government cybersecurity agency" probably conjures up a range of images, from men in dark suits to rooms filled with huge screens and people typing away at keyboards. It likely does not prompt people to think of a small underfunded agency in the Department of Commerce. Although organizations like the National Security Agency (NSA), the FBI, and the Cybersecurity and Infrastructure Security Agency (CISA) receive the most attention regarding cybersecurity, many other government agencies perform critical cybersecurity functions and are chronically underfunded and short-staffed. 

The digital ecosystem can suffer far-reaching negative impacts if these agencies cannot perform their missions. If the US wants to maintain its cybersecurity edge, Congress must allocate appropriate funding for agencies across the cybersecurity ecosystem to protect networks and critical infrastructure. The Commerce Department's National Institute of Standards and Technology (NIST) and the National Vulnerabilities Database (NVD) provide an excellent case study for this problem. 

The NVD is a catalog of known IT software and hardware vulnerabilities that bad actors can exploit to carry out malicious activities, such as breaking into a network to steal data or accessing a control system to sabotage equipment. 

Software vendors, cybersecurity providers, and network operators want to know about vulnerabilities so they can patch them and prevent bad actors from exploiting them. The NVD serves as a foundation for almost all vulnerability analysis, assessment, management, or remediation activities in the US, the European Union, and throughout much of the world. 

The US government has operated the NVD since 1999 under NIST. A relatively small agency by US government standards, it has a well-deserved reputation for quality, industry collaboration, and integrity; its expertise in standards development is unparalleled. The agency plays an outsized role in the cybersecurity ecosystem due to the extensive use of its standards, guidelines, best practices, and other cybersecurity products. 

How the NVD Started and Developed

The NVD started as a research project. As the vulnerability management process evolved, NIST staff began adding certain data fields to the NVD entries, a process that became known as enrichment. As the number and importance of vulnerability tracking increased — and businesses and network operators increasingly relied on the data — maintaining the NVD and its enriched data became an essential operational requirement for cybersecurity across the entire ecosystem. NIST continued to manage the NVD, despite not being an operational agency.  

This status quo persisted until mid-February 2024, when NIST stopped enriching the NVD entries without much warning. 

While the reasons for the outage are not fully known, long-time observers assert that a lack of resources played into NIST's decision. This abrupt change created major problems across the cybersecurity ecosystem because so many organizations relied on the enriched NVD data for their vulnerability management systems. While the resulting outcry eventually forced the US government to cobble together a solution and restart the process, the decision to stop enriching vulnerabilities measurably increased global cyber-risk for several months. 

The Problem: Widespread Underfunding of Government Security

This process breakdown shows what happens when we rely on underfunded government organizations for critical Internet security functions. Unfortunately, the NVD is hardly an outlier. A review of executive orders, presidential guidance documents, and national strategies would show many new tasks for NIST, but decreased funding in the financial year 2025 budget. NIST isn't the only agency in this situation. The Environmental Protection Agency, the Coast Guard, and the Department of Agriculture all have cybersecurity missions and are critical players in increasing our cyber resilience. The State Department and the US Agency for International Development are also responsible for carrying out our cyber policies abroad. Yet the collective resource allocations for these agencies and programs don't reflect their contribution to our overall cybersecurity. The allocated resources are not commensurate with our national security, economic prosperity, and public health and safety needs. 

As a country, we should recognize the importance of these functions and resource them appropriately. We should also think critically about who performs these tasks; for example, in the case of the NVD, should a government research organization maintain a foundational operational capability, or should another agency take over the function? For that matter, we should consider whether a function should be moved out of the federal government to a private sector entity or nonprofit. 

The structures, policies, and resource allocations that worked when the Internet was a "nice-to-have" no longer suffice. Now that the Internet is a "critical function," underpinning public health, safety, and global economic prosperity, we need to invest in the cybersecurity capabilities needed to keep the Internet functioning. We must shoulder our responsibilities appropriately, including allocating sufficient resources to meet our collective needs. 

Unfortunately, the current approach to funding government agencies by continuing resolution simply compounds the resourcing problem. Continuing resolutions are better than a government shutdown, of course, but they are otherwise bad for cybersecurity. They keep agencies at the same funding level as previous years, making no changes for inflation or mission, and they do not permit agencies to start new programs. Their short duration creates uncertainty and effectively freezes the federal government in place. We need Congress to pass annual appropriations bills and provide the resources necessary for our cybersecurity. As the recent McCrary Institute Presidential Transition Task Force report states, "The misalignment between policy objectives and funding is a recurring issue that compromises the effectiveness of national cybersecurity efforts." That's why the report dedicates an entire section to funding and resource recommendations — without adequate resources, the best policies will not achieve their intended effects. 

The US is still a cyber superpower, but that status is not guaranteed to last — we could squander it. If the US wants to maintain its lead in cybersecurity, we need to act like adults and make the tough funding decisions that are demanded of us. Growing up is hard to do — but the alternative is very unattractive.