The First Step for Making Government More Efficient: Fix Cyber Budgets

Washington is at a pivot point on how government does business. That pivot must be away from old, buggy, patchworked information technology (IT) and toward a recapitalized, modern IT system that is secure and ready for the AI revolution, as laid out in the Department of Government Efficiency (DOGE)’s agenda. The first step in the change will be to upend how the federal government budgets for IT.
Relying on outdated infrastructure and software is slow, expensive, and dangerous. A 2019 study by the Government Accountability Office, for example, found that 10 critical federal IT legacy systems alone cost about $337 million annually to operate and maintain. Similarly, the U.S. Department of Housing and Urban Development estimated that moving five of its most critical systems from an on-premises mainframe database to the cloud would save the department $8 million annually. Finding and retaining staff with sufficient knowledge of outdated systems drives up staffing costs.
A failure to shore up security and modernize has resulted in costly incidents. In January 2023, the 30-year-old Federal Aviation Administration (FAA) Notices to Air Missions (NOTAM) database failed, causing thousands of flight delays and cancellations and costing the country millions of dollars. While the failure was attributed to human error, the widespread flight cancellations raised concerns about the age of the system and the potential for similar disruptions. Although both the 2012 Pilot’s Bill of Rights and the 2018 FAA reauthorization law required the NOTAM system to be modernized, the lack of funds made it difficult for the FAA to prioritize such projects.
Further, the United States has large and costly gaps in cyber defenses. Starting in mid-2020, hackers linked to the People’s Republic of China (PRC) stole at least $20 million worth of Covid-19 relief benefits from the U.S. government, including unemployment insurance and Small Business Administration loans. The U.S. Secret Service reported that it was only able to recover about half the stolen funds, meaning the U.S. government’s poor cyber defenses cost U.S. taxpayers at least $10 million. This is hardly new: In 2015, the PRC cost the U.S. government more than $1 billion when it hacked the Office of Personnel Management (OPM) and compromised the sensitive data of 21.5 million Americans. The House Committee on Oversight and Government Reform found that the OPM data breach was “preventable” and that OPM leadership “failed to prioritize resources for cybersecurity.”
Agencies are often forced to rely on antiquated technology because current funding streams favor short-term patches to legacy systems rather than long-term upgrades. A chief information security officer explained to CSIS that these systems are like an old car: “It is significantly easier to come up with $2,000 per year to maintain the car than $20,000 to buy a new one . . . We run the old one into the ground until something really, really bad happens.” Meanwhile, the security team is stretched thin trying to shore up an outdated system. Where rip-and-replace is desperately needed, they only get band-aids and duct tape.
Moreover, oversight of federal cybersecurity and IT is nearly impossible. There is little to no consistency in how federal departments and agencies define or track cybersecurity and IT spending. Some agencies lump cyber accounts in with other seemingly irrelevant projects such as building repairs and improvements, travel, rent, mail, printing, and telephone services. It’s impossible to discern where funds are going and provide appropriate accountability for cybersecurity spending.
The DOGE, working with congressional appropriators, can fix this problem in year one. It should take the following eight steps:
First, DOGE should help departments and agencies make the case to Congress for a major cyber overhaul. The threat of cyberattacks and the high cost of these inefficiencies are real. Congress needs to understand that it must recapitalize IT now to save money later. Budget requests should also clearly tie to federal cybersecurity requirements and map to a framework for cybersecurity such as the Federal Information Technology Acquisition Reform Act (FITARA) scorecard, National Institute of Standards and Technology (NIST) Cybersecurity Framework, or some other alternative measure that is consistent over time. Budget requests should crosswalk from the goal to cost, to the line item where these costs reside. This will ensure federal funds are spent effectively on the most pressing needs and allow for greater oversight of department and agency cybersecurity spending.
Second, mandate standards for how departments and agencies report cybersecurity spending to Congress and the Office of the National Cyber Director (ONCD). Appropriations could be contingent on departments and agencies reporting budget breakdowns for cybersecurity that separate it from line items such as facilities management or infrastructure improvement.
Third, a few funds already exist to solve this problem, but they have been poorly implemented. The Technology Modernization Fund (TMF), a government program meant to jumpstart IT recapitalizations with small pockets of money, has an arduous and complex application process, which has prevented agencies from using it successfully. As of May 2022, only 23 out of 130 proposals were successful, or about 18 percent. The administration should reissue guidance on the TMF, reinstate TMF explainer sessions, and match prospective applicants with successful applicants in a mentoring relationship. Similarly, the opaque process for obtaining an IT working capital fund (IT WCF) has meant that only half of the agencies listed in the Chief Financial Officer Act that have the authority to establish such a fund have done so. Some agency leaders do not believe they have the legal authority to develop an IT WCF, and other agencies have attempted to obtain an IT WCF but have not been granted one and received no justification for the decision, causing frustration and confusion. The administration should pressure Congress to expand the availability of IT WCFs or create a new multi-year funding mechanism that allows agencies to reinvest savings into IT modernization and cybersecurity upgrades.
Fourth, the administration should revise the Federal Information Security Modernization Act and FITARA metrics to better reflect desired outcomes. The new criteria should be specific enough to be measurable while not being tied to any one technology to allow for consistent measurements as technology changes. Further, where possible, the criteria should be outcome-based with a focus on creating resilient systems that can recover quickly in the event of an attack or outage.
Fifth, agency and department heads must understand the cyber threat and take it seriously. They should be held personally accountable for cyber breaches. The White House should require new leadership to sit down with briefers from the intelligence community to discuss the scope and severity of cyber threats from criminal actors and nation-states. After the briefing, department and agency heads should write a letter to the president and to congressional oversight committees previewing where they will be requesting additional resources to respond to the threat.
Sixth, the Office of Management and Budget (OMB) leadership should create stronger ties between the management and budget sides of the office. A disconnect today means multiple unfunded mandates. The management side should solicit cost estimates from the budget side before they issue new cybersecurity guidance. The two sides should agree that improving federal cybersecurity is a presidential priority, and OMB needs to look favorably upon budget requests for additional funding for cybersecurity improvements.
Seventh, the DOGE should review procurement processes for critical cybersecurity-related technology. It should seek to dramatically shorten the procurement lifecycle, expand the use of the Multiple Award Schedule IT subcategory (Schedule 70), and expand the other transaction authority for cybersecurity. In a major step, the administration could create an executive branch cyber fund controlled by ONCD to serve as jump-start money for new mandates. The funds could create a bridge: providing immediate funding for new executive orders or congressional mandates until departments and agencies can incorporate efforts into their budgets two or three years later.
Finally, the administration could also create groups of four to five smaller agencies to share cybersecurity services. Small groups with similar risk profiles and needs could share Security Operations Centers and contracts, thus helping create economies of scale. If the shared model works, larger departments and agencies might join voluntarily.
The cybersecurity funding model is fragmented, slow, and reactive because cyber budgets and acquisition practices have not kept pace with the expanded cyber threat and rapidly changing technology ecosystem. For too long, Congress has been fixing up an old car, which is now slow and dangerous. The Trump administration should seize this opportunity for a quick win that will create massive efficiencies.
Julia Dickson is a research associate for the Intelligence, National Security, and Technology Program at the Center for Strategic and International Studies (CSIS) in Washington, D.C. Emily Harding is the director of the Intelligence, National Security, and Technology Program and vice president of the Defense and Security Department at CSIS.
