America’s Cyber Strategy Has a Budget Problem

The request would bring CISA’s budget down to just over 2 billion. That’s well below the roughly 2.6 billion Congress had been prepared — on a bipartisan level — to provide to the agency prior to the partisan blow up over the Department of Homeland Security’s budget because of a dispute over immigration enforcement.Over the past year, the agency has already been weakened by layoffs and reduced support for state and local cybersecurity efforts. The new budget would accelerate that trend. The administration has framed the cuts as a refocusing of CISA on its “core mission,” shuttering supposedly unnecessary initiatives like the Stakeholder Engagement Division. But the reality is that modern cybersecurity does not operate in a vacuum. Defending critical infrastructure — energy grids, transportation systems, water utilities, and telecommunications networks — depends on constant coordination with state and local governments, private sector operators, and international partners. Dismantling the very offices designed to enable that coordination undermines the mission the budget claims to prioritize.At the same time, the broader federal cyber ecosystem is also being thinned. The Office of the National Cyber Director would see a 3 million reduction in funding. The State Department’s cyber apparatus has been reorganized in ways that risk diluting its effectiveness. The Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response would see budget 40 million below FY25 enacted levels of 200 million. And there has been a noticeable pullback in engagement with the private sector and international cyber community — two pillars of any credible cyber defense strategy.The contradiction becomes even clearer when viewed against the broader threat environment. The United States faces sustained cyber pressure from sophisticated adversaries, including China, Russia, Iran, and North Korea. These actors are not just targeting federal systems; they are probing the connective tissue of American society – ports, pipelines, hospitals, and supply chains. Many of these systems are owned and operated by the private sector or local entities that rely on federal support, guidance, and information sharing to defend themselves.To be clear, not every line in the budget moves in the wrong direction. There is a modest 15 million increase proposed for Treasury’s “critical cyber capabilities, sanctions targeting, and combatting illicit financial activity.” State Department funding to improve its own IT infrastructure would also see a slight boost. These are useful investments, but they are not substitutes for a coherent, whole-of-government approach.The most striking aspect of this budget is how misaligned it is with widely accepted cybersecurity priorities. For years, policymakers from both parties have emphasized the need for stronger public-private collaboration, improved information sharing, and deeper international partnerships. Yet, the proposed cuts target precisely those functions.This raises a more fundamental question: what is the administration’s theory of cyber defense?If the goal is to reduce federal overreach, that is a legitimate policy debate. But the current approach does not simply scale back — it selectively removes the connective infrastructure that enables decentralized defense to work. Without federal coordination, the burden shifts to actors who often lack the resources, visibility, or expertise to manage nation state cyber threats on their own.Congress has seen this dynamic before. In prior budget cycles, lawmakers from both parties rejected proposals to significantly cut cyber funding, recognizing the mismatch between rising threats and reduced investment. There is little reason to believe the underlying risk calculus has changed. If anything, it has intensified.The United States is entering a period of heightened geopolitical tension, where cyber operations are increasingly integrated into broader military and economic strategies. In this environment, underinvesting in civilian cyber defense is not a cost-saving measure — it is a strategic liability.A credible cybersecurity strategy requires more than strong rhetoric. It requires sustained investment in the institutions, partnerships, and capabilities that make defense possible. Right now, the budget and the strategy are moving in opposite directions. Congress should close that gap.Jiwon Ma is the senior policy analyst at the Foundation for Defense of Democracies’ Center on Cyber and Technology Innovation, where she contributes to the work of CSC 2.0.The Cipher Brief is committed to publishing a range of perspectives on national security issues submitted by deeply experienced national security professionals. Opinions expressed are those of the author and do not represent the views or opinions of The Cipher Brief.Have a perspective to share based on your experience in the national security field? Send it to Editor@thecipherbrief.com for publication consideration.Read more expert-driven national security insights, perspective and analysis in The Cipher Brief