White House outlines cyber budget priorities, including making ransomware ‘no longer profitable’
The White House said Wednesday that it wants agencies across the U.S. government to prioritize disruption campaigns that are “so sustained, coordinated, and targeted that they render ransomware no longer profitable.”
Office of Management and Budget (OMB) Director Shalanda Young and Acting National Cyber Director Kemba Walden sent a letter to the heads of every executive department and agency outlining the Biden administration’s cybersecurity investment priorities for the 2025 fiscal year budget.
The letter says departments and agencies need to prioritize five different cybersecurity efforts when constructing their budgets: the defense of critical infrastructure, investments in resilience, international partnerships, using government purchasing power to shape the software market and dismantling threat actors.
One key focus of the letter is on offensive measures needed to stop hackers and cybercriminals.
“The Administration is committed to mounting disruption campaigns and other efforts that are so sustained, coordinated, and targeted that they render ransomware no longer profitable,” Young and Walden wrote.
“Budget submissions for departments and agencies with existing, designated roles in the disruption of ransomware should demonstrate how they: prioritize staff to investigate ransomware crimes and disrupt ransomware infrastructure and actors; prioritize staff to combat the abuse of virtual currency to launder ransom payments; and ensure participation in interagency task forces focused on cybercrime.”
The letter also urges agencies and departments to partner with international allies in efforts to identify and disrupt malicious cyber activity.
Federal agencies with overseas cybersecurity missions need to outline how they plan to create a “readiness posture to engage and assist partners when facing significant cyber attacks” as well as build or strengthen international partners’ cyber capacity.
The FBI and Justice Department, for example, took down the infrastructure of the Hive ransomware group in January after agents spent months inside the group’s systems. That operation came after the FBI and an unnamed foreign government hacked the servers of REvil in the summer of 2021, hiding in its systems until U.S. Cyber Command blocked its website by hijacking its traffic.
While both actions were lauded by experts, some questioned the long-term ramifications of conducting similar operations without the ability to arrest those behind the ransomware gangs – many of whom live in Russia or other countries where they have local protection from extradition.
Experts have called for similar offensive hacking actions to be taken against prolific ransomware gangs like LockBit and Clop, which have attacked hundreds of governments, companies and organizations in 2023.
Modernizing defenses and zero trust
Much of the letter focused on providing departments and agencies with basic guidelines on what should be prioritized for the 2025 budget. OMB and the Office of the National Cyber Director (ONCD) will review agency responses in their budget submissions and provide feedback on whether they adequately address the government’s overall cybersecurity strategy and policy.
Young and Walden urged agencies to make “durable, long-term” investments in cybersecurity solutions that are secure by design and mesh with the Federal Zero Trust Strategy – which at its core assumes that no device on a network should be trusted by default.
Zero trust as an overarching strategy has gained traction among federal cybersecurity officials in recent years after attacks like the SolarWinds breach and Microsoft Exchange hack illustrated what can happen once hackers have already broken through perimeter defenses.
The letter also implores agencies to prioritize technology modernization where agency systems are reaching end of life or end of service. Public-private partnerships also need to be scaled in an effort to defend critical infrastructure, the letter said, noting that all Sector Risk Management Agencies need to “develop a resource-informed plan to mature its capabilities, improve processes, and make use of technology solutions.”
The letter references one sent earlier this month by Young that reiterates the need for federal agencies to not only create a full inventory of the software they use but also “ensure software producers attest to conformity with secure software development practices.”
Companies producing software have to submit self-attestations to agencies that confirm their development practices meet minimum secure software development requirements.
Young and Walden also outline several ways agencies can use federal grants and more to build out security programs and beef up the cyber workforce.
Agencies are also asked to address potential threats that quantum computers may pose to encrypted data and systems by using services and software to “automatically inventory cryptographic systems and to begin transitioning agencies’ most critical and sensitive networks and systems to post quantum cryptography as directed to do so by OMB.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.