U.S. FY 2024 Budget Proposal Indicates Global Cybersecurity Spending Trends

The U.S. administration proposed the nation’s FY 2024 budget last month (March 2023), seeking US$26.2 billion in cybersecurity allocations, which includes US$12.7 billion for civilian agencies, and US$13.5 billion for defense through the Pentagon. In comparison, this year’s (FY 2023) spending included approximately US$10.9 billion of budget authority for civil­ian cybersecurity-related activities, and US$11.2 billion for the Department of Defense (DoD).

While the DoD cybersecurity budget was almost flat in 2020 and 2021, standing at US$9.6 billion and US$9.8 billion, respectively, the recent increases indicate how cyberthreats are now perceived as a top risk by governments. The proliferation of digital crime, coupled with a spike in state-sponsored and hacktivist attacks after the Russian invasion of Ukraine have contributed to higher spending among states and the private sector. Other countries are following suit and some like China, Israel, and Germany indicate higher cybersecurity spending growth rates than the United States, although their overall spending is lower.

Along with more spending, governments are also increasing their footprint in cybersecurity regulation, enforcing minimum expected cybersecurity practices. For example, in the United Sates, most recently this month, the White House released its much anticipated “National Cybersecurity Strategy” seeking tighter regulation for industries and critical infrastructure vendors. The Biden administration seeks to push critical infrastructure industries to adopt secure-by-design principles and “ensure that systems are designed to fail safely and recover quickly,” the strategy says. In keeping with its substantial cybersecurity budget increases, the document also calls for “strategic investments” in the digital ecosystem, suggesting that increased funding for cybersecurity will be a continued trend in the foreseeable future. The strategy also allows for cyber-offensive operations instead of a purely defensive strategy, which could lead to new areas of spending and expansion.

News about the probability of a recession has been around for a while now. Regardless, the cybersecurity market will most probably display resilience in the face of an economic slowdown. Governments in North America and Europe are proposing larger  and costlier cybersecurity packages every year, while the private sector now views cybersecurity as a top priority, too. A big chunk of cybersecurity budgets is allocated to defense—more than half of cybersecurity spending in the case of the United States.

ABI Research forecasts that this trend will endure, especially given the fact that defense technology, and even military operations, are increasingly happening in the digital domain. This means a substantial portion of government budgets will ultimately go to defense and civilian contractors working in tandem with the government sector.

Still, almost half the other portion of the U.S. cybersecurity budget goes to civilian agencies. Part of this budget is allocated to increase critical infrastructure resilience in the energy sector, modernize public health data systems, and help the Department of Justice address security concerns regarding digital assets. Cybersecurity spending will be even more durable given that, in addition to operational and reputational risks, vendors can now be fined in some regions like the European Union (EU) if they do not take the necessary measures to secure their systems. Under the EU NIS 2 Directive, entities that do not abide by EU cybersecurity standards face “fines of a maximum of at least [€10 million] or of a maximum of at least 2% of the total worldwide annual turnover.”

While the FY 2024 U.S. budget faces an uphill battle to pass a Republican-controlled House of Representatives and will most likely experience modifications, the increase in spending proposals corresponds with the Biden administration’s goal to modernize federal cybersecurity. Considering the Biden administration’s 2021 cybersecurity executive order, a sweeping mandate for government agencies to adopt zero-trust security frameworks, and ongoing geopolitical tensions that involve some of the most active governments in state-sponsored attacks, future administrations are unlikely to change course in this area. It is most likely that cybersecurity spending in defense-related industries and critical infrastructure will continue to receive bipartisan support, similar to the support seen in the FY 2023 budget. The budgetary trends, along with the growing interest of government regulators in securing critical infrastructure, coupled with geopolitical tensions and state involvement in offensive cyberwarfare, indicate a burgeoning market for players in the cybersecurity landscape. These include industrial vendors, hardware and software Original Equipment Manufacturers (OEMs), and system integrators that can design and implement systems that are resilient to cyberattacks. The recent release of Washington's offensive cyber strategy may result in the emergence of new areas of conflict between the United States and its geopolitical rivals. This, in turn, could lead to the growing monetization of cyberwarfare, similar to conventional defense markets.