We are running out of excuses. Budgets are finite. Threats are not. Leaders must stop treating cyber and physical border security as separate budget lines and start treating them as one fight. The wrong balance will create predictable gaps that adversaries and criminal networks will exploit.
Federal posture has shifted toward a major push on cyber defense. The Biden Administration’s National Cybersecurity Strategy and follow-on agency plans signal a deliberate rebalancing of responsibility toward network owners and technology providers, and an intent to invest at scale in federal cyber capabilities and resilience. That matters because defensive cyber failures cascade across sectors and can cripple border operations that now depend on networks, sensors, and industrial control systems.
At the same time, the frontline reality at our physical borders remains acute. Customs and Border Protection has invested heavily in non-intrusive inspection and other detection technologies at ports of entry to disrupt trafficking and smuggling. Congress and appropriators have continued to push funding for personnel, surveillance, and border technology because interdiction on the ground is still decisive for stopping lethal flows such as fentanyl. You cannot defend the border by cyber alone. You also cannot secure modern border systems by piling hardware at the line and ignoring the networks that run them.
There is a structural mismatch in how we plan and spend. GAO has repeatedly flagged cybersecurity as a high-risk area for the federal government and identified persistent workforce and oversight shortfalls. That underlines the simple fact that more money without better governance and measurable outcomes will not close the cyber gap. At the same time, metrics for physical border investments are often weak, and programs such as fencing, sensors, and towers are sometimes procured or deployed without rigorous, comparable measures of effectiveness. The result is parallel underperformance in both domains.
A pragmatic allocation framework
1) Prioritize by mission criticality and domino effects. Allocate first to capabilities whose failure would cascade into multiple critical national functions. Network integrity for border control systems, for example, is priority one because a breach can disable screening networks, corrupt manifests, and blind interdiction sensors. Invest in cyber controls for these systems before expanding physical deployments that depend on them.
2) Fund the defenders you need, where you need them. GAO-level workforce fixes are not academic. Hire, train, and retain cyber personnel attached to border missions. Situate cyber teams alongside operational units that run ports of entry and maritime and air operations. This creates faster detection and fixes operationally relevant vulnerabilities rather than siloed ticketing queues.
3) Treat technology as integrated systems. Procurement must require secure-by-design and supply chain assurances for scanners, sensors, and command-and-control platforms. CBP’s own push to apply AI and machine learning to non-intrusive inspection image analysis is an example of capability modernization that must be matched with secure software practices and incident response planning. Investing in advanced detectors is useful only if their firmware, network interfaces, and back-end analytics are hardened and monitored.
4) Invest in cross-domain force multipliers. Counter-UAS, persistent ISR, remote sensing, and resilient communications provide returns in both domains. A robust C-UAS program protects checkpoints and detention facilities from drone-enabled smuggling and protects critical comms nodes from physical attack. Persistent ISR, when paired with hardened data pipelines and rapid analytic push to operators, multiplies every dollar spent on boots and sensors.
5) Measure outcomes and reallocate dynamically. Create a single cross-cutting set of metrics that compares marginal risk reduction per dollar across cyber and physical investments. If scanning throughput at a port of entry yields measurable interdictions per million dollars spent and cyber hardening of that port reduces systemic failure probability by a larger margin, prioritize the cyber fix. If interdiction at the line reduces lethal shipments directly and immediately, fund it. Decisions should be driven by modeled risk reduction, not sacred program budgets.
Concrete short-term steps for policymakers and program managers
- Mandate cyber risk assessments for all border technology procurements, with required mitigations funded as part of the acquisition package. No more buying sensors and scanning portals without a funded plan to patch, monitor, and log them.
- Create integrated cyber-operations billets embedded at CBP and Coast Guard regional commands. Those billets must have authority to pause or isolate systems when indicators show compromise.
- Direct a portion of border technology appropriations to defensive cyber tooling and workforce for the systems that those technologies rely on. In practice this means tagging a percentage of border technology budgets for software assurance and operational security.
- Require scenario-based joint exercises that stress both cyber and physical layers. Test adversaries who combine supply chain attacks, malware, and targeted physical diversion to see which investments hold and which fail.
- Adopt outcome metrics and sunset poorly performing programs. If fencing, towers, or a particular sensor class consistently show low marginal benefit compared to other investments, reallocate. The alternative is budget inertia that locks in past mistakes.
Bottom line
This is not a binary choice. The question is not cyber versus physical. The question is what mix of cyber and physical investments reduces risk faster, cheaper, and with measurable effect. Right now federal strategy rhetoric and reality are misaligned. National strategies emphasize cyber. Appropriations and operations continue to pour money into physical posture. Both are necessary. The smart move is to stop pretending these are independent fights and to budget, measure, and execute accordingly. Do that and you will get more security for each dollar. Fail to do that and you will get expensive toys, brittle systems, and predictable failures the next time adversaries combine a network hack with real world violence.