Proposed budget legislation for the Department of Homeland Security will provide a $334.1 million boost to the Cybersecurity and Infrastructure Security Agency if it passes in its current form.
Lawmakers on the Department of Homeland Security subcommittee will tomorrow mark up draft fiscal 2023 funding legislation before it is considered by lawmakers on the full House Appropriations Committee.
Under the proposals, CISA will receive $2.93 billion, $417.1 million more than its request, split among cyber and infrastructure security, emergency communications, integrated and risk management operations, stakeholder engagement and requirements, and mission support.
Lawmakers cited increased cyberattacks and threats to critical infrastructure — particularly in light of the Russian invasion of Ukraine and encroachment in the Arctic — as the reason for the additional funding. But CISA’s mission set, under the direction of Chris Krebs and now Jen Easterly, has been expanding in spite of the agency’s newness.
“Russia is clearly an accelerator of increased cybersecurity spending and management, which is to the good,” Jonathan Reiber, vice president of cyber strategy and policy at AttackIQ, told FedScoop. “But these investments are long overdue to bring the U.S. government into a place where it is in a strong enough position commensurate with the threat.”
CISA now handles red teaming and penetration testing for agencies at all levels of government, breach notifications, reporting and analysis, alerts, and technology recommendations and oversight.
The Shields Up campaign helping individuals and organizations defend against cyber intrusions, particularly from Russia, exemplifies the “good work” CISA does on the prevention side, Reiber said.
“But then you need to validate those shields are working,” he added.
AttackIQ finds security programs generally operate at about 30% to 50% effectiveness against known cyber tactics, techniques and procedures.
CISA has historically struggled to help states ensure their election security infrastructure is effective through red teaming and penetration testing due to staffing, technology and process limitations, Reiber said.
Reiber would love to see CISA use any additional funding it ultimately receives from Congress to launch an automated testing function that remotely helps states improve their cyber effectiveness continuously.
Many states are lucky to test their systems once a year, which is why CISA has begun pivoting to automated security control validation, Reiber said.
Other areas where CISA needs additional funding include outreach, tabletop exercises like those conducted by the Joint Cyber Defense Collaborative, and forensics and analysis capabilities that have already improved thanks to the MITRE ATT&CK framework, he added.
CISA’s budget is a far cry from that of the Department of Defense’s at about $500 billion or even the FBI’s at about $50 billion, but it continues to tick up.
Additional funds were flagged for border security, Coast Guard maritime security, a new pay system for Transportation Security Administration on par with other federal workers, and more dignified migrant processing.
House Appropriations seeks about $100 million for border technology, $20 million for innovative technology and $50 million for non-intrusive inspection technology at points of entry within Customs and Border Protection.
The bill would further restore $4 million in TSA pipeline security funding cut in fiscal 2022.
Lastly the DHS Science and Technology Directorate would see an increase of $77.4 million to $963.8 million for, among other things, research, development and innovation and University Centers of Excellence.
“From dramatic investments in our nation’s cyber infrastructure to prevent increasingly pervasive cyberattacks to ensuring our Coast Guard has the tools it needs to protect our country from Russian aggression in the Arctic, this bill is key to bolstering our national security,” said Rep. Rosa DeLauro, D-Conn., the committee chair.