3rd Party Risk Management , Critical Infrastructure Security , Cyberwarfare / Nation-State Attacks
Biden Seeks to Boost CISA's Budget by $110 Million
Additional Money Would Address a Range of Cybersecurity IssuesPresident Joe Biden is asking Congress to boost the Cybersecurity and Infrastructure Security Agency budget by $110 million to help enable the agency to address a range of cybersecurity issues following several high-profile incidents in the past six months. The increase is part of Biden's $1.52 trillion spending proposal for the coming fiscal year.
See Also: Gartner Market Guide for DFIR Retainer Services
The funding request for CISA in fiscal 2022 amounts to $2.1 billion, up $110 million from fiscal 2021. This would also build on the $650 million provided to CISA under the American Rescue Plan Act, the COVID-19 stimulus package signed into law in March, which sought to better protect federal and civilian agency networks during the pandemic.
The proposed funding for fiscal 2022 seeks to strengthen CISA by investing in cybersecurity tools and hiring qualified experts, Shalanda Young, the acting director of the Office of Management and Budget, noted in a letter to Congress on Friday.
Young wrote that the discretionary request will also prioritize countering threats from China and Russia - especially in the wake of the COVID-19 pandemic and the recent SolarWinds supply chain attack that led to follow-on attacks that federal investigators say affected nine federal agencies as well as 100 companies (see: SolarWinds Attack Illustrates Evolving Russian Cyber Tactics).
"The COVID-19 pandemic and the significant cyber incident impacting agencies through products such as SolarWinds continue to highlight the urgent need to modernize federal technology, with particular emphasis on mission essential systems and citizen-facing digital services," Young noted in her letter.
Budget Provisions
Key cybersecurity provisions contained within the FY2022 discretionary budget proposal include the following allotments:
- An additional $110 million for CISA, including $20 million for a Cyber Response and Recovery Fund, which seeks to assist organizations in purchasing equipment as part of their rapid response and recovery;
- $500 million for the Technology Modernization Fund, which supports organizations' infrastructure modernization from initial concept development to final deployment;
- $750 million as a reserve for federal agencies' information technology enhancements;
- $128 million to expand scientific and technological research at the National Institute of Standards and Technology.
Bolder Vision Sought
Although security experts welcomed the proposed additional budget allocation as a good start, some suggested the amount is insufficient to effectively counter emerging cyberthreats and called for a bolder vision.
"In the face of growing cyberthreats, President Biden has demonstrated a robust commitment to improving our nation’s cyber defenses, and I applaud his recognition of this urgent need," Rep. Jim Langevin, D-R.I., the co-chair of the Congressional Cybersecurity Caucus, notes. "While I believe the $110 million increase for CISA is a good start, I think we can be even bolder in our vision for the nation’s premiere cybersecurity agency. I look forward to working with the Biden administration to use this proposal as a starting point as we combat the threats of the 21st century."
Others were more critical.
"The cost to attack is far cheaper than the cost to defend, and organizations are struggling to protect themselves," says Monti Knode, director of customer and partner success at the security firm Horizon3.ai, who's the former commander of the Cyberspace Operations Group at the U.S. Air Force. "Agencies like CISA must play a critical role in helping secure not only our federal government, but U.S. businesses and people - all part of a vital public-private supply chain - from cyberthreats. $110 million is a nominal down payment for what will be a long and expensive endeavor."
Joseph Neumann, cyber executive adviser at the security firm Coalfire and a former network operation officer in the U.S. Army, says the proposed amount will only help CISA to put a Band-Aid on federal security issues. "As seen from the SolarWinds breach, CISA does not have a good inventory of all federal systems and possible compromise and entry points," he says. "The organization is reactionary at best. CISA would benefit more from wider reforms of federal information security to centralize security and responsibilities under one organization. Until centralization and consolidations occur, no matter how much additional $110-million-dollar asks CISA does, it is like throwing cups of water on a raging forest fire."
Speaking at an event on Wednesday, Christopher Krebs, the former CISA director, said the federal government should provide more funding to state and local agencies to enhance their cybersecurity infrastructure and help mitigate the risk of ransomware attacks (see: Krebs: States Need a Cyber Funding Boost).
"I really think that it is well past time for a 21st-century digital infrastructure investment act, where we provide the equivalent of block grants to state and local [agencies], where they can modernize their IT infrastructure," said Krebs, who now runs a security firm, the Krebs Stamos Group, with former Facebook CISO Alex Stamos.
But Austin Berglas, former assistant special agent in charge of cyber investigations at the FBI's New York office, and now global head of professional services at cybersecurity firm BlueVoyant, described the additional funding as potentially a very big win for the U.S. government "if utilized properly, with the purchase of additional technology properly balanced with the appropriate onboarding of experienced personnel."
Biden Administration Initiatives
In March, President Biden unveiled a $2 trillion infrastructure spending plan that the White House says will create new jobs and boost the economy. Some analysts faulted the administration for not offering more specific cybersecurity provisions within the plan, but others believe investments in improving infrastructure, such as modernizing the nation's electrical grid, will translate into better security (see: Biden's Infrastructure Plan: 3 Cybersecurity Provisions).