The Department of Homeland Security’s cyber division, a key government agency charged with helping stop and respond to cyberattacks, might be getting ready for a bigger role in the spotlight.
One key House committee advanced legislation in July to give the Cybersecurity and Infrastructure Security Agency an extra $400 million. Then, another committee on Sept. 14 separately advanced its take on legislation that would provide an additional nearly $800 million to the agency, which has a $2 billion total budget in the current fiscal year.
Those proposed funds come on top of another extra $650 million that Congress and President Joe Biden already provided to CISA in March through the American Rescue Plan focused on COVID-19 relief. And the recent moves on Capitol Hill to bolster CISA, an agency formally established only three years ago, aren’t limited to cash.
Both chambers of Congress are contemplating legislation that would make CISA the hub where vital companies would report major cybersecurity incidents, following the string of monumental cyberattacks that began with the SolarWinds breach in December. There’s also a renewed push to make the CISA director’s tenure a five-year term, mimicking the 10-year stretch granted to FBI directors on the principle that staggering terms across more than one presidential administration would insulate them against politics. (Former President Donald Trump fired ex-CISA Director Chris Krebs for his role in trying to refute misinformation around the 2020 election results.)
Together, it all adds up to a trend that has gathered momentum in the last couple of years and has picked up even more steam lately: Many in Congress want to make CISA more powerful.
“CISA is in a position now where Congress has publicly indicated, not just through words but through money and investment, both the trust and expectations it has in CISA,” said Matt Masterson, the former top election security official at CISA who’s now a non-resident fellow at the Stanford Internet Observatory.
The question now is not only whether those ideas become law, but whether Congress needs to do even more and if lawmakers even have the power to bolster CISA in the ways it needs.
“I’m hesitant to say we’re doing everything that needs to be done because I’m not even sure all of these things are absolutely certain yet,” said Josephine Wolff, an associate professor on cybersecurity policy at Tufts University.
Wolff fears that the Defense Department overshadows the relatively fledgling CISA on cyber, and isn’t sure how to rebalance that: “I don’t think it’s an easy question: How do you change the belief or the mythology around who’s good at cyber and who’s not in the government?”
First you get the money…
There are long-running debates about how much the federal government spends on cyber offense (the specialty of U.S. Cyber Command at DOD) versus how much it spends on cyber defense (the chief role of CISA). Biden’s budget blueprint for fiscal 2021 provides more unclassified DOD funding for cyberspace than for the entire federal civilian total combined.
But some of the congressional proposals on the table would enhance the defensive side.
In its first budget under the name “CISA” in fiscal 2018, the agency got a boost from when it was known as the National Protection and Programs Directorate, rising from $1.8 billion to $1.9 billion. That figure dropped in fiscal 2019 to $1.7 billion, before jumping again to $2 billion in fiscal 2020 and a little more in 2021.
For fiscal 2022, the Democratic-controlled House Appropriations Committee has approved $2.4 billion in CISA spending, a nearly 20% increase. The DHS spending measure awaits House floor consideration, while the Senate, which is also controlled by Democrats but more split politically, has yet to act on a DHS spending bill at any level.
Elsewhere, House committees have taken their turns putting their stamps on their respective sections of a $3.5 trillion tax-and-spending “Build Back Better” package. Under that process, last week the House Homeland Security Committee approved an extra $865 million for CISA — $400 million of which would be devoted to implementing Biden’s May executive order on cybersecurity. That overall bill faces more difficult prospects on the other end of Capitol Hill.
Rhode Island Rep. Jim Langevin, a Democratic member of the House Homeland panel, hailed the committee’s CISA funding boost as a “transformative investment.” Still, the top GOP member of the panel, New York’s John Katko, thinks CISA needs to have a budget closer to $5 billion to be the federal cybersecurity “quarterback.”
If lawmakers are able to get those funding boosts to the finish line, however, they’ll need to keep expectations in check about how quickly CISA can take advantage of them, said Masterson.
“It takes time to take those investments and turn them into tangible support, into tangible hiring and personnel moves that lead to the types of support services that Congress expects from CISA,” he said.
…then you get the power
Congress last year gave CISA a number of boosts to its authority in the annual defense policy bill. Perhaps the most prominent move was granting the agency the power to issue administrative subpoenas to track down owners of critical infrastructure with vulnerabilities that the agency discovered. CISA previously struggled at times to alert critical infrastructure operators with vulnerable systems.
This year, prominent proposals include cyber incident notification legislation, and the proposal to set the length of the CISA director’s term. Both ideas have the backing of top committee members with homeland security jurisdiction.
Several bills would give CISA varying degrees of power to compel critical infrastructure owners and operators, as well as perhaps other companies, to disclose when they’ve suffered a major or potentially major attack. The idea is to give CISA a jump to alert companies to urgent dangers before they spread.
Congress “really needs to be giving them the authority so that businesses have to report stuff to them so that there’s not this decision to just say, ‘We don’t want to engage with this at all,’” said Wolff.
Legislation that bipartisan leaders of the House Homeland Security Committee introduced in early September would set the CISA director’s term at five years. Although the idea has floated around Congress for years, backers say it took on extra meaning once Trump fired Krebs, as well as after the SolarWinds attack that compromised nine federal agencies.
“With cyber attacks on the rise, CISA, the lead federal civilian cybersecurity agency for the United States, needs consistent and stable leadership presiding over our nation’s cyber preparedness,” said chief sponsor Rep. Andrew Garbarino, R-N.Y., the top Republican on the House Homeland Security Committee’s cyber subpanel.
Other prospective bills could give CISA a role in determining the most vital, hackable systems and develop a mix of regulations and incentives for protecting them, as well as figuring out ways to further enhance information sharing at CISA.
Some of Capitol Hill’s work on invigorating CISA involves not just money and legislation, but oversight questions. The House Homeland Security Committee also recently held a closed-door briefing with National Cyber Director Chris Inglis on the lines between his authority, that of CISA Director Jen Easterly and that of Anne Neuberger, deputy national security adviser for cyber and emerging technology.
But if Congress gives CISA too much new authority too quickly, that, too, could create different problems, said Tatyana Bolton, policy director for cyber at the R Street Institute think tank. Cybersecurity “is one of the only places of bipartisan agreement” in Washington, Bolton said, suggesting that CISA could be a beneficiary of that cooperation. Yet the agency has spent years organizing for efficiency, meaning that more power could result in yet more reshuffling.
“So, throwing a lot of new authorities at it can be challenging,” she said.