Lawmakers Seek to Expand CISA's Role
Proposals Call for More Funding, Greater Responsibility
Several bipartisan congressional initiatives are seeking to expand the mission of the U.S. Cybersecurity and Infrastructure Security Agency.
The recently announced proposals call for CISA to beef up its staff, provide additional incident response services to organizations outside the government, conduct a five-year national risk management cycle review and take the lead in notifying the federal government about major breaches in all sectors.
Push for Additional Funding
On Monday, Reps. Jim Langevin, D-R.I., and Mike Gallagher, R-Wis., released a letter sent to the House Committee on Appropriations asking for a $400 million increase in funding for CISA as part of the fiscal 2022 federal budget so the agency can expand its mission.
"Despite the critical functions that CISA is currently performing, far more is required of the agency in order to build meaningful security in federal networks and national resilience to significant cyber incidents," Langevin and Gallagher - who each served on the Cyberspace Solarium Commission, which made a series of cybersecurity recommendations in 2020 - wrote in the letter.
CISA is continuing to investigate two major cyber incidents that happened in recent months - the SolarWinds supply chain attack and the hacking of vulnerable on-premises Microsoft Exchange email servers.
Langevin and Gallagher said their proposed boost in funding for CISA would enable the agency to hire more staff to help it better communicate with companies that oversee critical infrastructure and tackle other tasks. Some $20 million in funding would be provided to create a Cyber Response and Recovery Fund, which would enable CISA to provide additional incident response services to organizations outside the government.
"As CISA's statutory mission set grows, appropriations must grow to match the mandate," the lawmakers write in the letter.
The request for additional funding for CISA from Langevin and Gallagher comes a few weeks after the Biden administration asked Congress to boost the agency's budget for the fiscal year 2022 by $110 million to $2.1 billion to help enable the agency to address a range of cybersecurity issues. This would build on the $650 million provided to CISA under the American Rescue Plan Act - the COVID-19 stimulus package signed into law in March (see: Biden Seeks to Boost CISA's Budget by $110 Million).
Expanding CISA's Role
Other lawmakers have introduced proposals that would expand CISA's mission.
On Friday, Sens. Maggie Hassan, D-N.H., and Ben Sasse, R-Neb., introduced the National Risk Management Act. It would require CISA, which is part of the Department of Homeland Security, to conduct a five-year national risk management cycle review that would identify risks to the nation's critical infrastructure and report those results to the White House and Congress.
Once that assessment is complete, the president would then report to Congress on how the administration is working to address these risks and describe any action that may be necessary. By using a five-year cycle, the bill would help ensure CISA stays ahead of emerging threats, Hassan and Sasse say.
An assessment the U.S. intelligence community released earlier this month found that nation-states, including Russia and China, remain a threat to vulnerable critical infrastructure, such as the power grid and water treatment facilities (see: Intelligence Report: 4 Nations Pose Serious Cyberthreat to US).
"China and Russia are increasingly brazen in their use of cyber tools to get inside American critical infrastructure networks," Sasse says. "These critical systems must be more resilient. It’s time to get serious about the future of war and how we protect the systems that allow our daily life to run smoothly."
Meanwhile, Sen. Gary Peters, D-Mich., and Sen. Rob Portman, R-Ohio, introduced the Cyber Response and Recovery Act, which would require the secretary of the Department of Homeland Security to declare a "significant cyber incident" when there is a major breach or attack on a public or private network.
Since the SolarWinds attack was revealed last year, lawmakers have been pushing for a national law requiring breach notification (see: Senators Push for Changes in Wake of SolarWinds Attack).
The bill introduced by Peters and Portman would also establish a Cyber Response and Recovery Fund under DHS and CISA that's similar to the fund proposed by Langevin and Gallagher.
"Extensive breaches and attacks of public and private networks in just the last few months have compromised our national security and shown our nation is not adequately prepared to tackle evolving cyberthreats," Peters says.
A five-year national risk management cycle review by CISA, as called for by Hassan and Sasse, is needed to better address threats to critical infrastructure, says Tim Wade, a former network and security technical manager with the U.S. Air Force. He's now a technical director at the security firm Vectra AI.
"Failure to have a credible and timely recovery strategy places nontrivial strain on detection and response requirements, whereas protecting and enabling rapid recovery removes tension from the entire system," Wade says. "This move marks a step in the right direction, and even as the road ahead is long, we all have a vested interest in its success."
The various congressional proposals regarding CISA could go a long way toward addressing threats to IT and operational technology networks, says Joseph Carson, chief security scientist and advisory CISO at security firm Thycotic.
"One of the most vital areas to focus on is regaining visibility and control of the network as a whole, including the disparate IT and OT systems. In particular, this means having a firm command of how systems are accessed," Carson says.