Inside Cybersecurity

Cyber policy leader Schwartz: CISA funding boost shows growing confidence in agency’s mission

By Sara Friedman / March 16, 2022

The new omnibus appropriations act provides CISA $2.6 billion to fund its operations for fiscal 2022, a large increase that shows the value of the cyber-focused agency and a sign of confidence from lawmakers, according to Ari Schwartz, a former White House cyber director and private sector leader on cybersecurity.

The appropriation is $460 million above the White House’s request and provides significant increases for threat hunting, vulnerability management and stakeholder engagement.

“The White House and CISA’s requests showed confidence in what the agency can do going forward but the final result shows a real confidence and expectation from the appropriators and oversight committees for CISA and what they are going to do in the future,” Schwartz said.

President Biden signed the major government spending bill into law on Tuesday, a package including 12 fiscal 2022 appropriations bills and funding to address the Ukraine crisis. As part of the package, Congress passed the Cyber Incident Reporting for Critical Infrastructure Act, which sets up a regime for mandatory reporting under CISA.

Schwartz leads Venable’s cybersecurity risk management group and coordinates the Cybersecurity Coalition, which his firm describes as “a group of leading cybersecurity companies dedicated to educating policymakers on cybersecurity issues and promoting a vibrant marketplace for cybersecurity technology solutions.” Schwartz worked at the National Security Council as senior director for cybersecurity under the Obama administration.

He reflected on how far the Department of Homeland Security has come in the past 10 years on cybersecurity in an interview with Inside Cybersecurity, saying there were a “lot of doubters” at the time who questioned whether DHS “could be competent” in addressing cyber.

He said, “There are people now who are willing to say ‘We are on the verge of them being competent and competent enough that we need to fully invest in CISA doing this work moving forward.’ So that’s the turning point that I see in this bill.”

According to a bill summary, the legislation contains “$271.9 million to further advance CISA’s Cybersecurity Operations, including”:

  • a $119.5 million increase for threat hunting, including $95.5 million for the CyberSentry program;
  • a $64.1 million increase for vulnerability management;
  • an $11 million increase for the Multi-State Information Sharing and Analysis Center, for a total of $38 million for the center; and
  • a $32.4 million increase for the Continuous Diagnostics and Mitigation program for a total of $357.8 million for the program.

The legislation also includes $45.7 million for risk management operations and $19 million for “Stakeholder Engagements and Requirements.” The summary says the stakeholder funding includes a $10.5 million increase for Sector Risk Management Agency Management.

On vulnerability management, Schwartz said it was a priority for DHS in 2020 and “it’s a vote of confidence that they were able to do some of that. You hear that from industry as well, that they are working more closely [on it] and they hope CISA can do more.”

The 2021 cyber executive order tasks CISA with carrying out several mandates to help agencies secure their networks.

Schwartz said the appropriation “helps CISA to realistically get staffed up to do some of the things they have been doing the planning for from the EO,” while noting that it will be a “gradual process.”

“When the EO came out,” Schwartz said, “the government had been under-investing in cybersecurity for a long time and this is demonstrating that Congress understands that and the fact that you had to get the skills and policies in place so when the money came in, it would actually be used in the right way.”

He added, “We’ve had a year of planning from the EO, now you get some of the pieces to implement it.”

When it comes to incident reporting, Schwartz said “the bill gives CISA an incredible amount of leeway on the writing process” and the rulemaking will need to be “written in a way” that will not overwhelm the agency in terms of the volume of reports.

Schwartz said, “It means they have to either truly staff up to deal with all of the reports they get or more hopefully they focus on the reports they want from each sector [so] they get things they can actually handle in the right way.” Automation can help with the volume, Schwartz said, and another approach is to “not jump on every potential incident and focus on the major ones, themes.”

“If they start to see three or four similar incidents from the same sector,” Schwartz said, “CISA could focus on those rather than jumping onto every one that comes in.” The FBI and interagency counterparts will also need to be involved, he said.

Robert Sheldon of CrowdStrike also weighed in on what the upcoming incident reporting regime will mean for industry.

Sheldon said in a statement, “To assist victims and reduce impact, it’s important that CISA and other relevant government agencies get timely access to information about significant cyber threats and ransomware attacks. Cyberattacks targeting critical infrastructure have grown increasingly severe and impactful over the past couple of years, and U.S. agencies have relevant authorities and capabilities that can help combat these malicious activities.”

Sheldon, CrowdStrike’s director of public policy and strategy, said, “Importantly, this law closes some visibility gaps for investigators and responders, and this can help strengthen infrastructure sectors’ security posture overall. But individual providers should still endeavor to utilize security best practices for the purposes of proactive defense. These include priorities identified in the May 2021 Executive Order on Improving the Nation’s Cybersecurity, like use of zero trust, endpoint detection and response, and sound log retention practices.”

He added, “Some critical aspects of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 must still be resolved through rulemaking. CrowdStrike will engage in industry consultation processes during that phase as appropriate.” -- Sara Friedman (sfriedman@iwpnews.com)