Cyber Hacks Spur Policymaker Response

By Dale Oak

The latest well-publicized attacks on computer systems — from the SolarWinds breach to the Oldsmar, Florida, water treatment system attack — have sparked more interest in cybersecurity in Washington. The hacks exposed serious fault lines in the U.S. cyber posture, and we expect the Biden Administration and Congress to try to correct these deficiencies.

Congressional attention to protecting the nation’s technology, data, and critical infrastructure from intrusions was on the increase even before the recent attacks. Expanded telework and telehealth during the pandemic raised the bar for protecting essential government networks.

Recent legislative actions include the FY21 National Defense Authorization Act, which was written before the SolarWinds hack was publicly reported. The bill includes more than 75 cyber-related provisions, including 25 recommendations of the Cyberspace Solarium Commission, a bipartisan group of policymakers and experts charged with developing a strategic approach to protecting the U.S. against cyber attacks. Among the enacted recommendations are the establishment of a Senate-confirmed National Cyber Director who will be the principal advisor to the President on cybersecurity policy and strategy, increased authority for the Cybersecurity and Infrastructure Security Agency (CISA) to protect federal networks, and creation of a biennial National Cyber Exercise.

President Biden has prioritized cybersecurity. In a February 4 speech at the State Department, Biden announced the launch of “an urgent initiative to improve our capability, readiness, and resilience in cyberspace.” While details of this initiative have not yet been announced (as of March 5), Anne Neuberger, the new Deputy National Security Adviser for Cyber and Emerging Technology, stated on February 17 that executive action is being considered “to address the gaps we have identified” from the SolarWinds hack investigation.

Expect strategies to address cybersecurity in Biden’s first speech before a joint session of Congress, likely in March, and in his first budget to Congress. We expect Biden’s “Build Back Better” infrastructure plan to include technology funding. Further, the President’s COVID-19 “American Rescue Plan” originally proposed $9 billion for the Technology Modernization Fund (TMF) and $690 million for CISA. Early on March 6, the Senate approved a version of the American Rescue Plan that includes $1 billion for TMF and $650 million for CISA. That version of the bill will be considered by the House the week of March 8 and is expected to be approved by the House and signed by the President.

In addition to Neuberger, who has the lead on the administration’s SolarWinds response, other key cyber personnel have been named by the Biden Administration. Chris DeRusha, a former OMB and Department of Homeland Security (DHS) cybersecurity official, is OMB’s new Federal Chief Information Security Officer. Nitin Natarajan, who served as President Obama’s director of critical infrastructure policy at the NSC, is Deputy Director at CISA. CISA’s Executive Director for Cybersecurity is Eric Goldstein, who served at DHS during the Obama Administration. Although announcements have not yet been made regarding National Cyber Director and CISA Director, leading candidates have reportedly been identified.

Leaders of key congressional committees are also elevating cyber policy. On February 3, House Armed Services Committee Chairman Smith (D-WA) announced the creation of a new Subcommittee on Cyber, Innovative Technologies, and Information Systems, chaired by Rep. Langevin (D-RI), to focus more directly on cyber issues. In the Senate, Homeland Security and Governmental Affairs Committee Chairman Peters (D-MI) and Ranking Member Portman (R-OH) announced shortly after the SolarWinds disclosure that they will “hold hearings and work on bipartisan comprehensive cybersecurity legislation.” On February 23, the Senate Intelligence Committee held a hearing on the SolarWinds breach.

We’ll take a closer look at a key House committee hearing held on February 10. The Homeland Security Committee heard from experts on “Assessing Cyber Threats and Building Resilience.” Among those testifying was Chris Krebs, the former CISA Director who was fired by President Trump in November. Krebs called for a “bolder vision from government” and offered five recommendations to improve the nation’s defenses against cyber attacks.

Recommendations of Former CISA Director Krebs
  1. Continue to invest in CISA’s National Critical Functions (NCFs) Initiative, improve our understanding of the risk facing our Nation’s infrastructure, and expand rollout to the highest-risk functions.

  2. Prioritize identification of systemically important enterprise software and services, update federal contracting for greater transparency and sharing, and launch operational defensive partnerships called for in the 2021 National Defense Authorization Act.

  3. Launch a national countering-ransomware initiative to improve defenses, disrupt the ransomware business model, and use a broader set of authorities against actors.

  4. Proceed with Department of Commerce rulemaking on Executive Order 13984, “Taking Additional Steps to Address the National Emergency With Respect to Significant Malicious Cyber-Enabled Activities” to counter adversary abuse of Virtual Private Servers.

  5. Improve Federal cybersecurity posture through enhanced governance, increased funding, and centralized services offered by CISA.

Source: Testimony of Christopher C. Krebs Before the Committee on Homeland Security, U.S. House of Representatives, February 10

Krebs discussed the need for additional funding in CISA’s budget. He noted that within CISA’s total budget ($2.1 billion in FY20), about $1.2 billion (57%) goes to cybersecurity investments and programs. Of the $1.2 billion, about $800 million is for two programs: Continuous Diagnostics and Mitigation and the National Cyber Protection System. This leaves a few hundred million dollars “for incident response and actually very little, frankly, for broader engagement with the critical infrastructure community.” Krebs stressed the importance of additional CISA funding to engage directly at the state and local levels on critical infrastructure.

He also advocated for investing in private sector cyber capabilities and increasing support to “all levels of government,” including federal IT modernization and state and local government grant programs. Further, he suggested that information sharing with CISA be allowed in federal agency IT contracts so CISA can be better informed about the specifics of agency cyber incidents.

“Cyber security risk management, supply chain risk management, third party trust and assurance, and critical infrastructure protection are now inexorably linked.”

House Committee on Homeland Security Ranking Member Katko (R-NY), February 10

The experts testifying at the House Homeland Security Committee hearing agreed that CISA’s legal authorities to oversee and improve the federal government’s cyber posture need to be enhanced. They asked the committee to consider increasing CISA’s operational responsibilities over federal civilian cyber defenses by becoming a shared services provider for agencies’ cybersecurity needs. They also discussed CISA taking over from OMB the responsibilities of Chief Information Security Officer for civilian agencies (we expect OMB to object). The overarching premise of these proposals is to increase centralization of civilian agency cybersecurity under CISA.

Legislation is required to move forward on these proposals, and, while Committee members were receptive, there is no certainty on how Congress will proceed. The House Homeland Security Committee is in a good position to act. A DHS reauthorization is expected during the 117th Congress, and the Committee locked in an agreement to work collaboratively on the reauthorization with other House committees that have jurisdiction over DHS components. This collaboration is evident as the Homeland Security Committee and the Oversight and Reform Committee held a joint hearing on February 26 regarding “Weathering the Storm: The Role of Private Tech in the SolarWinds Breach and Ongoing Campaign.”

Real progress toward strengthening cybersecurity will require more than policy legislation. Increased funding is essential, and it falls to the House and Senate Appropriations Committees to fund increases to federal cyber resources and IT modernization. New Senate Homeland Security Appropriations Subcommittee Chairman Murphy (D-CT) stated that cybersecurity will be an important focus area for the subcommittee. On March 10, the House Homeland Security Appropriations Subcommittee will hold a hearing with CISA officials on “Modernizing the Federal Civilian Approach to Cybersecurity.” How the Appropriations Committees will proceed on funding will become more evident once the FY22 Biden budget is released and the committees hold budget hearings. Cybersecurity is traditionally a bipartisan issue, and we predict that the Appropriations Committees will increase funding to improve the nation’s cyber defenses.

FORECAST

Cybersecurity policy and funding will be major initiatives in the 117th Congress, with significant funding in an infrastructure initiative and in FY22-23 appropriations.

Editor’s note: an earlier version of this article was included in the February FBIQ monthly report.