House approves cyber funds in relief package as officials press for more

The House on Wednesday allocated almost $2 billion toward cybersecurity and technology modernization as part of passing the American Rescue Plan, which officials described as a “down payment” on the funds needed to fully confront recent massive foreign cyberattacks. 

The COVID-19 relief bill, which was approved Wednesday by the House along party lines and now goes to President Biden for his signature, included $650 million in funding for the Cybersecurity and Infrastructure Security Agency (CISA). The funds are meant to boost federal cybersecurity and protect the vaccine supply chain, which has come under attack by hackers. 

The legislation also included $1 billion for the General Service Administration’s Technology Modernization Fund to update outdated IT systems and $200 million for the U.S. Digital Service.

Biden is expected to sign the bill, which was approved by the Senate last week, on Friday. The cyber funds were not originally included by the House in its version of the COVID-19 relief package and fall far short of the almost $10 billion in cyber and tech funding originally proposed by Biden. 

The funds were included in the administration’s proposal in part due to the ongoing fallout from what has become known as the SolarWinds hack. 

The incident, ongoing for a year prior to discovery in December, involved sophisticated Russian hackers gaining access to up to 18,000 customers of IT company SolarWinds, with at least nine federal agencies and 100 private sector companies compromised by the breach. 

The hacking incident has been compounded over the last week by the discovery of a new massive cyber espionage incident. This involved state-sponsored Chinese hackers and several other hacking groups exploited previously unknown vulnerabilities in a Microsoft email application to compromise potentially thousands of U.S. and global organizations. 

CISA is one of the key federal agencies responding to both incidents as well as to a recent unsuccessful effort by a hacker to poison the water at a water treatment facility in Oldsmar, Fla.

In the face of this massive array of threats, acting CISA Director Brandon Wales on Wednesday urged Congress to provide more funds and resources to allow CISA to better protect the nation. 

“$650 million … is a down payment. It accelerates some of these efforts, but this is going to require sustained investment,” Wales testified to the House Appropriations Homeland Security Subcommittee on Wednesday. “It will also increase the visibility for agencies themselves, and those agencies themselves are going to need additional resources to make sure they can fully leverage the improved capabilities that we will be deploying.”

Eric Goldstein, the executive assistant director of cybersecurity at CISA, also urged Congress to provide further cybersecurity funds beyond the $650 million in the COVID-19 relief package, in particular to enable CISA to ramp up threat vulnerability hunting in agency networks and its incident response capacity.

“This investment will absolutely make a demonstrable impact in federal cybersecurity, but at the same time, it is an incremental step,” Goldstein testified at the same hearing.

Bipartisan members of the subcommittee expressed support for further resourcing CISA in the face of its mounting workload.

Subcommittee Chairwoman Lucille Roybal-Allard (D-Calif.) pointed to the SolarWinds and Microsoft incidents along with the Florida water poisoning incident in stressing that “it is clear that we need to be investing much more in preventing, mitigating, and responding to cyber intrusions and attacks.”

Subcommittee ranking member Chuck Fleischmann (R-Tenn.) praised CISA for executing its sometimes “thankless” job in protecting federal critical infrastructure with limited resources. 

“Given the speed at which technology advances and the skills and abilities of bad actors with it, we must ensure we are doing everything we can to keep up with new advancements, allowing ourselves the ability to both better recognize our shortcomings and better protect, identify and respond to any future attacks,” Fleischmann said at the hearing.

When asked about a dollar amount to spend on cybersecurity, Goldstein was unable to quantify it. Rep. Dutch Ruppersberger (D-Md.) responded that the amount would likely “knock our socks off.”

“I believe that we need to look at cybersecurity as independent of this committee and have a direct line to the president, this is so serious,” Ruppersberger said Wednesday. “If we don’t start taking this seriously, we are going to put all our citizens in this country at acute risk.”

The Biden administration, with CISA a key element, is currently engaged in responding to and investigating both the SolarWinds and Microsoft incidents, and Biden’s recently released interim national security strategy stresses the need to make cybersecurity “an imperative across the government.”