Jim Langevin, Mike Gallagher: Cybersecurity agency needs $400 million more

The Cybersecurity and Infrastructure Security Agency is set up to fail unless it receives at least $400 million more in funding, a bipartisan pair of lawmakers warned.

The agency has collected $650 million from COVID-19 relief spending this year but recently disclosed that hacks mean the government must spend much more, the congressmen said.

Democratic Rep. Jim Langevin of Rhode Island and Republican Rep. Mike Gallagher of Wisconsin said coronavirus relief money would help fill gaps in the federal government’s networks, but the funding covered only one part of the CISA mission. They wrote to appropriators to plead for an immediate boost of hundreds of millions of dollars more of taxpayer dollars.

“Congress was right to give the agency new authorities that allow it to better defend our interests in cyberspace, but without requisite funding, we’re setting CISA up for failure,” Mr. Gallagher said. “It’s imperative we ensure CISA has the additional $400 million it needs to fulfill its mission in the coming year.”

Mr. Gallagher and Mr. Langevin are members of the Cyberspace Solarium Commission, which was created by Congress to develop a consensus approach to national cybersecurity policy and was modeled on the Eisenhower administration’s secret Project Solarium that studied options to confront the Soviet Union during the Cold War.

The lawmakers called for $400 million more for CISA, stressing a list of what they described as crucial needs:

• Expand engagement with the critical infrastructure sector;

• Targeted outreach including to state and local governments;

• Improving federal network resilience;

• Creating a cyber response and recovery fund for non-federal partners.

The total cost in the fiscal 2022 would be “no less than $2.425 billion,” the lawmakers said in the letter.

“Unless Congress steps up and funds CISA at the level our national security requires, our federal and critical infrastructure networks will remain vulnerable to threats from our adversaries,” Mr. Langevin said in a statement. “CISA must have the necessary funding to protect and defend Americans in cyberspace — our national security depends on it.”

Vulnerabilities in the federal government’s cybersecurity strategy became glaringly obvious last year with hacks involving SolarWinds computer network management software and Microsoft Exchange servers. The Biden administration identified Russia as the culprit of the SolarWinds intrusions that compromised nine federal agencies. Microsoft has pointed to China-based cyberattackers as responsible for hacking its servers.

The Biden administration imposed sanctions on Russia in response to the SolarWinds attack, and President Biden separately pushed for the $650 million of funding for CISA as part of his larger $1.9 trillion COVID-19 relief package.

A CISA spokesperson previously told The Washington Times that part of the $650 million would go toward improving cloud security across the federal government and “increase the visibility that CISA and other agencies have into federal civilian cloud environments.”

The COVID-19 relief spending was not expected to be a recurring expenditure, but Mr. Langevin and Mr. Gallagher vowed to push for more than $200 million of cybersecurity spending on an ongoing basis.

“While some of the activities enabled through ARPA funding will be one-time capital investments and discrete projects that will end by FY23, many of the most impactful expenditures — which we estimate could amount to $200-250 million — will require sustained funding to maximize the benefit to national security,” the lawmakers wrote. “Spending in future years will be further shaped by the need to sustain these new efforts to secure federal civilian networks.”