Despite “evolving intelligence about potential plans” that prompted the Department of Homeland Security to warn public- and private-sector entities to put their “shields up” to guard against malicious cyber activity, Russia has not been seen inflicting “specific attacks” on U.S. targets to date during the course of its war on Ukraine, Cybersecurity and Infrastructure Security Agency Director Jen Easterly told the House Appropriations Subcommittee on Homeland Security at a Thursday hearing to discuss CISA’s FY2023 budget request.
But Easterly stressed that CISA is “very concerned that as the war drags on, that there may, in fact, be retaliatory attacks given the very severe sanctions that we have imposed on the Kremlin.”
“There may be ransomware attacks or there may be cascading attacks as we saw with the destructive malware NotPetya in 2017,” she said.
The director told lawmakers that $2.5 billion requested for CISA by the Biden administration “represents a marked increase, nearly 18 percent more than last year’s request.”
“And it really recognizes our growing role in the security and resilience of our nation, the confidence in our ability to execute, and the intent to ensure that we have the tools necessary to keep our communities safe and secure,” she added.
Easterly stressed that “to effectively execute our role as the operational lead for federal civilian cybersecurity, the protection of the .gov, we have to advance our ability to actively detect threats targeting federal networks and gain granular visibility into the cybersecurity of federal infrastructure.”
“The budget provides federal cybersecurity funding, an increase — a total of $1.5 billion for CISA cybersecurity programs and activities that enable CISA and our federal partners to detect, analyze, mitigate, and respond to cybersecurity threats,” she said. “Within this amount, the budget includes $71 million for the [Joint Cyber Defense Collaborative] to ensure that we can continue cyber operational planning and partner engagement that are so critical to our nation’s collective cyber defense. The budget also includes $407 million for NCPS, $425 million for continuous mitigation and diagnostics, very important for that federal cybersecurity, to provide that technological foundation to really secure and defend federal civilian executive branch networks.” In addition, $174 million would “annualize what we got with the American Rescue Plan Act, incredibly important to continue, again, in protecting the .gov.”
“The budget also makes critical investments in mission-enabling. As we grow as an agency and being the newest federal agency in the U.S. government, we have to grow commensurately in the engine that drives mission,” Easterly continued. “So, procurement, facilities, human capital, our budgeting, it’s incredibly important to the success of everything we’re trying to do to include the execution of our budget. To support our operational capabilities, we’ve also asked for $175 million in infrastructure protection; $187 million for our growing field force that I’m incredibly excited about, working on the front lines with many of your constituents; $170 million for our emergency communications mission.”
“It also fully funds our risk management activities to include $115 million for our National Risk Management Center that deals with things like securing our supply chains, incredibly important. Finally, at the heart of our mission is partnership and collaboration. And that’s why $72 million for our stakeholder engagement activities, fostering collaboration and coordination, and, really, that culture of shared responsibility that is so important and foundational to our collective defense of the nation.”
Days before Russia invaded Ukraine in February, CISA advised that “all organizations — regardless of size — adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets” as the U.S. government was “mindful of the potential for the Russian government to consider escalating its destabilizing actions in ways that may impact others outside of Ukraine.”
Asked about the state of that cyber threat, Easterly told lawmakers that “malicious cyber activity is part of the Russian playbook.”
“And as we heard from the president, we know of evolving intelligence that the Russians are planning for potential attacks on our nation. And so, we have actually, for the past five-plus months, been working with our partners across the federal government, across private industry, and with our state and local partners to enable us to share threat information at declassified and unclassified levels with our Intelligence Community partners and all of the mitigation guidance that partners need to follow to ensure that they can drive down risk to their networks,” she said.
The director predicted “we could see three things… the threat that we see going on pretty aggressively, Russian cyberattacks against Ukraine. They could cascade out of the region and have an impact on the U.S. We saw that in NotPetya in 2017, a destructive malware that cascaded out of Ukraine, affected multinationals.”
“We could see Russian-aligned cybercriminals launch ransomware attacks, as we saw last summer in the Colonial Pipeline and JBS Foods,” Easterly continued. “Or we could see a deliberate attack by Russian state-sponsored actors against our critical infrastructure. And that’s why we’ve been working to ensure that everybody has their shields up and working collaboratively with our Joint Cyber Defense Collaborative, specifically with the technology companies, with the financial companies, with the energy companies, to ensure they have all the guidance they need to protect themselves.”
Throughout the hearing, Easterly emphasized the need for smaller public- and private-sector entities with small security staffs or budgets to be able to defend against cyberattacks.
“I think as we grow as America’s cyber defense agency, as we see a very complex threat environment that continues to get more complex and threat actors that continue to get more sophisticated and are very well-resourced, we look forward to working with this committee to make sure that we do have the capacity and the capability to be able to defend federal networks and to work with our critical infrastructure partners, some of which that are very target-rich but resource-poor,” she said. “Think of the small hospitals, the small schools, the water utilities. We need to be able to continually provide them no-cost services, tools, and assessments to ensure that they can raise that cybersecurity baseline. That’s why the grant programs are so important.”
The SolarWinds hack first reported by FireEye in 2020 “was really a wake-up call… that taught us a couple of key things,” Easterly told lawmakers.
“One, it taught us that we do not have the requisite visibility into the federal civilian executive branch networks to be able to effectively protect and defend them,” she said. “So, all of the improvements that we’ve looked to make over the past nine months to increase that visibility, to improve our architecture, to modernize, to be able to put in place Zero Trust, to really build more than just a network perimeter security mechanism is so important to really getting after that visibility issue.”
“And we have spent a lot of time doing that and some of our budget request speaks to those types of capabilities.”
Easterly highlighted how the partnerships CISA is forging with the private sector “who oftentimes are going to detect that malicious activity before we do are so absolutely critical in forging that collective defense.”
“And so, as we build more detected capabilities, as we continue to mature our continuous diagnostics and mitigation program, as we instantiate Zero Trust and secure cloud and multifactor authentication and endpoint detection and response, making sure that we’re also bringing together the private sector and the public sector,” she added. “To really build that common picture of the threat environment, I think, is going to be critical to solving this really challenging and complex problem.”