Homeland Security Secretary Alejandro Mayorkas told lawmakers Thursday that he’s a proud “cheerleader” for the Cybersecurity and Infrastructure Security Agency as some on the Hill expressed concern about adequate funding for the component in the face of massive cyber attacks such as those conducted on SolarWinds and Colonial Pipeline.
In the House Homeland Security Committee hearing to review the president’s budget request for the Department of Homeland Security, Mayorkas highlighted a $655 million investment toward modernizing land ports of entry, $345 million for U.S. Citizenship and Immigration Services to tackle its backlog of applications and increase refugee admissions, $532 million above fiscal year 2021 for climate-change resiliency, and $131 million to counter domestic terrorism.
“In recognition of the growing threat of cyber attacks against both the public and private sectors, the president is requesting new resources for the Cybersecurity and Infrastructure Security Agency, which leads DHS in interagency efforts to defend against today’s threats and promote cyber resilience,” Mayorkas said.
“[The budget request] provides $2.1 billion for cyber activities, which builds on the $650 million already provided to CISA in the American Rescue Plan to respond to government-wide breaches and boost cyber defenses,” he said. “It will also allow CISA to enhance its cybersecurity tools, hire qualified experts, and obtain support services to protect and defend critical infrastructure and federal information technology systems.”
Chairman Bennie Thompson (D-Miss.) said that the Biden administration “has sought to improve federal network defenses, better manage supply chain risk, and work with the private sector to improve cybersecurity across critical infrastructure sectors,” while “much more must be done to provide funding, personnel, and authorities to address this growing threat.”
“While the president’s request makes modest increases to CISA’s budget, CISA needs sustained, robust funding to carry out its mission and nimbly respond to evolving threats,” Ranking Member John Katko (R-N.Y.) said. “In the past six months, CISA has worked to mitigate multiple significant cyber incidents facing federal networks as well as a sharp increase in devastating ransomware attacks on our nation’s critical infrastructure.”
“You have also acknowledged that CISA needs to be the quarterback of the dot.gov domain and I appreciate that. And I fully agree,” Katko added. “But this budget fails to do that. I believe that CISA needs to be a $5 billion agency in five years and that is not going to happen with meager increases like you proposed in this budget.”
Mayorkas told Katko that the two agree on the “mission of CISA, its criticality, as well as funding its future.”
“We have to make sure that the additional funds that we receive are expended wisely, efficiently, and effectively,” Mayorkas said. “We have requested additional funds for CISA. We so greatly appreciate your support, this committee’s support, and Congress’ support for the additional money we’ve already received for that agency.”
“Mr. Secretary, you’d admit, would you not, that CISA is completely overwhelmed with the amount of work they have right now?” Katko asked.
“I would not say that. I would say we are extraordinarily busy,” Mayokas responded. “We are incredibly focused on this, one of our most critical, urgent priorities, the cybersecurity of our nation.”
Katko countered that “given my discussions with the folks at CISA, it’s clear to me that they need more resources, and I would ask you to reconsider and speak to the administration about plussing this up.”
“We’re going to have to do this in the appropriations process,” the congressman said. “You are the one that’s going to be the guy that’s going to be the cheerleader for CISA. And a 6 percent increase, given what’s going on with cybersecurity in this country right now, just isn’t cutting the mustard.”
“I’m an incredibly proud to serve as the cheerleader for CISA, and I am undaunted and unrelenting in that regard,” Mayorkas replied.
The Senate Homeland Security and Government Affairs Committee sent President Biden’s nominee to run CISA, Jen Easterly, to the full Senate for a vote this week, along with Chris Inglis, nominated to serve as the first national cyber director. But Sen. Rick Scott (R-Fla.), who said he supports Easterly’s nomination, declared afterward that he is placing a hold on all DHS nominees until Biden visits the Mexican border.
“We’re hoping for her swift confirmation,” Mayorkas told the House panel.
Rep. Elissa Slotkin (D-Mich.) said that recent cyber attacks striking infrastructure sectors such as energy and food have underscored how “these attacks have really started to affect the average American.”
“You all at CISA are really the 911. You are the 911 call center for cyber attacks for our businesses, our local governments, and it’s critical that you be well-funded and well-staffed and ready to take on that responsibility,” she said. “…We are waiting for your questions, your concerns, your asks on money and resources.”
Mayorkas praised “champions on this committee with respect to the work of CISA” and said he was “grateful for the support that Congress has provided.”
“The model that we rely upon and that we are advancing is the public-private partnership. That is what is critical,” he said. “Not only the partnership across the federal enterprise, with respect to all of the government agencies that are invested in and dedicated to this effort, but a partnership with the private sector as well. It is so critically important. That is our focus.”
Rep. Yvette Clarke (D-N.Y.), who leads the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation, said she’s “concerned that we seem to keep relearning the same lessons from each other, each of these attacks.”
“We’ve asked CISA to do an enormous job, but we’ve given them next to no regulatory authority over privately owned critical infrastructure, nor do they have sustained visibility into threats on private networks,” Clarke said, adding that she’s working on legislation that would require critical infrastructure owners and operators to report cyber incidents to CISA and authorize capabilities CISA has built through a pilot called CyberSentry to monitor and detect threats to industrial control systems and operational technology in real time.
“I do believe that CISA’s visibility into what is happening across the country is critical to securing our homeland against cyberattacks. It is why the public-private information-sharing architecture is central to its strategy,” Mayorkas said.
“We are very focused on resourcing CISA,” he stressed. “We appreciate this committee’s and Congress’ support of CISA. We have developed teams that most effectively deploy to public entities as well as private entities, to assist them in remediation, to assist them in securing their cyber or enhancing their cyber hygiene, working with them to provide tools, education, and our expert resources when they are otherwise ill-equipped to do so.”
“We are very engaged in the partnership. The funding that we have obtained and that we hope to continue to obtain will further resource CISA to deploy those teams across the country. Because in cyber, as I’ve said repeatedly, we’re only as strong as our weakest link.”