CISA director says cutting agency’s budget would return it to ‘pre-SolarWinds world’

Pointing to the growing cybersecurity threat from China and the need to better safeguard U.S. critical infrastructure, Cybersecurity and Infrastructure Security Agency Director Jen Easterly defended the administration’s request to increase her agency’s funding by around 5% over last year to $3.1 billion.

The agency plans on prioritizing its work with state and local partners and smaller critical infrastructure operators that need more federal support to shore up cybersecurity defenses, Easterly told House Appropriation members during a Tuesday morning hearing. Any reduction in funding, she said, would “severely negatively impact” the work the agency has been doing with those stakeholders.

Furthermore, she said, if the agency’s budget falls below 2022 totals of around $2.6 billion or if the agency has to cut back on its regional partnerships, it would “put us back in a pre-SolarWinds world where we’ll lose that visibility that we’ve developed and that’s harmful to our security as a nation.”

A significant portion of the funding for CISA in President Biden’s fiscal 2024 budget — or about $100 million — would go toward implementing the Cyber Incident Reporting for Critical Infrastructure Act, which requires certain critical infrastructure operators to reports cyberattacks to the agency within 72 hours and ransomware payments within 24 hours. A rule making notice for the act is expect next March and full implementation of the law in September 2025.

Hiring is also a major priority for the agency. Easterly said that CISA is on track to hire more than 600 people by the end of the year.

The director also had a series of sober warnings on some of the emerging and current threats facing the nation. She called out machine learning, social apps such as TikTok and a Chinese-invasion of Taiwan as growing concerns the agency is monitoring. She warned that China is paying close attention to U.S. involvement in Ukraine and could consider a retaliatory cyberattack against American critical infrastructure if the U.S. were to get involved in any future Taiwan conflict.

The U.S. could potentially see Chinese cyberattacks against pipelines, she said, “because the big lesson of Colonial Pipeline is: what a great way to create panic, to incite societal panic to essentially up end how Americans are thinking about their safety and security,” Easterly said.

Easterly also added to the chorus of national cybersecurity officials warning about TikTok and China’s ability to potentially “influence the American public.” But while she supports a complete ban of the app in the U.S., Easterly noted it would be difficult to implement. Beyond TikTok, she said, there is “all sorts of Chinese technology that’s in our critical infrastructure supply chain. We need to be very concerned about that.”