Lawmakers push back on Trump's cyber budget, press on COVID-19 response
- By Derek B. Johnson
- Mar 11, 2020
The Cybersecurity and Infrastructure Security Agency will need an assist from Congress to implement some of the broader recommendations from the Cyberspace Solarium Commission and coordinate federal and nonfederal responses to emerging threats.
At a March 11 House Homeland Security hearing with CISA Director Chris Krebs, lawmakers sought to tease out what funding and resources the agency might need after the president's spending plan called for hundreds of millions of dollars in cuts to the agency's budget. Rep. Cedric Richmond (D-La.), who chairs the Cybersecurity and Infrastructure Protection Subcommittee, said he didn't "understand how a cut of that magnitude makes communities trying to defend themselves against ransomware attacks, federal networks or critical lifeline services from power to communications any more secure."
He wasn't alone in his skepticism, with Rep. John Katko (R-N.Y.) stating that cutting CISA's budget "is really not a good idea at all." Rep. Mike Rogers (R-Al.), ranking member for the full committee, offered even blunter words.
"I can tell you these cuts are not going to take place," Rogers stated.
Members were more interested in what additional resources they could provide to the agency, particularly on the heels of a new report released by the Cyberspace Solarium Commission that dubbed CISA "the key" agency to coordinate cybersecurity reform within the executive branch and called on Congress to strengthen and empower the agency further.
The report also called for Congress to beef up a pre-existing integrated cyber center at the agency that brings different public- and private-sector groups together to focus on critical infrastructure and the creation of a Joint Cyber Cell to coordinate cybersecurity planning and readiness in the federal government and private sector.
Richmond's subcommittee sits at the legislative nexus of many of those reforms, and he pressed Krebs to outline what his agency needed to implement the report's recommendations.
Krebs suggested the enhancements in coordination proposed in the report would require creative thinking to create a centralized collaborative space, noting that his agency has nine different facilities across the national capital region, and it's not always easy for other stakeholders to get cleared for access in a timely manner.
"We just need to make sure that we have the access for our private-sector partners to the facility so that we can accommodate [them] and make it an experience they want to participate in," Krebs said.
Other recommendations, like strengthening the National Risk Management Center to focus on continuity of the economy and bolstering CISA's cybersecurity workforce, will likely require congressional action, Krebs said. The agency currently has 655 job vacancies -- including 151 that focus on cybersecurity -- and the hiring process "from identifying the job to actually getting a person in a seat with a PIV card and a machine ready to go" takes an average of 240-260 days.
CISA has set up a task force to explore where the bottlenecks in the hiring process are and has explored ideas like reducing and creating seasonal positions that focus solely on the hiring process. Ultimately, fulfilling the vision laid out by Congress and the Solarium will require an investment that allows the agency to send employees out across the country on different missions.
"To be successful in this space, to be truly a customer-centric organization, I have to have personnel out in the field," he said. "Not just engineers here in D.C., but customer service professionals out where our partners are, and that's going to require significant investment in personnel."
Coronavirus and cyber
Lawmakers were also keen to get a better sense of how the agency was dealing with some of the cybersecurity implications of the ongoing coronavirus outbreak. The government and private industry have warned of a steep rise in phishing attacks that leverage concern over COVID-19 to entice users to click on malicious links. CISA also put out guidance in the past week on risk management strategies to protect industry, critical infrastructure and supply chains from infection and logistical failures during the outbreak.
As federal agencies loosen restrictions on telework in an effort to slow the spread of the virus, CISA has started to examine how a surge of remote employees could affect the security of federal networks. Such a shift changes the attack profile for many employees who take their work computers home with them and connect from less secure private home networks. Krebs advocated for the use of virtual private networks that are patched and up to date.
There has also been a surge of disinformation around the virus in recent weeks. Sen. Mark Warner (D-Va.) wrote a March 11 letter to the White House task force led by Vice President Mike Pence to say he was "deeply concerned" about the administration's approach to combatting false information about the outbreak. In particular, he accused President Donald Trump of amplifying false information about the severity of the problem and urged the task force to develop a strategy for countering misinformation and disinformation from foreign and domestic actors.
"I believe that, left unaddressed, this misinformation and conflicting messaging will undermine our ability to respond to COVID-19 by reducing public confidence in ongoing public health efforts, creating economic uncertainty and causing the public to respond in counterproductive ways," Warner wrote.
Officials are also grappling with how false information campaigns about coronavirus might be weaponized to impact the presidential elections taking place in November. Krebs said CISA stood up a coordination cell in early February that has been focused on how the virus could impact the federal government, the upcoming 2020 elections and the general public.
"We had a call last week with about 600 state and local election officials about … what are we seeing in the [disinformation] space and how can we dispel any sort of coronavirus or COVID impacts on voter turnout for instance," said Krebs.
Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.
Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.
Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at [email protected], or follow him on Twitter @derekdoestech.
Click here for previous articles by Johnson.