The US Cybersecurity and Infrastructure Security Agency’s efforts to combat disinformation about US elections and election infrastructure — a tiny part of its overall mission — may lead to budget cuts that affect CISA’s two principal responsibilities: defending federal networks and aiding critical infrastructure operators against cyberattackers.
Last month, half of House Republicans voted for an amendment to cut funding to CISA by 25%. In the US Senate, Senator Rand Paul (R-KY) has repeatedly blocked cybersecurity legislation, at least 11 times, over concerns that CISA and its parent, the US Department of Homeland Security, are censoring free speech.
Those legislative efforts are already hampering CISA from taking care of its responsibilities, and any deep cuts could disrupt its hard-won progress, says Josh Corman, former chief strategist for the COVID Task Force at CISA.
“I think cuts would be pretty catastrophic,” Corman says. “We are seeing increasing attack density across the 16 critical-infrastructure sectors. They should be growing the budget to handle those attacks, not cutting back.”
Among its efforts, CISA has embarked on extensive outreach to private industry, software makers, and cybersecurity firms. The agency releases dozens of advisories and guidance documents every month, such as a September warning covering the Snatch ransomware-as-a-service operation, and maintains a list of known exploited vulnerabilities that has become a boon for patch prioritization. CISA has also taken a major role in partnering with the software industry and open source communities to improve the security of open source software, even releasing its own tools for cyber defenders. Finally, the agency has committed to helping “target rich, cyber poor” organizations, such as small and midsize businesses and state and local governments.
Any funding cuts would reverse a history of bipartisan budget increases for CISA over the five years of its existence. For the latest fiscal year, Congress passed a $2.9 billion budget for 2023, up from $2 billion in 2020. The Biden administration requested $3.1 billion for the agency for 2024, allocating about 58% of the funds for the Cybersecurity Division, about 25% for missions support and basic services, 8% for integrating operations with state, local, and tribal partners, and 6% for infrastructure security, according to written testimony by CISA Director Jen Easterly to the House Appropriations Committee.
Overall, CISA has been fairly successful in getting programs up and running and in becoming a central resource for the federal government and critical infrastructure sectors, says Benjamin Jensen, a senior fellow with the Future War, Gaming, and Strategy group at the Center for Strategic and International Studies (CSIS).
“Do not underestimate even just the bureaucratic effort to set the organization up and to align the funding to build the workforce to … scale up the number of crisis response, critical infrastructure, and attack games they run,” he says. “The interagency coordination has been a monumental challenge.”
Critical Infrastructure Needs CISA
Since its creation in 2018, CISA has had to fight against both entrenched bureaucratic cultures and a tight cybersecurity labor market — forces that have hindered its effort to become a central repository of cybersecurity knowledge and a central service provider for both the federal government and critical infrastructure operators. In 2022, the Government Accountability Office (GAO) concluded that the agency had provided benefits to its stakeholders but needed to work more toward improving critical-infrastructure protection efforts and its cybersecurity services.
How much budget cuts would hamper the agency’s successful efforts with cybersecurity advisories, vulnerability management, and open source software security remains uncertain, but a lack of funds would certainly slow the agency down in running its programs. It stands to reason that security teams using the KEV catalog as part of their vulnerability management programs or relying on the open source tools for enterprise defense could potentially be affected if CISA’s work was throttled.
“As our nation continues to face complex and urgent cyber threats, funding at levels below the amounts that the administration has requested would put the safety and security of the critical infrastructure Americans rely on every day at serious risk,” says CISA spokesperson Avery Mulligan. “CISA’s expertise, combined with our partnerships with state, local, tribal, and territorial governments, as well as the private sector, have greatly improved our nation’s cybersecurity posture. Now is simply not the time to reduce our ability to carry out this critical mission.”
Right now, CISA’s progress among federal agencies and critical infrastructure sectors is significant but uneven. Some sectors, such as the Department of Health and Human Services and the healthcare sector, is “an unmitigated disaster,” says strategist Corman. The environmental sector and the food and agriculture sectors had minimal cybersecurity resources, he says.
“With 700 ransoms per year for hospitals, CISA is going to have to step up to help protect them,” Corman says. “A 25% cut will only further tie [America’s] hands behind our back. If we need more action on the designated critical infrastructure sectors — and we do — we will not be ready.”
Debating CISA’s Future
Despite the need for CISA to continue to bolster US cybersecurity, the agency is facing growing opposition from some members of Congress, angered by CISA’s statements validating the integrity of the 2020 election and by the agency’s efforts to combat election disinformation.
“CISA’s involvement in policing alleged mis- and disinformation, as well as malinformation — truthful information without ‘sufficient’ context — is a direct and serious threat to First Amendment principles,” states a report released by the Select Subcommittee on the Weaponization of the Federal Government, a group created by Republican representatives in January.
CISA gained authority for election security as part of its critical infrastructure duties, a responsibility inherited from its predecessor, the National Protection and Programs Directorate, following Russian attacks on the 2016 election. However, policing false statements about elections is arguably not among their responsibilities, especially if it threatens the agency’s operational missions due to the hyperpartisan nature of today’s politics, says Corman.
“CISA overly expressed one of its jobs — specifically, election security — and under-expressed their focus on critical infrastructure,” he says. “Misinformation seems pretty far afield from critical infrastructure, and when it comes to idea content, stay away from that.”
Funding Is Part of a Bigger Problem
Maintaining an adequate budget is not the only hurdle on the horizon for CISA. A major challenge continues to be hiring and retaining cybersecurity professionals. In August 2022, the most recent data available, CISA’s Cybersecurity Division was understaffed by 38%, a larger gap than the 33% shortfall a year earlier, according to a March 2023 report by the office of the inspector general at the Department of Homeland Security.
Funding will be critical to solving that problem and filling that pipeline, says CSIS’s Jensen.
“They’ve patched the flood of cyberattacks, but they now need to start anticipating where those next one will be through using that integrated data environment, through the joint collaborative environment, and then matching those to a cyber workforce that can actually get out in front of problems,” he says. “So more fire marshals, less firefighters.”