UPDATE: March 11, 2021: President Joe Biden signed the American Rescue Act into law Thursday.
Dive Brief:
- The House of Representatives passed the $1.9 trillion American Rescue Act (ARA) Wednesday, which President Joe Biden is expected to sign into law Friday. Included in the bill is $650 million for the Cybersecurity & Infrastructure Security Agency, short of the $690 million initially proposed.
- The law also promises $1 billion for the Technology Modernization Fund for FY2021, less than the $9 billion the Biden administration initially asked for.
- The U.S. Digital Services received $200 million, expected to remain available until September 2024, according to the law.
Dive Insight:
The Technology Modernization Fund historically received $25 million per budget cycle since it was authorized within the National Defense Authorization Act for FY2018. The jump to $1 billion will aid the fund's efforts in modernizing projects across agencies.
The appropriations to technology and cybersecurity within the ARA come as the federal government and private industry respond to two major hacks: SolarWinds and Microsoft Exchange.
Former President Donald Trump's FY2021 budget for CISA exceeded $1.7 billion, with $1.1 billion dedicated to the Continuous Diagnostics and Mitigations (CDM) program and National Cybersecurity Protection System (NCPS).
The agency wants its "resources fortified to ensure that we can meet demand in the future," said Eric Goldstein, executive assistant director of cybersecurity within CISA, during a House Appropriations hearing Wednesday. "Going forward, we must shift to a persistent threat hunting model."
CISA's additional budgets will likely go to the agency's "urgent improvements" in strategic growth areas, outlined by Goldstein:
- Increase CISA's cybersecurity risk visibility throughout the federal civilian executive branch
- Expand CISA's incident response abilities
- Improve data analysis for better threat response and mitigation
- Increase adoption of defensible networks, including zero trust solutions
On Feb. 18, the White House confirmed at least nine federal agencies and 100 companies were impacted by the SolarWinds software supply chain attack. While the attack remains in the realm of cyber espionage, officials say the scope of the hack has the potential to escalate to greater disruption.
"One of the things that bothers me about the SolarWinds and the Exchange hacks is that they appear on the surface to be espionage," Senator Angus King, I-ME, said in an emailed statement to Cybersecurity Dive. "It strikes me as intuitively likely that there is more to be known about what they have done, what they did," or plans to activate further malware.
Whether the damage from the SolarWinds hack is limited to espionage remains an open question, as Microsoft estimates the adversarial operations were performed by at least 1,000 engineers, according to King.
The Microsoft Exchange compromise thus far hasn't impacted any federal agencies, according to Goldstein.
Goldstein said the majority of Microsoft Exchange servers across federal agencies have been patched since CISA issued its emergency directive.
CISA has taken steps to mitigate risks in the technology supply chain, including the Federal Acquisition Supply Chain Security Act in 2018. But the SolarWinds compromise highlighted how "we need different approaches to work with them," following the malicious Orion patch, said Brandon Wales, acting director of CISA, during the hearing.
The White House is also drafting an executive order focused on software security and the supply chain. Deputy National Security Advisor Anne Neuberger wants organizations to be able to determine how the "level of visibility has to match the consequences of the failure of the systems," she said during a webcast March 5.