Spending bill includes large funding increase to boost cybersecurity

The Hill
·2 min read


The government funding bill sent to President Biden includes a surge in funding to the agency that oversees the nation's cybersecurity infrastructure and includes language that requires companies in critical sectors to alert the government of potential hacks.

The omnibus spending bill has a total $2.6 billion budget for the Cybersecurity and Infrastructure Security Agency (CISA), a $568 million increase above last year's funding level that surpasses the amount requested by the president.

The funding arrives as the U.S. braces for possible Russian cyberattacks following the West's forceful condemnation of its invasion in Ukraine and punishing economic sanctions.

Included in the budget is an extra $119.5 million increase for threat hunting and a $64.1 million increase for vulnerability management.

CISA's Integrated Operations Division, which provides services to state and local governments, will get a $17.1 million increase to aid in its regional support.

The bill also includes a Senate-passed measure that instates reporting requirements for companies that have been hacked.

Senate Homeland Security and Governmental Affairs Chair Gary Peters (D-Mich.) one of the authors of the bill, called it the "first holistic requirement for critical infrastructure operators to report cyber incidents so the federal government can warn others of the threat, prepare for widespread impacts, and help get our nation's most essential systems back online."

Though the Cyber Incident Reporting Act had passed the Senate unanimously, it had not yet been taken up by the House.

It requires major companies like oil pipelines, banks, electric grids and transportation systems to report cyber attacks within 72 hours and any ransom payments made within 24 hours.

Though the bill's reporting requirements mark a significant change, the FBI said it was left on the sidelines even after language was adjusted to allow CISA to share information with other agencies within 24 hours.

"In its current form it would make the public less safe from cyber threats - slowing aid to victims, hampering identification of other companies the same attackers are targeting, and undercutting disruption operations against cyber threats," FBI Director Christopher Wray said in a statement last week when the bill passed the Senate.

CISA, however, called the legislation a critical step forward.

"Put plainly, this legislation is a game-changer," the agency's director, Jen Easterly, said in a statement.

"CISA will use these reports from our private sector partners to build a common understanding of how our adversaries are targeting U.S. networks and critical infrastructure. This information will fill critical information gaps and allow us to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims."

Updated 5:19 p.m.