House Committees Seek to Spend Millions on Cybersecurity
CISA And FTC Could Benefit From $3.5 Trillion Budget Reconciliation Bill
A pair of House committees this week said they want to spend additional millions on cybersecurity by injecting funds into both the U.S. Cybersecurity and Infrastructure Security Agency and the Federal Trade Commission, as part of the debate over the Biden administration's $3.5 trillion federal budget proposal for 2022.
On Tuesday, the House Homeland Security Committee approved an amendment as part of the markup debate over the $3.5 trillion reconciliation bill that would give CISA $865 million to fund various security programs. Included in that funding is nearly $400 million to help implement President Joe Biden's executive order on cybersecurity.
In addition, the House Energy and Commerce Committee voted Tuesday to approve $1 billion for the FTC to create a bureau dedicated to data security and privacy as well as fighting identity theft.
The money allocated to both CISA and the FTC would be spread out over 10 years, according to copies of the amendments that have passed both committees.
Whether CISA and the FTC receive the money to fund these cybersecurity initiatives remains to be seen. The House must first pass a final version of the 2022 federal budget reconciliation bill, and that measure must then be reconciled with the version that the Senate has already passed. Once a final federal spending bill has been agreed upon, it needs to pass the Senate and House before Biden can sign the legislation into law.
In addition to the $3.5 trillion federal spending bill, Congress is debating an additional $1 trillion infrastructure spending measure that provides additional millions in funding for cybersecurity through the Department of Homeland Security and CISA. A version of this bill has passed the Senate, and the House is expected to vote on its version later this month (see: Senate Passes Infrastructure Bill Boosting Cyber Funding).
As part of the $865 million amendment that passed along party lines in the House Homeland Security Committee, CISA will receive $400 million over 10 years to help implement the cybersecurity executive order as well as another $100 million to boost cyber education and training programs.
Besides that money, CISA is slated to receive $200 million as part of the amendment for the agency's general operations, according to the markup amendment.
"As our nation’s premier federal agency focused on protecting Americans from all nature of cyberthreats, CISA is responsible for preventing malicious hacks and mitigating their potential damage," said Rep. Jim Langevin, D-R.I., who sits on the Homeland Security Committee and has been a vocal advocate of CISA.
Even before this week's action, CISA had already started to help shape how federal agencies need to adopt the provisions outlined in the executive order. For example, when the Office of Management and Budget published a memo earlier this month outlining steps for executive branch agencies to begin adopting "zero trust" policies, CISA published a "Zero Trust Maturity Model" describing how agencies and departments could adopt this approach to security (see: White House Pushing Federal Agencies Toward 'Zero Trust').
CISA is also working with the National Institute of Standards and Technology to develop definitions of "critical software" that would allow federal departments to begin taking new approaches to how they evaluate and buy software for use within their networks (see: NIST Publishes 'Critical Software' Security Guidance).
The money that lawmakers are looking to invest in CISA is needed to ensure that the agency can not only fulfill its current workload but also hire enough security professionals to take on other tasks and requirements, says Mike Hamilton, the former vice chair for the Department of Homeland Security's State, Local, Tribal, and Territorial Government Coordinating Council.
"The focus of these amendments seems to be ensuring that CISA can bring on the workforce it's going to need to have a prayer of completing these tasks, some of which seem very open-ended," says Hamilton, who is now the CISO of security firm Critical Insight. "CISA is in the best position to attract and - hopefully - retain the qualified practitioners that will be necessary, which is likely the reason that NIST is not more prominent in these particular funding requests."
While the amendments for CISA are specific, the proposal for the new bureau within the FTC is less so, and the House Energy and Commerce Committee did not release any additional details about the measure.
The FTC amendment does note that the new bureau would work to "accomplish the work of [the FTC] related to unfair or deceptive acts or practices relating to privacy, data security, identity theft, data abuses and related matters."
Besides the new House amendment, other lawmakers and the White House are looking to increase the powers of the FTC to enforce data privacy standards and improve cybersecurity. In July, Biden signed another executive order that asked the commission to establish rules over how tech firms can collect and use data from their customers as a way to offer more privacy protections for American consumers (see: Biden's New Executive Order Looks to Address Data Privacy).
In March, U.S. Rep. Suzan DelBene, D-Wash., reintroduced a bill that would create a nationwide data privacy standard to be enforced by the FTC (see: Federal Privacy Bill Reintroduced in Congress).