House appropriators in June finished marking up a dozen spending bills for fiscal 2023 that would altogether provide at least $15.6 billion for cybersecurity efforts across federal departments and agencies.
The largest chunk of cybersecurity spending, $11.2 billion, would go to the Defense Department, followed by $2.9 billion for the Cybersecurity and Infrastructure Security Agency, or CISA.
CISA would get $417 million more than the White House requested, and the Pentagon appropriations would match the administration’s request.
The “dramatic investments in our nation’s cyber infrastructure” are intended “to prevent increasingly pervasive cyber-attacks,” House Appropriations Chair Rosa DeLauro, D-Conn., said in a statement.
Increases in cybersecurity funding come as the Biden administration focuses on boosting preventive measures, improving information sharing between government agencies and private sector companies, and pushing agencies to adopt a so-called zero-trust posture that assumes anyone accessing a computer network could be a threat.
The measures follow dramatic cyberattacks in late 2020 and early 2021 that left hundreds of top U.S. companies and a dozen federal departments and agencies scrambling to protect themselves.
President Joe Biden in May 2021 issued an executive order urging federal agencies to adopt higher cybersecurity standards.
Congress providing CISA with an increase in funding would help the administration meet its cybersecurity goals spelled out in the executive order, said Tom Gann, chief public policy officer at cybersecurity research firm Trellix.
The extra money appropriated for CISA would go toward key services it provides to other federal agencies, including continuous diagnostics and mitigation, endpoint detection and other cyber services as part of the agency’s National Cybersecurity Protection System, Gann said. Endpoint refers to a cellphone, laptop or other device.
“I think for fiscal year 2023, CISA will be in a good position to ramp up its service provider capabilities and increase its threat hunting capabilities — which is a big initiative — and clearly implement things in meeting the executive order,” Gann said.
The House appropriators also addressed cybersecurity funding and needs at the Energy, Commerce, Health, Justice, Treasury, Transportation and State departments.
With the $11.2 billion for the Pentagon’s cybersecurity efforts, lawmakers also asked the department, which has the largest number of cyber experts in the federal government, to study ways to collaborate more with CISA.
Lawmakers asked the Defense secretary to coordinate with CISA to “provide supplementary support” in cases in which the civilian agency is responding to intrusions from Russia and China, a growing problem.
The U.S. Cyber Command and the National Security Agency, which are part of the Pentagon, have large cadres of cyber professionals. The Cyber Command operates 133 Cyber Mission Forces or teams that conduct defensive cyber missions. Gen. Paul Nakasone, commander of the U.S. Cyber Command, has told Congress that he plans to add five more Cyber Mission Force teams in 2023.
House appropriators also noted in the report accompanying the fiscal 2023 Defense appropriations bill that the Pentagon has multiple cybersecurity-related offices and agencies, but it is not clear which office is responsible for what.
“It remains unclear to the Committee which offices and positions at the Department of Defense are responsible for cyber, cybersecurity, and cyberspace policy and activities,” the lawmakers wrote.
In addition to the Cyber Command positions, the Office of the Secretary of Defense appears to have as many as six senior officials with responsibilities for cyber policy.
“Along with the plethora of positions and organizations in the Office of the Secretary, each of the Services has its own cyber establishment,” the lawmakers wrote, asking the Defense secretary to report to Congress with an organizational chart listing the responsibilities of each office.
The Treasury Department’s Cybersecurity Enhancement Account would get $135 million in fiscal 2023, a $55 million boost from fiscal 2022 but still less than the department’s request for $215 million. The decision to provide less than requested appears to be due to unused funds from previous years. Lawmakers used the Financial Services Appropriations report to direct the department to explain how the unused funds would be spent during the next fiscal year.
The Treasury account is a dedicated one “designed to identify and support department-wide investments for critical [information technology] improvements, including systems identified as high-value assets,” according to a report accompanying the bill.
The Office of the National Cyber Director, a new position at the White House established by a 2021 law and funded by the Financial Services spending bill, would get $22 million to help “coordinate federal cybersecurity policy and strategy.” The office is led by Chris Inglis, a former NSA official.
The federal judiciary would receive $128 million to assist with “judiciary security, cybersecurity, and information technology modernization.”
The Energy Department would get $205 million for its Office of Cybersecurity, Energy Security, and Emergency Response, a $19 million increase from fiscal 2022.
Lawmakers said the funding would help “secure the nation’s energy infrastructure against all hazards, and reduce the risks of and impacts from cyber events.”
The department’s chief information officer would receive $125 million to boost cybersecurity across the department, and $20 million would go toward a program called Cyber Testing for Resilient Industrial Control Systems.
The Justice Department would get $75 million as part of its Justice Information Sharing Technology program. The money was needed to “address immediate cybersecurity response needs and modernize cybersecurity capabilities” in the aftermath of the 2020 SolarWinds attack, which affected the department, the lawmakers said in the Commerce-Justice-Science spending bill report.
Justice would receive another $31 million to “strengthen essential DOJ cybersecurity and supply chain workforce development.”
The department’s Office of the Inspector General would get $136 million to pay for “critical increases for secure facilities and information technology infrastructure” that would help the office meet its “growing data analytics and cyber forensics workload.”
The FBI would get about $109 million, including $52 million to address cyber crime, and about $37 million for its own cybersecurity needs.
The National Science Foundation would receive $74 million for a CyberCorps Scholarships program, an $11 million boost from fiscal 2022 designed to “help recruit and train the next generation of U.S. cybersecurity professionals.”
The National Institute of Standards and Technology, which is part of the Commerce Department, would get $121 million to help research and design cybersecurity standards.
In the Department of Health and Human Services, the chief information officer would get $132 million, an increase of $61 million, for technology cybersecurity and to strengthen the entire department’s cybersecurity posture, according to the committee report.
The committee recommended that the State Department’s Bureau of Cyberspace and Digital Policy receive $37 million. The newly launched bureau, which began operations in April 2022, is intended to coordinate the department’s work on cyberspace and digital diplomacy.
The Transportation Department would get $48 million for its cybersecurity work, and another $5.5 million would go toward research and engineering work related to cybersecurity.
The Agriculture Department’s chief information officer would get at least $77.4 million toward cybersecurity across the department.