Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly told lawmakers on April 30 that the Biden administration’s fiscal year 2025 request for CISA will help fund agency activities in three key areas, including the fight against malign Chinese cyber actors.

The administration earlier this year requested $3 billion of funding for CISA for FY2025 – $136 million more than the agency’s FY2024 enacted budget.

“As we look at the threats to our nation, none is more serious than Chinese cyber actors that are burrowing deep into our critical infrastructure to prepare to launch disruptive and destructive attacks in the event of a major conflict,” Easterly said during her opening statement at the House Appropriations Homeland Security Subcommittee FY25 budget hearing for CISA on Tuesday.

With its current budget, Easterly said CISA has deployed threat hunting teams across multiple sectors “to find and eradicate these Chinese cyber actors, and we’ve shared insights with others before they become victims.”

“These PRC hunting missions are just part of our larger hunting missions. In just FY23, we conducted 97 hunting engagements to eradicate threat actors from U.S. critical infrastructure. We shared over 1,100 cyber advisories to enable risk reduction at scale,” Easterly said.

She also highlighted that CISA is leveraging its CyberSentry Program – which currently has 30 companies, with 15 more joining – to drive down risk to the most important critical infrastructure, like pipelines, energy generation, large airports, and critical manufacturing.

“Our Joint Cyber Defense Collaborative, or JCDC, now with 320 private sector companies, has an active planning effort with key industry partners to mitigate risk from Chinese targeting as part of a broader risk reduction effort, which has produced 93 joint cyber alerts and 14 cyber defense plans,” Easterly said.

The CISA lead said that providing resources for critical infrastructure owners and operators is another key area of investment for the agency.

“Based on the budget you’ve given us, we’ve stood in to support [critical infrastructure],” Easterly testified. “Specifically, we’ve grown our field presence across the nation by 35 percent – quadrupling the engagements that we have across the country fourfold from (FY)22 to (FY)23.”

Easterly also noted progress CISA has made in its ransomware initiatives. “We’ve leveraged our Pre-Ransomware Notification Initiative to do 1,900 such notifications – schools, water facilities, hospitals – to prevent organizations from suffering from ransomware,” she said. “We’ve also used our [Ransomware] Vulnerability Warning Pilot: 2,000 notifications to organizations driving mitigation of over 3 million vulnerabilities across 7,600 organizations since 2022.”

“Our ability to proactively warn businesses will only increase when we implement Cyber Incident Reporting. And FY25, that will be the year that we need to ensure we have the infrastructure in place to analyze and report in accordance with the law,” she added.

The final key area of investment for CISA’s budget is Federal cybersecurity, Easterly said. The CISA lead said that the agency uses around $600 million of its budget to defend .gov civilian networks.

“Through Congress’s support, we’ve been able to detect and respond faster than ever before,” Easterly said. Through the Continuous Diagnostics and Mitigation (CDM) Program, CISA has been able to remediate over 25 million unpatched vulnerabilities and reduce the number of vulnerabilities that have been exposed for 45 days or more by 72 percent, she said.

“We’ve deployed endpoint detection and response tools to over 50 agencies covering 900,000 devices, [and] deployed detections that allowed us to find over 1,900 threats so that we could mitigate risk to .gov networks,” she said.

Easterly continued, “Our shared services deployed to 100 Federal agencies are saving taxpayer dollars. Our protective domain name solution service, for example, has blocked more than 692 million malicious connections since the start of this fiscal year.”

When questioned on China’s cyber threat to the U.S. by subcommittee Ranking Member Henry Cuellar, D-Texas, Easterly noted what CISA is seeing today “is only the tip of the iceberg.”

In its current enacted FY2024 budget of $2.8 billion, CISA took a $34 million cut from its FY2023 funding levels – and a more than $183 million cut from what the agency requested for FY2024.

While Easterly said she supports the President’s budget request of $3 billion for FY2025, “of course, we can do more with more.”

The agency lead said $150 million more for FY2025 would allow CISA to do three things.

“The first one would be to continue to build on that CyberSentry capability, which is really best in class and can be deployed at the most important critical infrastructure owners so that we can detect and prevent significant damage to the infrastructure that we believe Chinese cyber actors are going after,” Easterly said.

“Two, to increase our capacity to be able to hunt,” she said. “Our hunt teams, as I mentioned, 97 engagements on domestic infrastructure in FY23, but we can do more with more.”

“Finally, to continue to grow our field force,” Easterly said. “I’m very proud that since 2021, we’ve grown by almost 1,700 people, and a lot of that is in the field but we need to continue to grow our cybersecurity advisors, our physical security advisors to enable us to help the small and medium businesses, the critical infrastructure owners and operators that are under duress from these very serious nation state threats.”

Cate Burgan
Cate Burgan is a MeriTalk Senior Technology Reporter covering the intersection of government and technology.