WASHINGTON — Cutting the budget of the federal cyber defense agency will severely weaken the government’s protection against foreign cyberattacks, cybersecurity officials told lawmakers Wednesday.
“A significant cut to our budget would be catastrophic. We would not be able to continue [or] even sustain some of the core functions across programs,” said Eric Goldstein, an executive assistant director of the Cybersecurity and Infrastructure Security Agency, to lawmakers on the House Homeland Security Committee’s cyber subcommittee.
CISA, an agency within the Department of Homeland Security, was created in 2018 under former President Donald J. Trump and put in charge of protecting federal civilian agencies and private infrastructure companies from cyberattacks.
However, the agency has recently come under intense scrutiny. Some Republican lawmakers have accused CISA of colluding with social media companies to censor information the White House deemed damaging to the Biden administration.
The belief among Republicans that CISA was, according to a report by the House Judiciary Committee, chaired by Rep. Jim Jordan (R-Ohio), the “nerve center” of federal “surveillance and censorship operations” led to a legal battle between Republican state attorneys general and the Biden Administration. The Supreme Court on Friday agreed to hear the case and temporarily blocked a lower court decision that limited communication between the government and social media companies about content moderation.
In September, more than 100 House Republicans, including Jordan and the newly elected House Speaker Mike Johnson (R-La.), also supported an amendment to the Department of Homeland Security Appropriations Act that would cut funding for CISA by 25%. The amendment ultimately failed.
A 25% cut to CISA’s $3 billion budget would make the agency unable to carry out key functions, such as its Continuous Diagnostics and Mitigation Program, which provides a range of network and data security tools and services to federal agencies, Goldstein said. It would also expose vulnerabilities that foreign adversaries will exploit.
Similarly, a government shutdown would force CISA to pause all of its nonessential operations, including the devising and deployment of new protections, Goldstein said.
Chris DeRusha, the federal chief information security officer in the Office of Management and Budget and a deputy director at the Office of the National Cyber Director, agreed that cutting CISA’s budget would weaken the U.S.’s ability to protect its cyberspace.
During the hearing, Goldstein touted CISA’s achievements in safeguarding federal agencies against cyberattacks. He said the agency has improved on many measurable metrics of cybersecurity, including a 79% decrease in known exploited vulnerabilities across federal networks from last year.
He said the agency has also made significant investments in modernizing and expanding its programs to reflect the changing technological landscape, such as the adoption of mobile and cloud-based services.
Rep. Carlos Gimenez (R-Fla.), however, dismissed Goldstein’s claim that CISA cannot afford a deep budget cut and said he “never heard somebody in a bureaucracy telling me that a cut to their budget would not be catastrophic.”
But Democrats on the subcommittee shot back. Rep. Troy Carter (D-La.) called the idea of cutting CISA’s budget “very dangerous,” and Rep. Eric Swalwell (D-Calif.), the subcommittee’s ranking member, said partially defunding CISA would leave the U.S. vulnerable to cyberattacks from its geopolitical rivals.
“At a time when there are conflicts in multiple parts of the world, I cannot comprehend how we would do anything to reduce our ability to defend against cyberattacks,” Swalwell said.
Just hours before Thursday’s hearing, House Republicans elevated Johnson after three weeks without a Speaker of the House. Johnson, a constitutional lawyer, played a major role in crafting and promoting theories to overturn the 2020 presidential election.
Considering that CISA’s responsibilities include the securing of elections, discussion around the new speaker was notably absent from the hearing. Every House Republican voted for Johnson in the Speaker’s election. The cyber subcommittee chair Rep. Andrew Garbarino (R-N.Y.), a supporter of CISA, also put out a statement Thursday afternoon announcing his support for Johnson’s speaker bid and for him to lead the House’s appropriations process.
In Thursday’s hearing, lawmakers were also curious about CISA and ONCD’s plan for artificial intelligence. President Joe Biden is slated to formally announce his executive order on federal AI guidelines on Monday, and DeRusha said he expects the executive order to include safeguards that address the security threats the new technology poses.
Goldstein said CISA is actively monitoring the risk AI poses to cybersecurity. At the same time, the agency is also examining ways to harness AI’s power in analytics and threat detection.
“We want to make sure that our operators, our analysts can leverage AI tools so that they can do less of the work that machines can do and more of the work that only humans can do,” Goldstein said.