Cybersecurity

Biden budget includes $750M to help agencies recover from SolarWinds hack

President Biden’s proposed budget for the upcoming fiscal year includes $750 million to address the ongoing fallout from the SolarWinds hack, even as lawmakers continue to press the administration to include more funding for a key cyber agency. 

The proposed fiscal 2022 budget designated the funding to go towards “agencies affected by the recent, significant cyber incidents to address exigent gaps in security capability,” pointing specifically to the SolarWinds hack.

The incident, first discovered in December, involved Russian hackers exploiting a vulnerability in a software update from IT group SolarWinds to compromise at least nine federal agencies and 100 private sector groups for months for espionage purposes. 

U.S. intelligence agencies formally attributed the hack to Russia earlier this year, with Biden announcing a sweeping set of sanctions against the country in retaliation shortly after. 

The $750 million was included in the budget as part of a larger proposal of $9.8 billion to go toward a variety of cybersecurity efforts.

As part of this funding, $15 million was set aside for the newly established White House national cyber director’s office. Biden nominated former National Security Agency Deputy Director Chris Inglis for the role in April, and he is awaiting a Senate nomination hearing. 

The Cybersecurity and Infrastructure Security Agency (CISA) was given a $2.1 billion proposed budget for 2022, $110 million more than the previous year, which is in addition to the $650 million given to the agency as part of the American Rescue Plan Act signed into law earlier this year. 

The proposed increase in CISA’s budget was lower than some lawmakers have argued for in recent months. 

Reps. Jim Langevin (D-R.I.) and Mike Gallagher (R-Wis.) sent a letter to the leaders of the House Appropriations Committee in April asking them to carve out $400 million in additional appropriations for CISA as compared to last year’s budget.

The lawmakers pointed to CISA’s leading role in responding to both the SolarWinds hack and new vulnerabilities in Microsoft’s Exchange Server that allowed Chinese hackers to potentially breach thousands of organizations.

“Despite the critical functions that CISA is currently performing, far more is required of the agency in order to build meaningful security in federal networks and national resilience to significant cyber incidents,” they wrote. 

House Homeland Security Committee ranking member John Katko (R-N.Y.) also threw his weight behind increasing CISA’s budget by $400 million, submitting a budget proposal earlier this month to give the agency $2.5 million in the next fiscal year.

After the detailed budget was formally rolled out on Friday, Sen. Maggie Hassan (D-N.H.) sent a letter the same day to Acting Office of Management and Budget Director Shalanda Young expressing concerns that the overall proposed budget for the Department of Homeland Security, which CISA falls under, was “essentially flat.”

“I am concerned that a flat DHS budget will not provide enough resources to address growing cybersecurity, border security and vetting, and violent extremism threats facing the United States,” Hassan wrote to Young, pointing specifically to the SolarWinds hack and other recent major cyber incidents. 

Mark Montgomery, a senior advisor to the Cyberspace Solarium Commission and a senior fellow at the Foundation for Defense of Democracies, told The Hill Friday that the “mathematics” of the budget needed to be “worked on.”

“There are some other things in there that are palliative, but at its core, CISA is the agency that is going to drive federal IT network security, and it needs to be resourced effectively,” Montgomery said.