A hacker tried to poison a Florida community’s water supply earlier this month by gaining remote access to a water plant’s computer system and attempting to increase sodium hydroxide levels. A vigilant plant operator noticed the breach and stopped the tampering before the community was affected. The intrusion, which could have poisoned thousands, demonstrates the seriousness of the cybersecurity threats facing the United States.
For Congress and the Biden administration, this and other recent cybersecurity incidents should prompt new questions about whether the federal government is investing enough in cybersecurity to address the growing threat.
Investing resources to defend American government and private sector information technology could earn bipartisan support on Capitol Hill given the growing cybersecurity threat. But leaders must answer longstanding concerns about critical federal cybersecurity programs to lay the groundwork for sustained investment. Recent developments—including the massive SolarWinds breach—underscore legitimate concerns about the government’s capacity to defend against growing threats.
Congress has been ‘admiring the problem’ for decades.
In 1997, the nonpartisan Government Accountability Office added “information security” to its annual list of the federal government’s high risk areas. Today, nation-states and other adversaries exploiting cyber vulnerabilities have become one of the nation’s most serious national security threats. China, Russia, Iran, and North Korea increasingly use cyber operations to steal information, to influence citizens, or to disrupt critical infrastructure.
Traditional espionage against government networks, such as the 2015 Office of Personnel Management breach and the recent hack of IT firm SolarWinds, have exposed government secrets and likely jeopardized national security in ways that are impossible to quantify.
Ransomware attacks have disrupted municipalities, school districts, hospitals and other organizations in recent years. Reports of these financially motivated incidents increased by 100 percent last year, according to one estimate.
The federal cybersecurity budget compared to other spending priorities.
For 2021, the Trump administration requested $18.8 billion in reportable cybersecurity funding (level with 2020 budget). The Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security (DHS) had a budget of about $2 billion for 2021.
Considering the relative and immediate threats in the cyber and air domains, should Congress be investing more on cybersecurity than the air or other domains? Are there other areas that should be reprioritized to strengthen the nation’s cyber defenses? These are questions that Congress should be asking.
The federal government has an “intrusion and detection” system known as Einstein that prevents intrusions with a signature-based approach. That’s great for blocking “known fingerprints”—i.e., previously identified patterns of malicious data or malware—but is unable to stop new malware or other exploits that haven’t been used before.
Federal agencies have their own internal problems with cybersecurity. A bipartisan investigation found that the Department of Homeland Security has “failed to address cybersecurity weaknesses for at least a decade” and “continued to use unsupported systems, such as Windows XP and Windows 2003.”
A bipartisan opportunity in the 117th Congress.
The president and his team should acknowledge that reforms are needed across the government and particularly within CISA. A good place to start would be to commit to upgrading the Einstein system to provide better protection for federal agencies and to prioritize the federal government’s cybersecurity among CISA’s many mission areas.
The United States has been playing defense and losing in the cyber domain for the first two decades of the century. It is time that Congress recognizes that cybersecurity is now a top responsibility for securing the common defense and to fund that mission appropriately and efficiently.
Summarized from thedispatch.com