Speaking at an event organized by the Information Technology Industry Council (ITI), Rep. Clarke said, “I’m hopeful that we will be able to provide additional funding soon” for the TMF, which is now seeking proposals from Federal agencies on pressing IT modernization projects. The Biden administration asked for an additional $500 million of TMF funding in its recent FY2022 budget request.
Rep. Clarke also advocated for more funding for CISA to carry out its expanding portfolio of cybersecurity missions – beyond this year’s $650 million infusion and the $110 million increase sought by the Biden administration in its budget request. CISA, she said, “will likely need a significantly larger increase this year to address all operational needs” as its mission scope grows.
“When it comes to security … mark my words, we cannot be penny-wise and pound-foolish,” Rep. Clarke said.
Supply Chain Priorities
Speaking at length about the supply chain security implications of President Biden’s cybersecurity executive order issued in May, Rep. Clarke said that high-profile software supply chain attacks in recent months have created the impetus for action to improve security in Congress, the Biden administration, and in the private sector.
“There is momentum for progress, and we must work together to harness it and implement policies that will make sure we are more secure in the future,” she said. “We must learn from the last 18 months and build resilience into our network security practices and supply chains.”
Citing supply chain security and ransomware attacks that have made headlines, Rep. Clarke said “we may need to update some of our Federal framework to better contemplate the physical and supply chain consequences of cyber-attacks,” including through requirements for sharing threat and attack data between the private sector and government and by giving Federal authorities a better window into private sector networks through cyber incident reporting requirements – among other steps contemplated by the cybersecurity executive order.
Some of the biggest lessons learned from recent attacks, she said, are that doing a better job at implementing some of the basic “fundamental” security steps like multi-factor authentication and endpoint detection and monitoring would help blunt the impact of those attacks.
More basic security steps like those, she said, “are the starting point, not the finish line.”
Rep. Clarke also pointed out that many private sector companies appear to be suffering from some degree of confusion as to who they need to partner with in the Federal government regarding cybersecurity. “We need industry to work with the government, but we also need to make it easier to work with the government,” she said, and suggested that the incoming National Cyber Director work to make those relationships more clear.
The congresswoman further suggested that the private sector needs a similar assist from the Federal government on supply chain security issues, and pointed to CISA’s Information and Communications Technology Supply Chain Task Force, and the Federal Acquisition Security Council as good existing hubs.
“I’m very supportive of the work of the task force, and I encourage their continued growth and development,” she said.
State and Local Cyber Funding
Rep. Clarke gave an update on legislative activity on the State and Local Cybersecurity Improvement Act, which was approved last month by the House Homeland Security Committee. The bill would provide $500 million per year in grants to help state and local governments improve cybersecurity.
“We’re looking now to the Senate for … a companion bill to be introduced,” Rep. Clarke said today.
“There’s no doubt that the [cybersecurity] crisis on the state and local level is an urgent call to us to action,” she said. “When we look at … municipalities, police departments, hospitals, when we look at school districts, there are so many vulnerabilities, and they need our help.”
“I’m really optimistic that we will pass this legislation, and that it will be signed into law,” she said. “There is not a district or a state that has not had to pay a very dear price” from cyber attacks, she said.