The Omnibus Bill and the Cybersecurity Investment

By: Alexander L. Turner, CIPP/US

With cybersecurity risks increasing and evolving as we move into 2023, the federal government is taking steps to help secure our cyber infrastructure. The recently passed 2023 omnibus spending agreement included additional funds for a variety of federal agencies in order to strengthen our cybersecurity apparatus. The Cybersecurity and Infrastructure Agency (“CISA”) received $1.3 billion for its cybersecurity programs. This is a $230 million increase over last year. While this increase in funding is intended to help CISA improve the country’s cybersecurity, it does come with some significant strings attached. CISA is currently a year late in providing Congress with its force structure assessment, which includes its organizational planning, staffing, and budgeting. In order to force CISA to provide the necessary documentation for Congressional oversight, the omnibus funding included a caveat that CISA will be fined $50,000 for every day it is late in providing Congress with its quarterly briefing. Congress is getting serious about holding CISA accountable, and will not allow it to continue to skirt Congressional oversight.
 
The omnibus also included additional cybersecurity funding for other federal agencies. $200 million has been allocated for the Department of Energy’s Cybersecurity, Energy Security, and Emergency Response (“CESER”) in order to protect our vulnerable power grid. The Treasury Department also received $100 million for its Cybersecurity Enhancement Account, which is a $20 million increase over last year. Congress also allocated $50 million in funding to protect against cyberattacks by foreign adversaries like Russia, China, Iran, and North Korea. This included tasking the Federal Trade Commission with collecting and reporting on international cyberattacks committed by foreign actors. While this increase in funding indicates that Congress is taking cybersecurity more seriously, the U.S. still lacks a comprehensive cybersecurity law that streamlines cybersecurity compliance throughout the entire country. As it stands now, companies operating nationally have to comply with a myriad of cybersecurity and privacy laws, which leads to confusion and increased costs. If Congress wants to positively impact cybersecurity in the U.S., it needs to pass comprehensive cybersecurity and privacy legislation.