Cybercriminals and state-sponsored organizations successfully launched some of the biggest cyberattacks to date in 2024, targeting U.S. critical infrastructure and businesses. As the year ends, those attacks show no signs of letting up.
Last week, federal investigators revealed that a hacker organization allied with the Chinese government, known as the Salt Typhoon, infiltrated eight major U.S. telecommunications companies. The breach, U.S. officials say, provided the Chinese government access to communications of senior government officials and political figures like President-elect Donald Trump and Vice President-elect JD Vance.
“Cybersecurity is a huge problem,” Sen. Susan Collins told NOTUS. “The recently publicly reported infiltration by the Chinese into our telecom sets some great example of the extreme damage that cyberattack could do.”
“We’re gonna have to shift over time because that’s the new modern warfare battlefield,” Rep. Richard McCormick told NOTUS. “The times are changing and our focus has to shift with it.”
But the agency in charge of defending against cyberattacks — the Cybersecurity and Infrastructure Security Agency — is often derided by Republicans, despite the fact it was created under Trump’s first administration. Then in 2020, CISA’s then-head Chris Krebs was vocal in debunking Trump’s election fraud claims — Trump fired him shortly after — and since then, Republican lawmakers have had the agency in their crosshairs.
“I’d rather answer by what the agency shouldn’t be focused on, which is on making up election integrity issues when none exist,” Rep. Andy Harris, chair of the Freedom Caucus, told NOTUS when asked what CISA should focus on as they respond to increasing cyberattacks. “And that’s the problem with the current agency right now.”
Harris and others allege that CISA has stifled free speech and targeted conservatives in the name of tracking down foreign misinformation campaigns.
“When they decide that our enemies or cybersecurity enemies are those around the world and not Americans, then we can talk,” Harris said.
Trump has yet to name who he’ll tap to lead the agency next year, but it’s clear that congressional Republicans aren’t interested in spending another dime to shore the agency up.
Earlier this year, Rep. Andrew Clyde, another Freedom Caucus Republican, introduced an amendment to flatline CISA’s $3 billion budget.
While that amendment failed, Clyde said there shouldn’t be any additional funding to respond to the increasing threats that foreign actors pose.
“Efficiency,” Clyde said when asked what he expected to see from CISA as they adapt to this new playing field. “And stick to their job and their mandate and not silence free speech.”
Outgoing CISA Director Jen Easterly has argued that additional funding might be needed to combat attacks from places like China in the short term.
“If I were to advocate for additional funding in the near term, it would really be about this counter-[People’s Republic of China] campaign,” Easterly said on Wednesday during a cybersecurity conference.
“I was up in New York City and I saw my friend, former Congressman John Katko,” Easterly added. “He had always talked about CISA as a $5 billion agency. And I think eventually, there will need to be growth in both capability and capacity.”
CISA’s supporters say funding the agency should not be a partisan issue. “CISA protects us from foreign actors who are doing everything to disrupt and destroy our privacy and our data,” Democratic Rep. Eric Swalwell told NOTUS.
“They’re not doing it to hurt Democrats or help Democrats and hurt Republicans. They’re doing it to hurt Americans. So a robustly funded CISA protects all Americans, hard stop,” Swalwell said.
Republican Rep. Jay Obernolte said Congress should make sure CISA has “the tools and the resources necessary to fulfill their responsibilities.”
“I met with the Trump transition team on technology earlier this week, I’m actually very encouraged with how seriously they’re taking the transition, and they’re obviously hitting the ground running,” Obernolte said.
Despite some lawmakers now taking cybersecurity more seriously, industry experts say that the federal government is still hesitant to support serious efforts unless there’s a clear threat or emergency.
This lack of support leads to agencies running outdated software and making them a target for cyberattacks.
“We may have trouble understanding some of the intricacies, but the reality is there are a lot of IT modernization plans that simply don’t make the cut to ever be implemented,” said Jim Richberg, security adviser and policy head for cybersecurity company Fortinet, during a hearing in the Homeland Security Committee.
During that hearing, Srinivas Mukkamala, cybersecurity adviser and board member of El Paso Electric, a Texas-based utility company, said that outdated software that runs at the federal, state and local levels often doesn’t have the necessary support, making it a great target for cybercriminals and state-sponsored hackers.
“If you’re selling me software that is legacy, that’s vulnerable, and you have three people supporting it, do we expect nation-states not to attack us?”
—
Samuel Larreal is a NOTUS reporter and an Allbritton Journalism Institute fellow.