Opening Statement by CISA Director Jen Easterly

Before the House Committee on Appropriations, Subcommittee on Homeland Security on the Fiscal Year 2025 Budget for the Cybersecurity and Infrastructure Security Agency

Chairman and Ranking Member Cuellar, members of the subcommittee, thank you so much for the opportunity to testify on CISA's budget. As America's Cyber Defense Agency and the National Coordinator for Critical Infrastructure Security and Resilience, CISA leads the national effort to understand, manage and reduce risk to our cyber and physical infrastructure.

And I'm particularly excited to be talking to you today given this morning's release of National Security Memorandum 22, which reinforces CISA's role of managing cross-sector risk to the cyberinfrastructure that Americans rely on every hour of every day. The FY '25 President's budget requests $3 billion for CISA, $136 million more than what you appropriated in FY '24. It's critically important to continue the strong and steady investment Congress has made in CISA's mission to protect the nation from increasingly complex threats.

While our mission is broad and diverse, I'm going to briefly highlight just three areas that encompass the increases that we're requesting and in response to your specific direction from last year, I'm going to point out how we've linked outcomes to appropriations, specifically how we're using the budget to materially drive down risk in communities across the nation.

First key area, federal cybersecurity. As the operational lead for, we leveraged some $600 million to defend these .gov networks as a single enterprise, protecting America's sensitive data and federal agencies. And through Congress's support, we've been able to detect and respond faster than ever before.

One, using that CDM program that the ranking member mentioned, we've been able to remediate over 25 million unpatched vulnerabilities and reduce the number of vulnerabilities that have been exposed for 45 days or more by 72 percent. Two, we've deployed endpoint detection and response tools to over 50 agencies covering 900,000 devices and deployed detections that allowed us to find over 1900 threats so that we could mitigate risk to .gov networks.

And three, our shared services deployed to 100 federal agencies are saving taxpayer dollars. Our Protective Domain Name Solution service, for example, has blocked more than 692 million malicious connections since the start of this fiscal year.

Second key area of investment is we look at the threats to our nation. None is more serious than Chinese cyber actors that are burrowing deep into our critical infrastructure to prepare to launch disruptive and destructive attacks in the event of a major conflict. Now we're doing a lot on this. To your point, we can do more. But let me tell you what we're doing now with our budget.

First, we deployed threat hunting teams across multiple sectors, water, power, energy, and transportation to find and eradicate these Chinese cyber actors. And we've shared insights with others before they become victims. Now these PRC hunting missions are just part of our larger hunting missions. In just FY '23, we conducted 97 hunt engagements to eradicate threat actors from US critical infrastructure and we shared over 1,100 cyber advisories to enable risk reduction at scale.

Two, we use our CyberSentry platform that is best-in-class detection to enable us to drive down risk to the most important critical infrastructure, talking pipelines, energy generation, large airports, and critical manufacturing. We have 30 companies with 15 more joining. Three, our Joint Cyber Defense Collaborative, or JCDC, now with 320 private sector companies, has an active planning effort with key industry partners to mitigate risk from Chinese targeting as part of a broader risk reduction effort which has produced 93 joint cyber alerts and 14 cyber defense plans.

Finally, third key area of investment, while nearly all critical infrastructure sectors are priority targets for nation-state actors and cyber criminals, many do not have the resources to protect themselves. So based on the budget you've given us, we've stood in to support them. Specifically, we've grown our field presence across the nation by 35 percent, quadrupling the engagements that we have across the country fourfold from '22 to '23. We've leveraged our pre-ransomware notification initiative to do 1,900 such notifications -- schools, water facilities, hospitals -- to prevent organizations from suffering from ransomware.

We've also used our vulnerability warning pilot 2,000 notifications to organizations driving mitigation of over 3 million vulnerabilities across 7,600 organizations since 2022. And of note, our ability to proactively warn businesses will only increase when we implement cyber incident reporting. And in FY '25 that will be the year that we need to ensure we have the infrastructure in place to analyze and report in accordance with the law.

Finally, I want to sincerely thank this committee for all of your support and for helping to strengthen CISA and, by extension, the security and resilience of the nation's critical infrastructure. Thank you. I look forward to your questions.