As part of the Biden administration’s ongoing infrastructure bill project, which looks to commit trillions of dollars to addressing longtime issues with the country’s vital utilities, $1.9 billion has been proposed for cybersecurity funding with more than half that amount set aside for state, local and tribal governments.
The Biden administration has made news for bolstering the cybersecurity of federal agencies and their myriad of contractors in recent months, and is now beginning to address the needs of states and localities demonstrated by attacks on critical infrastructure and government systems. The bill provides $1 billion in total in the form of grant programs that would run through the end of the 2025 fiscal year.
Infrastructure bill provides substantial aid to state and local governments
The 2,700 page bipartisan proposal includes a total of $500 billion in new spending mostly directed to states and localities. In addition to the $1 billion in grants aimed specifically at bolstering cybersecurity, the infrastructure bill includes $65 billion in spending on rolling broadband out to underserved rural areas and establishes a Cyber Response and Recovery Fund for use by the Cybersecurity and Infrastructure Security Agency (CISA) to assist both local governments and private entities that have been hit with cyber attacks. The emergency fund would be furnished with $20 million annually for seven years. The fund would be available for updating or replacing hardware and software, contracting IT or cyber personnel, vulnerability assessments, technical incident mitigation, malware analysis, analytic support, threat detection and hunting, and network protection.
To receive a grant, state and local governments would have to submit a plan outlining how the requested cybersecurity funding will be used to bolster existing defenses against hackers and other threats. Grant money would be available for four years from passage of the bill.
The remaining $900 million in cybersecurity funding would go to cyber research and development programs at the Department of Homeland Security, cybersecurity improvements for the electric grid, and an increase to CISA’s operating budget.
The infrastructure bill has bipartisan support in Congress, but is not likely to sail through the approval process given the raw amount of spending being proposed primarily by Democrats. The $1 trillion portion of the overall infrastructure bill that includes the cybersecurity funding plan passed the Senate on August 10, with approval of a budget resolution pending that would greenlight the primarily Democrat-supported full $3.5 trillion package of spending. 19 Senate Republicans joined with Democrat colleagues in approving the initial $1 trillion in spending, but there is much more resistance on the Republican side to the full infrastructure bill; the measure to vote on the budget resolution passed along entirely partisan lines with a 50-49 vote. The House of Representatives, which is in recess until September 20, must also still weigh in on both of these proposals.
A demonstrated need for state and local cybersecurity funding
Much of the worry surrounding government cybersecurity is about the potential damage that a determined nation-state hacking team could do. While there has yet to be an international incident of this sort, profit-minded criminals have recently raised the stakes (particularly in the field of ransomware) and shown that there are numerous vulnerabilities out there to exploit.
The US federal government has recently suffered a string of high-profile attacks that involved federal agencies: the SolarWinds breach was aimed specifically at federal agencies, and the breaches of Microsoft and VMWare in 2020 hit the U.S. Treasury Department among other government groups. While these were certainly serious attacks, an even longer and more concerning pattern of attacking state and local governments has been developing. For example, the infamous Kaseya breach did not appear to hit the federal government but did impact some localities that rely heavily on outsourcing for basic IT functions, such as the small Maryland towns of Leonardtown and North Beach.
The Kaseya attack was just a new development in a string of attacks focusing on smaller local governments that are lacking in IT defenses, however. A 2019 ransomware attack hit 22 towns in Texas, all of them relying on the same IT service provider due to a lack of local cybersecurity funding. And though the failure of the Texas power grid in early 2021 was due to a freak series of winter storms rather than cyber attackers, it demonstrated exactly how much damage an attacker could do by forcing an extended shutdown of water and electricity.
Ransomware gangs have been crossing new lines of real world damage in the past two years as well. The first fatality attributed to ransomware occurred in Germany in 2020 as an emergency vehicle had to be turned away from a hospital that had been crippled by a recent attack, with the patient passing away en route to the nearest alternate facility. And the Colonial Pipeline and JBS attacks earlier this year demonstrated a willingness to cause massive logistical disruption that affects large portions of a country.
Erich Kron, security awareness advocate at KnowBe4, sees the infrastructure bill funding as an absolute necessity to help beleaguered local governments keep pace with the constantly evolving threat landscape: “This is a much-needed boost for state and local municipalities and the associated service providers, such as school districts and utility providers. These organizations are often scraping for cybersecurity funding and personnel, resulting in vulnerable systems and networks and exhausted staff. While they do the best they can, the resources available to them are often so limited that they must make hard decisions about what to secure and what risk to accept … By providing assistance and funds prior to and after a cyber attack, there is a much better chance that damage can be limited and recovery will be much faster, with less of a chance of losing staff who are overworked. Cyber crime is no longer an annoyance, but a very serious threat to our critical infrastructure and government, and this is a step in the right direction.”
And Ofer Gayer, group product management for Exabeam, sees the infrastructure bill investment in cybersecurity funding as relatively minimal (despite the large-sounding price tag) and expects these small agencies will see more funds forthcoming in the future: “For anyone remotely paying attention to the rise in cyberattacks over the past year, particularly on critical infrastructure, this investment news should not come as a shock. I would even call it prudent if we compare this to the typical allocation of 10% for InfoSec from the total IT spend or 0.2% to 1% of the total budget. Allocating $1.9 billion out of a $1 trillion budget is essentially table stakes in our current threat landscape. We could probably even do with more.”