As the $1.2 trillion federal infrastructure bill moves through Congress, it is clear that cybersecurity has not been forgotten. But what is unclear is whether it is a real priority.
In looking through the fine print, it appears only $1.9 billion is earmarked directly for cybersecurity. Another $100 billion is allocated for items like power grid resilience and hardening other elements of critical infrastructure. So, it is difficult to tell how much funding might be available for cyber resilience among all the other items that might be considered necessary spending for infrastructure resilience.
For now, it appears all that we can count on in the bill is the $1.9 billion set aside for direct spending on cybersecurity, out of a total $1.2 trillion spending plan.
A Fraction of What Is Needed
While nearly $2 billion might seem like an enormous sum, in reality it is not nearly enough. Our adversaries are spending more than that in finding ways to attack our critical infrastructure.
It has to be acknowledged that this administration is taking cybersecurity seriously and putting some money behind it. But at this funding level, it will continue to fall on industry to fund real cybersecurity resiliency.
Let’s consider just one recent incident — the Colonial Pipeline ransomware attack. We don’t know the exact amount this single attack cost the company, but it certainly had to total in the hundreds of millions of dollars. Put that in the context of the funding proposed for national cybersecurity and you can see this is just a fraction of what needs to be spent.
Funding to State and Local Governments
Of the dollars allocated in the bill for direct cybersecurity funding, a significant portion is dedicated to state and local governments. Though it remains to be seen how the appropriation process will work, it is likely that this funding will go toward directly helping local and state government entities improve their ability to detect and respond to cyberattacks.
There is no question that an improved cybersecurity posture is needed at the local and state levels. Municipal water utilities are a good example. An attack on a small water utility in Oldsmar, Florida, early in 2021 was one of many close calls. In this instance, an unauthorized actor breached the city’s water treatment control system and began increasing the amount of sodium hydroxide to levels that could have been fatal to water customers if consumed. Fortunately, a water utility employee noticed the anomaly and quickly reset the system, averting a catastrophe.
Water utilities may be especially vulnerable because they are funded by water rates; governing authorities expect those dollars to be plowed back into capital improvements to keep the system operating. Cybersecurity has not been a priority, so it hasn’t been funded.
Cybersecurity on Equal Footing With Physical Safety
As we’ve seen in Florida and many other places, criminals will not hesitate to put the public at risk with cyberattacks on life safety systems. These risks are just as real as any threat to physical security at public facilities.
This begs a crucial question: What should locally funded utilities and agencies do when that grant money isn't enough to fund adequate cybersecurity measures? Does it create a false sense of security if a utility manager completes a program required by a state or federal regulator, but in reality was still insufficient?
A supervising state or federal agency may need to develop guidance that makes it clear that cybersecurity is part of the cost of doing business. This could open creative pathways to develop matching grant programs, similar to existing programs like the WIFIA (Water Infrastructure Finance and Improvement Act) that awards matching dollars for qualifying water improvement programs.
We must encourage discussion of creative ideas on methods to level up the amount of funding available for cybersecurity to where it should be to meet actual needs.
Safe Infrastructure for Smart Infrastructure
Nearly every business sector is moving quickly toward smart infrastructure — systems in which disparate components and devices are connected and thus able to perform much more efficiently. This connectivity is feeding our data-driven world, where decisions can be made instantly. While these advances may be breathtaking, this connected infrastructure presents enticing pathways for criminals.
It is clear that this imperative has caught the attention of the federal government, but it is equally clear that the capital investment needed for cybersecurity is going to need to come from a public-private partnership. While symbolic, the current infrastructure spending bill simply does not go far enough given the present reality of cybersecurity.
Learn how our team can deploy mitigating controls that help you avoid unplanned disruptions, damage or product losses resulting from cyber incidents.
