21 December 2021

Washington shouldn't pat itself on the back for its cybersecurity spending just yet

RETIRED REAR ADM. MARK MONTGOMERY

October was “cybersecurity awareness month,” but November and December are shaping up to be cybersecurity spending season on Capitol Hill. Last month, the House approved the Build Back Better (BBB) Act, and President Biden signed the Infrastructure Investment and Jobs Act of 2021 into law. Together, these bills contain nearly $2.5 billion in cybersecurity-specific spending, buying some cybersecurity wins — but Congress missed a number of opportunities to improve U.S. critical infrastructure security.

As the BBB Act moves to the Senate, and assuming the Senate clears a path to pass the bill, lawmakers will have an opportunity to address some key cybersecurity gaps.

The White House specifically extolled the infrastructure bill for making “our infrastructure more resilient to the impacts of climate change and cyber-attacks.” For example, the $1 billion grant program to address cybersecurity risks to information systems owned and operated by state and local governments is long overdue. These governments will use the grants to develop and implement cybersecurity plans to address imminent threats. Meanwhile, for the energy sector, there are two $250 million cybersecurity-specific grant programs: one for support to rural and municipal utilities to address known cybersecurity issues, the other for support to developing cybersecurity technologies in the energy sector.

The Infrastructure Act also includes some much-needed policy direction and appropriations for the Cybersecurity and Infrastructure Security Agency (CISA). These consist of granting authority to the federal government — along with $100 million in financing — to establish a “response and recovery” fund that would provide government assistance to remediate and recover from a significant cyber incident. CISA also receives $35 million in funding for its sector risk management responsibilities and another $157 million for research and development efforts. Finally, the Infrastructure Act provides $21 million in initial funding for the national cyber director, Chris Inglis, to fully staff and equip his office, which Congress created in last year’s National Defense Authorization Act.

The version of the BBB Act passed by the House, meanwhile, funds additional important cybersecurity efforts. Nearly half of its $500 million in cybersecurity funding goes to awareness, education, and training efforts. Specific funding for the Cybersecurity Education and Training Assistance Program (CETAP) and for state and local workforce initiatives is particularly well-deserved. In the past, CISA has underfunded the CETAP effort in its annual budget, relying on “congressional cover” to keep the program running. The BBB Act provides that cover.

An assessment of the two bills’ impact on cybersecurity inevitably comes down to the money. Congressional inclusion of cybersecurity-specific spending in a large omnibus bill is a major win. This development reflects both the severity of the cybersecurity challenges over the past 12 months and the identification of cybersecurity as an important issue by congressional leadership.

However, while the cybersecurity-specific funding in the bills — $2 billion in the Infrastructure Act and another $500 million in the BBB Act — is significant, it constitutes less than 0.1 percent of the total funds provided in these bills. What is missing in the infrastructure bill and the House’s BBB Act are well-funded cybersecurity efforts across other vulnerable critical infrastructures.

The shortcomings are particularly glaring in the water sector. Structurally, the water sector is most similar to the energy sector, with thousands of public utilities involved. Yet the water utilities receive just a fraction of the cybersecurity support that the bills provide to their energy counterparts. Additionally, the Environmental Protection Agency, which is the government lead for water sector utilities, needs significant budget increases in its cybersecurity support programs to hire more personnel and provide increased technical assistance.

Water sector utilities also need access to cybersecurity-specific grant programs that resemble the grants that energy utilities get. The numerous water infrastructure grant programs in the infrastructure bill total nearly $33 billion. However, the bill requires cybersecurity grant requests to compete with funding requests that address climate change, drought, sea level rise, and natural disasters. It should surprise no one that cybersecurity historically does not compete well with requests rooted in emergency scenarios. A cybersecurity carve-out from this large pie would ensure utilities can invest in resolving cybersecurity vulnerabilities.

The Water Information Sharing & Analysis Center and water associations, meanwhile, need funding to continue providing technical assistance to nearly 70,000 utilities. A new report I authored for the Foundation for Defense of Democracies provides specific recommendations for Congress and the executive branch to address these water sector shortcomings.

The infrastructure bill and the BBB Act also missed opportunities to fund similar cybersecurity improvements in the transportation sectors (like pipeline, maritime transport, and aviation) and the healthcare and public health sectors.

The Senate is now considering the BBB Act. Some senators have already indicated their intent to amend the provision heavily. This provides a critical and perhaps final opportunity to address some of these outstanding cybersecurity issues.

The interconnectivity of American critical infrastructures is such that if Washington addresses only select infrastructures (as the Infrastructure Act and the House’s BBB Act have done), it actually does little to reduce the country’s overall vulnerabilities. Let’s hope the Senate can get this right.
