- The bipartisan Infrastructure Investment and Jobs Act (INVEST) passed the Senate Tuesday, allocating about $2 billion to cybersecurity, according to a White House fact sheet. The bill will now go to the House of Representatives, which is set to reconvene Aug. 23, cutting its recess short.
- Of that $2 billion, $1 billion is designated for State, Local, Tribal and Territorial (SLTT) Cyber Grant Program within the Cybersecurity and Infrastructure Security Agency (CISA) over four years, according to a government summary, via CNN. CISA will receive a one-time investment of $35 million in risk management. DHS' Science and Technology Directorate for Research and Development will receive $157.5 million in funding over five years.
- The office of the national cyber director (NCD) will receive $21 million and the Cyber Response and Recovery Fund will receive $100 million, allocated over five years.
The cybersecurity spending will reach across federal and local IT networks to help organizations respond to cyberattacks.
Some critics are concerned about how the government has previously allocated cyber funds and what that means for future investment. "While this funding may be a great foundation for reinvigorating our cybersecurity infrastructure, we need to make sure that it is used in ways that empower users, not just for procuring more sophisticated cyber defense tools alone," Lisa Plaggemier, interim executive director of the National Cyber Security Alliance, told Cybersecurity Dive in an email.
Resiliency gives an entity the ability to anticipate, prepare for, or recover from an incident, but organizations cannot achieve resilience without resources. The infrastructure legislation wove key elements of the Cyber Response and Recovery Act, proposed in April by Senators Gary Peters, D-Mich., and Rob Portman R-Ohio. The legislation was intended to provide aid to the public and private sectors in wake of a cyberattack. A central element, the Cyber Response and Recovery Fund, was adopted in the infrastructure bill.
As part of the infrastructure bill, the Department of Homeland Security, in coordination with the NCD, will have the authority to declare "a significant cyber incident in the event of an ongoing or imminent attack that would impact national security, economic security, or government operations," the April proposal states.
CISA would be granted the ability to coordinate response efforts in and outside of the federal government, as well as access funds through the Cyber Response and Recovery Fund.
The cybersecurity community isn't surprised to see the funding from the infrastructure bill, said Plaggemier, but this year in particular cemented critical infrastructure as a priority for future cyber-related funding.
DHS Secretary Alejandro Mayorkas thanked the Senate for passing the infrastructure legislation and said it will provide the agency with "resources needed to support response and recovery efforts for public and private entities impacted by cyberattacks," in a statement.
The cybersecurity and technology-related funding is only the latest for this Congress. In June, President Joe Biden's FY2022 budget proposal offered $58.4 billion for IT, including $9.8 billion for cybersecurity for civilian agencies. The National Defense Authorization Act (NDAA) Conference Committee has not finalized defense-related budgeting for FY2022 yet, but the infrastructure bill picks up on last year's bill. The NDAA for FY2021 established the office of the NCD, which Chris Inglis officially filled the title in July.
The infrastructure bill sets up a grant program for Amtrak to improve its IT systems and cyber resilience by the secretary of the Department of Transportation, according to the bill. The grants are in addition to other federal funds designated for Amtrak's cybersecurity architecture. Amtrak's use of the grants have to be consistent with practices advised by the National Institute of Standards and Technology (NIST).
Amtrak suffered a data breach in 2020 because of compromised credentials. Amtrak was able to contain and terminate the threat without the intruders accessing customers' personally identifiable information. But "unfortunately, Amtrak is a known target of cyber bad actors," said Plaggemier. With the infusion of more automation in the transportation industry, Plaggemier sees this time as the opportunity to be proactive in cybersecurity. In addition to Amtrak, the infrastructure bill also states electric vehicle charging stations are subject to cybersecurity requirements.
Within a year following the enactment of the INVEST Act, the U.S. comptroller general will conduct a study of vulnerabilities in the transportation system. The report will cover risks in intelligent transportation systems susceptible to ransomware.
"Beyond seeing spending dedicated to traditional cyber players such as DHS and CISA, it was good to see a focus on building cyber infrastructure in rural areas — which are often overlooked and particularly vulnerable as a result," said Plaggemier.