Congress passed a bipartisan $1 trillion infrastructure bill on Friday that included about $2 billion in cybersecurity funding. The bill -- now heading to President Joe Biden's desk -- includes $1 billion in state, local, tribal and territorial cyberdefense grants, $100 million for the Department of Homeland Security, and $21 million for National Cyber Director Chris Inglis.
The four-year, $1 billion grant fund is something state and local governments have been waiting for to help tackle their growing cybersecurity to-do list. To receive a portion of the grant funding each year, states have to match a specified percentage of the federal dollars. The match starts at 10% and rises to 40% over the four years, the idea being that states get used to carrying cybersecurity as a recurring line in their own budgets.
The Washington Post noted that, under the cybersecurity grant program, 1% of the funds will go to each state, 0.25% to each of the four US territories, and another 3% to tribal governments. The rest will be split among the states based on population size, and specifically on rural population. States are required to devote at least 25% of their funding to cyber programs in rural areas.
The bill allocates $200 million in grants for 2022, $400 million for 2023, $300 million for 2024, and $100 million for 2025. The Federal Highway Administration is also required to create a tool to help transportation authorities respond to cyberattacks.
Jonathan Reiber, former chief strategy officer for cyber policy in the office of the US Secretary of Defense during the Obama administration, told ZDNet that the bill addresses some of the biggest concerns experts have about the country's cybersecurity readiness and infrastructure.
"This investment will help the country achieve a state of real cybersecurity readiness where it matters most. This bill also focuses on securing elements of our critical infrastructure that could cause national-level systemic risks if disrupted. Vulnerabilities in the energy sector present a strategic risk for the US -- from our electric utilities to oil and gas distribution, as we saw with the Colonial Pipeline attack -- and hostile actors have been targeting the energy sector for years," said Reiber, who is now a senior director at AttackIQ.
"This bill will not only help ensure cybersecurity capabilities are built and deployed -- it also calls for continuous assessments to ensure that our cyberdefense investments work as intended. It's not enough to have built the best defense capabilities; they need to be exercised and ready when the adversary attacks. These resources can help ensure effectiveness."
He added that Inglis is "one of the most talented cybersecurity leaders in the world" and that it was a positive step to see the amount of money given to support the office of the National Cyber Director.
Drew Jaehnig, industry practice leader for the public sector at Bizagi, homed in on the parts of the bill that focus on securing industrial or operational technology (OT) systems.
Jaehnig spent 20 years at the Department of Defense and said the increased funding for OT systems was sorely needed. He noted that it was also "well overdue" for the federal government to provide support for state, local, tribal, and territorial cyber training, recruitment, and non-profit security grants.
"In the long run, however, this will also require state and local officials to respond proportionally. It is interesting to note that FEMA will be responsible for the allocation and distribution of the appropriate funds to state, local, and non-profit organizations. This needs to be a preventative process to avert cyber-disasters and FEMA will need to be judicious in fund allocation to maximize the effects. State and local governments should consider consolidated actions to maximize the investment impact," Jaehnig said.
"Congress got a good start on the training aspects of cybersecurity strategy. The continued focus on CyberSentry and the hardening of the federal space are welcome advances. A nod of encouragement was given to a new generation of emergency protocols for cybersecurity, but this will certainly require additional funding from state and local partners to be successful."
Experts online noted that the grants to states and local governments specifically say the funding cannot be used for ransom payments to hackers.
Mark Carrigan, vice president of OT cybersecurity at Hexagon, said the $50 billion dedicated to improving the resiliency of power and water systems was an important part of the bill because it protects them against both cyberattacks and natural disasters. The Environmental Protection Agency and CISA will get a significant slice of the funding to beef up the security of water systems after a spate of attacks over the last year.
Implemented properly, this program could make a considerable difference by making the country's critical infrastructure more resilient to inevitable events -- hurricanes, droughts, floods, and cyber-attacks, Carrigan explained.
Some questioned whether enough people were working in cybersecurity to enact some of the measures in the bill and wondered whether government organizations would use the funding for one-time projects instead of looking at it as a recurring investment.
Lookout's federal sales engineer Victoria Mosby said the additional funding dedicated to increasing cybersecurity across all levels of the government will have a ripple effect across multiple vectors, not just the procurement of new tools.
"Funding will give many cybersecurity teams the funds needed to continue updating antiquated systems and procedures. Many of these changes will spread outside of infosec teams into general IT infrastructure and new policy adoption to account for moving certain systems to the cloud and allowing for increased remote working," Mosby said.
"Increased hiring to bolster existing security teams, and training to beef up the skills of existing professionals: with the increasing reliance on the cloud and a remote workforce, professionals need to have a better understanding of cloud security and the concept of 'zero trust'. It would be curious to see if some of those funds funnel down into K-12 and higher education to create new degree and certificate programs to bolster the incoming cyber workforce."
Other experts said it was important that the federal government is using the bill to require new cybersecurity programs protecting the development of new and existing highway, rail, and supply chain programs.
James McQuiggan, a security awareness advocate at KnowBe4, said these programs cover cybersecurity risk management and incident response, and require the use of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).
McQuiggan touted the measures in the modernization of transportation section (Division A) that say all supervisory control and data acquisition (SCADA) systems should contain security features for access control, prevent exploitation of the systems, and comply with the new cybersecurity requirements for the federal government's supply chain and the use of zero trust.
He also said the billions provided for programs expanding broadband access would come with upsides and downsides.
"Throughout the bill, there are many requirements for training. Training for cyber incident response, workforce development training, safety training, but missing is the need to increase a more robust cybersecurity culture within the government at the federal, state, and county levels," McQuiggan explained.
"Several key areas in the bill seem to focus on the symptoms of an issue and not the root cause. The broadband internet section (Division F - broadband) requests the implementation of higher internet speeds for people who don't have them within their areas. One item lacking is the need for the people benefitting from this to understand the internet's benefits and dangers. Broadband providers should provide free email filters for phishing and malicious attachments to reduce the risk of people falling victim to identity theft and loss of finances due to online scams."
Some cybersecurity experts echoed McQuiggan's concerns about the expansion of broadband access, noting how important it is for the country but also warning that it would introduce a host of cybersecurity issues. Perry Carpenter, chief evangelist and strategy officer at KnowBe4, said increased internet access for everyone would create a "richer" environment for cybercriminals.
"We are about to potentially see the largest infrastructure upgrade of our lifetimes. It will impact us, our children, and potentially our grandchildren," said KnowBe4's Carpenter. "It's imperative that we minimize mistakes of our past and start right. Build security in. Make it fundamental to how success is defined."