Infrastructure Bill Features $1.9 Billion in Cyber FundingIncludes $1 Billion Cybersecurity Grant Program for State and Local Governments
The U.S. Congress on Friday passed the $1.2 trillion Infrastructure Investment and Jobs Act, a landmark bill from the Biden administration that will inject $1.9 billion in new cybersecurity funding for the federal government. The bill, long held up in Congress amid Democratic infighting, passed the House by a vote of 228-206, and now moves to the desk of Joe Biden, who plans to hold a signing ceremony following a congressional recess.
Among its cybersecurity components, the bill includes a $1 billion grant program to assist state, local, tribal and territorial governments in guarding against cyberthreats and modernizing systems - particularly around critical infrastructure. Funds will be dispersed by the Federal Emergency Management Agency, or FEMA, over four years beginning in 2022, under guidance from the U.S. Cybersecurity and Infrastructure Security Agency, or CISA, according to the bill.
Also wrapped into the bill: the Cyber Response and Recovery Act of 2021, providing $100 million for a Cyber Response and Recovery Fund to support cybercrime victims. The standalone measure was originally introduced in April by Sens. Gary Peters, D-Mich., chairman of the Senate Homeland Security and Governmental Affairs Committee, and Rob Portman, R-Ohio, the committee's ranking member.
The infrastructure bill also provides $21 million in hiring funds for Chris Inglis' Office of the National Cyber Director, which intends to employ as many as 25 professionals by the end of 2021, and eventually 75 to 80 overall.
The bill also mandates that the Environmental Protection Agency, or EPA, work with CISA to identify public water systems that, if compromised in a cyberattack, could jeopardize public health and safety. This measure follows new efforts from CISA to identify "primary systemically important entities," to protect systems from global cyberthreats (see: CISA Begins Program to Identify Critical Infrastructure).
The bill also aims to modernize the nation's aging infrastructure - including funds for roads and bridges, public transit, passenger and freight rail, electric vehicles, the electric grid, airports, and water and wastewater systems. It includes $65 billion for broadband access, particularly to improve internet services in rural areas via state grants.
President Biden has called the infrastructure bill the most significant advancement since the installation of the interstate highway system in the 1950s; the White House also says the funds will create some 2 million jobs per year over the next 10 years, according to The Associated Press.
"The Bipartisan Infrastructure Deal is the largest investment in the resilience of physical and natural systems in American history," the White House said in a fact sheet on the bill released on Monday. "The deal makes our communities safer and our infrastructure more resilient to the impacts of climate change and cyberattacks."
"The nearly $2 billion investment in protecting infrastructure against cyberattacks … is a good step in the right direction - particularly its focus on state and local government - but at most should be seen as a down payment," says Scott Shackelford, director of the cybersecurity and internet governance program at Indiana University.
Other cyber experts say similar legislation is crucial, as the U.S. remains vulnerable to nation-state attacks. Having a significant influx of federal dollars is "an excellent start" to "assist government areas" with their cyber posture, says Gregg Smith, chair of the Cybersecurity Association of Maryland, and co-founder and CEO of the firm Attila Security.
"There are a variety of needs that are going unaddressed, from ransomware mitigation and updating incident response plans and privacy policies, to local cyber hygiene training," IU's Shackelford says. "Hopefully, as these grant programs are rolled out, there will be opportunities to leverage trusted networks and institutions … to expand the pool and ensure that these funds are as impactful as possible."
On using the allocated funds efficiently, Lisa Plaggemier, interim executive director of the National Cybersecurity Alliance, says, "We need to make sure that money is funneled into people-centric cybersecurity strategies, such as training and awareness - not just the technology side of the equation. After all, a majority of cyberattacks still involve significant human error."
One of the bill's controversial provisions is a cryptocurrency tax reporting requirement that widens the definition of those deemed "broker," incorporating parties such as crypto miners. The measure was added to the bill in July after it was estimated that it could generate some $28 billion in new tax revenue.
The cryptocurrency clauses require all crypto transactions above $10,000 to be reported to the IRS, and despite eleventh hour efforts from a group of senators to narrow the definition of "broker," the measure moved forward unchanged.
The infrastructure bill was held up in Congress for months as Democrats grappled over spending totals and sought to tie the infrastructure bill to a separate $1.75 trillion spending plan - the Build Back Better bill - that would increase social spending.
That bill would provide another $500 million in cybersecurity funding for CISA, including $100 million for security around federal civilian systems, $50 million for cloud security, $50 million for industrial control systems, and $20 million for state, local and tribal governments.
The Build Back Better bill may face scrutiny in the Senate, where pundits expect the bill's totals to be reduced after resistance from moderate Democratic Sen. Joe Manchin of West Virginia.
Consensus on Incident Reporting
On Thursday, several senators announced that after reconciling two incident reporting bills, they aim to add a 72-hour reporting mechanism - and a 24-hour requirement for ransomware victims - to the must-pass 2022 defense spending bill (see: New Legislation Eyes Both Ransom, Incident Reporting).
Sen. Peters introduced an amendment to the National Defense Authorization Act for 2022 that would require critical infrastructure owners and operators, and civilian federal agencies to report to CISA if they experience a cyberattack and require most entities - including businesses, nonprofits and state and local governments - to report if they make a ransomware payment.
The amendment garnered support from Sens. Rob Portman, R-Ohio, and Susan Collins, R-Maine, along with Mark Warner, D-Va., chairman of the Senate Intelligence Committee, who in July co-sponsored a similar bill that narrowed the reporting window to 24 hours. Warner later said he had aimed to negotiate with his Senate colleagues and use the NDAA as a potential vehicle to passage (see: Senators Introduce Federal Breach Notification Bill).
"This bipartisan amendment will take significant steps to strengthen cybersecurity protections," Peters said in a statement. "And most importantly, (it) requires timely reporting of these attacks to the federal government so that we can better prevent future incidents and hold attackers accountable for their crimes."
This article has been updated to include comments from a White House fact sheet on the bill.