President Biden on Wednesday announced a $2 trillion infrastructure plan, offering a broad range of spending targets – including fixing roads and bridges, planting a nationwide electric vehicle charging network, greening the power grid, and rebuilding schools. Cybersecurity was not specifically mentioned as part of the infrastructure plan, but that won't prevent the plan from having profound impacts on cybersecurity.
Biden's "American Jobs Plan" comes as concerns are raised about an "overworked, understaffed" Cybersecurity and Infrastructure Security Agency (CISA) at the center of the federal government response system. With the majority of critical infrastructure in private hands and espionage and criminal threats only rising, many fear expanding the attack surface may exacerbate the problem.
"Right now, the government is so significantly underfunded in cybersecurity that you have to start at least by putting some money behind it. Less than $2 billion for CISA and $10 billion for Cyber Command aren't enough," said Tatyana Bolton, policy director of cybersecurity and emerging threats for the R Street Institute and a former cyber policy lead in CISA's Office of Strategy, Policy, and Plans.
"You want to be able to build the foundation of a house before you start adding window balances and putting up sconces on your walls," she said.
The infrastructure bill includes plenty of those sconces. It aims to fix 20,000 miles of roads and 10,000 bridges, modernize public transit and create EV charging stations. It seeks to institute nationwide broadband, weatherproof the electric grid and turn it green, and improve water systems, as well as "revitalize manufacturing, secure U.S. supply chains, invest in R&D, and train Americans for the jobs of the future," according to a fact sheet issued by the White House.
The ambitions of the bill, Bolton said, are important. But so, too, is ensuring the government is ready to handle that increase in workload.
Separately, at the RSA Conference on Wednesday, Homeland Security Secretary Alejandro Mayorkas outlined three 60-day "sprints" in cybersecurity for CISA, all of which will have an impact on infrastructure. The first sprint will focus on mitigating ransomware ("Let me be clear: ransomware now poses a national security threat," he said.), the second will focus on the workforce gap, and the third – most relevant to growing infrastructure – will focus on industrial control systems.
The sprints are independent of the workload that the new infrastructure plan might create for CISA.
"They're overwhelmed," said Tom Kellermann, head of cybersecurity strategy for VMware. Kellerman has served in several federal cybersecurity roles and keeps in contact with people at the agency. "There is a human capital shortage over there. And, frankly, their budget is minuscule compared to the task at hand."
Kellermann said any infrastructure bill should include funding for CISA, including salary exemptions to keep its own workforce from jumping to the private sector. He added that an increase in electric grid infrastructure should be accompanied by more regulatory authority for NERC (North American Electric Reliability Corporation) and FERC (Federal Energy Regulatory Commission), and threat hunting authority for CISA.
And all infrastructure programs could warrant their own sector-specific cybersecurity requirements. Modernizing the traffic and public transportation systems, he said, for example, might necessitate new policies or controls to prevent the exploitation of breaching of smart city systems.
In a statement, a representative for CISA told SC Media "“As technology and the threat landscape evolve, CISA must also. The agency is looking at ways to build upon our existing strengths and improve our capabilities going forward. The American Rescue Act makes a down payment on these efforts. Updating the cybersecurity defenses and the technology backbone for our critical infrastructure is essential as we work together collectively to defend today and secure tomorrow.”
Though Biden's proposal does not explicitly mention cybersecurity, it does address the resiliency of the nation's electric grids in the context of natural disasters. Considering the Biden administration's earlier rhetoric about addressing industry-specific concerns within a year, Tobias Whitney, vice president of energy security solutions at Fortress Security and former senior manager of critical infrastructure security at NERC, believes that leaving out cybersecurity was deliberate.
"It was not terribly surprising to me that, at least right out of the gate, there wasn't an express focus, an explicit focus on cybersecurity," he said. "However, I think there's more of an implicit focus to make sure that we're safeguarding critical infrastructure, that we're focusing on resiliency."
Newer technology could be a boon to security, but it can also rub against some of the dogma associated with industrial control security.
"An enormous part of the cyber risk to critical infrastructures is due to technology obsolescence," said Grant Geyer, chief product officer for infrastructure security provider Claroty.
"Even without specific provisions earmarked for cybersecurity, an investment in improving the obsolescent infrastructure would be a nontrivial opportunity to address a lot of long-standing challenges that threaten resiliency," Geyer continued.
Newer equipment is easier to harden, but increased functionalities – particularly cloud-based platforms – create a growing number of fronts to secure.
But any benefits to security could dissipate over time, Geyer noted, if there is no additional investment in creating new workforce or maintaining and continually hardening the infrastructure.
"The devil is in the details," Geyer said. "Or else we'll wind up in the same situation several years down the road."