President Joe Biden speaks about the $1.2 trillion Infrastructure Investment and Jobs Act at the Port of Baltimore on November 10, legislation he’s expected to sign today. Columnist Sam Curry of Cybereason says that while the $2 billion allocated for cyber is a drop in the bucket, the Biden administration’s continued focus on cybersecurity bodes well for the industry. (Photo by Drew Angerer/Getty Images)

President Biden today will sign the Infrastructure Investment and Jobs Act that Congress finally passed a little more than a week ago – landmark legislation that commits $1.2 trillion to upgrading and modernizing the nation’s infrastructure. While it’s a drop in the bucket of the overall $1.2 trillion, the new law will commit nearly $2 billion specifically to improving the nation’s cybersecurity.

What can we do with $2 billion? Well, about half of that money has been provisioned for a grant program designed to help state, local, tribal, and territorial governments improve their cybersecurity. FEMA will work with CISA to allocate the funds over the next four years so that those governments can update their security posture and improve their ability to protect sensitive data and critical infrastructure from malicious threat actors.

Some $100 million of the money has been devoted to a Cyber Response and Recovery Fund. Congress will spread the funding out over five years to enhance the ability of the federal government to respond to cybersecurity events and intrusions quickly and effectively.

The National Cyber Director will receive just over $20 million to hire qualified personnel and build out a team. The recently created office serves as a principal advisor to the President on cybersecurity policy and strategy, as well as engagement with cybersecurity industry and international stakeholders.

More than half a billion dollars of the funds are dedicated to improving protection of the energy grid. There’s $250 million allocated for the Rural and Municipal Utility Advanced Cybersecurity Grant and Technological Assistance Program, which requires the Department of Energy to create a program to provide grants and technical assistance to help electric utilities improve their ability to detect, respond to, and recover from cyber threats. Another $350 million is targeted for various programs to enhance electric grid security and resiliency.

The legislation also includes crucial efforts to protect critical infrastructure. The bill mandates that the Environmental Protection Agency and CISA must identify public water systems that could have a significant impact on the health and safety of the public should they become degraded or disrupted by a cyberattack.

Improving our defenses and protecting critical infrastructure

Expect a significant investment in overhauling and improving cybersecurity for the nation’s infrastructure, an effort that’s been building all year. For starters, we already have other initiatives like last May’s Executive Order mandating that federal agencies deploy an endpoint detection and response solution, and the recent directive from CISA requiring government agencies to quickly remediate vulnerabilities known to be exploited in the wild. There are also recent efforts to coordinate with the private sector and global allies to defend against ransomware.

One word that comes up over and over in this legislation is “resilience.” There are projects to increase resilience to cybersecurity vulnerabilities for our water system infrastructure, and projects to fund resiliency of the National Highway System against issues, including cyber threats.

This shows an important shift in mindset. A focus on resilience recognizes that we cannot expect 100% prevention. The new law focuses on detection and response to identify and stop attacks, and embraces a philosophy that cybersecurity must continue to adapt as threats evolve.

That said, the cybersecurity funding in this bill represents only a start. The U.S. government and critical infrastructure are massive. While $2 billion isn’t a trivial amount of money, it’s also not nearly enough to address every cybersecurity challenge at once.

Although it’s a huge step in the right direction, let’s be clear: it is only one step. Still, we are not even a full year into Biden’s term, and the President and his administration have continued to take measurable steps to strengthen our security posture. More important than focusing on the specific elements of this legislation, we must maintain the momentum and continue building a culture of continuous investment and improvement in cybersecurity.

Speaking of maintaining momentum, we may soon have significantly more budget allocated for cybersecurity. The Build Back Better bill—which has been working its way through the legislative process in Congress—also proposes about $500 million in cybersecurity spending. That money could potentially go to securing federal civilian systems that are not “national security systems,” improving industrial control systems security, and an effort to migrate state, local, and tribal government websites to the .gov domain.

However, with the political season in high gear, it remains to be seen whether the bill will pass, or what cyber provisions the final version will contain if it does. The cyber industry will certainly take a back seat to many other physical infrastructure projects, but over the past year it has become very clear that cybersecurity is, and will remain, an important priority for the Biden administration.

Sam Curry, chief security officer, Cybereason