Nearly $2 billion in cybersecurity funds has been set aside as part of the $1 trillion bipartisan infrastructure bill recently approved by the Senate and sent to the House.
The money is designated to help the U.S. shore up its critical infrastructure against cyber attacks, such as the devastating Colonial Pipeline and JBS meat processor hijackings. The package also allocates funds to help state and local governments fortify defenses, fleshes out funding for the brand new National Cyber Director’s office and covers other areas of commitment and concern.
If the bill wins approval from Congress and President Biden, then MSSPs, MSPs and MDR service providers are certain to be influenced by the bill’s contents in customer engagements. Winners could include security service providers that work with state and local government agencies.
U.S. Cybersecurity Funding: Potential Spending Areas
A number of destinations where the money will land result from separately written cybersecurity measures introduced in Congress that didn’t or haven’t yet received an up or down vote. Should the infrastructure package pass the House, where it must navigate an increasingly mountainous trail, and maneuver around other Congressional stanchions, the cybersecurity funds will be distributed as follows:
- $1 billion in funds for state and local government grants to strengthen cybersecurity, as tied to the State and Local Cybersecurity Improvement Act.
- $140 million for the Cyber Response and Recovery Fund for DHS and the Cybersecurity and Infrastructure Security Agency (CISA) to provide direct support to breached agencies.
- $550 million for power grid cybersecurity.
- $157 million for DHS’ Science and Technology Directorate targeted at cyber research and development.
- $35 million for CISA's operations budget for risk management and stakeholder engagement through fiscal year 2026.
- $21 million in FY2022 for National Cyber Director Chris Inglis to stand up and staff his office, as remains from the FY2021 National Defense Authorization Act.
With the lion’s share of the cybersecurity funding potentially headed to support state and local government efforts, that portion of the bill has drawn notable attention from lawmakers and security providers.
“A cyberattack on a state or local government network can put schools, electrical grids, and crucial services in jeopardy,” said Sen. Maggie Hassan (D-NH), part of a group of bipartisan lawmakers who negotiated the funding. “Even though cyberattacks are becoming more and more common in today’s threat landscape, state and local governments often do not have the adequate resources to defend against them,” she said. “This new grant program will be a crucial resource for state and local governments, and I am very pleased that it is a part of our historic bipartisan infrastructure bill.”
Infrastructure Bill and Cybersecurity Spending: A Good First Step?
The cybersecurity allocation drew measured support from the cybersecurity community. While the infrastructure bill is a good start, there’s more to be done, especially at the state and local government level, said Purandar Das, co-founder and chief security evangelist at Sotero, an encryption-based security provider.
“As recent cyber-attacks have demonstrated, state and local governments are ripe targets due to their aging infrastructures that cannot protect data about their citizens,” Das said. “Any help that can prevent the loss of privacy of citizens and prevention of their information falling into the hands of criminals is a welcome start.”
More than $2 billion in discretionary funding allocated to CISA is line-itemed in President Biden’s FY 2022 proposed budget request sent to Congress in May. The $1.52 trillion budget outline, which in actuality serves only as a White House wish list, includes $52 billion for DHS, CISA’s umbrella agency. Inasmuch as each bill needs to pass Congress before becoming official and considering the small majority held by Democrats, it’s improbable that Biden’s budget will make it through both chambers intact.
CISA Budget: Potential Investment Areas
The CISA discretionary request amounts to a $110 million increase from the 2021 enacted level. Additional provisions in the FY 2022 discretionary budget proposal include:
- $20 million for a Cyber Response and Recovery Fund.
- $500 million for the Technology Modernization Fund.
- $750 million for IT enhancements to federal agencies.
- $128 million to expand scientific and technological research at the National Institute of Standards and Technology.
In late July 2021 the House passed a package of bipartisan bills that included the State and Local Cybersecurity Improvement Act, which provided $500 million for a grant program. Other bills that comprise the bundle:
- The Cybersecurity Vulnerability Remediation Act adds remediation of cybersecurity vulnerabilities to the DHS’ responsibilities. The bill previously passed the House in 2019 but did not receive a vote in the Senate.
- The Cyber Exercise Act directs CISA to create a special cybersecurity program to test the nation’s critical infrastructure defenses to thwart attacks.
- The Cyber Sense Act would require the Department of Energy to test the cybersecurity of products and technologies intended for use in the bulk-power system.
- The DHS Industrial Control Systems Capabilities Enhancement Act gives CISA the responsibility to maintain capabilities to identify threats to industrial control systems.
- The Domains Critical to Homeland Security Act is aimed at addressing vulnerabilities in U.S. supply chains.