The infrastructure bill signed by U.S. President Joe Biden contains about $2 billion set aside for cybersecurity investments. Half of that funding, Cybersecurity Dive reports, “is for the State, Local, Tribal and Territorial (SLTT) Cyber Grant Program within the Cybersecurity and Infrastructure Security Agency (CISA) over four years.”
Joseph Marks reports in The Washington Post that “State and local governments are preparing for a windfall of cyber funding that could fundamentally reshape their digital defenses.” Marks continues, “The $1 billion grant program – provided in the recently-passed infrastructure bill – marks by far the largest-ever federal investment in state and local cybersecurity.” At CYRIN, we’ve written often about the rise in ransomware attacks – on corporations and municipalities and universities – and the high price tag recovering from such attacks carries. Previously, federal funding for state and local cybersecurity was a “tiny percentage of an annual Department of Homeland Security grant program aimed at combating terrorism and other threats.”
This year, funding for that program was $75 million; last year, around $50 million. But the infrastructure bill contains $2 billion in cyber money. According to Marks, “Such a huge infusion of cash has the potential to revolutionize how state and local governments protect themselves from hacking — especially small towns and rural areas that often don’t employ a single IT person, let alone a cyber expert.”
As reported in CSO, the $1 billion in cyber money is to help state, local, tribal and territorial governments protect themselves from malicious actors and modernize systems to protect sensitive data, information, and public critical infrastructure. The Federal Emergency Management Agency (FEMA), which runs the Department of Homeland Security's (DHS’s) existing grant programs, will provide the funds over four years starting in fiscal year 2022, with the Cybersecurity and Infrastructure Security Agency (CISA) serving as a subject matter expert.
The bill also incorporates the Cyber Response and Recovery Act of 2021, which authorizes $100 million over five years to help the government quickly respond to cybersecurity intrusions. Another notable provision is $21 million in funding for the newly created office of the National Cyber Director (NCD) to hire qualified personnel to support its essential cybersecurity mission. The bill further requires the Environmental Protection Agency (EPA) and CISA to identify public water systems that, if degraded or rendered inoperable due to a cyber-attack, would lead to significant impacts on the health and safety of the public.
According to The Washington Post, the program mandates that 80 percent of the $1 billion funding goes to local governments, and 25 percent must go to rural areas. The hope is that the program will encourage states and localities to invest in cybersecurity, making that kind of spending a regular part of their budgets.
Some of the priorities include:
Cybersecurity Dive is reporting that the infrastructure bill ties cyber with physical investments, signaling the government’s commitment to empowering “cross-sector information sharing, transportation-related security mandates, and identification of the nation’s most vulnerable critical infrastructure.” It’s a recognition of the vulnerabilities of critical infrastructure as well as an attempt to regulate certain industries, like transportation and energy. “Within two years of the bill passing, the legislation mandates the Administrator of the Federal Highway Administration to develop a tool for the transportation authority to identify, detect, protect, and respond to cyber incidents. The tool will incorporate frameworks provided by the National Institute of Standards and Technology (NIST) and coordinate with the Transportation Security Administration (TSA) and CISA.” In addition, “the bill calls on a public-private sector partnership for electric utilities, to in part develop voluntary implementation of maturity models, self-assessments, auditing methods, and advancing the cybersecurity of third-party vendors manufacturing components for the grid.”
There are some challenges: several groups and stakeholders are not fully on board with regulations that some agencies and the administration would like to implement, and there has been pushback from some members of Congress and industry. In fact, there are fears that the cyber bipartisanship might fracture over regulations, The Washington Post reports: “House Republicans are lining up against expanding cybersecurity regulations to new industry sectors, calling them burdensome and ill-fitting. Their opposition complicates the Biden administration’s plans to raise the nation’s protections against a barrage of ransomware attacks.” They expressed skepticism that Congress and federal agencies can effectively regulate cybersecurity and not make a mess of it. Here’s Rep. Thomas Massie (R-Ky.): “Asking this committee to come up with standards for platforms in cybersecurity is a little bit like asking my cattle to write a term paper on one of Shakespeare’s works. We’re just not qualified to do it.”
But those in support of the bill insist it’s high time for the government to support the fight against ransomware attacks and address the vulnerabilities of critical infrastructure. As Sonia Weiser writes in The Boston Globe, “Every second, $190,000 is lost to cybercrime and the situation has only gotten more dire during the COVID-19 pandemic. According to the FBI, since the start of the pandemic, the number of reported cybercrimes has increased by 300%, and by 2025, the anticipated cost of global cybercrime will amount to $10.5 trillion.”
We’ve written a lot about the demand for and shortage of cybersecurity professionals. With this influx of funding for cyber, there will be an even greater demand for employees trained and ready to defend and protect. Where will these workers come from? There are some important U.S. government efforts located in the Department of Homeland Security. There are also new training initiatives in a bipartisan bill from Senators Hassan and Cornyn for CISA training and a program within the Department of Veterans.
The private sector has also indicated it will step up initiatives. According to Cybersecurity Intelligence, Microsoft plans to halve the United States' cyber security workforce shortage by 2025 by pouring resources into training programs. But there are still significant scarcities, which means there will need to be a significant increase in training from other sources like CYRIN, from colleges and universities, from the private sector, and from state partnerships such as state/private sector workforce development efforts.
At CYRIN we know that as technology changes, a cybersecurity professional needs to develop the skills to evolve with it. We offer that development with “hands-on” training, and our courses teach fundamental solutions that integrate actual cyber tools from CYRIN’s labs, which allow you to practice 24/7, in the cloud, with no special software required. These tools and our virtual environment are perfect for a mobile, remote workforce. People can train at their pace, with all the benefits of remote work, remote training, and flexibility. Cyber is a team effort. To see what our team can do for you, take a look at our course catalog, or better yet, contact us for further information and your personalized demonstration of CYRIN. Take a test drive and see for yourself!