White House Highlights Cybersecurity Benefit in Infrastructure Package

President Joe Biden is set to sign into law a $1.2 trillion bill aimed at improving the resilience of the nation’s infrastructure in the face of physical and cyber threats, including a massive investment to defend against malicious attacks. 

“The Bipartisan Infrastructure Deal is the largest investment in the resilience of physical and natural systems in American history,” reads a fact sheet the White House released Monday reacting to passage of the bill by the House of Representatives Friday evening. “The deal makes our communities safer and our infrastructure more resilient to the impacts of climate change and cyber-attacks, with an investment of over $50 billion to protect against droughts, heat, and floods – in addition to a major investment in the weatherization of American homes.”

The bipartisan legislation passed the Senate in August. The final package includes $1 billion for state, local, tribal and territorial governments to modernize their systems to deter cyber attacks, creates a $100 million cyber response and recovery fund that will be accessible to private-sector owners of critical infrastructure, and puts $21 million toward staffing the Office of the National Cyber Director, according to a release Saturday from Senate Homeland Security and Governmental Affairs Committee Chairman Gary Peters, D-Mich. 

“Recent cyber-attacks have hit everything from government offices to critical infrastructure companies. These assaults show that adversaries and criminal organizations will continue exploiting our network vulnerabilities to disrupt American lives,” Peters said. “Now that these provisions have passed both chambers as a part of the bipartisan infrastructure bill—I urge the president to sign them into law as soon as possible so we can strengthen cybersecurity in local communities across the nation, safeguard Americans’ personal information, and provide our national security agencies with more resources to deter attacks and help public and private entities, such as critical infrastructure companies, recover from them.”

The response and recovery fund would be controlled by the Homeland Security secretary who, consulting with the National Cyber Director, would have the power to declare a significant incident that could trigger a release of its resources to address. It was originally allocated $20 million over seven years, but is now set to receive $100 million over five years, according to the Peters press release.

“Recent cyber-attacks against critical infrastructure companies, such as the network breach of a major oil pipeline, highlighted the urgent need to secure, and if necessary support recovery efforts for, these systems when they experience major breaches,” Peters said.

The final infrastructure package also includes a provision requiring the Environmental Protection Agency to work with the Cybersecurity and Infrastructure Security Agency to identify public water systems vulnerable to cyberattacks that would threaten the essential service. EPA and CISA would create a Technical Cybersecurity Support Plan for their agencies to address weaknesses in the sector with red-teaming and other appropriate cybersecurity practices.

“This plan would establish timelines for making specific services, such as penetration testing, site vulnerability assessments, and risk assessments, available to local governments,” Peters said. “The provision would help prevent cyber-attacks against public water systems, such as the breach of a Florida wastewater treatment plant's computer system last year that allowed hackers to temporarily tamper with Americans’ water supply.”