3rd Party Risk Management , Fraud Management & Cybercrime , Fraud Risk Management
Biden's Infrastructure Plan: 3 Cybersecurity ProvisionsFunding for Supply Chain Security, Electrical Grid Enhancements, R&D
Projects with potential cybersecurity components included in a $2 trillion infrastructure spending proposal that the Biden administration unveiled Wednesday include upgrading the aging and insecure electrical grid, addressing supply chain vulnerabilities and supporting research on artificial intelligence and quantum computing.
Greg Touhill, a retired U.S. Air Force brigadier general who served as the country's first federal CISO, says that while these projects are important, he had hoped the spending plan would provide funding to upgrade the nation's aging cybersecurity infrastructure.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
"I'm concerned that the public pronouncements don't give greater emphasis to investments in innovative new technologies and enablers that accelerate the 'zero trust' security strategy," says Touhill, who is now CEO of Appgate Federal. "There are some great opportunities to use this funding to retire aging and increasingly vulnerable technology, such as VPNs, and invest in modern capabilities, such as software-defined perimeter technology that is more effective, efficient and secure."
Megan Stifel, the executive director of the Americas for the Global Cyber Alliance and a former director of cyber policy at the National Security Council during the Obama administration, also notes that while the White House's proposal addresses cybersecurity at the edges, she hoped the spending bill would have more specifics. She believes the administration and Congress should craft separate legislation to address these concerns.
"I would have liked to have heard specific reference to enhancing the security of these new technologies including by adding training for the cybersecurity jobs needed for these advancements to be sustainable," Stifel says. "Including such references sends a signal not only to U.S. industry that cybersecurity is an administration priority, but also internationally, to potential customers and partners who also need to be more deliberate about their own cybersecurity."
Here's a closer look at three cybersecurity-related components of the infrastructure proposal:
1. Electrical Grid Improvements
The proposal calls for spending $50 billion on "infrastructure resilience," which includes projects designed to enhance the electrical grid, food systems, urban infrastructure and community health and hospitals.
The U.S. Government Accountability Office recently released a report that criticized the Department of Energy for failing to address cyberthreats to the grid's distribution systems, which deliver electricity directly to customers (see: Senators Raise Concerns About Energy Dept. Cybersecurity).
"This plan would do a generational investment in upgrading and reorienting our power infrastructure in this country for the carbon-free electric future that we're headed toward, investing in transmission, in storage, in grid resilience," says a senior Biden administration official who briefed reporters.
And while the proposal does not specifically target money for cybersecurity, some of the funds spent on enhancing the grid likely will be used to reduce cyberthreats, says Tom Kellermann, head of cybersecurity strategy for VMware. He's a member of the Cyber Investigations Advisory Board for the U.S. Secret Service.
"The most significant element of this plan is the modernization of the electric grid," Kellermann says. "This modernization effort is of paramount importance for the economy, and it will dramatically increase the systemic cyber risk to the sector. Vigilant digital transformation of the sector will be fundamental. Cybersecurity should be viewed as a cornerstone of this modernization effort."
Sagar Samtani, an assistant professor at Indiana University's Kelley School of Business, says that any effort to modernize the electrical grid would likely improve cybersecurity as well.
"These proposals appear to address a critical need within the U.S. of modernizing some of the nation's most critical infrastructure," Samtani says. "The grid and power services have long been the target for many malicious hackers. The infrastructure plan seems to account for this, and therefore is considering more 'cybersecurity by design' in the development of the grid services."
2. Addressing Supply Chain Issues
The Biden administration is proposing spending billions on the nation's supply chains to reduce risks and strengthen domestic manufacturing.
For example, it calls for spending $50 billion to create an office at the Department of Commerce dedicated to monitoring domestic industrial capacity and funding investments to support the production of critical goods. Plus, it recommends investing $50 billion in domestic semiconductor manufacturing and research.
In February, Biden signed an executive order requiring a federal review of supply chain risks for semiconductors as well as a review of the supply chain risks for information and communications technology and the pharmaceutical industry (see: Executive Order Focuses on Supply Chain Risk Management).
The recent SolarWinds supply chain attack led to follow-on attacks that federal investigators say affected nine federal agencies as well as 100 private firms (see: SolarWinds Attack Illustrates Evolving Russian Cyber Tactics).
The White House is likely to directly address the issues raised by the SolarWinds attack through a series of executive orders, which Deputy National Security Adviser Anne Neuberger says will be released in the coming weeks. Security experts say these orders could include sanctions against those responsible for the attack as well as changes in how the government approaches security, such as creating a rating system and security scorecard for U.S. software.
Darren Hayes, associate professor at the Seidenberg School of Computer Science and Information Systems at Pace University in New York, believes that the Biden spending plan should include provisions that give organizations even more insight into the origins of the technologies that they are purchasing.
"Ensuring that companies receive proper intelligence about the supply chain providers is critical," Hayes says. "It is not just cybersecurity tools, however, that put these companies at risk; a photocopier that is added to a network could potentially contain malware and provide a backdoor to a network for a foreign government."
3. Research and Development
The Biden proposal is also heavy on spending for research and development. For example, it calls for providing $50 billion to the National Science Foundation to address issues ranging from artificial intelligence to biotechnology.
It also calls for spending $15 billion for a host of other R&D projects, including quantum computing research.
A report released earlier this month by the National Security Commission on Artificial Intelligence found that the U.S. is in danger of falling behind China and Russia in developing AI technologies and countering cybersecurity threats that could develop as AI use becomes more widespread (see: AI Supremacy: Russia, China Could Edge Out US, Experts Warn).
Funding Already Approved
The recently enacted $1.9 trillion coronavirus relief package, known as the American Rescue Plan, allocated $650 million to the U.S. Cybersecurity and Infrastructure Security Agency for "cybersecurity risk mitigation" as well as $1 billion for the General Services Administration to spend on IT modernization projects (see: Relief Package Includes Less for Cybersecurity).