The 2,700-page $1 trillion infrastructure bill passed by the US Senate earlier this month still has the House of Representatives to get through.
In addition to sizable investments in roads and bridges, public transit, utilities, and broadband internet, it includes nearly $2 billion for cybersecurity. More than half of that will go to help state, local, and tribal governments.
There's also a Cyber Response and Recovery Fund for use by the Cybersecurity and Infrastructure Security Agency (CISA) to assist both local governments and private entities hit with cyberattacks.
The bill shows a tremendous amount of desire for more public-private cooperation, said Mark Testoni, president and CEO at SAP National Security Services. "Which I think is critically important. We have to find ways for small businesses and the government to share threat information. We want to get companies to come forward and say, 'I’ve been attacked.'"
There's also money for cyber research and development programs at the Department of Homeland Security, cybersecurity improvements for the electric grid, and an increase to CISA’s operating budget.
Data center providers will need to improve security to meet government requirements but may also do more business with local governments moving from on-prem to external providers, including SaaS, cloud, hybrid, and colocation facilities.
Data center managers working for state, local, and tribal governments will now have access to funds to invest in their operations.
Private enterprise data center managers may see cybersecurity benefits as a result of CISA's increased funding and enforcement authority.
Public Cybersecurity Funds in Infrastructure Bill May Boost Security-Focused Vendors
Global data center and colocation provider Cyxtera Technologies, which has a sizable US federal government business, is already making security investments to meet growing government demand.
And it's not just government clients who will require increased security, said Leo Taddeo, CISO at Cyxtera.
"As the government ramps up cybersecurity, the private sector will be close behind," he told DCK. "For example, the financial, energy, and pharmaceutical sectors often require the same level of security as government agencies."
That means that the data center industry will need to meet the strict cybersecurity requirements in the CMMS, FISMA, and FedRAMP frameworks, he said.
Meanwhile, as federal agencies get funding and can afford to hire more cybersecurity professionals, they'll be able to accelerate their digital transformations, he said – and move to secure cloud environments.
Some of the funding will also be directed to improving resiliency, Taddeo said. "Many agencies will turn to commercial colocation providers for disaster recovery solutions."
Local Government Cybersecurity Funds in Infrastructure Bill
The bill allocates $1 billion in grant money to be given out to state and local governments to help them strengthen their defenses against ransomware and other cyberattacks.
"This grant money will give those municipalities that didn't have resources previously to implement those things that maybe were out of reach," said Mike Del Giudice, national cybersecurity leader at Crowe, a global technology consulting firm. "Like multifactor authentication, or endpoint detection and response."
The specifics, such as technologies that might be prioritized, aren't known yet, he said. "As they formalize the grant process there might be more direction. But I think multifactor and backups will be looked at favorably, as well as EDR solutions, logging solutions, things that help prevent potential security events."
Funds for Federal Cybersecurity Efforts, Including Security for the Power Grid
Of the rest of the money, more than half, $550 million, will go toward securing the power grid.
The bill also provides $140 million annually to CISA for a Cyber Response and Recovery Fund. The agency could use that money to help state and local governments respond to cybersecurity incidents.
Some of the funds CISA would get could also go to private companies. The agency would get $35 million for its operations budget for risk management and stakeholder engagement. That includes vulnerability assessments and mitigation, technical incident mitigation, malware analysis, analytic support, threat detection, and hunting and network protection. The money could also be used to help private companies and governments with hardware and software to improve their security and provide them with contract personnel support.
"The infrastructure bill gives [CISA] the authority and the funding to go into a private sector company and assist them in getting back to normal," Steve Turner, an analyst at Forrester Research, said.
He admitted that the total amount of money CISA would get for this isn't all that big compared to, say, the funds allocated for state and local governments. "That's probably on purpose. At the end of the day, the government does want to keep a balance between public and private."
There's also up to $21 million in additional funding for the newly created Office of the National Cyber Director in the Executive Office of the President. And there's nearly $160 million for the Department of Homeland Security Science and Technology Directorate to work on critical infrastructure security and resilience research, development, and testing.
It doesn't just cover the usual types of threats. For example, there's a specific provision to research defenses against electromagnetic pulses, which can be caused by lightning or EMP weapons, and against geomagnetic storms caused by solar flares.
Finally, the bill directs the Federal Highway Administration to help transportation authorities better respond to cyberattacks and directs the Federal Energy Regulatory Commission to ensure that electric utilities are investing in cybersecurity and sharing data about potential threats.
The Infrastructure Bill Is the Carrot -- The Stick May Come Later
One thing the bill does not do is punish companies or governments for not having their cybersecurity defenses and disaster recovery plans up to snuff. For example, lawmakers could make it illegal to send ransomware payments to cybercriminals, or prohibit insurance companies from reimbursing clients for ransom payouts.
"They haven't established anything like that in this bill," said Forrester's Turner. "But I'm almost certain they're building a pathway to that. They’re trying to build up all the appropriate programs and systems to get people to a good enough point, so they can build a pathway to outlawing payments to these folks."