National infrastructure plan could replace insecure old equipment, but also strain CISA


Following on the heels of President Biden introducing his American Rescue Plan (pictured here), the American Jobs Plan is a national infrastructure initiative that will have a palpable impact on cybersecurity. (Photo by Stefani Reynolds-Pool/Getty Images)

President Biden on Wednesday announced a $2 trillion infrastructure plan, offering a broad range of spending targets – including fixing roads and bridges, planting a nationwide electric vehicle charging network, greening the power grid and rebuilding schools. Cybersecurity was not specifically mentioned as part of the infrastructure plan, but that won’t prevent the plan from having profound impacts on cybersecurity.

Biden’s “American Jobs Plan” comes as concerns are raised about an “overworked, understaffed” Cybersecurity and Infrastructure Security Agency (CISA) at the center of the federal government response system. Yet even without a cybersecurity mandate as part of the bill, critical infrastructure experts believe merely replacing outdated equipment could provide an immediate boost to industrial cybersecurity.

“Right now, the government is so significantly underfunded in cybersecurity that you have to start at least by putting some money behind it. Less than $2 billion for CISA and $10 billion for Cyber Command aren’t enough,” said Tatyana Bolton.

“You want to be able to build the foundation of a house before you start adding window balances and putting up sconces on your walls,” she said.

The infrastructure bill includes plenty of those sconces. It aims to fix 20,000 miles of roads and 10,000 bridges, modernize public transit and create EV charging stations. It seeks to institute nationwide broadband, weatherproof the electric grid and turn it green, and improve water systems, as well as “revitalize manufacturing, secure U.S. supply chains, invest in R&D, and train Americans for the jobs of the future,” according to a fact sheet issued by the White House.

The ambitions of the bill, Bolton said, are important. But so too is ensuring the government is ready to handle that increase in workload.

Separately, at a virtual conference hosted by RSA on Wednesday, Homeland Security Secretary Alejandro Mayorkas outlined three 60-day “sprints” in cybersecurity for CISA, all of which will have an impact on infrastructure. The first sprint will focus on mitigating ransomware (“Let me be clear: ransomware now poses a national security threat,” he said.), the second will focus on the workforce gap, and the third – most relevant to growing infrastructure – will focus on industrial control systems.

The sprints are independent of the workload that the new infrastructure plan might create for CISA.

“They’re overwhelmed,” said Tom Kellermann, head of cybersecurity strategy for VMware. Kellermann has served in several federal cybersecurity roles and keeps in contact with people at the agency. “There is a human capital shortage over there. And, frankly, their budget is minuscule compared to the task at hand.”

Kellermann said any infrastructure bill should include funding for CISA, including salary exemptions to keep its own workforce from jumping to the private sector. He added that an increase in electric grid infrastructure should be accompanied by more regulatory authority for NERC (North American Electric Reliability Corporation) and FERC (Federal Energy Regulatory Commission) and threat hunting authority for CISA.

And all infrastructure programs could warrant their own sector-specific cybersecurity requirements. Modernizing the traffic and public transportation systems, he said, for example, might necessitate new policies or controls to prevent the exploitation or breaching of smart city systems.

Though Biden’s proposal does not explicitly mention cybersecurity, it does address the resiliency of the nation’s electric grids in the context of natural disasters. Considering the Biden administration’s earlier rhetoric about addressing industry-specific concerns within a year, Tobias Whitney, vice president of energy security solutions at Fortress Security and former senior manager of critical infrastructure security at NERC, believes that leaving out cybersecurity was deliberate.

“It was not terribly surprising to me that at least right out of the gate, there wasn’t an express focus, an explicit focus on cybersecurity,” he said. “However, I think there’s more of an implicit focus to make sure that we’re safeguarding critical infrastructure, that we’re focusing on resiliency.”

Newer technology could be a boon to security, but it can also rub against some of the dogma associated with industrial control security.

“An enormous part of the cyber risk to critical infrastructures is due to technology obsolescence,” said Grant Geyer, chief product officer for infrastructure security provider Claroty.

“Even without specific provisions earmarked for cybersecurity, an investment in improving the obsolescent infrastructure would be a nontrivial opportunity to address a lot of long-standing challenges that threaten resiliency,” Geyer continued.

Newer equipment is easier to harden, but increased functionalities – particularly cloud-based platforms – create a growing number of fronts to secure.

But any benefits to security could dissipate over time, Geyer noted, if there is no additional investment in creating a new workforce, and in maintaining and continually hardening the infrastructure.

“The devil is in the details,” Geyer said. “Or else we’ll wind up in the same situation several years down the road.”