Lack of cyber funds in Biden infrastructure plan raises eyebrows

Lack of cyber funds in Biden infrastructure plan raises eyebrows
© Getty Images

President BidenJoe BidenOvernight Defense: Senate panel adds B to Biden's defense budget | House passes bill to streamline visa process for Afghans who helped US | Pentagon confirms 7 Colombians arrested in Haiti leader's killing had US training On The Money: Senate braces for nasty debt ceiling fight | Democrats pushing for changes to bipartisan deal | Housing prices hit new high in June Hillicon Valley: Democrats introduce bill to hold platforms accountable for misinformation during health crises | Website outages hit Olympics, Amazon and major banks MORE's $2.25 trillion infrastructure plan does not include any funds to protect critical infrastructure against cyberattacks, even as the threat grows against targets such as the electric grid.

Experts say it was disappointing to see there were no funds set aside to defend systems critical to everyday life from hackers, particularly as the proposal calls for things like $100 billion for improving grid resiliency, the creation of new jobs and developing more clean electricity.

“It is a bit of an eyesore of not seeing a more prominent listing of cybersecurity in this, but I think there will be more to come,” said Tobias Whitney, vice president of energy security solutions at Fortress Information Security, which works with grid operators.

ADVERTISEMENT

The cybersecurity of the grid has become an area of increasing concern in recent years as hackers have ratcheted up efforts to target critical systems. Those efforts accelerated during the COVID-19 pandemic.

Officials on Capitol Hill warned last year that foreign adversaries had the ability and were actively attempting to disrupt the grid during the pandemic. The 2019 Worldwide Threat Assessment compiled by former Director of Intelligence Dan CoatsDaniel (Dan) Ray CoatsFormer Trump officials including Fiona Hill helped prepare Biden for Putin summit: report Will the real Lee Hamiltons and Olympia Snowes please stand up? Experts see 'unprecedented' increase in hackers targeting electric grid MORE found that Russia, China and Iran were all capable of launching cyberattacks that “cause localized, temporary disruptive effects on critical infrastructure.”

The Government Accountability Office, in a report last month, highlighted how distribution systems within the U.S. grid are increasingly vulnerable to cyberattacks.

The warnings aren’t theoretical either.

Grid disruptions have taken place in recent years, with a cyberattack on an undisclosed Western utility in 2019. And in February, frigid temperatures caused millions in Texas to lose power and put lives in danger, underscoring the crippling effect of any disruption to the electric grid.

Jim Cunningham, the executive director of Protect Our Power, told The Hill that “the grid is attacked millions of times per day,” and noted that his organization is urging the Biden administration and Congress to invest between $20 billion and $25 billion to secure it.

ADVERTISEMENT

“I think it is absolutely an essential part of any infrastructure plan,” Cunningham said. “The reality is the tragedy that we witnessed in Texas a short time ago thankfully only lasted a week, week and a half ... but if the grid goes down, we’re looking at months, maybe God forbid even a year. So electricity plays a critical role in the functioning of our society.”

Marty Edwards, vice president of OT security at cybersecurity group Tenable, said the Biden administration needs to make cybersecurity a component of infrastructure.

“Any critical infrastructure modernization must take cybersecurity into account from the start,” Edwards said in a statement to The Hill. “As we become more and more reliant on the electric grid, increasingly advanced adversaries are looking to disrupt our way of life in any way possible, including by attacking our most critical infrastructure.”

While the proposed infrastructure package did not include specific cybersecurity funds, the administration has taken some steps toward addressing national security risks in cyberspace, particularly in the wake of recent massive foreign cyber espionage incidents.

President Biden will soon sign an executive order that, according to administration officials, will include about a dozen actions to improve federal cybersecurity. Biden also spearheaded the inclusion of $650 million in the recently enacted COVID-19 relief package for the Cybersecurity and Infrastructure Security Agency (CISA), along with millions more in technology modernization funds.

On electric grid security, Bloomberg News reported this week that administration officials including Energy Secretary Jennifer GranholmJennifer GranholmOVERNIGHT ENERGY: Western wildfires prompt evacuations in California, Oregon| House passes bill requiring EPA to regulate 'forever chemicals' in drinking water | Granholm announces new building energy codes Granholm announces new building energy codes Annual Energy Department report finds slight recovery in energy industry jobs MORE briefed top utility executives last month on a new plan to defend the U.S. grid from cybersecurity threats.

A National Security Council spokesperson told The Hill on Thursday that the administration "is committed to safeguarding the cybersecurity of U.S. critical infrastructure from persistent and sophisticated threats” and has “launched a 100 Day Control Systems cybersecurity initiative, working closely with the private sector that manages much of this critical infrastructure like those for electricity and water, to improve cybersecurity."

There is bipartisan interest on Capitol Hill to address vulnerabilities in the grid.

A group of leading bipartisan senators on the Senate Energy and Natural Resources Committee sent a letter to Granholm last month urging her to ensure cybersecurity of the electric grid remains a priority.

“The reliability and resilience of the electric grid is critical to the economic and national security of the United States,” the lawmakers, led by Sens. James Risch (R-Idaho) and Angus KingAngus KingSenate falling behind on infrastructure Hillicon Valley: Senators introduce bill to require some cyber incident reporting | UK citizen arrested in connection to 2020 Twitter hack | Officials warn of cyber vulnerabilities in water systems Bipartisan group says it's still on track after setback on Senate floor MORE (I-Maine), wrote in the letter.

Risch told The Hill in a separate statement Thursday that “securing our critical energy infrastructure is one of the most pressing national security issues facing our nation.”

“There is strong bipartisan agreement that protecting the electric grid and other critical infrastructure is of paramount importance and must be a key component of any plan,” he added.

A spokesperson for Sen. John BarrassoJohn Anthony BarrassoOvernight Energy: Senate panel advances controversial public lands nominee | Nevada Democrat introduces bill requiring feds to develop fire management plan | NJ requiring public water systems to replace lead pipes in 10 years Senate panel advances controversial public lands nominee in tie vote Democrats seek to counter GOP attacks on gas prices MORE (R-Wyo.), the ranking member on the Senate Energy and Natural Resources Committee, criticized numerous aspects of Biden’s infrastructure plan, including the lack of specific cyber funding.

“In addition to decreasing electric reliability, renewables, like wind and solar energy, [the proposal] actually increases the exposure to cyberattacks on the electric grid, which is a prime target for America’s adversaries,” the spokesperson said. “The vast majority of the $2.25 trillion in spending will not improve our nation’s infrastructure. It is therefore not surprising that President Biden’s plan fails to address cybersecurity.”

Whitney, of Fortress Information Security, said there is now likely to be more pressure on the administration to address cybersecurity, either in the existing infrastructure proposal or in another measure.

“Given the fact that cybersecurity wasn’t a huge focus in the infrastructure plan, I think there's going to be more pressure going forward in terms of what the future sector-specific cybersecurity plans look like,” he said.