Lack of cyber funds in Biden infrastructure plan raises eyebrows
President Biden’s $2.25 trillion infrastructure plan does not include any funds to protect critical infrastructure against cyberattacks, even as the threat grows against targets such as the electric grid.
Experts say it was disappointing to see there were no funds set aside to defend systems critical to everyday life from hackers, particularly as the proposal calls for things like $100 billion for improving grid resiliency, the creation of new jobs and developing more clean electricity.
“It is a bit of an eyesore of not seeing a more prominent listing of cybersecurity in this, but I think there will be more to come,” said Tobias Whitney, vice president of energy security solutions at Fortress Information Security, which works with grid operators.
The cybersecurity of the grid has become an area of increasing concern in recent years as hackers have ratcheted up efforts to target critical systems. Those efforts accelerated during the COVID-19 pandemic.
Officials on Capitol Hill warned last year that foreign adversaries had the ability and were actively attempting to disrupt the grid during the pandemic. The 2019 Worldwide Threat Assessment compiled by former Director of Intelligence Dan Coats found that Russia, China and Iran were all capable of launching cyberattacks that “cause localized, temporary disruptive effects on critical infrastructure.”
The Government Accountability Office, in a report last month, highlighted how distribution systems within the U.S. grid are increasingly vulnerable to cyberattacks.
The warnings aren’t theoretical either.
Grid disruptions have taken place in recent years, with a cyberattack on an undisclosed Western utility in 2019. And in February, frigid temperatures caused millions in Texas to lose power and put lives in danger, underscoring the crippling effect of any disruption to the electric grid.
Jim Cunningham, the executive director of Protect Our Power, told The Hill that “the grid is attacked millions of times per day,” and noted that his organization is urging the Biden administration and Congress to invest between $20 billion and $25 billion to secure it.
“I think it is absolutely an essential part of any infrastructure plan,” Cunningham said. “The reality is the tragedy that we witnessed in Texas a short time ago thankfully only lasted a week, week and a half … but if the grid goes down, we’re looking at months, maybe God forbid even a year. So electricity plays a critical role in the functioning of our society.”
Marty Edwards, vice president of OT security at cybersecurity group Tenable, said the Biden administration needs to make cybersecurity a component of infrastructure.
“Any critical infrastructure modernization must take cybersecurity into account from the start,” Edwards said in a statement to The Hill. “As we become more and more reliant on the electric grid, increasingly advanced adversaries are looking to disrupt our way of life in any way possible, including by attacking our most critical infrastructure.”
While the proposed infrastructure package did not include specific cybersecurity funds, the administration has taken some steps toward addressing national security risks in cyberspace, particularly in the wake of recent massive foreign cyber espionage incidents.
President Biden will soon sign an executive order that, according to administration officials, will include about a dozen actions to improve federal cybersecurity. Biden also spearheaded the inclusion of $650 million in the recently enacted COVID-19 relief package for the Cybersecurity and Infrastructure Security Agency (CISA), along with millions more in technology modernization funds.
On electric grid security, Bloomberg News reported this week that administration officials including Energy Secretary Jennifer Granholm briefed top utility executives last month on a new plan to defend the U.S. grid from cybersecurity threats.
A National Security Council spokesperson told The Hill on Thursday that the administration “is committed to safeguarding the cybersecurity of U.S. critical infrastructure from persistent and sophisticated threats” and has “launched a 100 Day Control Systems cybersecurity initiative, working closely with the private sector that manages much of this critical infrastructure like those for electricity and water, to improve cybersecurity.”
There is bipartisan interest on Capitol Hill to address vulnerabilities in the grid.
A group of leading bipartisan senators on the Senate Energy and Natural Resources Committee sent a letter to Granholm last month urging her to ensure cybersecurity of the electric grid remains a priority.
“The reliability and resilience of the electric grid is critical to the economic and national security of the United States,” the lawmakers, led by Sens. James Risch (R-Idaho) and Angus King (I-Maine), wrote in the letter.
Risch told The Hill in a separate statement Thursday that “securing our critical energy infrastructure is one of the most pressing national security issues facing our nation.”
“There is strong bipartisan agreement that protecting the electric grid and other critical infrastructure is of paramount importance and must be a key component of any plan,” he added.
A spokesperson for Sen. John Barrasso (R-Wyo.), the ranking member on the Senate Energy and Natural Resources Committee, criticized numerous aspects of Biden’s infrastructure plan, including the lack of specific cyber funding.
“In addition to decreasing electric reliability, renewables, like wind and solar energy, [the proposal] actually increases the exposure to cyberattacks on the electric grid, which is a prime target for America’s adversaries,” the spokesperson said. “The vast majority of the $2.25 trillion in spending will not improve our nation’s infrastructure. It is therefore not surprising that President Biden’s plan fails to address cybersecurity.”
Whitney, of Fortress Information Security, said there is now likely to be more pressure on the administration to address cybersecurity, either in the existing infrastructure proposal or in another measure.
“Given the fact that cybersecurity wasn’t a huge focus in the infrastructure plan, I think there’s going to be more pressure going forward in terms of what the future sector-specific cybersecurity plans look like,” he said.