The “Infrastructure Investment and Jobs Act” (H.R. 3684) has passed both the U.S. Senate and House, but is still undergoing legislative reconciliation between the House and Senate versions and is currently in limbo because negotiations among the Democrats have stalled.
Parts of the bill that deal with cybersecurity are summarized in the charts below:
SE = Secretary of Energy
SHS = Secretary of Homeland Security
DCISA = Director of the Cybersecurity and Infrastructure Security Agency
FEMA = Federal Emergency Management Agency
FY = fiscal year
The Infrastructure Bill provides about $2.19 billion (out of $1 trillion) for cybersecurity over the next five years (although the Cyber Response and Recovery Fund lasts seven years).
A few observations on the bill:
1. The bill only focuses on three out of the 16 critical infrastructure sectors identified by the Cybersecurity & Infrastructure Security Agency as vulnerable. The bill only helps the water, transportation, and energy sectors. A focus on the energy sector is understandable in light of the Colonial Oil Pipeline ransomware attack in May 2021, which led to fuel shortages at airports and gas stations, as well as a rise in oil prices. But an example of another area of need would be the healthcare/emergency services sector, which was left out despite it being hampered by ransomware attacks during the COVID-19 pandemic.
2. Most of the money goes to state and local governments that can provide detailed plans about improving cybersecurity. This could include consulting and contracting with private cybersecurity companies, but that is not required.
3. The authority to administer most of these funds is given to their respective Departments: the U.S. Department of Energy ($600 million), U.S. Department of the Interior for water ($450 million), U.S. Department of Transportation (exact funding unspecified). But these funds do not only cover cybersecurity, but a broad array of threats, including natural disasters and extreme weather events.
4. However, $1.14 billion is appropriated exclusively for cybersecurity. The largest appropriation for $1 billion for the “State and Local Cybersecurity Grant Program” will be administered by FEMA (Federal Emergency Management Agency). And the $140 million “Cyber Response and Recovery Fund” will be administered by the Secretary of Homeland Security and the Director of the Cybersecurity and Infrastructure Security Agency.
5. It’s unclear how much private cybersecurity companies (such as Crowdstrike) could get involved, but private companies that are savvy should be looking for opportunities to preemptively help state and local governments improve their cybersecurity before an attack. And if the Secretary of Homeland Security “declares” a “significant” cyber attack, private companies could also be ready to tap into the $20 million per year appropriation to respond to such a cyber attack.