Cyberdefense funds in infrastructure plan
WASHINGTON — A Senate bill intended to shore up the nation’s roads, pipes and electric grid includes billions to protect that aging infrastructure from cyberattacks.
With a series of high-profile ransomware attacks fresh in their minds, U.S. Senate negotiators wove cybersecurity investments throughout the bipartisan $1 trillion infrastructure proposal, which passed the Senate in a 69-to-30 vote Tuesday and now moves to the House for a vote. The allocations are a reflection of the growing realization in Congress that a computer attack could leave Americans without water, power or other essentials.
“This is an incredibly serious threat to this country that’s only growing more serious,” said Sen. Angus King, an independent from Maine.
The Colonial Pipeline ransomware attack in May was a wake-up call that gave lawmakers and the public “a taste of what is potentially in store,” King said. The attack disrupted fuel supplies in the eastern U.S., prompting gasoline shortages and panicked buying that affected millions for days.
King said that he also is particularly wary of attacks on public water systems in the U.S., especially after a hacker in February took control of a water-treatment facility in Oldsmar, Fla. The intruder raised the levels of sodium hydroxide to a hazardous point that could have sickened users. An operator noticed the rising levels and was able to quickly intervene, but the incident highlighted the broader weaknesses at the facilities.
To King, one of the Senate negotiators, these incidents underlined that cybersecurity has to be a part of any work the government does on infrastructure.
The bill directs the Federal Highway Administration to create a new tool to help transportation authorities better detect and respond to cyberattacks, which could range from ransomware attacks on transportation departments or hacks of traffic lights and road signs.
It makes emergency funding available to respond to digital attacks on public water systems and makes grants available that can be used to help some water systems increase their ability to deal with cyberattacks as well as natural hazards and extreme weather.
It also calls on the Federal Energy Regulatory Commission to develop incentives to ensure that electric utilities are investing in cybersecurity and offering data about potential threats.
The bill also authorizes nearly $2 billion in spending for specific cybersecurity initiatives, such as the creation of a $1 billion grant program to provide federal cybersecurity assistance to state and local governments, which experts say are among the most vulnerable institutions to ransomware attacks.
The bill also would fund a new cyber director office, so that the federal government can better coordinate its response to major hacks, and would create a $100 million response and recovery fund, which the Department of Homeland Security could use to support both private companies and governments’ recoveries from cyberattacks.
Yet at least one House lawmaker has raised concerns that the measures in the Senate infrastructure package don’t go far enough. He thinks that there should be tougher cybersecurity requirements for entities that take infrastructure funding.
“The cybersecurity funding in the Senate infrastructure bill is a good start, but we’ve got a long ways to go in our battle to secure our nation against the full range of cyberthreats we face,” said Rep. Jim Langevin, D-R.I., co-chairman of the Congressional Cybersecurity Caucus. “I’d like to see broad requirements that all technology procured using these federal funds meet minimum security requirements and that money be set aside for security monitoring after it’s installed. Connected infrastructure is going to help the economy and our environment, but only if we can secure it.”