House Delays U.S. Infrastructure Bill Vote – Cybersecurity Funding in Jeopardy? And What Security Practitioners Say Needs to be Prioritized
The U.S. House of Representatives was scheduled to vote on the $1.2 trillion bipartisan infrastructure bill (H.R. 3684) on September 30, but the vote has been delayed for an undetermined length of time. With roughly $1.9 billion allocated to bolstering critical infrastructure security, helping vulnerable organizations defend themselves, and providing funding for a crucial federal cyber office, key budget items hang in the balance, threatening critical infrastructure security among other priorities.
(ISC)² conducted an online poll of 226 cybersecurity practitioners—nearly half of whom work for an organization responsible for securing critical infrastructure data—to gauge their reaction to the infrastructure bill, how they believe spending should be prioritized and whether they believe state and local authorities have the expertise to make the right decisions about where the money should go.
Although practitioners are pleased that cybersecurity is getting attention, the overall sentiment echoes the primary concern highlighted in a recent Associated Press article on state cybersecurity, which found state and local governments are struggling to retain cybersecurity talent due to existing workforce shortages and meager compensation. Our polling data found that 62% of practitioners agree more dedicated cybersecurity funding is needed to make a substantial difference.
When asked if funding could prevent future data security breaches at the state, local and tribal levels, one respondent said, “It’s hard to say whether or not it is possible to prevent breaches, but we can do a lot more to mitigate the damage.” Another respondent said, “[Having good people in place can go a long way to] enable better preparation for and response to breach situations.”
Practitioners believe that cybersecurity should be the second-highest priority for U.S. infrastructure needs, after improving power and water systems. Yet only 0.2% of the funding is reserved for cybersecurity, more than half of which will go to state, local and tribal governments. One respondent noted, “securing infrastructure costs money, point-blank–from hiring staff, to updating legacy software and hardware, to plain old user education. If we don’t start funding these efforts, including education, we won’t get anywhere.”
A majority of the cybersecurity practitioners polled (63%) are also not confident that state and local government officials have sufficient expertise to make informed decisions about where to invest federal dollars for cybersecurity initiatives. One respondent noted, “[It’s] good to prioritize cyber, not sure if the money will go to the right places.”
When asked how state, local and tribal officials should prioritize funding received from the infrastructure bill grants, 57% suggested government mandates and enforcement of minimum cybersecurity standards. Introducing a mandate—or incentivizing the program—goes a long way to get most, if not all, government entities on board. One respondent drew comparisons to restaurant ratings and ISO inspections, suggesting non-government regulatory and certifying bodies audit critical infrastructure and pinpoint areas for improvement.
The consensus among respondents is that state, local and tribal governments are usually left to figure out security in a vacuum and lack dedicated cybersecurity staff to make necessary improvements. One respondent reasoned, “There is a need for a security strategy, and the guidance of well-rounded and experienced professionals can help on the success of this initiative.”
The second most common suggestion was government investment in skill development for cybersecurity staff (46%). The cybersecurity professionals emphasized in the poll that the focus should be on people rather than technology. One respondent noted, “[The government is] quick to buy more cybersecurity tools, but when you keep piling on the tools and do not have them properly tuned by trained personnel to take full advantage of the tool, then it is useless.”
Adequate training coupled with professional development is key to improving the security of any organization or government entity because it keeps practitioners’ skills sharp and enables them to stay up to date on the latest threats targeting their industry.
One respondent noted that to have a significant impact on security at the state, local and tribal levels, “a good place to start would be requiring certain technical and some other non-technical certifications to every employee working in cyber roles.”
Another respondent said, “Without the proper funding, personnel will be unable to adequately secure critical infrastructure. It simply costs money to employ, train and equip cybersecurity personnel, not to mention other IT staff to design, deploy, maintain, secure and properly defend the network. Both IT and cybersecurity personnel must have continuous training to stay abreast of the latest technologies and threats.”
The third most common recommendation was user awareness training (32%), a simple but effective tactic to stop breaches. Staff represent government entities’ and organizations’ first line of defense and are susceptible to manipulation by sly cyber attackers into giving up credentials or clicking on malicious links. Consistent and timely user awareness training is essential in any cyber defense strategy.
While cybersecurity has made it into the infrastructure bill, the cybersecurity community feels strongly that the funds are insufficient to prevent attacks similar to those against SolarWinds, Kaseya, Colonial Pipeline and JBS Foods.
What do you think of the $1.9 billion investment in comparison to the overall $1 trillion proposed in the current bill? Is this a step in the right direction? What are your recommendations for how the funding should be allocated for cyber? Join the conversation on the (ISC)² Community.