The Bipartisan Infrastructure Investment and Jobs Act, recently passed by the US Senate, could give a $1.9 billion boost to cybersecurity spending to protect critical infrastructure, accelerate incident response, and modernize the digital defenses of state and local governments.
However, the investment is, at best, "a down payment" on what the nation needs to defend against ransomware, nation-state attacks, and cybercriminals, security experts say. While more than half of the funds are reserved for State, Local, Tribal, and Territorial (SLTT) government agencies and organizations, when divvied up among 50 states — not to mention tens of thousands of local governments — the total purse will be spread thin, says Mike Hamilton, founder and CISO at security services firm Critical Insight and former vice chair for the State, Local, Tribal, Territorial Government Coordinating Council (SLTTGCC).
"Considering that there are 90,000 local governments in the US, that means about $11k each, which doesn't pay for much," he says. "States will winnow that down and prioritize the spending with jurisdictions that do the most critical things like water, waste, [and] public safety communications."
The bill, whose fate is currently tied up with a vote in the US House of Representatives on a larger "human infrastructure" bill, sets aside $21 million to fund the Office of the National Cyber Director, provides more than $157 million for cybersecurity research, and creates a $100 million fund over five years that allows the Secretary of the Department of Homeland Security to declare a significant incident and provide response and recovery services to public and private organizations, according to one analysis.
Some of the funding will be sufficient, but most of the investments will only be a "down payment". Still, that could do a lot of good, says Scott Shackelford, a professor of law and director of the Ostrom Workshop on Cybersecurity and Internet Governance at Indiana University.
"If we want to have a national strategy dealing with just one of the big ticket issues we are facing — such as ransomware — that could help, and the good thing is it could have a lot of positive knock-on effects," he says. "Because if you are doing the things that you should — backing up data locally and to the cloud, using multi-factor authentication, minimizing local admin privileges — that is also going to help protect these organizations against other threats as well."
To maximize the funds' impacts, security experts recommended state and local governments take a risk-based approach to investing in cybersecurity. Because the services managed by local governments are extremely critical, ensuring the security of digital data and infrastructure is key, says Critical Insight's Hamilton.
"This makes the impact of an event much larger than simply paying out an extortion demand," he says. "Mitigating these exposures at the national level will require local governments to incentivize qualified security practitioners to work in the public sector … which means they need to pay closer to market rates."
Government agencies and local organizations should take the time to conduct a thorough audit to identify their biggest security weaknesses — which often amount to limited training, outdated tools, and insecure infrastructure — then tackle the biggest areas of need first.
While investing in technology or risk assessments for small government organizations will pay dividends, government agencies also need to focus on the fundamental issues that need to be solved, such as convincing users and government employees that security is a key tenet of operations, says Lisa Plaggemier, the interim executive director of the National Cyber Security Alliance (NCSA).
"While tech upgrades may be needed in many communities, unless we do a better job of engaging users and giving them the clear guidance they need, vulnerabilities are still likely to exist," she says. "To accomplish this, businesses and communities need to allocate funds towards efforts that empower everyday users and make them feel like they are active participants in cybersecurity versus unwitting bystanders."
One possibility that could spur momentum in many critical areas would be paying community college and university cybersecurity programs to train students in incident response and security assessment, and have those students work to secure local and government organizations. The solution would offer on-the-job training for future cybersecurity professionals and offset costs of training students, says Indiana University's Shackelford.
"It could be more affordable, and it would do a number of things all at once," he says. "There is enough need and enough of a win-win that I feel that kind of collaboration could be helpful to support, especially at the community level."