USA: A closer look at cybersecurity funding after the Infrastructure Investment and Jobs Act 2021
The Infrastructure Investment and Jobs Act 2021 ('the Act') was signed into law by President Biden on 15 November 2021. The Act pours over $1 trillion into strengthening the nation's infrastructure. This includes the modernisation of roads, bridges, transit, rail, airports, wastewater infrastructure, broadband, and drinking water.
The Act includes several cybersecurity-related initiatives, signifying that cybersecurity is an integral part of America's infrastructure. Specifically, the Act dedicates approximately $2 billion to strengthening the nation's cyber defences, with the largest share, $1 billion, directed to state and local governments across sectors such as transportation, energy, water, and utilities. The Act has implications for both private and public sector entities and lays the groundwork for improving America's ability to prevent and respond to cyber-attacks, while further increasing cybersecurity obligations for critical infrastructure. Michelle Donovan and Jessica High, Partner and Associate respectively at Duane Morris LLP, discuss the Act's notable cybersecurity appropriations in this article.
State and local cybersecurity grants
State and local government, including tribal and territorial government, received $1 billion in federal funds, disbursed over four years, appropriated to aid in strengthening state and local government information systems. This grant program provides funding to modernise state and local government IT networks and to respond to modern cyber-attacks, such as ransomware attacks. While state and local government received the biggest cyber share, they are required to provide matching funds to continue to receive federal dollars. The federal contribution decreases by 10% each fiscal year, requiring state and local government to increase their contribution annually.
State and local governments have increased cybersecurity obligations to be eligible for the grant. Applicants must develop a Cybersecurity Plan, subject to periodic federal review, that protects against risks and threats and describes strategies to enhance cybersecurity. More specifically, the plan must include the implementation of a 'process of continuous cybersecurity vulnerability assessment and threat mitigation practices'. The plan must also adopt best practices and methodologies, such as the standards in the National Institute of Standards and Technology ('NIST') framework. The requirements for a robust Cybersecurity Plan and adherence to NIST standards would raise the level of cybersecurity at the state and local level. Moreover, as funding is conditional, state and local governments are incentivised to devote resources and efforts to cybersecurity.
Electric utilities cybersecurity program
To promote cybersecurity for electric utilities, the Act requires the Secretary of Energy, in coordination with the Secretary of Homeland Security, to implement a cybersecurity program. The program will include the development of models and methods for assessing physical security and cybersecurity, assistance with threat assessment and cybersecurity training, the advancement of the cybersecurity of third-party vendors, the promotion of information sharing within the electric sector, and assistance with engineering reviews for electric utilities that own defence-critical electric infrastructure. In carrying out the program, the Secretary of Energy will take into consideration the different sizes of electric utilities and the regions that electric utilities serve.
Rural and municipal utility and energy sector programs
The Act appropriates approximately $250 million to provide grants and technical assistance for eligible entities to help protect against, detect, respond to, and recover from cybersecurity threats. Entities can enter into cooperative agreements to carry out these requirements.
Funding and technical assistance will be prioritised for entities that have scarce cybersecurity resources. The Act does not require entities applying for funds to develop a Cybersecurity Plan. Instead, the Director of the Cybersecurity and Infrastructure Security Agency ('CISA') has the discretion to determine whether funding recipients are required to submit a Cybersecurity Plan. If a plan is requested, the recipient must describe how it will maintain cybersecurity across networks, systems, devices, applications, or components, as well as how it will perform ongoing risk evaluations and report known or suspected network compromises.
Enhancing grid security
Approximately $250 million in federal funds will be appropriated for advanced cybersecurity applications and technologies for the energy sector. The Act also requires the Secretary of Energy to submit a report to the U.S. Congress within the first year, assessing priorities, policies, procedures, and actions for improving the cybersecurity of electricity distribution systems, together with the costs of implementation.
Investment by public utilities
The Act amends the Federal Water Power Act of 1920 by adding incentives for cybersecurity investments. The Federal Energy Regulatory Commission will conduct a survey and establish, by rule, incentive-based rate treatments for the transmission and sale of electricity by public utilities, to encourage investment in advanced cybersecurity technology and to expand participation in cybersecurity threat information sharing programs.
Cyber Response and Recovery Fund
The Act appropriates $20 million a year, through to 2028, to a Cyber Response and Recovery Fund. Public and private entities are eligible for the funds upon a declaration by the Secretary of the Department of Homeland Security, in consultation with the National Cyber Director, that a 'significant incident' has occurred or is likely to occur imminently. Funds can be used to respond to and recover from the incident. A 'significant incident' is defined as an incident or a group of related incidents that results, or is likely to result, in demonstrable harm to:
- national security interests, foreign relations, or the US economy; or
- the public confidence, civil liberties, or the public health and safety of the US.
CISA sector risk management
Over $20 million in funding is available to support staffing and operations for CISA.
The Act continues the Biden administration's focus on increasing security for critical infrastructure following the SolarWinds, Microsoft Exchange, and Colonial Pipeline breaches. This started with the Executive Order of 21 May 2021, which focused on modernising national cyber defences, and, if passed, will continue with the Build Back Better Bill, which includes $50 million in funding for CyberSentry, a program launched last year by CISA that monitors traffic and detects malicious activity on the systems of critical infrastructure and corporate networks. The Build Back Better Bill also includes $50 million to transition data to a secure cloud program.
The Act is also a continued indication of the federal government's efforts to increase cybersecurity more generally in both the private and public sectors. For example, the Federal Trade Commission ('FTC') recently amended the Safeguards Rule under the Gramm-Leach-Bliley Act of 1999 ('GLBA'), increasing cybersecurity requirements for financial institutions. The federal banking regulators also recently issued a rule requiring banking organisations to notify their primary federal regulator of any reportable computer-security incident within 36 hours of discovery. The Department of Homeland Security's Transportation Security Administration ('TSA') issued two Security Directives that require owners and operators of TSA-designated critical pipelines, which transport hazardous liquids and natural gas, to implement a number of security measures to protect against cyber intrusions. Additionally, the FBI and CISA have released recent alerts on ransomware and other damaging cyber activities.
In addition to increasing security requirements, we have also seen the federal government focusing on enforcement and accountability efforts. The Act follows the Securities and Exchange Commission's ('SEC') recent sanctioning of several firms for cybersecurity failures that resulted in the exposure of personal information of thousands of customers. Additionally, the U.S. Department of Justice launched the Civil Cyber-Fraud Initiative in October 2021. This initiative uses the False Claims Act of 2011 to pursue cyber fraud claims against recipients of federal funds, including government contractors, who knowingly fail to comply with cybersecurity standards or knowingly misrepresent the company's internal security controls or practices. We expect to see additional federal regulatory and enforcement activity in 2022 to encourage companies to continue to strengthen their cybersecurity posture, and to hold accountable those that don't.
The Act also incentivises actors outside the federal government to comply with the comprehensive NIST standards and controls. As more entities adopt these high standards, it may impact what is considered 'industry standard' security controls under business contract terms and what is considered 'reasonable' security controls under state and federal security laws.
Michelle Donovan, Partner
Jessica High, Associate
Duane Morris LLP, San Francisco