The Senate’s monumental passage of the Infrastructure Investment and Jobs Act, a comprehensive bipartisan infrastructure bill that promises to modernize the nation’s physical and digital infrastructure while creating thousands of American jobs, was just the beginning.
Now, the House needs to take hold of the baton and deliver on Washington’s promise to upgrade and strengthen the nation’s infrastructure. Lawmakers in the House need to build on the solid foundation laid by the Senate to prioritize cybersecurity’s critical role in the future of the nation’s infrastructure.
The Infrastructure Investment and Jobs Act provides a significant cybersecurity-focused investment, a much-needed whole-of-government approach to applying that investment, and a clear emphasis on support for the cybersecurity requirements of state and local governments.
Cybersecurity needs to remain front and center in Congress for the foreseeable future. The Senate set the example. The technology industry is asking the House to do the same and protect the nation’s physical and digital infrastructure.
Key elements in the Infrastructure Investment and Jobs Act that need to be part of any legislation coming out of the House include:
Cybersecurity must be a core part of federal infrastructure modernization efforts.
As Congress and the White House negotiate an infrastructure package, this once-in-a-generation federal investment must include significant funding to ensure that our nation’s infrastructure is resilient to all potential harms, including cyber threats. It should contain legislative provisions that will secure our connected critical infrastructure, enable robust interoperability, and ensure our society's backbone can safely support technological advances.
Investing in the resilience of U.S. infrastructure and protecting our systems from foreign and domestic cyber threats supports American infrastructure, American jobs, and national security all at once.
Funded projects or programs must incorporate baseline cybersecurity protections.
Public entities and critical infrastructure owners receiving funding from an infrastructure package should be made to conduct a cybersecurity risk assessment against the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity. All projects need to identify any gaps between current cybersecurity posture and an improved posture based on the assessment. The results of the risk assessment should be used to develop a remediation plan to close identified gaps, including by deploying fundamental risk-based vulnerability management practices.
Bottom line: Any public or private entity that secures funding needs to implement the cybersecurity protections outlined by Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger in her June 2 memo.
State and local governments need cybersecurity grant programs.
To provide necessary resilience across all communities, there must be cybersecurity grant programs for state and local governments. While Rep. Yvette Clarke (D-NY) has introduced the bipartisan State and Local Cybersecurity Improvement Act (H.R. 3138), which provides a potential model for such a grant program, the Senate’s infrastructure bill is more comprehensive and allocates $1 billion more in funding.
In addition to important elements in the Senate’s bill, the House has an opportunity to expand the federal government’s approach to making cybersecurity a top priority. The most significant opportunities focus on emerging technologies such as artificial intelligence and machine learning, the creation of a federal Software Bill of Materials, and a greater investment in training the cybersecurity workforce the nation needs.
AI and machine learning are vital to creating new powerful cybersecurity tools for governments and businesses. Congress needs to support the deployment of emerging technologies and professional services to prevent and respond to cyberattacks. Legislation should support the use of vulnerability management, intrusion detection and endpoint security tools.
There is also a need for a Software Bill of Materials (SBOM), which can be an effective means of improving the integrity and security of the software that enables critical connected infrastructure, as supported under President Biden’s Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity.
And finally, the U.S. must invest in the cyber workforce to ensure government agencies and businesses have the skilled workers needed to protect the U.S. The nation is expected to face a shortage of 1.8 million skilled cybersecurity workers by 2022, making educating the next generation of cybersecurity professionals imperative to our future national and economic security.
It is critical that the federal government continue to invest in cybersecurity training for government employees, while also seeking creative ways to fill ongoing gaps in the cyber workforce.
The Senate’s Infrastructure Investment and Jobs Act aims to strengthen the nation’s cybersecurity defenses and protect both governments and businesses. The House needs to follow the Senate’s lead and pass the bill or deliver legislation that goes even further.
David Logsdon is a senior director at CompTIA responsible for the Federal Procurement Council and Federal Cybersecurity Committee.