Cybersecurity experts say $2 billion is too little, too late
Funds from the infrastructure package are intended to help beef up US cyber defenses. Will it actually make a difference?
On Monday, President Biden signed the enormous, historic infrastructure bill into law, which includes nearly $2 billion for cybersecurity. Of that, $1 billion will be distributed to state, local, tribal, and territorial governments, while $21 million will go to the Office of the National Cyber Director, an agency responsible for advising the president on all matters related to cybersecurity. Thus far, the newly minted agency has not been able to compete with the private sector when it comes to hiring cybersecurity experts.
The government will also be hiring for a Federal Highway Administration cyber coordinator position, and will dedicate $100 million to handling cybersecurity incidents the Department of Homeland Security deems “significant.”
The White House announced that this bill would “make our communities safer and our infrastructure more resilient to the impacts of climate change and cyber-attacks.” However, cyber experts acknowledge that America is years behind countries like Russia or China.
“It would have been great had we done this over a decade ago,” says Theresa Payton, CEO and chief advisor for cybersecurity consulting firm Fortalice Solutions. “With cyber criminal syndicates, nation states, lone wolves, we’ve had this perfect storm coming at us and the global pandemic accelerated it.”
Here’s what you need to know about the latest, most involved effort to beef up America’s cybersecurity.
Is there reason to be hopeful?
Allison Nixon, chief research officer for the security firm Unit 221B, remains skeptical. “We [have] spent so much of the past decade just getting humiliated by Russia and China left and right,” she says.
Nixon’s concern is that America is so far behind that playing catch-up will just take too much time. “This is a decade of backlog, a decade of cybercrime growing out of control,” she says. “It’s going to take more than a billion dollars to undo that.”
She points out that this is a positive step, but it’s one that would need to be continued into the next presidential administration. “It’s an enormous task now and we finally agree that it’s a task worth doing,” she says, “but it really relies on this country being more politically stable than it is. Who knows if there’s going to be any more cybersecurity progress in four years?”
How should the money be used?
Payton, of Fortalice Solutions, says that she is asked all the time how much money is enough to spend on cybersecurity. Payton, who oversaw IT operations for President George W. Bush from 2006 to 2008, before becoming the White House’s Chief Information Officer, always says it depends on how sustainable the project is in the long term.
“People ask how much money is enough to spend to build hurricane or fireproof buildings, and because we’re talking about lives, people say well, you can’t put a price tag on that,” she says, pointing out that cybersecurity is also about people’s lives.
What Payton wants to see put in place is a maturity roadmap that can help local governments create an ongoing cyber maintenance budget. “Just because you get money today to build a bridge, doesn’t mean you have the money tomorrow to maintain it,” she says. “An injection of cash is great, but is it set up to be sustainable?”
For Payton, a long-term plan would first involve locking down machine-to-machine, application-to-machine, and user-to-machine access, and instituting multi-factor authentication for all access. The next step would be peer reviewing all the security and privacy configurations that have been implemented on the cloud. The last step would be to create a third backup of data saved in cold storage offline, disconnected from operations, to be used in the case of a ransomware attack. Those, she says, are the fundamentals, and nothing else should occur without checking those three things off a to-do list.
Most Americans have been victims of at least one cybercrime, and if they haven’t, then at the very least, they’ve definitely witnessed some terrifying ones. “When people couldn’t get gas in their gas tanks to take their kids to school, when people weren’t able to go to work because their meat processing plants were offline, when a hospital was closed, these were some critical infrastructure breaches,” says Payton. “There’s pictures, there’s real victims, there’s real impact, and it’s tangible and palpable.” Because of that, she believes this program will continue for administrations to come.
Why is our current cybersecurity so bad?
Oren Falkowitz, formerly of the National Security Agency and now the CEO of Area 1 Security in California, says companies have spent a lot of money over the last decade in cybersecurity—with zero impact. This is in part because of a lack of modernization. A surprising number of state and local governments are not using managed cloud services, that is, working with a service provider to keep their technology updated and their sensitive information protected and backed up.
“If you’re running your own Microsoft Exchange email server in 2021, you’re far behind the curve,” Falkowitz says. “It means every day you have to be perfect, every day you have to have the latest patches, you have to have the configurations just right.”
Then there’s how the attacks happen, which is usually the result of human error. At least nine out of 10 cyberattacks today are the result of email phishing campaigns, Falkowitz says, and for him, creating technology to prevent people from clicking on unverified email links is more important than building operations centers or coming up with exciting new ways to share information. A recent study he worked on found that over half of American state and local election officials do not have basic cyber hygiene, are unequipped to protect themselves against phishing attempts, and use their personal emails for government duties.
During his time at the NSA, Falkowitz worked with both Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, and national cyber director Chris Inglis. “They know how to get stuff done, and they know the problem really deeply and intimately from both the offensive and defensive side,” he says. “Now it’s about whether or not people will just go get it done.”