As the nearly $1 trillion infrastructure bill slowly snakes through Congress, it seems that both Democrats and Republicans can at least agree that the United States needs to invest in cybersecurity.

The spending plan includes about $2 billion for cybersecurity, and that includes funding for several programs with a focus on transportation, energy, water utilities, state, and local governments. It also earmarks millions of dollars for the Department of Homeland Security (DHS) and its Cybersecurity and Infrastructure Security Agency (CISA) to help prevent cyberattacks and support organizations, including private companies, that fall victim to such attacks.

And while cybersecurity professionals agree that the cyber investment in the infrastructure bill makes sense, and it should have happened years ago, there’s also wide recognition that there’s more work to do and dollars to spend to shore up our collective security posture.

“It’s painfully clear that both industry and government have historically underinvested in these things,” said Philip Reiner, CEO of the Institute for Security and Technology (IST).

The funding earmarked for cybersecurity “is a move in the right direction,” he added. “Even being included and prioritized is encouraging. But $2 billion is a drop in the bucket. Thinking broader picture: [Cybersecurity] is one of the most prominent risks facing both our national security and our economy. And we have to invest accordingly.”

$2B Cybersecurity Investment Breakdown

The largest chunk of funding, about $1 billion, goes to state and local government grants to improve cybersecurity and critical infrastructure over four years. Another $550 million supports electrical grid cyber and physical security efforts. Additionally, $157 million funds DHS cybersecurity research, $35 million goes to CISA for risk management and stakeholder engagement efforts, and $21 million stands up the office of National Cyber Director Chris Inglis.

“While the numbers might seem big, they are spread over several years, and the spend areas are very fragmented,” Gartner Research VP Katell Thielemann wrote in an email to SDxCentral. The wording in the bill is also important, she added. “Due to digital transformation efforts, most assets in critical infrastructure are now cyber-physical systems, so the investment in securing them along this cyber-physical continuum is key.”

The planned electric grid security funding is an example of this. “Concerns about the resilience of our electric infrastructure have been growing for years, and the cyber-physical security of these assets is of utmost criticality to national security,” Thielemann said. “As evidenced by the cyberattacks in the Ukraine and the havoc wreaked by storms in the U.S., our entire society relies on a resilient electric grid.”

Even seemingly uncontroversial line items, like the $1 billion in grants for state and local governments to improve cybersecurity and critical infrastructure, might not be so innocuous in reality. “This includes prescriptive details of what security plans need to have,” Thielemann said. “It will also come with more oversight from the federal government, so it will be interesting to see whether those jurisdictions welcome those funds or not.”

$100M Cyber Response and Recovery Fund

The bill also includes a $100 million cyber response and recovery fund that CISA will allocate to help organizations, including private-sector companies, hit by cyberattacks. This fund is something that the IST-led Ransomware Task Force has been advocating, and it’s one of the 48 recommendations to combat ransomware that the group presented to the White House in April, a week before a ransomware gang breached Colonial Pipeline’s IT network.

This cyber response fund can serve as a carrot to encourage organizations to put basic cybersecurity measures in place before an attack, Reiner said.

“It can be positively used as an incentive for taking greater cyber hygiene steps upfront,” he said. “That’s something that CISA will need to figure out: If you want access to the cyber response and recovery fund there are steps you’re going to need to have taken in advance to even be eligible for those funds.”

At a minimum this should include multi-factor authentication, network segmentation, and access controls, he added. “It’s not even some evolved sense of zero trust, it’s more of here are the basic steps we’ve taken to raise the bar for the criminal and make it that much more difficult for them to intrude and move around,” Reiner said. “Those are the types of things that you could tie to the availability and eligibility for those sorts of response and recovery funds.”

While ransomware specifically isn’t mentioned in the bill, the recent attacks against Colonial Pipeline and meat processing giant JBS loom large over the spending plan. In addition to this proposed spending plan, the Biden administration this week announced sanctions against Russian cryptocurrency exchange Suex that it says aided ransomware gangs.

These sanctions, along with more interagency coordination on ransomware — such as the Treasury working with DHS — also fall in line with the Ransomware Task Force’s recommendations. “And various officials have indicated that this isn’t the last type of sanction, so that would indicate to me that there’s a longer series of actions that we should be anticipating,” Reiner said.