The Washington Post

The Senate’s $1 trillion infrastructure bill includes funding to secure Americans’ water systems and power grids from cyberattacks

A sign marking the location of the Colonial Pipeline is posted in Charlotte. Senators have woven investments in cybersecurity throughout their nearly $1 trillion infrastructure package. (Chris Carlson/AP)

A Senate bill intended to shore up the nation’s roads, pipes and electric grid includes billions to protect that aging infrastructure from cyberattacks.

With a series of high-profile ransomware attacks fresh in their minds, U.S. Senate negotiators wove cybersecurity investments throughout the bipartisan $1 trillion infrastructure proposal, which passed the Senate in a 69-to-30 vote on Tuesday and now moves to the House for a vote. The allocations are a reflection of the growing realization in Congress that a computer attack could leave Americans without water, power or other essentials.

“This is an incredibly serious threat to this country that’s only growing more serious,” said Sen. Angus King (I-Maine).

The Colonial Pipeline ransomware attack in May was a wake-up call that gave lawmakers and the public “a taste of what is potentially in store,” King said. The attack disrupted fuel supplies in the eastern United States, prompting gasoline shortages and panicked buying that affected millions for days.

The Colonial hack was just one in a series of attacks on lawmakers’ minds. King said he is particularly wary of attacks on the more than 100,000 public water systems in the United States, especially after a hacker in February took control of a water treatment facility in Oldsmar, Fla. The intruder raised the levels of sodium hydroxide to a hazardous point that could have sickened residents. An operator noticed the rising levels and was able to quickly intervene, but the incident highlighted the broader weaknesses at the facilities responsible for ensuring Americans have clean drinking water.

To King, one of the Senate negotiators, these incidents underlined that cybersecurity has to be a part of any work the government does on infrastructure, from broadband to power grids.

The bill directs the Federal Highway Administration to create a new tool to help transportation authorities better detect and respond to cyberattacks, which could range from ransomware attacks on transportation departments to hacks of traffic lights and road signs. It makes emergency funding available to respond to digital attacks on public water systems and makes grants available that can be used to help some water systems increase their ability to deal with cyberattacks as well as natural hazards and extreme weather.

It also calls on the Federal Energy Regulatory Commission to develop incentives to ensure that electric utilities are investing in cybersecurity and sharing data about potential threats.

The bill also authorizes nearly $2 billion in spending for specific cybersecurity initiatives, such as the creation of a $1 billion grant program to provide federal cybersecurity assistance to state and local governments, which experts say are among the institutions most vulnerable to ransomware attacks. The bill also would fund a new cyber director office, so that the federal government can better coordinate its response to major hacks, and would create a $100 million response and recovery fund, which the Department of Homeland Security could use to support both private companies’ and governments’ recoveries from cyberattacks.

The infusion of funding follows years of warnings from across the federal government of the vulnerability of U.S. critical infrastructure to cyberattacks. A year ago, the National Security Agency and the Cybersecurity and Infrastructure Security Agency warned that critical infrastructure systems, including energy, transportation and water systems, make “attractive targets for foreign powers attempting to do harm to U.S. interests or retaliate for perceived U.S. aggression.”

Yet at least one House lawmaker has raised concerns that the measures in the Senate infrastructure package don’t go far enough. He thinks that there should be tougher cybersecurity requirements for entities that take infrastructure funding.

“The cybersecurity funding in the Senate infrastructure bill is a good start, but we’ve got a long ways to go in our battle to secure our nation against the full range of cyberthreats we face,” said Rep. Jim Langevin (D-R.I.), co-chair of the Congressional Cybersecurity Caucus. “I’d like to see broad requirements that all technology procured using these federal funds meet minimum security requirements and that money be set aside for security monitoring after it’s installed. Connected infrastructure is going to help the economy and our environment, but only if we can secure it.”

Public works officials welcomed the cybersecurity provisions of the Senate bill, noting they often struggle to balance defending their systems against cyberattacks with the daily demands of keeping Americans’ lights on and faucets flowing.

“Public works makes normal happen, and cybersecurity is woven into that in every different respect,” said Mark Ray, the director of public works and city engineer for Crystal, Minn., who also represents the American Public Works Association on the National Homeland Security Consortium, which convenes public and company officials to discuss emergency responses.

Ray said his 26-person public works staff doesn’t have the time or expertise to dig into every potential cyber risk, and they look to outside experts and the federal government for direction. “The more that we understand that, the more that we understand the connection and work to improve and secure everything, it will just benefit everybody across the board,” he said.

Others warned that making more money available to address cybersecurity is just a first step, and its efficacy will hinge on how government agencies implement the funding.

“Just because we made money eligible doesn’t mean the problem is solved,” said Shailen Bhatt, the president and chief executive of ITS America, a trade group representing transportation companies. “It’s sort of the beginning of the new frontier of this battle.”

The bill also could have gone further in addressing some of the cybersecurity concerns regarding the water supply, said Mark Montgomery, the executive director of the Cyberspace Solarium Commission, which is tasked with developing a strategic approach to defending the United States from cyberattacks. He said the legislation should have included grants specifically for cybersecurity, rather than broad grants that can also be used to shore up the systems against weather events and other risks.

He said the legislation also should have done more to get the U.S. Environmental Protection Agency more focused on managing cybersecurity risks.

“I think it falls short,” Montgomery said in an interview.

The inclusion of the cybersecurity funding in the infrastructure bill reflects a growing bipartisan focus on the problem in Congress, said King. He said lawmakers’ interest in the issue had grown since 2018, when Congress first created a commission to develop recommendations for cyber deterrence. Last year, Congress passed a series of cybersecurity provisions in the annual defense bill. King predicted future legislation also will include cybersecurity spending.

“There won’t be so many bills that don’t have a cyber component,” King said in an interview.