The views expressed by contributors are their own and not the view of The Hill

Biden’s plan for cyber is a day late and a dollar short

As people worried about running out of gas are now painfully aware, cybersecurity is crucial to resilient critical infrastructure. The Colonial Pipeline ransomware attack was only the latest in a long string of cyberattacks that prove just how vulnerable we are as a nation.

The Biden administration’s new Executive Order (EO) – “Improving Our Nation’s Cybersecurity” – calls for several important actions that will help patch these vulnerable systems, including the adoption of zero-trust architecture and the creation of a Cyber Safety Review Board. The EO’s release, combined with the recent nomination of a national cyber director, suggest that the Biden administration is determined to take cyber more seriously than any previous administration. But the EO’s lack of accompanying funding raises questions about how effective his efforts will be. If Biden is truly committed to cybersecurity, he needs to ensure that the funding of the Cybersecurity and Information Security Agency reflects cyber’s new priority status. 

Biden’s administration has already faced a few cyber-related missteps. Earlier this year, President Biden revealed his grand proposal for revitalizing the American economy and renewing our critical infrastructure. The American Jobs Plan – which came with a whopping $2.2 trillion price tag – ordered a wide range of infrastructure projects, from modernizing public transportation to replacing lead pipes to constructing high-voltage power lines. But the plan ignored one of the most under-resourced components of American infrastructure: cybersecurity. 

In response to significant criticism, the administration publicly addressed the lack of cybersecurity in the American Jobs Plan on May 12 in a White House press statement in which White House press secretary Jen Psaki stated, “I think it’s clear that . . . ensuring private sector companies are hardening their cybersecurity, [and] ensuring it’s an across-the-government effort, is a priority to the President, and this will be linked now to our proposal for how specific grants should be distributed.”

The EO’s unfunded mandates and Psaki’s vague commitments about grants are steps in the right direction, but they won’t fully resolve the vulnerable state of our nation’s critical infrastructure and are a far cry from the EO’s call for “bold changes.” True, executive leadership is vital to ensuring cybersecurity receives the prioritization it deserves. But unfunded mandates lack teeth. No matter how frequently Biden talks about prioritizing cybersecurity, if agencies aren’t provided with the appropriate resources, they won’t be able to fully carry out their goals.

Federal agencies have already been told they need to shore up their cybersecurity. In 2019, the Government Accountability Office (GAO) identified the 10 most critical federal IT legacy systems in need of modernization. These systems are crucial to the functionality of each agency in question, many of which are known to be riddled with vulnerabilities and reliant on unsupported software. Yet a recent follow-up report indicated that many of these agencies have still not fully developed plans for modernizing their systems. 

Similarly, linking grants to plans for hardening cybersecurity and increasing public-private partnerships in critical infrastructure sectors is a good idea, but is also easier said than done. We’ve seen these types of “consider cybersecurity” requirements fail in Department of Defense acquisitions, where the long acquisition process has often rendered systems out of date before they arrive in the hands of the Pentagon.

Strengthening public-private partnerships and encouraging information sharing requires better resourcing of the federal agency in charge of overseeing these efforts, the Cybersecurity and Infrastructure Security Agency (CISA). After all, CISA was created to help protect our critical infrastructure from both cyber and physical attacks. The agency serves as the nation’s risk manager and the public-private coordinator for many of the nation’s critical infrastructure sectors. Yet the organization has extremely limited resources, with an annual budget of only about $2 billion.

While CISA received an additional $650 million in its budget from Biden’s American Rescue Plan, many of the agency’s efforts remain underfunded and under-prioritized. Worse, the gap between the agency’s funding and its responsibilities will only increase in the future. While the agency is still helping mop up the fallout from the recent SolarWinds, Microsoft Exchange and Colonial Pipeline hacks, the actions called for in Biden’s EO, as well as legislation like the proposed National Risk Management Act, will only continue to stretch CISA’s limited resources.

If Biden truly wants to protect our critical infrastructure, CISA will need additional funding and staff to help address new tasks. The Colonial Pipeline hack proves that any sector can suffer the effects of a cyberattack. Modernizing our infrastructure without focusing on cybersecurity is simply doubling down on the mistakes that have left our nation’s systems so defenseless. If the administration wants our country to become more resilient, then it’s time for it to put its money where its mouth is to enact real change.

Kathryn Waldron is a fellow for R Street’s Cybersecurity & Emerging Threats team, where she focuses on supply chain security, ICT security, encryption and geopolitical cyber risks. Tatyana Bolton is the policy director for R Street’s Cybersecurity & Emerging Threats team. She crafts and oversees the public policy strategy for the department with a focus on secure and competitive markets, data security and data privacy, and diversity in cybersecurity. 

Tags CISA Colonial Pipeline cyberattack Computer network security Cyberwarfare Data security Jen Psaki Joe Biden Microsoft National Cybersecurity and Communications Integration Center Solar Winds SolarWinds

Copyright 2023 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.