April 8, 2021

This post is a one in the “Rethink Cybersecurity” series. Additional posts in this series are available here

President Biden’s massive infrastructure proposal – dubbed infrastructure for the digital age – includes a wide variety of items not traditionally thought of as infrastructure such as home health care, as well as some items that are very much digital infrastructure such as $650 million for expanded broadband networks.

But there is no money for cybersecurity.

The most fundamental infrastructure of the 21st century is our digital infrastructure.  In the last 25 years our national assets have shifted from being primarily physical in nature to digital.  Virtually every business, as well as most government operations, including defense, operate in cyberspace. Imagine what it would have been like to try to live through the COVID-19 Pandemic without the digital systems we have developed in the last 30 years.

Proposing to build vast new broadband networks without providing adequate funding to secure these networks is literally the equivalent of building highways that will assure repeated traffic accidents and deaths.

That metaphor is not excessive, if anything it understates the danger of not addressing cybersecurity as part of critical infrastructure upgrade. Unsafe roads will lead to crashes just on that one road. Cyber systems are integrated, so vulnerabilities in broadband systems serving remote areas are vulnerabilities to the entire system. We know, as evidenced by recent cyberattacks, such as SolarWinds, that adversaries look to attack systems at their weakest points and then use their entry into the system to reach more critical assets. 

As a result, addressing the laudable goal of vastly expanding broadband access, without simultaneously addressing the security of these networks is both perplexing and dangerous.

It is noteworthy that much of the broadband money may be targeted to smaller companies who lacked the economies of scope and scale of the major telecom providers to enhance their networks. However, this is the very group that most needs economic support to assure their networks are properly secured.

A recent study commissioned by the US Telecom Association found that 75% of critical infrastructure small and medium sized businesses have experienced a cyber breach. Even having this unhappy experience, most of these companies (55%) feel their company is “not prepared to prevent or recover from a cyberattack.” And these results are prior to the proposed broadband upgrade envisioned in the Biden plan. The new broadband systems while vastly expanding services also vastly expand the vulnerability to cyber attack.

Of course, it is possible the government anticipates that they will help build these new networks and it will then be up to the companies themselves to figure out how to secure them – possibly based on guidance from the government.  However, the report makes clear this is an unrealistic expectation. The study found that only 13% of small and medium sized companies involved in critical infrastructure used government guidance to make cybersecurity decisions.

If we are going to do a massive upgrade of our nation’s broadband systems, it is imperative that we do so with realistic expectations regarding its security. The US Telecom report’s number one policy recommendation is to “ensure that expectations for small and medium sized business cybersecurity are grounded in an understanding of economics and appropriate incentives are considered.” More specifically the report notes that “small and medium sized business may not be able to sustain uneconomic investments in cybersecurity beyond minimum requirements Consequently consideration must be given to what incentives may be required.”

Given the need to provide access to broadband nationwide, and the reality that even small businesses are subject to, and targets of, sophisticated cyber-attacks a sustainable system of cybersecurity must be folded into the infrastructure upgrade plan. Since the Biden plan already anticipates a tax element (i.e., raising taxes on larger corporations) perhaps balancing that proposal with tax credits to enhance the cybersecurity needs of the smaller broadband players would be a fitting addition to the proposal.

Join the Rethink Cybersecurity Community click here