Partisan Bills Hurt Cybersecurity

Congress has had a spectacular three-year run developing and passing cybersecurity legislation that both protects our national critical infrastructure and secures our federal networks. On a bipartisan, bicameral basis, hundreds of provisions to protect our national security, economic productivity and public health and safety have become law. One bill, however, undermines this record of success: the Inflation Reduction Act.

That bill, which passed via the partisan reconciliation process, did not mention cybersecurity even once in 300 pages, despite appropriating hundreds of billions of dollars to industries including electric vehicles and renewable energy that are highly vulnerable to cyberattacks.

Compare that to the Infrastructure Investment and Jobs Act. When the president signed the bill into law in November 2021, he extolled it for making “our infrastructure more resilient to the impacts of climate change and cyber-attacks.” The fingerprints of House and Senate cybersecurity committee staff and members, both Democratic and Republican, were all over the text. Investing more than a trillion dollars in the future of the U.S. economy, the statute mentions cybersecurity 277 times. The bill makes specific cybersecurity investments including a $1 billion grant program to address cybersecurity risks faced by state and local governments. For the energy sector, there are two $250 million cybersecurity-specific grant programs: one provides support to rural and municipal utilities to address known cybersecurity issues and another supports developing cybersecurity technologies in the energy sector.

Passing Congress with bipartisan support in both chambers, the bill also includes policy direction and appropriations for the Cybersecurity and Infrastructure Security Agency (CISA) including $100 million to establish a “response and recovery” fund to provide government assistance to remediate and recover from a significant cyber incident, $35 million for CISA’s sector risk management responsibilities, and another $157 million for research and development.

The Act is not without its flaws – it misses opportunities to fund cybersecurity improvements in the water sectors, transportation sectors (like pipeline, maritime transport, and aviation) and the healthcare and public health sectors. But on balance, the Infrastructure Investment and Jobs Act lashes cybersecurity to critical infrastructure investments.

In August 2022, the president signed the bipartisan CHIPS and Science Act into law. This legislation provides nearly $150 billion dollars in new funding for semiconductor development and investments in science and technology funding. This law includes 76 references to cybersecurity and specific funding for science and technology education and training efforts, cybersecurity training programs, and regional technology hubs. It also provides numerous policy authorizations including increasing U.S. engagement in international standards development. Each element of this legislation was carefully developed and shaped by Republicans and Democrats across numerous congressional committees.

In stark contrast to these two bipartisan bills and the annual National Defense Authorization Act which has consistently included dozens of bipartisan cybersecurity provisions, stands the Inflation Reduction Act. The legislation had little to no committee oversight and management, and it showed.

The bill authorized nearly $400 billion in energy and climate investments, with no acknowledgement of the cybersecurity challenges inherent in these industries. The law includes a number of government-funded programs intended to spur the adoption of electric vehicles and the use of electric-vehicle charging stations (EV stations). There are no cybersecurity requirements or funding despite the fact that these stations are at serious cybersecurity risk, with a number of well-publicized attacks already occurring.

Hackers might be seeking personal and financial data, but they could also create cascading power system outages that place regional electrical grids at risk. A virus that compromises a public-facing EV station could then infect all of the vehicles it subsequently charges. The overall cybersecurity risk is amplified by the fact that the supply chain for most EV charging station equipment runs through China, a known cyber malicious actor. This bill needed cybersecurity “guardrails” all over it.

The Inflation Reduction Act’s rushed “back-room” drafting process and the paucity of involvement of professional committee staff members contributed to the failure to include necessary cybersecurity provisions in the final legislative product. Now it will take significant intervention by the Executive Branch and strong congressional oversight to reverse engineer in cybersecurity guardrails that were needed in the legislative drafting process.

The October forum hosted by the National Cyber Director Chris Inglis on cybersecurity challenges to electric vehicles and EV charging infrastructure was an important step in the right direction. Congress, for its part, would do well to return to its proven process of developing legislation in a bipartisan, committee-based manner.

Rear Adm. (Ret.) Mark Montgomery is a senior director at the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies, where he is also a senior fellow. He previously served as executive director of the congressionally mandated Cyberspace Solarium Commission. Annie Fixler is CCTI’s deputy director and an FDD research fellow. Follow the authors on Twitter @MarkCMontgomery and @AFixler. FDD is a nonpartisan research organization focused on foreign policy and national security issues.