With new money for broadband and cybersecurity contained in the new infrastructure law set to begin flowing next year, states are poised to receive record-setting levels of funding for major IT projects.
But the grants contained in the Infrastructure Investment and Jobs Act, which President Joe Biden signed Nov. 15, won’t make much of an impact if states don’t have a “vision” for using the money, said Jim Richberg, the public-sector field chief information security officer at the security software company Fortinet.
“As I look at the state’s role, I come back to the fact the money is going to flow in one of two ways. There are parts allocated by formula … and parts that are competitive,” said Richberg, who’s also a former intelligence manager for cyber in the Office of the Director of National Intelligence.
Nearly all of the money being sent toward states will be parceled out formulaically. The $1 billion cybersecurity grant program will be doled out over four years with states, the District of Columbia, tribal governments and U.S. territories receiving predetermined cuts. But the infrastructure law requires states to commit at least 80% of what they get to their local subdivisions, which could wind up competing with each other.
“I don’t know that there’s going to be enough for each individual organization, so we gotta figure out how we share that across the collective and how we share those resources going forward,” New Jersey CISO Michael Geraghty said last month on an episode of StateScoop’s Priorities podcast.
And while $42.5 billion out of the total $45 billion earmarked for broadband development will be distributed through formulas, there are competitive grants for digital equity programs.
Still, the grant programs, particularly the cybersecurity program, will require states to submit detailed plans for how they intend to use any money they might receive. Richberg said state officials can hone their visions by focusing on a few key subjects, like interoperability and resilience.
“Pick a standard or standardized approach,” he said.
That outlook, he continued, is even more vital as states receive funds for infrastructure projects that aren’t explicitly tied to IT and cybersecurity but still involve technological assets, such as coal-mine sealing projects that use digital emissions monitors or traffic sensors that measure the durability of bridges and highways.
“We need to ensure there’s interoperability between all of this, because it’s all going to be digital,” he said. “The cyber industry has created ecosystems of capability. Platforms, mesh, all the sensors for all these things being instrumented, analytics can be done and they can also share commands.”
The expectation that physical infrastructure projects will include an ever-growing number of internet-connected devices means that much of the overall $1.2 trillion infrastructure plan has security implications, Richberg said. He said that creates added responsibilities for the state officials who’ll be managing how the money is spent.
“Even things earmarked without cyber in the name, you have to recognize there’s a cyber component,” he said. “That’s the challenge for the states.”
State CISOs can be a “good voice of what is the art of the possible,” he said, “but you need someone to be the point of contact [with grant-awarding federal agencies] and it depends on how a state’s government works. Now’s the time to start that foundational thinking.”