How Critical Infrastructure will be impacted by White House $13B Cybersecurity Budget Request

Reimagining and re-aligning more responsibility for cyber risks to big tech companies

The Biden administration is seeking $13 billion in cybersecurity for 2025 representing a major increase over the $11.8 billion slotted for cyber security spending in 2024, which were cut by the lack of a new budget nearly midway through the fiscal years.

The U.S. Congress is still wading through the details of cybersecurity spending for 2024, with the Biden administration outlining requests for several key cyber programs and initiatives for 2025.

What is new about this request is the emphasis the guidance places on re-aligning more responsibility for cyber risks to big tech companies, especially as it relates to critical infrastructure, and the national cyber strategy push to use government purchasing power to shape market forces to drive security and resilience.

This increase in cybersecurity funding directs prioritization of cyber investment in three areas that will support some of the most vulnerable sectors such as healthcare, critical infrastructure owned by the private sector, OT, and energy.

For 2025, the White House has directed prioritization of cyber investments for the following:

1. Secure by design technologies

The White House emphasizes prioritizing investments in “secure by design” technologies, aligning with the national cybersecurity strategy. The guidance follows President Biden’s five pillars of the national cyber strategy, with a focus on defending critical infrastructure. The guidance emphasizes that agency investments should result in durable, long-term solutions.

2. Zero Trust Architecture

The White House advises agencies to demonstrate progress in zero trust deployments, consistent with last year’s guidance.
There is an urgency for cybersecurity solutions that are secure by design and mesh with the Federal Zero Trust Strategy – which at its core assumes that devices on a network should never be trusted.

Zero trust as an overarching strategy has gained traction among federal cybersecurity officials in recent years after attacks like the SolarWinds breach and Microsoft Exchange hack illustrated what can happen once hackers have already broken through perimeter defenses.

Full implementation of zero trust principles is crucial for defending against cyber-attacks. Congressional funding priorities should prioritize zero trust cybersecurity to ensure adequate resources for its implementation beyond 2025.

3. Legacy Modernization

The guidance urges agencies to prioritize modernizing legacy systems to address concerns such as implementing phishing-proof multifactor authentication in line with zero-trust practices. It specifically directs agencies to focus on upgrading technology as systems approach end-of-life or end-of-service status, especially for High Value Asset systems unable to meet zero-trust requirements.

The latest Office of Management and Budget (OMB) report highlights challenges in mitigating security vulnerabilities in High Value Assets, with patch management identified as a top concern. The guidance emphasizes the importance of building modern, secure enterprise environments.

Re-aligning cyber risks to big tech companies

Built into the request for increased funding is a new national cyber strategy that lays out a vision for strengthening the cybersecurity of critical infrastructure sectors through baseline security requirements and re-aligning more responsibility for cyber risks to big tech companies. The direction is based on moving beyond voluntary collaboration toward establishing requirements for key parts of critical infrastructure sectors and using federal procurement as a major tool for improving accountability for cybersecurity in products and services.

The strategy fundamentally re-imagines America’s cyber collective perception of how cyber risks typically trickle down to individuals, small business, and local governments.
The strategy aims to re-balance the responsibility for managing cyber risk to those who are most able to navigate and manage it. The strategy includes five major pillars:

• Defend critical infrastructure
• Disrupt and dismantle threat actors
• Shape market forces to drive security and resilience
• Invest in a resilient future

The guidance emphasizes that budgets should advance performance-based regulations, leveraging existing cybersecurity frameworks and voluntary consensus standards. Agencies should plan to establish adaptable cyber standards across critical infrastructure sectors, while also ensuring sufficient cybersecurity capabilities and personnel for effective regulatory enforcement.

Public-Private Partnerships are Inadequate for Critical Infrastructure

“We recognize that we need to move from just a public-private partnership, information sharing approach, to implement minimum mandates,” Anne Neuberger the deputy national security advisor for cyber and emerging technology stated. “Information sharing and public-private partnerships are inadequate for the threats we face when we look at critical infrastructure.”

The guidance highlights the redistribution of cyber defense responsibilities to ensure that the most capable actors effectively oversee the cyber ecosystem. Regulators are encouraged to collaborate with regulated entities when establishing cybersecurity requirements and resource allocation.

The strategy aims to increase cybersecurity accountability in the tech sector by shaping market forces, focusing on objectives like developing secure Internet of Things (IOT) devices and advancing IoT security labels for certain products. It also proposes shifting liability for insecure products and services to software vendors with the administration collaborating with the private sector to develop software liability legislation.
The strategy states that such legislation should prohibit manufacturers and software publishers with market power from entirely renouncing liability through contracts and set elevated standards of care for software, particularly in high-risk scenarios.

Internet of Things (IOT) and Operational Technology (OT)

The Cybersecurity and Infrastructure Security Agency (CISA) 2025 cyber budget proposal allocates $469.8 million for the Continuous Diagnostics and Mitigation (CDM) program. This funding would support completing mobile and cloud asset deployments, initiating Internet of Things activities in Asset Management, addressing gaps in Identity and Access Management capabilities, and aligning with agency zero trust use cases.

CDM’s move to include more OT system data comes as part of a broader government-wide effort to better manage and secure these non-traditional systems.
Inventorying IoT assets, including those qualifying as OT, is crucial for cybersecurity as these assets are increasingly interconnected with IT systems. An inventory allows CIOs and CISOs to gain visibility, apply NIST controls, and make risk-based decisions. It also streamlines vulnerability identification and mitigation for a resilient infrastructure. Inventorying is essential for establishing a monitoring baseline to detect unauthorized or malicious activities efficiently.

From an asset management perspective, the objective remains consistent across various asset classes: achieving parity in visibility. Although IoT devices fundamentally resemble traditional endpoints, their broader implementation introduces complexities. CISA will now evaluate purpose-built products designed for IoT. Unlike traditional endpoints where deploying an agent is straightforward, IoT devices require remote sensors, necessitating specialized tools to ensure network visibility.
CISA will try to better understand the current tools and capabilities in the commercial market today and how they could take advantage of them.

Healthcare and HIPAA

The Department of Health and Human Services (HHS) has unveiled an ambitious but significant budget with innovative cyber initiatives targeting healthcare organizations. Among these, a substantial $800 million is earmarked to support financially strained hospitals in implementing vital cybersecurity measures. Furthermore, an enticing $500 million incentive program has been proposed for all hospitals to bolster their defenses with cutting-edge cybersecurity solutions.

It additionally includes $141 million for HHS to strengthen the security of its own systems, while also supporting the broader health sector. That number includes $11 million to expand and enhance capacity to protect the privacy and security of health information under the Health Insurance Portability and Accountability Act of 1996, known as HIPAA.

Supporting Private Entities in Critical Infrastructure

The energy sector, while generally proactive in security compared to other critical infrastructure sectors, remains a prime target for cyber-attacks. With a new national cyber strategy focused on critical infrastructure security, the Energy Department (DOE) is setting cybersecurity requirements for federal investments in clean energy technologies and conducting a review of digital threats to the electric distribution system.

The strategy emphasizes the importance of private entities in safeguarding critical infrastructure and their systems from digital threats and advocates for investing in sector risk management. As the energy industry becomes more digitized and interconnected, with the integration of new clean energy technologies such as solar panels, wind farms, and electric vehicle charging stations, assessing cybersecurity risks becomes crucial, particularly with the transition to more distributed energy generation.

In February, the Office of Cybersecurity, Energy Security, and Emergency Response (CESER) also launched a joint initiative with the National Association of Regulatory Utility Commissioners (NARUC) to establish cybersecurity “baselines” states can use in regulating electric utilities.

The administration, once again, envisions a collaborative process bringing both regulators, industry, and cyber technology companies to the table to jointly develop cyber baselines for distribution systems and distributed energy resources, including policies and incentives that can be provided by DOE.

CESER also continues to build out a new Energy Threat Analysis Center and threat detection platform for the electric grid. This will bring together cyber experts from industry and government to share information about digital threats. Brought about by the Log4j response, the Center will also be connected to CISA’s broader Joint Cyber Defense Collaborative, a public-private cybersecurity hub that looks across all sectors.

The strategy focuses heavily on critical infrastructure owned by the private sector, but it also includes an emphasis on securing federal systems.

IOT security, underrecognized by the administration, requires increased attention and appropriate technological solutions for network traffic monitoring and analysis. Last year, DOE and CESER introduced a security-by-design framework for integrating cybersecurity into energy systems during development. Collaboration with the engineering community is vital to ensure cyber considerations are integrated into system designs. This involves working with standards organizations to ensure cybersecurity is a key aspect of design considerations alongside reliability, operational efficiency, and safety, aligning with advancing cyber-informed engineering practices.

Investment in AI Innovation

Following the President’s executive order on artificial intelligence( AI) last fall, the 2025 budget proposal includes substantial spending on AI-related initiatives, particularly in the realm of cybersecurity and AI safety.
The Order acknowledges that AI has immense potential to address challenges and enhance security. Simultaneously, risks associated with AI are recognized, including the potential leading to societal harms (such as fraud, bias, and disinformation) but it aims to ensure AI systems respect privacy rights.

The directive emphasizes the need for:

• Investment in AI innovation: Fostering R&D and breakthroughs in AI technologies, nurturing a skilled workforce with AI expertise, and intellectual property protection to address legal and ethical aspects.
• Safety and Security Measures: Directing actions to mitigate AI risks such as developers disclosing vital information about safety test results. Other actions include the assessment of AI risks across critical infrastructure sectors, and harmful AI efforts to prevent foreign actors from developing AI for malicious purposes.
• Innovation for Good: Encouraging responsible innovation, collaboration, and competition. By investing in AI, the U.S. can lead in AI research, development, and deployment and, ultimately, contribute to building safe and beneficial AI technologies that minimize risk.

For example, $455 million is designated for the DOE’s efforts in AI, cybersecurity, and resiliency within the energy sector. These investments bolster the department’s computing capabilities, support the development of AI testbeds, and aid in the creation of foundation models for energy security, national security, and climate resilience.

Additionally, the funding facilitates the evaluation of AI capabilities in identifying various security threats and allocates resources for training new researchers from diverse backgrounds to meet the growing demand for AI talent.

Also requested was $5 million for the establishment of a new office within the Department of Homeland Security (DHS) to coordinate AI utilization across the department, foster innovation, and address AI-related risks. Both DHS and CISA are pivotal in advancing the security of AI systems.

In Conclusion

In summary, this budget request for 2025 underscores the urgency of strengthening our nation’s cyber security posture through improved public-private collaboration with more accountability on both sides. Investing in modern technologies, ensuring zero trust principles, and building secure-by-design technologies will impact industry sectors that have been largely ignored when it comes to cybersecurity and provide them with the guidance and funding needed to protect against more sophisticated and emerging threats and nation-state attacks.

Through strategic investments in industry, establishment of robust cybersecurity frameworks, and leveraging the power of AI to protect assets, we can champion safety, security, and innovation. This approach allows us to shift the burden of managing cyber risks to those best equipped to handle it, ensuring a safer and more resilient digital landscape for all.

Author

Ann Chesbrough