Here’s what the dollar amount of the American Rescue Plan currently looks like: $2,250,000,000,000.00. In journalism and other intentionally styled writing forums a number in the millions or more isn’t often written with 12 zeroes, 10 if you want leave out the cents (not “sense,” wannabe pundits). It’s simply too long to bear meaning to our feeble minds, most particularly when it comes to money.
What does $2.25 trillion—see, somehow easier to grasp written like this—mean? It could provide a decent, $15,000 vehicle to 150 million households in the U.S. If you stacked $2.25 trillion in 100-dollar-bills onto pallets, those pallets could provide a fence around the entire White House compound, multi-layers high. Nearly half of all the gold mined to date would cost around $2.25 trillion. None of those illustrations really help us comprehend the administration’s infrastructure plan funding. Perhaps that elusive understanding is itself an indicator of the heft of the plan, the dollars intended.
With so much funding available, and the less-than-precise explanation of what exactly “infrastructure” means, it’s worth learning about what it includes. What, exactly, will be improved with trillions of dollars invested? Roads, bridges, and airports? Sure, those are commonplace infrastructure components. Communications and utilities seem infrastructure-y. I’m proud to have been involved, ever so slightly, in the White House’s Critical Infrastructure Protection Board that was convened in response to the 9/11 tragedy where we examined those societal functions and tried to protect them. Other areas include modernizing millions of buildings, academic, residential and commercial; bolstering healthcare; investing in research and development; promoting U.S. supply chains above those with foreign homes. It’s a healthy list capable of expending the amount above that none of us can truly fathom. Even broken down into scores of categories the amount is staggering.
One view of the plan that cannot escape my thoughts about it follows in step with what so much of this column surrounds. Most if not every one of these line items implicates information security and privacy. If the White House intends to provide high speed internet to all – Huzzah! So long as the cybersecurity risks do not also grow in scope. New powerline infrastructure and cleaner energy sources? Great, but will the innovations be more or less susceptible to enemy-state hackers? Even when it comes to roads and bridges, with hundreds of billions funding new projects, and therefore employing new businesses and employees, what does this scaling up of seemingly manual labor implicate in security terms? It ain’t nuthin’.
As is all too often the case, the opinions out there about whether and to what extent cybersecurity funding is part of the trillions planned to inject work and progress seem to be couched in politics. Those against the administration are crying “foul!” Their take is that of the $2.25 trillion to be spent, shinola is earmarked for cybersecurity. They opine that the $100 billion meant to improve power grid resiliency treats cybersecurity less than even an afterthought. This, they highlight, all the while that foreign nation-state actors are poised to attack our energy delivery systems. We need not look farther than Texas, or even nearer for some of you, to see what the effects of the grid’s meltdown might cause.
I feel not so naïve as to believe that trillions of dollars are planned for expenditure without consideration given to security. Like or hate the infrastructure plan, you cannot rationally read it without understanding that security and privacy are real considerations. Also, to critique the plan based only on that, whether reasonable or not, would ignore the fact that cybersecurity is part and parcel of nearly every federal government activity, planned or not, political or not. It’s simply too woven into the fabric of all swatches of life, and ergo all governmental functions, to think it’s being ignored. Thus, for example, outside of the infrastructure plan, the White House carved out $650 million just to help improve the administration’s Cybersecurity and Infrastructure Security Agency.
How much is enough? What percentage of a plan in the trillions should be intended to heighten security and privacy? The appropriate amount is my cop-out response. Part of the problem, to invoke the awful PR word, is “optics.” Cybersecurity, or any of its synonyms, maybe is not specifically, expressly contained within the plan. That would have assuaged the politicos who are adept at finding fault, or merit, in their limited view of a government issue. Again, though, we cannot escape the topic whether a line item reads “Security Expenses” or not.
Let’s look at the plan’s yen to strengthen domestic production by investing in U.S. supply chains. There’s $50 billion to create a new office or bureau within the Commerce Department that focuses on domestic chains. Another equal amount is meant to invest in the American semiconductor industry. Those buildouts will necessarily include cyber-defense, especially with the administration and the industry still reeling from Russia’s SolarWinds cyber-attacks. Another $50 billion will go to the power grid, making it more resilient. The act of modernization, which is what the grid improvements will undergo, implicitly includes efforts to improve their security. That’s by design. One would not approve of, or vote for, an energy grid modernization plan that ignored cybersecurity.
The plan and its funding are still works in progress. I leave the entire discussion about where the money comes from to others. What seems more clear to me, and also should to any logical thinker, is that the issues of information security and privacy are so engrained in the various plans’ areas that they do not need to be expressly listed in order to satisfy the plan’s critique. This, frankly, is a regrettable truism. Security and privacy need be part of any spending plan, whether for us when it’s in the hundreds, or the trillions at issue here.
Ed is a professor of cybersecurity, an attorney, and a trained ethicist. Reach him at firstname.lastname@example.org.