WASHINGTON, D.C. – Today, U.S. Rep. Anna G. Eshoo (D-CA) and Senator Jacky Rosen (D-NV) sent a bicameral letter to the Co-Chairs of the newly established Infrastructure Implementation Task Force (Task Force) urging them to ensure the implementation of the Infrastructure Investment and Jobs Act (IIJA) sufficiently protects our infrastructure investment against cyber attacks.

"New infrastructure has the potential to expand the attack surface for our adversaries. To ensure a unified front against cyber adversaries, the Task Force should establish centralized guidelines for agencies distributing funding that set cybersecurity standards for grant recipients," wrote the members. "Ransomware attacks alone cost state and local governments over $18 billion last year in recovery costs and downtime, according to Comparitech. It should not be the case that the federal government funds the development of cybersecurity infrastructure without centralized standards that grant recipients can look to for guidance."

A PDF of the letter can be found here, and the text of the letter is below:

Dear Mr. Deese and Mr. Landrieu,

Congratulations on your recent appointments as Co-Chairs of the newly established Infrastructure Implementation Task Force (Task Force) to oversee and coordinate effective implementation of the Infrastructure Investment and Jobs Act (IIJA) and related infrastructure programs. For the safety of Americans and our national security, we write today to urge the Task Force to ensure that implementation of IIJA sufficiently protects our infrastructure investment against cyber attacks.

As you know, IIJA provides significant new funding for critical infrastructure, as well as nearly $2 billion in funding for cybersecurity and related provisions. Specifically, it directs the Federal Emergency Management Agency (FEMA) to provide $1 billion over four years to state, local, tribal, and territorial governments for improvements to cybersecurity and critical infrastructure. It also provides cybersecurity funding for the electric grid, water infrastructure, broadband, and transportation systems through the Department of Energy, the Environmental Protection Agency, the Department of Commerce, and the Department of Transportation, respectively.

The Executive Order that establishes the Task Force authorizes you to invite other executive branch officials to participate in the Task Force's efforts. To ensure that infrastructure implementation efforts include effective cybersecurity measures, the Task Force should coordinate with the National Cyber Director, Cybersecurity and Infrastructure Security Agency (CISA), National Telecommunications and Information Administration (NTIA), and private sector stakeholders to develop centralized guidelines for agencies distributing funds to require entities receiving funding to maintain strong cybersecurity measures.

New infrastructure has the potential to expand the attack surface for our adversaries. To ensure a unified front against cyber adversaries, the Task Force should establish centralized guidelines for agencies distributing funding that set cybersecurity standards for grant recipients. Ransomware attacks alone cost state and local governments over $18 billion last year in recovery costs and downtime, according to Comparitech. It should not be the case that the federal government funds the development of cybersecurity infrastructure without centralized standards that grant recipients can look to for guidance.

While IIJA provides $100 million over four years for CISA to assist with "significant incidents" in both the public and private sectors, the primary goal should be to prevent any risk of significant incidents in the first place. Providing funding towards updating cybersecurity is a much-needed step towards that goal, but we should also provide leadership and direction when it comes to our nation's cybersecurity goals and not leave it to the individual agencies dispersing funding to determine. We must ensure that both the entities receiving FEMA's cybersecurity funding and the entities receiving funding to update the cybersecurity of critical infrastructure such as the electric grid, water infrastructure, broadband, and transportation systems will have state-of-the-art cybersecurity measures in place.

We have the opportunity now to protect our critical infrastructure investments, and we must take it. The Task Force has much hard work ahead, and I urge you to coordinate with the National Cyber Director, CISA, NTIA, and the private sector to ensure uniformity and excellence in our nation's infrastructure.

Most gratefully,

###