Pages

13 March 2024

Infrastructure Investment and Jobs Act: Unsung Hero Protecting Critical Infrastructure from National Security Threats

Heidi Crebo-Rediker

The Biden administration’s ambitious rebuilding of America’s infrastructure—thanks to the $1.2 trillion bipartisan Infrastructure Investment and Jobs Act (IIJA)—brings to mind visions of politicians cutting ribbons at the reopening of a repaired bridge, or celebrating newly paved highways or transit systems. All those are crucial investments for safety, competitiveness, jobs, and growth, not to mention the improvements Americans experience personally every day. Fewer potholes mean less damage to cars and bridges that no longer require “diapers” to catch the falling chunks of concrete or risk collapsing into rivers below.

Less celebrated is the investment this legislation provides for U.S. national security, and in particular resilience against cyber threats to critical infrastructure: ports, energy grids and transmission lines, railways, and the many other means by which the United States transports goods, data, energy, and people. In November 2021 Congress allocated $50 billion of the IIJA to a category called “resilience,” to defend against the impacts of climate change, extreme weather events, and cyberattacks. Last week the Biden administration announced the largest cyber resilience-related funding to draw on the IIJA since its inception: $20 billion to protect critical infrastructure over the next five years by strengthening the cybersecurity of U.S. ports. These funds are especially important given rising geopolitical competition with a host of foreign actors, including China, Russia, Iran, and North Korea, as well as vulnerability to attacks by non-state cyber criminals.

The Department of Homeland Security and the Coast Guard Cyber Command, together with the National Security Council, disclosed last week that Chinese-manufactured ship-to-shore cranes account for nearly 80 percent of cranes at U.S. ports, amounting to over two hundred Chinese-manufactured cranes. Today’s cranes are very different from the dumb machines of the past; they include advanced software and sensors and their prevalence has been deemed to pose a real risk to American security interests. China’s potential ability to disrupt critical infrastructure thus requires the United States to revamp or replace those cranes over time.

 According to the commander of the Coast Guard Cyber Command, “by design, these cranes may be controlled, serviced, and programmed from remote locations. These features potentially leave PRC-manufactured cranes vulnerable to exploitation.” Given that the U.S. military docks and deploys from or near many of those ports, and 90 percent of U.S. trade transits through them, the investment from the IIJA in critical infrastructure is indeed essential.

According to the Wall Street Journal, in 2021, FBI agents searched a cargo ship delivering a shipment of Chinese cranes to a Baltimore port and found intelligence-gathering equipment on board. Congress then requested a multiagency review in the December 2022 National Defense Authorization Act to examine whether foreign-manufactured cranes at U.S. ports were a national security threat, while ongoing administration investigations and heightened scrutiny led to last week’s announcement.

As a result of the IIJA, over the coming five years this country will see the construction and use of new cranes manufactured in the United States with the support of a U.S.-based subsidiary of Mitsui E&S, so there is also a manufacturing on-shoring element to this new investment. New cranes do not capture the public’s imagination, nor should we expect politicians to tout new cranes in their election campaigns. However, this new rollout of infrastructure is critically important for traditional infrastructure investment aims—safety, competitiveness, jobs, and growth—as well as national security.

The investment from the IIJA for resilience is a drop in the bucket to protect America’s critical infrastructure, given the investment required to ensure all major existing and future critical infrastructure is protected. The Cybersecurity and Infrastructure Security Agency, National Security Agency, and FBI released an advisory in early February confirming that Volt Typhoon, a Chinese state-sponsored cyber company, has already compromised multiple sectors of America’s critical infrastructure, including communications, energy, transportation, water, and wastewater systems. In that assessment, they warned that Volt Typhoon actors, found existing on the networks of some critical infrastructure for “at least five years”, are pre-positioning themselves with the intention to disrupt functions in the future.

Given rising geopolitical uncertainty and the increasing sophistication of these threats, future funding for resilience to protect critical infrastructure should routinely be a top bipartisan priority for Congress, the Biden administration, and administrations to come. Those investments can and should be structured as a win-win in the same way the Biden administration just did with ports and cranes to ensure benefits flow to both American workers and to America’s national security. The geopolitical clock is ticking though, upgrading or replacing infrastructure takes time. The IIJA provided funding, now we have to use it.

No comments:

Post a Comment