All Commentary
Friday, May 14, 2021 Leer en Español

Biden Administration Eyes Cybersecurity Requirements for Recipients of Infrastructure Funds

It’s easy to promote new requirements if you never think about the cost.

Image Credit: Gage Skidmore - Flickr | CC BY 2.0 (

In the wake of the Colonial Pipeline ransomware attack, cybersecurity is suddenly top of mind across the country. Not wanting to let a good crisis go to waste, President Biden ordered an overhaul of federal software systems on Wednesday. But if that already sounds like a bit too much of a top-down approach, you’ll be disappointed to hear that it doesn’t stop there.

“The Biden administration is looking to require companies to upgrade cybersecurity measures as part of its $2.3 trillion infrastructure spending plan in the wake of the ransomware attack on the Colonial Pipeline,” the Washington Examiner reports. “The administration is interested in requiring that grant recipients implement cybersecurity protections and in issuing tax credits for such improvements.”

“Part of the expectation for local authorities, states, or other bodies seeking to get funding is that there be robust cybersecurity, resilience, and planning written into that,” Transportation Secretary Pete Buttigieg said. “This is not an extra. This is not a luxury. This is not an option. This has to be core to how we secure our critical infrastructure.”

On the surface, it’s easy to think that this move is unequivocally good. After all, who is against cybersecurity? But the thing we have to remember here is that resources are scarce. If more resources will be spent on cybersecurity, then less resources have to be spent somewhere else.

So, what is being sacrificed in order to make these improvements possible? What quality standards or other projects will we have to forego? They don’t say, of course. They never mention the costs. And that’s precisely the problem.

The question here isn’t whether cybersecurity is important. That’s obvious. The question is about trade-offs. What will we have to give up for this increased cybersecurity, and is that cost really worth it?

These are questions that governments don’t like to answer, which is bad enough in its own right. But more than that, these are questions that governments are simply not equipped to answer, even if they wanted to.

Only consumers know what trade-offs they are willing to make in terms of quality, affordability, and security. But the way consumers make these preferences known is through market interactions. Governments have no way of knowing what will benefit consumers the most. The best they can do is order companies to do things that sound good and hope that it comes close to the actual preferences of consumers.

But hope is not a strategy. If we actually want resources to be allocated in ways that get the trade-offs right, we need to let consumers make their own decisions with their own money.

This development also shows how, as FEE’s Dan Sanchez warned about Biden’s economic plan in July of last year, government “investment” in business leads to government control of business, and moves the country down one of the two paths toward a command economy, as explained by Ludwig von Mises.

“He who pays the piper,” as they say, “calls the tune.”

Like this story? Click here to sign up for the FEE Daily and get free-market news and analysis like this in your inbox every weekday.

  • Patrick Carroll is the Managing Editor at the Foundation for Economic Education.