Members of the House Homeland Security Committee’s Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation discussed at a June 25 hearing ways the Federal government can help state and local governments (SLGs) deal with their cybersecurity challenges, including providing funding and opportunities to collaborate.
The subcommittee heard from SLG officials, academia, and industry experts, who discussed the struggles SLGs face, as well as paths forward.
In addition to expert testimony, lawmakers talked about several pieces of new legislation to assist state and local governments.
Rep. John Katko, R-N.Y., the subcommittee’s ranking member, said he plans to introduce legislation to create two new grant programs to help state and local governments. One of the programs would be a one-time grant to assist SLGs in identifying their highest-value systems, as a way to identify what systems need protection most. The second program would provide funds to help train and prepare for cyberattacks.
Rep. Cedric Richmond, D-La., who chairs the subcommittee, said he plans to draft legislation that would provide state and local governments with Federal aid to assist with cybersecurity protections, though he provided few details.
“So far this year, there have been over 20 reported cyberattacks against government agencies,” explained full committee Chairman Bennie J. Thompson, D-Miss. “As other sectors improve their cybersecurity posture, state and local governments struggling to keep pace with technology are becoming low-cost, high-value targets. It is time for the Federal government to do more. Make no mistake, state and local governments need to invest in security, especially as they invest in smart city technology. But it is time to improve the way the Federal government helps them.”
Building off the importance of trying to “keep pace,” Thomas Duffy, senior VP of operations and security services and chair of the MS-ISAC Center for Internet Security, weighed in on the state of SLG cybersecurity.
“Regarding the question ‘has the cybersecurity posture of state and local governments improved?’ – the answer is yes,” he said. “There are, however, other related and equally important questions that should be asked. If the question is ‘have state and local governments kept pace with advancing threats and the rapidly expanding cyber infrastructures that need to be protected?’ – the answer is probably not. If the question is ‘are state and local governments prepared to build, maintain, and evolve their cybersecurity programs commensurate with the risks that they will face in the future?’ – the answer is again, probably not.”
Testifying at the hearing was a politician who has dealt firsthand with a serious cyberattack. Atlanta Mayor Keisha Lance Bottoms was in office for just a few days when the city was hit by a massive ransomware attack in 2018, and said parts of the city’s government suffered “irreparable damage” as a result of the attack. The city refused to pay the ransom demanded by the attackers, and spent $7.2 million on data recovery.
Lance Bottoms called for legislation to provide Federal funding to help SLGs prevent, prepare for, and respond to cyber incidents.
She said it’s important to “emphasize the need for the Federal government to provide emergency funding and support during an actual cyberattack. Having access to funds at the time of an attack would not only accelerate responsiveness and restoration; but, would also result in fewer municipalities paying ransoms and ultimately decrease the occurrence of local governments as targets.”
Further, the Federal government needs to empower Federal agencies to develop and share their best practices with SLGs, the mayor said. “Many small municipalities do not have the resources necessary to develop and implement these best practices,” she said. In the collaboration vein, she called for the Federal government to expand existing programs that share real-time threat information with SLGs.
Frank J. Cilluffo, director of the McCrary Institute for Cyber and Critical Infrastructure Security, and director of the Center for Cyber and Homeland Security at Auburn University, offered the subcommittee several policy recommendations: provide direct Federal funding; offer more training opportunities; leverage lessons learned; and provide circumscribed election assistance.
Duffy agreed with Cilluffo’s call for a dedicated grant program, saying, “If a cyber grant program is established, priority should be given, or funds set aside, to programs that support state and local partnerships. Leveraging the combined resources of state and local governments will serve as a force multiplier.”
Cilluffo explained that currently only four percent of grant monies from the Homeland Security Grant Program are directed towards cybersecurity. He said that level is untenable, and additional funds need to be dedicated to cybersecurity programs.
“A dedicated Federal grant program should have built-in safeguards to ensure that there is return on Federal investment in the form of measurable State/Local and by extension national capabilities,” he said. “Simply throwing Federal money at the problem is not the answer. Instead, there must be a thoughtful strategy and accompanying metrics to support the request for funds and any subsequent grant. The program would, therefore, be risk-based and tailored to a particular context.”
Cilluffo also addressed one of the biggest hot-button issues on the Hill these days – election security. He said the Federal government “can and should share more widely and actively its unique informational and other assets with state-level counterparts for the targeted purposes of identifying and mitigating threats [related to election security]. To be clear, this would involve concerted Federal efforts to create and maintain a rich picture of the threat from the national perspective and a companion effort to support state officials in responding effectively and timely to that dashboard as it specifically pertains to them/their State. Such a division of labor is properly respectful of the division of powers and capitalizes upon the strengths that reside at each level of government.”
As a means of oversight, Duffy called for the Federal government to adopt a “single audit” approach to auditing state programs for “compliance with the security guidelines of the cognizant Federal agencies.” A single audit approach would “promote sound financial management of government funds by non-Federal organizations, promote uniform guidelines for audits, and reduce the burden on nonprofits by promoting efficient and effective use of audit resources.”