How much funding should the State and Local Cybersecurity Grant Program get?

The SLCGP, as the states call it, could be reauthorized for an additional decade. But Congress still needs to settle on a dollar figure.

The State and Local Cybersecurity Grant Program, which is set to expire at the end of this month, is on track to be reauthorized, but the legislation that would do that doesn’t yet include a number. How much money does it take to protect the digital infrastructure of the nation’s state and local governments?

The Protecting Information by Local Leaders for Agency Resilience, or PILLAR, Act, was introduced Tuesday and began winding its way through committees, enjoying favorable bipartisan comments. Rep. Andy Ogles, the Tennessee Republican who introduced the bill, said that usually he wants Washington to “do less,” but that he recognized “[we must] not leave our local communities and governments exposed,” lest government wind up with an even larger tab later.

“I don’t think there is a magic number,” said Erik Avakian, Pennsylvania’s former chief information security officer. “The majority of the time, this stuff is always underfunded. They really should be asking the states: ‘What do you need?’”

Avakian, who now works as a cybersecurity executive counselor at Info-Tech Research Group, said that providing a flexible funding scheme would make sense given how things can change over the course of a decade, and because it’s difficult to predict what everyone will need.

“In Pennsylvania, we maximized that by putting out a shared service for security awareness training,” Avakian recalled of the grant’s early days. “We upped our license amount from 80,000 to like 250,000. And that reduced the cost of each license.”

He added that many in state government have viewed the $1 billion provided for the first four years of the program as a “starting point” to be built upon. Five industry groups, led by the Alliance for Digital Innovation, on Tuesday suggested to lawmakers an amount of $4.5 billion over two years.

But in its current form, the PILLAR Act would reauthorize the grants for 10 years, a timeframe favored by the National Association of State Chief Information Officers, a group that has been advocating for the grant program to be reauthorized and expanded. Alex Whitaker, NASCIO’s director of government affairs, said the group is “really happy” about the fact that reauthorization is on the table, and that the decadelong timeframe is a nice bonus.

Using the same phrasing as Avakian, Whitaker agreed that the program’s original funding amount was never considered by state or local officials to be especially lavish.

“We’ve always viewed the SLCGP as more of a starting point and we continuously need to expand, and that’s not just because states and local governments want it. It’s because the threat gets greater every year, and the attacks get more sophisticated every year,” he said.

The PILLAR Act would require states to put up a 60% price match, which Whitaker said is fairly steep but at least has the advantage of consistency. In the original program, the match required by state and local governments grew each year, and some governments reported difficulty finding enough funding.

The reauthorization would also continue to require states to funnel 80% of the funding received to their local governments, and it would also continue to allow states to provide in-kind security services to meet that requirement.

“We think it’s the most efficient way to do it, because if you have to write a check to every local government that wants to apply, that money’s not going to go very far,” Whitaker said. “This way, states already have existing programs for assessments and multifactor authentication, etc., and you can just use this money to bolster those programs, rather than having local governments buy new technology and set up their own programs.”

The price match is slightly larger — 70% — for groups of governments that band together, though no one interviewed for this story was aware of any group of states that had partnered on grants for the first four years of the program. Avakian, the former Pennsylvania official, said he would like to see states set up regional partnerships to save more money on bulk purchasing, and that even grouping all 50 states together would have advantages, though he admitted that politics would likely make such a plan impossible.

One additional change the PILLAR Act would bring to the cyber grant program is AI. The term “artificial intelligence” is mentioned in the bill text 26 times. Avakian pointed out that AI has become an increasingly influential component of cybersecurity, for attackers and defenders, which could account for its inclusion.

Travis Hall, the director for state engagement at the Center for Democracy and Technology, said that it’s simply fashionable, particularly in the Trump administration and Republican Party, to include AI wherever possible. The White House could scarcely have summoned more gravity around the technology, claiming last July with the release of its AI Action Plan that it would simultaneously usher in “industrial revolution, an information revolution, and a renaissance.”

Trump’s AI Action Plan calls on the Federal Communications Commission to evaluate whether state AI laws interfere with its ability to operate, and directs other federal agencies to find state AI laws that are burdensome to private industry and revoke funding until the laws are changed. Hall said it’s possible that the numerous AI mentions in the PILLAR Act were intended as a hook for the AI Action Plan, but that he favors the simpler theory that AI is in fashion. Donald Trump, after all, has not been finicky about the rules when it comes to eliminating programs or withholding funding from those he doesn’t like.
