State IT officials make a case for cyber grant reauthorization before House subcommittee
Several state technology officials on Thursday brought before a House Homeland Security subcommittee a request that Congress reauthorize funding for the expired State and Local Cybersecurity Grant Program and renew cybersecurity programs inside the Cybersecurity and Infrastructure Security Agency that have been decommissioned under the Trump administration.
Led by Rep. Andy Ogles, a Republican from Tennessee who chairs the Subcommittee on Cybersecurity and Infrastructure Protection, and who introduced legislation approved by the House last year to reauthorize SLCGP grant funding, state officials said their organizations, and the local governments they assist, are facing cybersecurity challenges can be met far more readily with aid from the federal government. Colin Ahern, New York State’s director of security and intelligence, summarized the problem in his opening statement when he said that “our states are on the front lines of multiple cyber conflicts, yet we are being asked to manage nation-state risks while our federal partners step back.”
Over the course of more than two hours, state officials explained the many benefits that the grant program had afforded their local governments over four years of funding. Tennessee Chief Information Officer Kristin Darby said that her state’s local governments, which she described as having “little or no dedicated cybersecurity staff” and are living with “a dangerous imbalance between highly sophisticated attackers and severely resource constrained defenders,” found consistent improvement in their defenses after regular participation in the grant program. Through the grant program, which provided $1 billion for states and local governments through 2021’s infrastructure bill, Tennessee secured nearly 90,000 endpoints on local government networks, said Darby, adding that “many of these local governments simply could not deploy or sustain these capabilities on their own.”
The officials said they owed much of their cybersecurity success to the federal government’s support, but also to the trend of states reorganizing their cybersecurity practices under “whole of state” models, in which states can offer cybersecurity services to local governments that might not have the funding or wherewithal to obtain them independently. Florida CIO Warren Sponholtz pointed to Florida’s state-funded cyber grant program as “one of the most important tools for reaching local communities,” explaining that “that model creates economies of scale, decreases procurement friction, reduces bureauocracy and gives small entities access to enterprise-grade solutions.” Darby, Tennessee’s CIO, stressed the value of the federal cyber grant program’s tendency to connect officials across levels of government who might not otherwise meet and to build trust in ways that have strengthened defenses.
Some subcommittee members seemed eager to support reauthorization and whatever else states might need for their cyber efforts. In introducing the hearing’s topic, Ogles said “reauthorization alone is not enough” and that lawmakers ought to be looking at the program’s history to begin optimizing it for future iterations. Rep. Delia Ramirez, a Democrat from Illinois, said the Trump administration has “eviscerated” programming at CISA, leaving open some 1,100 positions, while state and local governments have largely been left to their own devices, a paradigm she called “unacceptable.” She called for the grant program’s reauthorization.
Others became politically distracted or seemingly overwhelmed by the great amount of detail contained in an issue affecting all of the states, each with their own unique versions of the cybersecurity problem. Rep. Morgan Luttrell, a Republican from Texas who left midway through the hearing, said he supported the efforts of state and local governments — “I see the ones and zeroes” — but was apparently exasperated by the scope of the challenge. Noting that he was unsatisfied with settling on funding as an answer, he asked the state officials if they had a definite solution to disruptive and dangerous cyberattacks. Sponholtz, the Florida CIO, shared an admiration for the utility of cybersecurity “communities of practice,” such as those organized by the National Association of State Chief Information Officers, known to many as NASCIO, a group that this spring convened roughly 1,000 state officials and vendor representatives at its midyear conference, in Philadelphia. Luttrell, perhaps sensing that a conclusive solution to cybersecurity was not close at hand, ended his questioning by telling Florida’s CIO that “you just threw another acronym and institution at me that I have never even heard of. And we have to wade through that in order to give.. either appropriate or regulate it.”
Rep. Nick LaLota, a Republican from New York, used the occasion to level political attacks on New York Mayor Zohran Mamdani and his state’s governor, Kathy Hochul, whom he claimed had spent billions on services for illegal migrants, but only tens of millions of dollars on cybersecurity. Using Ahern as his rhetorical sounding board, LaLota took several passes at asking whether that financial difference “was an issue” for him: “You’re here to ask for more money. The challenge we have here is that your governor is spending 48 times more on the migrants than we’re spending on cybersecurity to protect law-abiding citizens.” Ahern responded: “Sir, I think the issue of cybersecurity is deeply important. I think the issue of public safety is absolutely essential. But we don’t believe that these are either mutually exclusive concerns or should be set in opposition to each other.”
The exchange had been noticed by Ramirez, the representative from Illinois, who later in the hearing agreed with LaLota that budgets are “moral documents.” She argued that “spending a billion dollars on a ballroom, which is what the president wants, or $1.7 billion dollars to incentivize insurrectionists, while we still are waiting for the reauthorization of this critical grant program says a lot about where priorities are right now with this administration.” (Apparently repelled by the controversial fund proposed by the president, Senate Republicans on Thursday abandoned plans to take up a bill that would have provided funding for his deportation campaign.)
Though cybersecurity can be technical and complex, the message put forth by state officials on Thursday was straightforward. Samir Jain, a vice president of policy at the nonprofit Center for Democracy and Technology, encapsulated this message when he testified that federal cuts to cybersecurity programs, at CISA and at an information-sharing group called the Multi-State Information Sharing and Analysis Center, have widened the “gap between rapidly escalating threats and the diminished federal capacity to help state and local and governments meet them.” Jain and the state officials proposed several salves for this wound, but key among them was renewing support for CISA and reauthorizing and simplifying the federal grants, which have enabled the services and coordination that act as a mitigating force to AI-fueled nation-state attacks.
When asked what was on each state’s wish list, Darby, the Tennessee CIO, said renewing the grants would give her state a fighting chance at keeping up with cyberattacks fueled by AI and to fund workforce development programs that could attract workers who understand the latest AI and cybersecurity tools. “AI has become an integral part of our operational readiness,” she said. Ahern, the New York intelligence director, said he wanted to see the cyber grants to be “more straightforward” to access. Several officials noted that the fund matching requirement in the grants’ first round had been burdensome for some localities. Darby recalled a cybersecurity incident in which a locality had requested help, but that because of rigid grant rules, the state was permitted only to provide a particular service, but not the one the locality needed.
Rep. Gimenez, a Republican from Florida, opined that for the field of cybersecurity, AI is “the only way to go” and suggested he was in favor of letting “the machines fight each other.” Sponholtz, the Florida CIO, said that the grants would allow state and local governments to keep pace with advances in AI: “We are looking at it … so that we can operate faster, more efficiently. But I think the real answer is collaboration between state, federal, private sector, to be able to develop solutions to, like you said congressman, fight fire with fire and use AI to be able to defend this nation and the governments within it.”
Picking up on the concerns raised by House Republicans of the costs associated with aiding state and local cybersecurity, Rep. James Walkinshaw, a Democrat from Virginia, suggested that “one of the most cost effective things we can do at the federal government level is play that convening role. There is no other entity that can as effectively bring together governments, the private sector, experts, to share information and develop solutions together. I think that’s a really, really good bang for our buck and we’re losing something with the elimination of that.”
