U.S. Sens. Mark Warner and Cory Gardner introduced legislation Monday that would authorize the Department of Homeland Security to give state and local governments grants to purchase additional cybersecurity resources and hire more information-security personnel.
Under the State Cyber Resiliency Act, state, local and tribal governments would be invited to put together plans to improve their overall defenses around their computer networks, communications systems and industrial control systems, such as internet-connected devices that operate environmental sensors and other “smart city” platforms. Plans would be designed with the goals of improving overall security, running regular vulnerability assessments and other threat-mitigation exercises and ensuring operational continuity — particularly public safety and law enforcement — in the event of a cyberattack.
“As cyberattacks increase in frequency and gravity, we must ensure that our nation — from our local governments on up — is adequately prepared to protect public safety and combat cyber threats,” Warner, a Virginia Democrat, said in a press release.
The bill is similar to one that Warner and Gardner introduced in March 2017, but never received a hearing.
The list of state and local governments to be the victims of cyberattacks has grown considerably in the two years since the senators last introduced their cybersecurity grant bill, with entities running the gamut from the Colorado Department of Transportation to the Pennsylvania Senate to the cities of Atlanta and Newark, New Jersey being targeted by hackers. In late March, Albany, New York, became the latest city to report its networks being compromised by a ransomware virus. In many cases, recovering from an attack like ransomware can be costly for a local government: Atlanta has spent $17 million rebuilding from a March 2018 attack that crippled systems citywide, and more recently, a small county in rural Georgia paid its hackers $400,000 to regain access to its networks.
“As the threat of cyberwarfare intensifies, it’s important that local governments are properly prepared to deter and protect themselves from cyberattacks,” Gardner, a Colorado Republican, said.
In addition to coming after waves of attacks against state and local governments, Warner and Gardner’s bill is also informed by a survey of statewide chief information security officers published last October by Deloitte. That survey found that while cybersecurity is an increasing priority for state technology policymakers, it only accounts for between 1 and 3 percent of overall IT spending in most states, much lower than most federal agencies. The Justice Department, for instance, spends about one-quarter of its technology budget on cybersecurity. Many states also struggle to hire and keep personnel, the report found.
The grants would also help states recruit and retain qualified personnel at a time when cybersecurity skills are in high demand. Nationwide, there are about 314,000 unfilled cybersecurity jobs, according to a database from the National Institute of Standards and Technology, though nearly 300,000 of those positions are in the better-paying private sector. The bill contains language about “enhancing recruitment and retention efforts,” though it does not specify any amount of money that would be put toward that purpose.
“Despite playing a vital role in protecting our nation against cyberattacks, state governments often do not have the vital resources they need to strengthen their cybersecurity capabilities or retain or recruit seasoned cybersecurity professionals,” said Rep. Michael McFaul, R-Texas, who is introducing the bill in the U.S. House with Derek Kilmer, D-Wash.
Grants offered under State Cyber Resiliency Act would be doled out by a new 15-member board chaired by the secretary of homeland security. The board would include members recommended by the National Association of State Chief Information Officers, the National Governors Association and the National Association of Counties. Homeland Security Secretary Kirstjen Nielsen, who resigned Sunday, made cybersecurity a main focus of her tenure, though it is not known how much of a priority it will be amid a departmentwide shakeup.