State IT officials and the federal government’s top civilian cybersecurity official told members of the U.S. Senate Tuesday that the federal government needs to provide state and local governments with more assistance and expertise in protecting their networks and other critical infrastructure.
Chris Krebs, director of the Cybersecurity and Infrastructure Security Agency; Michigan Chief Security Officer Chris DeRusha; and Amanda Crawford, executive director of the Texas Department of Information Resources, each told members of the Senate Homeland Security Committee that while collaboration on cybersecurity between states and the federal government has improved in recent years, funding and resources for those activities are still in short supply.
Krebs acknowledged his agency was not built to support state and local governments when it became the Department of Homeland Security’s newest branch in late 2018. But with ongoing threats to election security and a spike in ransomware attacks against local governments, he said, “we have had to build out our support to states.”
The Senate has considered several bills recently that would increase federal cybersecurity support to state and local governments, including one calling for a new DHS-administered grant program that passed the chamber unanimously last year. DeRusha used his opening statement to remind senators that while many states’ IT and cybersecurity budgets are already strapped, local governments are even more strained.
“As difficult as the current environment is for states, it is even more perilous for counties and localities,” he said. “As much as state IT and cybersecurity programs face shortages of human and financial resources, these are even more scarce for smaller units of government.”
DeRusha added that of Michigan’s 83 counties, just three have full-time chief information security officers.
The hearing came a day after members of the House Homeland Security Committee introduced a potential counterpart to the bill that passed the Senate last year. The House bill, which will be marked up Wednesday, calls for a grant program that would send $400 million annually to states to improve their cybersecurity and support similar efforts by their local governments. It was also endorsed Tuesday by the National Association of State Chief Information Officers, which has thrown its support to other recent pieces of federal cybersecurity legislation.
Dotgov act promoted
The hearing also touched on another NASCIO-backed bill that would help state and local governments move to the federally administered .gov domain, instead of the less-secure, commercially available — but cheaper — .com and .org addresses. But fewer than 5,000 of the nearly 39,000 local governments in the United States use .gov, often because the federal government charges an annual fee of $400 per domain, despite the built-in security features like two-factor authentication and the encrypted HTTPS protocol.
“Of the top ten counties in Michigan, they’re pretty much using .com and .org,” DeRusha told Sen. Gary Peters, D-Mich., the panel’s ranking member. “They represent two-thirds of Michigan’s population. By moving to .gov there’s just inherently more security built in.”
Krebs added that election officials in particular should be on the .gov domain, both to protect their systems and to reassure the public that they provide trustworthy sources of information, like voting locations.
“That should be a .gov,” he said. “Assuming we get there, that will help counter a lot of election disinformation.”
Krebs acknowledged to reporters later that fees for .gov domains can be prohibitively steep at the local level, but said that issues could be alleviated if CISA gets additional resources to help local governments.
“It’s an area of centralizing security services that we can raise the security baseline not just across the federal government but across state and locals,” he said. “$400 does add up, particularly if you have a county that has multitude of domains and subdomains. If we can figure out how to address that problem and we make it easier for them to sign up, I can do that through a number of my field resources.”
‘We see the intent’
Even without the enactment of new federal grants, Tuesday’s witnesses pointed out examples of improving cooperation between the federal government and states. Crawford, the Texas DIR director, praised CISA’s advisory role in the response to a ransomware incident last August that impacted 23 communities across her state.
“They came down and visited,” she said. “They were very open about improving communications lines.”
Crawford also said her department is making greater use of the guidance materials CISA churns out, including the recent “tabletop-in-a-box” for election security drills, which she said will be used at DIR’s statewide information security forum next month.
“We see the intent every day, DHS trying to reach out across the state,” DeRusha said. “They need more boots on the ground and have state representatives so they know where to plug in, what tailored information to give.”
DeRusha also urged senators to move on a bill that would expand CISA’s existing field staff to include dedicated cybersecurity coordinators for every state, who would facilitate information sharing between the federal and non-federal entities. Those positions could be especially helpful in trying to reach the smallest, most rural communities, many of which he said lack awareness about the need for IT security.
Still, the recent flurry of cybersecurity legislation designed to help states seemed to be encouraging. DeRusha told StateScoop the House’s cybersecurity grant bill, which also includes the creation of a 15-member panel to advise CISA on state, local and tribal needs, is promising.
“We’re developing very innovative models in our states, but frankly, all of them cost a lot of money,” he said. “From what I read in the bill, I think it’s going to be very positive if you have a committee there, helping state and local leaders decide what makes sense, helping states develop strategic plans.”
Krebs also told reporters the House bill is a sign of progress, though CISA is still working with the House Homeland Security panel on the details.
“To me it shows cybersecurity has come around to the idea that state and locals need more support,” he said. “Just like counterterrorism [aid], they’ll get it for cybersecurity.”