Federal legislation creating new grants and other programs designed to help state and local governments with cybersecurity is expected to advance in Congress in the next few weeks, following a year that has seen scores of ransomware attacks against municipalities large and small.
The State and Local Government Cybersecurity Act would represent one of the most significant federal investments in state and local information security efforts, according to the National Association of State Chief Information Officers, which took the rare step in July of endorsing the legislation. The bill by Sens. Gary Peters, D-Mich., and Rob Portman, R-Ohio, was recently placed on the Senate’s legislative calendar, the list of bills ready for floor action this fall.
The legislation, approved in June by the Homeland Security and Governmental Affairs Committee, would create a new grant program in the Department of Homeland Security to offer direct aid to state and local governments that cannot afford cybersecurity tools on their own. While cybersecurity consistently ranks as the top concern of state CIOs, states on average devote only 1 percent to 2 percent of their overall IT budgets toward it, and most states’ budgets do not contain specific line items for cybersecurity, according to NASCIO’s surveys. And local governments, which have borne the brunt of recent ransomware attacks, often have even fewer resources.
The bill does not specify how much funding would be allocated toward new grants. Congressional appropriators would have to allocate it under the annual spending bill for the DHS.
The legislation would also fund the placement of advanced network intrusion sensors — similar to those currently guarding federal information networks — throughout state and local government organizations; authorize the sharing of more classified information with CIOs and other top officials; and create more voluntary training programs for state and local IT workers. The National Cybersecurity and Communications Integration Center, which conducts much of the existing cybersecurity coordination between federal, state and local governments, would hire as many as 15 new full-time employees to carry out the new programs contained in the bill. The Congressional Budget Office estimated these components will cost $31 million over five years.
The House of Representatives has moved more slowly on helping state and local governments fund cybersecurity initiatives. The House Homeland Subcommittee on Cybersecurity and Infrastructure Protection discussed creating a federal cybersecurity grant program in June after hearing Atlanta Mayor Keisha Lance Bottoms testify about her city’s long and costly recovery from a March 2018 ransomware attack.
But legislation that could eventually be squared with the Peters-Portman bill is coming soon, Moira Bergin, the House subcommittee’s staff director, said last week at a conference hosted by DHS’s Cybersecurity and Infrastructure Security Agency. The recent streak of ransomware incidents in particular has moved lawmakers to take action on helping states and localities, Bergin said during a panel discussion with other congressional staffers.
“Federal cybersecurity was this shiny object. State and local weren’t shiny objects until they fell victim to a series of ransomware attacks,” she said.
Bergin said that the subcommittee’s chairman, Rep. Cedric Richmond, D-La., plans to introduce a bill this fall.