As if by magic, there’s always gas at the gas station and there’s always milk at the grocery store, but if a hacker somehow interrupted the supply chain, it would only take a few days before the pumps went dry and people started getting thirsty and desperate.
A pair of bills introduced to Congress in March would provide a new funding mechanism for states to build resiliency efforts for when threats volleyed against the nation’s critical infrastructure find their targets. HR 1344 and S 516, sponsored by Democratic Rep. Derek Kilmer of Washington state and Democratic Sen. Mark Warner of Virginia, respectively, would require the Federal Emergency Management Agency (FEMA) to create a grant program that expands available resources and the role that states play in cybersecurity response. The legislation, known as the State Cyber Resiliency Act, has co-sponsors from the Republican majority on each side of Congress.
The legislation would allow the Department of Homeland Security (DHS) to award grants to states for the purposes of adopting cybersecurity best practices, building the cybersecurity workforce, protecting critical communications infrastructure, mitigating threats to key resources and coordinating across jurisdictions.
Washington state Chief Information Security Officer Agnes Kirk, who helped legislators mold the bills, said it’s time for states to “step up their game.”
“States — their role has really changed,” Kirk said. “No longer is it the federal government that is protecting us. This is really a national security issue and it’s about continuity of commerce and continuity of government.”
FEMA does a great job stepping in when things go wrong, Kirk said, but there’s a gap when it comes to cybersecurity response.
“This really does focus on directing money to industrial control systems — the dams, the things that for 30 years were standalone, never intending to be internet-facing,” Kirk said. “They just weren’t designed with protections and we just didn’t think about that.”
The legislation also would provide for greater state resources for workforce development. Federally run programs like the Office of Personnel Management’s Scholarship for Service provide limited output. From a pool of about 330 graduates in one major program, Kirk said, just 10 percent of graduates go to state and local government.
“In today’s world, that’s totally inadequate,” she said.
Symantec predicts that by 2019, there will be more than 1.5 million unfilled cybersecurity positions worldwide.
“We don’t have enough time to put everyone through four years of college and to get a cyber degree,” Kirk said. “We need a multipronged approach. What this bill will do is allow us to spend money to train and increase the skillset of existing government employees.”
Kirk estimated that of the dozen-odd cybersecurity bills introduced this session, this one has the best chance of passing and creating noticeable change for states.
The support for this legislation is growing, said Greg Garcia, executive vice president at lobbying and consulting firm Signal Group DC. It would create an important mechanism, he said, that he earlier tried to create while serving in a cybersecurity role for the U.S. Department of Homeland Security under President George W. Bush.
“We were able to make cybersecurity spending of grant money an allowable expense, but if it isn’t specifically fenced off for a given program or expenditure as a general matter, the governments aren’t going to spend the money on that,” Garcia said.
In many ways, the program is similar to any other DHS grant program, he said, except that it’s specifically for cybersecurity. As the Trump administration outlines a $200 billion 10-year budget plan for massive infrastructure construction projects around the country, the call for a cybersecurity-for-infrastructure bill seems timely.
“When you think about the move toward smart states and smart cities and the whole Internet of Things that will accelerate and enhance government services to the public, that’s digital infrastructure,” Garcia said. “And the digital infrastructure needs to be secured, otherwise it will be vulnerable to corruption or loss of availability. I think that’s how we should be looking at this. We have a number of companies that serve the various value chains of cybersecurity, whether it’s in the consulting realm or security software, hardware, telecommunications — any of those companies that are serving state government markets are going to be interested in this.”