Three Democratic members of the House Homeland Security Committee, including the panel’s chairman, sent a letter to House Speaker Nancy Pelosi again asking that explicit cybersecurity funding for state and local governments be included in the next round of federal aid in response to the COVID-19 pandemic.
While broadly supportive of the $3 trillion HEROES Act, which includes nearly $1 trillion in funding for state, local, tribal and territorial governments, the letter’s authors wrote that they were “disappointed that it did not provide targeted assistance to bolster network capacity and security” for the state and local agencies that are trying to keep public services — like unemployment insurance — running through the health crisis.
“State unemployment websites have been overwhelmed by the unprecedented onslaught of new applicants, resulting in hours-long wait times to access online applications and website crashes,” states the letter, which was signed by House Homeland Chair Bennie Thompson, D-Miss., and Reps. Jim Langevin of Rhode Island and Cedric Richmond of Louisiana, who leads the cybersecurity subcommittee.
The members also noted that there have already been several reported incidents in which state unemployment systems have been targeted by fraudsters using stolen personal information, including Washington’s, which reported paying out “hundreds of millions” in phony claims. Other states’ programs have inadvertently exposed the personal data — including names and Social Security numbers — of their applicants, most recently Florida.
Meanwhile, state and local governments continue to face a wave of ransomware attacks, including some that have targeted health agencies struggling to respond to the pandemic. In mid-March, as the coronavirus was beginning to spread across the United States, a public health authority in central Illinois had to retreat to social media to advise its constituents about the pandemic response. And earlier this month, the Texas Department of Transportation was compromised by a ransomware attack.
The letter goes on to say that state and local governments, many of which are already starting to cut their budgets, are ill-equipped to fend off both a deadly pandemic and an onslaught of cybersecurity incidents.
“These opportunistic attacks are likely to continue as states and localities navigate the COVID-19 response in the months to come,” it reads.
Thompson, Langevin and Richmond also expressed concern about states’ and cities’ rapid development of mobile apps to conduct contact tracing of the coronavirus. Several states have already signaled that they plan to launch apps built upon a Bluetooth notification API developed jointly by Apple and Google. But that pedigree does not mean that apps based on that platform will necessarily be secure.
“Hastily developed applications may have coding and architecture issues or fail to fully integrate security, creating new cyber risks,” the letter states.
Previously, House members had asked House Speaker Nancy Pelosi, D-Calif., to borrow language from the State and Local Government Cybersecurity Improvement Act, which would issue $400 million annually in grants for states to shore up their cybersecurity procedures and those of their local governments. Organizations representing state officials, including the National Association of State Chief Information Officers and the National Governors Association, have also voiced support for the funding.
The HEROES Act is extremely unlikely to move forward in its present form with the Republican-controlled Senate and White House. Earlier this month, Rep. John Katko, R-N.Y., said a state and local cybersecurity fund could be rolled into the defense authorization bill Congress passes every year.
Separately, Langevin’s office last week released a bipartisan letter to leaders of both chambers saying that pandemic-related cybersecurity funding should be passed “in conjunction with” the State and Local Government Cybersecurity Improvement Act, which has bipartisan support.
While the HEROES Act would give state and local governments wide latitude on how to use federal assistance, the letter from Thompson, Langevin and Richmond argues that in a health emergency, there’s no guarantee it would be spent on critical technology infrastructure.
“Given the national security interests associated with a secure internet ecosystem within government networks, we must provide state and local government targeted funding for IT modernization and cybersecurity,” it reads.