A bill being introduced this week in the U.S. House Homeland Security Committee would create a new grant program awarding $400 million annually to states to improve the cybersecurity of their networks as well as those of their local governments.
The State and Local Cybersecurity Improvement Act is designed to provide a steady source of federal cybersecurity funding to states, which could then be redistributed at the local level, as public-sector entities face a growing array of cyberthreats that could disrupt critical infrastructure including utilities, transportation and elections. Along with the grant program, it would also establish a 15-member “State and Local Cybersecurity Resiliency Committee” to advise the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.
According to a draft of the bill, which was introduced by Rep. Cedric Richmond, D-La., the leader of House Homeland’s cybersecurity subcommittee, states must develop cybersecurity plans and submit them to DHS to qualify for the grants. Plans would be required to meet a few standards, including that they “enhance the preparation, response, and resiliency of information systems,” “implement a process of continuous cybersecurity vulnerability assessments and threat mitigation practices,” and “ensure that State, local, Tribal, and territorial governments that own or operate information systems within the State adopt best practices and methodologies to enhance cybersecurity,” such as the framework developed by the National Institute of Standards and Technology.
“Louisiana has long been vulnerable to cyberattacks, and this bill offers the resources needed to ensure protection against potential threats,” Richmond, whose district includes New Orleans, the target of a December ransomware incident that it’s still recovering from, said in a press release. “I’m proud to introduce this comprehensive measure to give Louisiana and other states across the country the proper framework they need to implement vital cybersecurity plans.”
States’ plans would also need to include details about maintaining continuity of operations through a cyberattack and how information is shared between different government entities.
A long-awaited boost
The National Association of State Chief Information Officers, which has pushed for expanded federal cybersecurity aid to the states, said it supports Richmond’s bill. State and local officials have been clamoring for more cybersecurity assistance from the federal government for years, and especially so in recent months as more cities fall prey to ransomware, which can be costly to recover from.
“You don’t ever anticipate it happens, but when it does it’s a substantial, immediate hit to your budget,” Atlanta Mayor Keisha Lance Bottoms, who steered her city through a March 2018 ransomware attack that cost taxpayers $17 million, told House members last summer.
Under Richmond’s bill, recipients cannot use grants to supplant funds they’ve already set aside for cybersecurity efforts. The grants are also restricted from being used to pay off a ransomware attack’s demand, and from “recreational or social purposes.”
The grant program is structured to encourage states to increase their own contributions over time. In fiscal year 2021, the first year the grants would be available, the federal share of a state’s cybersecurity budget would not be allowed to exceed 90 percent, a figure that would decrease by 10 percentage points each year through 2025, after which the federal government and states would split costs 50-50.
The bill Richmond introduced Monday is a potential counterpart to the State and Local Cybersecurity Act that the U.S. Senate passed unanimously last November. That bill, which NASCIO says aligns with one of its top federal priorities this year, also laid out a new grant program, though it did not specify a dollar amount.
‘Some concern’ over distribution
But there are some key differences between the House and Senate measures, namely who would be in charge of distributing the new grants. Richmond’s bill puts the program under the Federal Emergency Management Agency, which already distributes nearly all DHS grants, with guidance from CISA and the new 15-person panel the bill would create. That committee would be appointed by the CISA director based on the recommendations of groups including NASCIO, the National Governors Association, the National Association of Counties, the U.S. Conference of Mayors and the Multi-State Information Sharing and Analysis Center.
The Senate bill did not make clear what agency would issue the grants, though some NASCIO members raised the possibility that CISA would handle them directly. Speaking on a recent episode of NASCIO’s “Voices” podcast, Maine CIO Fred Brittain said he was worried the issue of grant-making authority could derail a new federal commitment to helping state and local governments.
“The area that left me with some concern was the question of how to distribute it,” he said. “There seemed to be mixed opinion whether it should go through FEMA. Does it go directly through CISA? This isn’t something that should be dragged out for a year. I am a little bit worried this is going to get caught up in conversation and debate if the mechanism for distribution is even a little bit partisan.”
An aide to Sen. Gary Peters, D-Mich., one of the Senate bill’s lead sponsors, told StateScoop that Peters plans to continue working with his colleagues to get something through Congress. The aide said the bills, while different, complement each other in attempting to bolster cybersecurity across the public sector.
Richmond’s bill is co-sponsored by Reps. John Katko, R-N.Y., Derek Kilmer, D-Wash., Michael McCaul, R-Texas, Dutch Ruppersberger, D-Md., Mike Rogers, R-Ala., and House Homeland Security Chairman Bennie Thompson, D-Miss. The bill will get its first hearing Wednesday, when it’s scheduled to be marked up by the full committee.