House members want state and local cybersecurity aid in next relief bill

Top Democrats on the House Homeland Security Committee wrote in a letter Monday evening that Congress’ next emergency relief bill in response the COVID-19 pandemic should include funding for cybersecurity assistance to state and local governments, especially as people continue working from home for an open-ended period.

“State and local government employees are working hard to ensure continuity of operations,” reads the letter, which was signed by House Homeland Chairman Bennie Thompson of Mississippi; Cedric Richmond of Louisiana, who chairs the cybersecurity subcommittee; Derek Kilmer of Washington; and Dutch Ruppersberger of Maryland. “However, working from home, they are more susceptible to phishing, malware, and ransomware attacks.”

The letter, addressed to House Speaker Nancy Pelosi, D-Calif., and Minority Leader Kevin McCarthy, R-Calif., cites an April 6 report from the Brookings Institution that found that as much as 50 percent of all U.S. workers are working from their homes, a figure that includes many public-sector employees, with all but 7 states having imposed stay-at-home orders for non-essential personnel. The members go on to share concerns that many of those government workers may be performing their duties with personal computers and mobile devices that have not been approved by their agencies’ information security officers, or are not logging in through virtual private networks.

“Many State and local employees are using personal, unvetted devices, so employers have no visibility on endpoints. These devices might be unpatched, rely on an unsupported operating system, or lack strong endpoint protection,” the members write. “In short, the State and local jurisdictions we are counting on to help implement and deliver the COVID-19 relief packages Congress has passed have less cybersecurity than most Congressional offices.”

A sudden shift to widespread telework has gone more seamlessly for some governments — like the City of Los Angeles — than for others, especially as workers are thrust into using new tools they were not familiar with in their office environments. An advisory published last month by the National Association of State Chief Information Officers warned its members that the learning curve could be steep, which in turn could make individual users more vulnerable to a cyberattack.

“State workers have little experience working remotely with advanced configurations and call forwarding to smart phones,” the NASCIO document reads. “Pre-configuration, guidance and end user training will be required”

The letter asks Pelosi and McCarthy to look at the State and Local Government Cybersecurity Improvement Act, which was approved by the Homeland Security Committee in February, and would issue $400 million annually in grants for states to shore up their cybersecurity procedures and those of their local governments.

“The American public is counting on State and local jurisdictions to implement and deliver COVID-19 relief packages approved by Congress,” it reads. “Any disruption in the delivery of services would only compound the strain on State and local governments struggling to effectively serve their citizens in the midst of a global pandemic.”

President Donald Trump signed a $2.3 trillion relief act on March 27. Congressional leaders have not said when another recovery act will be voted on.