The U.S. House of Representatives on Wednesday passed legislation sought by state IT leaders that would create a new federal grant program supporting state and local government cybersecurity efforts.
The State and Local Cybersecurity Improvement Act, which was introduced in February, would direct the Department of Homeland Security to distribute $400 million annually to states — which could then redistribute their awards to localities — in hopes of helping public-sector entities defend themselves from an ever-growing landscape of online threats.
The bill, initially sponsored by a bipartisan group of members of the House Homeland Security Committee, was inspired in large part by a years-long wave of ransomware attacks against cities, counties and school districts that have cost local governments tens of millions of dollars. These threats have only continued to evolve as ransomware actors have adopted new tactics, such as extorting victims into paying by stealing and threatening to publish confidential data.
The legislation was also introduced after state budgets analyses found cybersecurity often only accounts for 1-2% of states’ overall information technology budgets, whereas large federal agencies and corporations spend typically spend a much greater share of their tech budgets on security.
Under the grant program created by the bill, states would be required to develop comprehensive cybersecurity plans describing how federal funds would be used. The grants would also be structured to require states to put up matching funds. In the first year of the program, the federal government’s share of a state’s cybersecurity budget could not exceed 90%, a figure that would decrease by 10 percentage points annually until the federal government and states split costs 50-50.
The National Association of State Chief Information Officers, which endorsed the act in February, said it “is pleased that this legislation that we support has passed the House.”
Along with the grants, the bill would also create a 15-member board to advise DHS’s Cybersecurity and Infrastructure Security Agency on the needs of states, municipalities, overseas territories and tribal nations. Several members of the board would be recommended from groups including NASCIO, the National Governors Association, the National Association of Counties, the U.S. Conference of Mayors and the Multi-State Information Sharing and Analysis Center.
“For too long, the Federal Government has ignored a growing national security problem — vulnerably state and local networks. As ransomware attacks devastated cities from Albany to Atlanta, the Congress did nothing,” Rep. Cedric Richmond, D-La., who recently stepped down as head of the Homeland Security Committee’s cybersecurity subcommittee, said in a press release. “Then, late last year, a cyberattack took out critical government networks in my own congressional district, disrupting the operation of municipal and traffic courts as well as access to certain electronic health records and the city’s homeless cleaning and outreach sweep.”
While the House’s passage of the cybersecurity grant measure is welcome news to the bill’s sponsors and to the intergovernmental organizations that endorsed it, it is unlikely to go any further in 2020. Although the Senate has considered some state and local-related cybersecurity legislation of its own, none is seen as a potential companion to the House bill.