Amid a renewed focus on the threat posed by ransomware, leaders of the House Homeland Security Committee’s cybersecurity subcommittee said Wednesday they will attempt to once again pass legislation that creates a robust federal grant program supporting state and local governments.
During a hearing that came about a week after the release of a tech industry task force’s sprawling report on how to combat ransomware across all sectors, the panel’s chairwoman, Rep. Yvette Clarke, D-N.Y., said that in the “coming days,” she’ll introduce a new version of the State and Local Cybersecurity Improvement Act, which passed the House last year with broad bipartisan support but didn’t advance in the Senate.
“As the ever-increasing number of ransomware attacks on state and local governments demonstrates, adequate investment in cybersecurity has been lacking, and more resources are needed,” Clarke said, citing recent incidents such as the theft and publication of data last week from the Washington, D.C., Metropolitan Police Department by actors associated with the Babuk ransomware.
The subcommittee’s top Republican, Rep. Andrew Garbarino, noting cyberattacks on school systems in his Long Island district, said he plans to cosponsor Clarke’s bill, which would call for $500 million in new federal grants to be administered by the Department of Homeland Security.
But merely throwing money at the problem is not enough to tamp down the threat ransomware poses to governments, schools, hospitals and the private sector, witnesses said during the two-hour virtual hearing. Following on the report last week by the 60-member Ransomware Task Force, which offered 48 recommendations on a national anti-ransomware strategy, speakers Wednesday told lawmakers about the need for greater cross-government coordination, tougher regulations of cryptocurrency markets and more support mechanisms for smaller entities, like local governments.
Retired Army Maj. Gen. John Davis, the vice president for public sector at Palo Alto Networks and one of the task force’s co-chairs, said the U.S. needs a “sustained, aggressive whole-of-government anti-ransomware campaign” coordinated by the White House with support from the private sector.
“[Ransomware] is no longer purely a criminal nuisance driven by a profit motive,” he said. “Rather, it is now impacting national security, economic stability and public health and safety of the national and international community on a massive scale.”
Current grants ‘not sufficient’
Speaking on behalf of the National Association of State Chief Information Officers, which has long lobbied for a cybersecurity grant program, New Hampshire CIO Denis Goulet said that he and his colleagues appreciate efforts like DHS’ recent increase in the amount that its grant recipients are required to spend on cybersecurity, but that available funds are still short of what’s needed.
“Around the states, [chief information security officers] receive a very small amount of funding that goes through the grant program,” he said. “The amounts we receive are not sufficient.”
The increase in DHS grant money allocated toward cybersecurity, announced by Secretary Alejandro Mayorkas on Feb. 25, amounted to just $25 million overall.
Goulet reminded lawmakers that the risks ransomware poses to state government have only increased during the COVID-19 pandemic, amplified by the effects of remote work and the heightened importance of services like unemployment insurance.
“With all the people moving home to work early last year, the attack surface for any cyberattack massively increased because people’s home networks became part of our state network,” Goulet said. “The criticality of these systems became so much more important, unemployment insurance, systems for contact tracing and vaccinations. We sent out a special message: Don’t be the one that clicks on a link and takes down the unemployment system.”
Goulet told Clarke that even at the state level, the national-security threat Davis described is apparent.
“State governments carry a lot of information that could be useful to our enemies,” he said. “There’s so much stuff happening at the state and local level. A computer-aided dispatch system being used by law enforcement being shut down, we’ve seen that happen.”
CISA’s future ‘in the field’
A cybersecurity grant program targeting states and cities would likely result in an expanded role for DHS’ Cybersecurity and Infrastructure Security Agency, and several House members directed their questions toward the agency’s former director, Chris Krebs.
Krebs said that the future of his old agency is “in the field,” including the new statewide coordinators CISA has hired in recent months to act as liaisons to CIOs, election officials and private sector organizations. But he also said that cybersecurity funding could be part of a broader infrastructure program.
“Let’s do a 21st century digital infrastructure act that’ll let state CIOs not just buy cybersecurity technologies, but get off legacy systems that tend to have higher maintenance costs,” he said. “It’ll increase citizen services, increase tech jobs and plow money back into U.S. tech companies.”