A bill pending in the U.S. Senate would deliver state and local governments new and needed resources for cybersecurity, state chief information officers say.
The National Association of State Chief Information Officers on Thursday endorsed the State and Local Government Cybersecurity Act of 2019, which would amend the Homeland Security Act of 2002 to boost collaboration between federal, state, and local governments on cybersecurity. The bill was introduced last month by Sens. Gary Peters, D-Mich., and Rob Portman, R-Ohio.
“For our CIOs and CISOs, this legislation would provide them with additional tools, resources and expertise to counteract a continuous barrage of cyber threats,” NASCIO president and Delaware CIO James Collins said in a press release.
It’s an uncommon move for NASCIO to publicly back federal legislation, NASCIO’s director of government affairs Matt Pincus told StateScoop — a sign, he said, of the impact the legislation could have.
“For the last seven years, our number one priority for the CIOs has been security, cybersecurity,” Pincus said. “CIOs are saying we need to do everything we can to not only protect our networks but also our citizens’ data.”
The bill offers a reply to those calls, he said. It would create new grants for state and local cybersecurity and start a pilot program to deploy advanced network sensors that can identify malware — a technology that is presently limited to federal use. The bill would also promote federal information sharing, calling on the National Cybersecurity and Communications Integration Center to provide, for example, malware incident notifications to states.
Other provisions include a web portal for cybersecurity resources, federal technical assistance to implement security tools, and education and training initiatives.
Access to new funding and federal technology would be a windfall for state CIOs, Pincus said, who struggle to adequately fund their cybersecurity efforts. The majority of states don’t have a dedicated budget for cybersecurity, according to NASCIO’s metrics, meaning it must come out of general IT funding.
“The CIOs and the CISOs don’t have enough manpower to make sure that they are able to deal with every threat that they face. And then you combine that with there being only a few revenue streams federally for states to get cybersecurity funding,” Pincus said.
That lack of resources has left state and local governments vulnerable to cyber threats — particularly ransomware attacks, which can cost cities and states millions in repair fees and revenue losses.
Pincus called ransomware attacks — which are growing in number — a “significant factor” behind the legislation. The high-profile damage they have wreaked on the public sector has resulted in greater awareness in the federal government of the security challenges states face, he said. “The legislation’s a really good place to start,” Pincus said.
The bill is currently pending in the Senate’s Homeland Security and Governmental Affairs Committee.