Citing the ongoing threat of ransomware attacks, a group of nine associations of state and local government officials sent a letter Wednesday to congressional leaders asking them to include a new cybersecurity grant program in either an infrastructure spending package or government appropriations bill.
The letter, addressed to Senate Majority Leader Chuck Schumer, D-N.Y., Minority Leader Mitch McConnell, R-Ky., House Speaker Nancy Pelosi, D-Calif., and Minority Leader Kevin McCarthy, R-Calif., asks Congress to “authorize and fully fund” a dedicated grant program, which the groups behind it argue is necessary as financial losses from cyberattacks continue to mount.
According to the letter, known ransomware attacks against local governments rose 58.5% between 2018 and 2019, with an average ransom demand of nearly $836,000. Meanwhile, the amount of money Americans lost to cybercrime topped $4.1 billion in 2019, according to the FBI’s Internet Crime Complaint Center.
Ransomware attacks are growing in scope as the actors behind them grow more brazen. Recent months have seen an attack on a major pipeline operator trigger panic-buying of gasoline, an interruption of a global meat supplier and, in the past week, a supply-chain attack on Kaseya, a software vendor that supports managed service providers, many of which count local governments among their customers.
Attacks against the public sector have also grown more aggressive. In May, a ransomware group published several gigabytes of data stolen from the Washington, D.C., Metropolitan Police Department, including personnel files of nearly two dozen officers.
“The increased sophistication of cyber criminals, the ever-changing landscape of cyber attacks, and the limited resources of states, territories and localities, create the perfect storm and render carve-outs within existing homeland security grant programs insufficient,” reads the letter, which was led by the National Governors Association, National Association of State Chief Information Officers and National Association of Counties.
The letter also renews a case that groups like NASCIO and the NGA have been pleading to Congress for the past several years. NASCIO, in particular, has made passage of the State and Local Cybersecurity Improvement Act, which would create a $500 million annual grant program, administered by the Cybersecurity and Infrastructure Security Agency, one of its top legislative priorities. But while previous versions of the that bill have passed the House — with similar legislation being passed by the Senate — in previous sessions, Congress has not come through on a firm proposal.
During a House Oversight Committee hearing on IT modernization last week, NASCIO Executive Director Doug Robinson told lawmakers that states’ cybersecurity funding has not been “commensurate with the level of threats” they face.
The rounds of COVID-19 relief funding Congress has approved over the past 18 months, the letter noted, have allowed states and localities to invest in cybersecurity as it pertained to their pandemic responses — securing remote workforces and virtual education, for instance. But it also states that the pandemic “amplified significant vulnerabilities in our government networks, especially those operating on outdated technologies.”
Along with NASCIO, the NGA and NACo, the letter was signed by the U.S. Conference of Mayors, the National League of Cities, the National Conference of State Legislatures, the Council of State Governments, the International City/County Management Association and the Governors’ Homeland Security Advisors Association.