Cybersecurity

State and local cyber aid could find home in defense bill, congressman says

The top Republican on the House Homeland Security Committee said a cybersecurity grant program could be included in the National Defense Authorization Act.

By Benjamin Freed

May 14, 2020

Rep. John Katko, R-N.Y. (U.S. Customs and Border Protection / Flickr)

While the latest pandemic relief package the House of Representatives unveiled this week did not contain the state and local cybersecurity grants that some had advocated for, Rep. John Katko, R-N.Y., said Thursday that kind of program could find a home later this year as part of other critical federal legislation.

The Health and Economic Recovery Omnibus Emergency Solutions Act, or HEROES bill, that House Speaker Nancy Pelosi, D-Calif., introduced Tuesday contains nearly $1 trillion in emergency support for state and local governments, which are being forced to shred their budgets as the lockdowns caused by the COVID-19 crisis evaporate tax revenue. But none of that money for states and localities is tailored specifically for IT and cybersecurity operations, despite lobbying from governors, chief information officers and other officials who say the pandemic is putting unprecedented stress on government IT offices and infrastructure.

Still, Katko — the top Republican on the House Homeland Security Committee and one of Congress’ most prolific sponsors of cybersecurity legislation — said a grant package may be a suitable component of the National Defense Authorization Act, an annual bill expected to be voted on this summer.

“I think there’s an opportunity for it to latch onto a couple different vehicles,” Katko said on a webcast hosted by the law firm Venable LLP. “There’s an awful lot of the Cybersecurity Solarium Commission proposals that are going to be drafted into the NDAA. That’s the most likely vehicle.”

Katko — who spoke as he drove from Syracuse, New York, back to Washington — is one of the original cosponsors of the State and Local Cybersecurity Improvement Act, which would create an annual $400 million grant program, and was approved by the House Homeland Security Committee in February. He also said during the webcast that he’s unlikely to support the HEROES bill, calling it “very partisan.” (Senate Republicans and the White House have also dismissed the package, which was crafted by Pelosi’s leadership team.)

But Katko sounded confident that a grant program could wind up in the defense bill, which is considered “must-pass” legislation: “I think the best vehicle is going to be the NDAA.”

‘A huge federal role’

States themselves remain broadly supportive of a cybersecurity grant program, especially as the COVID-19 pandemic has forced government employees to work from home and amplified the demand for digital services.

“We really want to see a state and local grant program,” said Maggie Brunner, a program director at the National Governors Association. “Cybersecurity’s been a challenge at the state and local level for a long time. It’s heightened now.”

Chris DeRusha, Michigan’s chief information security officer, concurred that cybersecurity is increasingly challenging for local governments. He said his IT security team still sees many of the same actors carrying out their usual threats, though tactics like phishing emails have been repurposed to leverage fears or misinformation about the coronavirus.

The landscape has changed, DeRusha said, with more than half the state government’s 48,000-person employees working from home. DeRusha said it was easy for the state to adapt, but Michigan’s municipalities are struggling.

“Fortunately, at the state level we’re prepared enough to purchase 13,000 new laptops and thousands of [virtual private networks] and get it all deployed in weeks,” he said. “I’d be worried more about the local level.”

In February, DeRusha told House members that of Michigan’s 83 counties, just three have full-time CISOs. He said Thursday that local governments’ limited resources leave a huge gap that the federal government can fill in.

“There’s a huge federal role,” he said. “We’re very supportive of these bills. We’re tracking everything carefully and closely toward COVID-19 expenditures we have to make.”

Strings attached

Both Brunner and DeRusha said the federal government is unlikely to dole out cybersecurity funds with no strings attached, but that states would probably enforce compliance with recognized cybersecurity frameworks like those from the National Institute of Standards and Technology or Center for Internet Security.

“Congress doesn’t like to hear ‘just give us money,'” Brunner said. “We have seen in other grant programs a requirement to standardize processes. That’s currently what happens with the [Department of] Homeland Security grant program.”

Still, the cost of protecting government IT is only mounting, and states face a lean future. Michigan Gov. Gretchen Whitmer on Wednesday announced that 31,000 state workers will be required to take two furlough days per pay period through July, a move expected to save $80 million.

“It looks like it’s going to be precarious for a couple of years,” DeRusha said. “We’re doing hiring freezes, spending freezes, temporary layoffs. It’s really heartening to see what dedicated folks of state and local governments are willing to do. The money is the issue and it’s just going to continue to be.”