Industry groups ask Congress to expand state and local cyber grant funding

Less than one month before the State and Local Cybersecurity Grant Program is set to expire, several industry groups on Tuesday signed a letter addressed to congressional leaders requesting that the program be revived, but this time with more money.

The grant program, which was designed to disperse roughly $1 billion over four years, mostly to local governments, is set to expire Sept. 30. Five groups, led by the Alliance for Digital Innovation, are asking homeland security and appropriations committee leaders to expand the program to the tune of $4.5 billion over two years.

In their letter, the groups cite the grant program’s positive reputation, concrete wins in many state governments around the country and a consistently scary threat landscape. They point to a report published last February by the cybersecurity firm Crowdstrike showing that cyber activity linked to China rose 150% last year. They pointed to threats from Iran, North Korea and Russia, and to the Chinese hacking group Volt Typhoon’s penetration of U.S. critical infrastructure as particularly dire evidence that the nation’s lower levels of government could benefit from more cybersecurity funding. 

“Importantly, while much of our Nation’s critical infrastructure is owned and operated by state and local governments, its cyber defense is not just a local issue,” the report reads. “It is a vital component of national security because the Department of Defense relies on this civilian-operated infrastructure for military readiness and power projection, making state, local, tribal, and territorial cybersecurity a foundational element of our national defense posture.”

Dan Wolf, director of state programs at the Alliance for Digital Innovation, said that the program is “well-regarded” around Capitol Hill, and surmised that unlike the numerous other cybersecurity programs that have been cut under the second Trump administration, this one stands a chance of renewal and expansion.

“This program is a little bit of an outlier,” Wolf said. “It has received high levels of compliments. It has received testimony and support during a confirmation hearing, and more importantly, they had a chance to cancel these year-four funds and they didn’t do it.”

Wolf pointed to a complimentary report published last April by the Government Accountability Office, and to Cybersecurity and Infrastructure Security Agency Director Sean Plankey’s confirmation hearing last July, in which he said he supported the grant program.

“There are many rural parts of America, and CISA exists to support all Americans across the United States. And one of the best ways to do that is through the State and Local [Cybersecurity] Grant Program,” Plankey said during the hearing.

Frequently, but never too loudly, state technology leaders have remarked since the grant program’s creation that it provides relatively little money considering the size of the problem it aims to address. The $1 billion spread across 56 states and territories over the course of four years has also required states to rally considerable organizational resources as they build new programs to meet the federal program’s requirements. The required fund matches, which grew each year of the program, have also challenged some states and localities. 

“That [$1 billion figure] was originally seen as a starting point to a larger conversation,” Wolf said. “The real benefit of the SLCGP has been to force state and local officials to come to the table together and work on holistic, whole-of-state approaches that will be able to remediate risks and close gaps.”

Numerous CIOs have told StateScoop that facilitating new relationships was what the grant program did. Many smaller municipalities, often the ones with the least funding and cybersecurity know-how, are suspicious of the state government encroaching on their operations. Former Indiana Chief Information Officer told StateScoop that the program afforded him a chance to tour around the state and create relationships where previously there was distrust.

The groups — which also include Better Identity Coalition, Cybersecurity Coalition, Information Technology Industry Council, and TechNet — warn in their letter of what can happen when cyber preparations are fall short. They pointed to the cyberattack last year against Los Angeles Unified School District, and to cyberattacks against water treatment plants in Oldsmar, Florida, and Aliquippa, Pennsylvania, along with state-sponsored attacks against critical infrastructure in Guam, which involved utilities supporting U.S. military bases. 

One notable cyberattack the letter doesn’t mention is the one affecting the Nevada state government, which continues to struggle with restoring services after its network was compromised last week.

They also point out how the grant program has allowed state and local governments to improve their security postures, like the communities in Kentucky that established a cyber threat intelligence-sharing platform, and the new vulnerability assessment programs created by Maryland, New Hampshire and Virginia.

“Without continued funding, hard-won progress will stall,” the letter reads, “and communities across the country will be left vulnerable — handing our adversaries a dangerous advantage.”