A group of state and local officials told members of the Senate Homeland Security Committee on Thursday they’re very interested in dedicated cybersecurity grants to support their agencies, even as the prospects for such a program remain unclear.
The hearing came a few months after Homeland Security Secretary Alejandro Mayorkas raised the percentage of grant funding distributed to state and local governments by the Federal Emergency Management Agency that must be spent on cybersecurity. Even with the increase, the actual dollar amount available for cybersecurity remains low, and it competes with other priorities, said Karen J. Huey, the assistant director of the Ohio Department of Public Safety.
“With the inclusion of cyber as a priority, Ohio’s local governments are struggling even more to address the traditional preparedness needs while also prioritizing cyber projects,” Huey told Sen. Maggie Hassan, D-N.H.
She said that in the current fiscal year, Ohio will receive $6.7 million from FEMA, but only $340,000 of that will be committed to cybersecurity.
Durham, North Carolina, Mayor Steve Schewel said that cities — especially small municipalities — sometimes increase cybersecurity spending at the expense of “cannibalizing” other priorities. He said his own city, which was hobbled by a ransomware attack in March 2020, just as the COVID-19 pandemic was erupting, spends about $900,000 annually on IT security.
Schewel also said that a dedicated cybersecurity grant program could help smaller local governments increase their collaboration with their neighbors, as well as state, federal and industry partners. He noted that 80% of U.S. cities have populations under 50,000.
“We really need a grant program,” he said. “This would help our small cities not just with funding, but with coordination. A grant program would encourage cooperation necessary and be an incredible boon to our small cities.”
The House Homeland Security Committee recently approved a bill creating a $500 million annual grant program, with the full chamber expected to take it up soon. But similar legislation has passed the House in previous years only to come up short in the Senate. During Thursday’s hearing, Sen. Rand Paul, R-Ky., the lone Republican to show up, said his constituents have “asked more questions about cybersecurity in the past 10 days than I’ve been asked in the past 10 years.” But he pointed to growing federal deficits as a reason for his opposition to a new grant program.
Hassan, who’s shepherded previous legislation addressing states’ cybersecurity needs — including the new state coordinators that the Cybersecurity and Infrastructure Security Agency is currently hiring — told StateScoop she’s having “productive” conversations with her colleagues in search of bipartisan support for dedicated grants.
“It’s something I’ve been hearing about for a long time from the National Association of [State] Chief Information Officers, and what we really heard today was a lot of support for that,” she said. “While there are current grant programs that have cybersecurity as an allowed use, you don’t want, to use Mayor Schewel’s words, to cannibalize other security needs.”
Whether a Senate bill — if one emerges — would match the House’s $500 million proposal, or whether it might be attached to a bigger infrastructure or defense spending package is “a little bit down the road,” Hassan said.
“First we have to build support for the concept and then look at resource needs,” she said. “The important thing is to get this kind of input from our state and local partners.”