In January, the National Association of State Chief Information Officers made its top federal priorities quite clear: With a steady rise in attacks against state and local networks — including a particularly brutal year of ransomware incidents — consuming more and more resources of IT and emergency management departments, states needed Congress to step up and create an annual funding stream to help states and localities up their defenses.
Nearly 12 months later, a few procedural victories notwithstanding, Congress appears poised to let its term expire without creating the cybersecurity grant program sought by states. While the House in September approved a bill authorizing the Department of Homeland Security to distribute $400 million annually to states — which could then redistribute their awards to localities — the bill’s status in the Senate remains doubtful.
Meanwhile, the pace of cyberattacks against the public sector has shown no sign of slowing down, especially in school systems. So far in 2020, 44 school districts have publicly acknowledged suffering ransomware attacks, according to the K-12 Cybersecurity Resource Center, with the list of victims including some of the country’s biggest districts, such as Fairfax County, Virginia; Baltimore County, Maryland; and Clark County, Nevada.
‘No longer an IT issue’
But cybersecurity resources in state government remain thin, and even more meager at the local level. During a Senate hearing last week, New Hampshire CIO Denis Goulet, who also serves as NASCIO’s president, told lawmakers that a recent survey of state chief information security officers found that the three leading barriers to better cybersecurity in the states were a lack of sufficient budgets, inadequate staffing and a surplus of legacy technology more susceptible to emerging threats.
“Cybersecurity is no longer an IT issue; it is a business risk that impacts the daily functioning of our society and economy, as well as a potential threat to our nation’s security,” Goulet said.
Goulet’s hardly alone in that assessment. During that same hearing, Brandon Wales, the acting director of the Cybersecurity and Infrastructure Agency, said ransomware in particular “is quickly becoming a national emergency.” Getting the support needed to address that emergency, though, remains out of reach for now.
“Myself and my colleagues around the country have a view of what we would do to help state and local governments and education if we had more funds,” Goulet said last week, speaking via videoconference to a mostly empty Capitol Hill hearing room.
CIOs aren’t looking for a slush fund. Rather, Goulet and other CIOs have long said the need for increased funding arises in large part because states are responsible for delivering many federally backed services that use sensitive data, including Medicaid, nutrition assistance, unemployment insurance and criminal justice information.
“We administer federal programs, and ensuring the security and privacy of data is a big deal,” Goulet told StateScoop last month.
Currently, states receive some cybersecurity funding through the Homeland Security Grant Program, which is overseen by the Federal Emergency Management Agency. But of the $1.8 billion in grants FEMA distributed to states in the 2020 fiscal year, only 5% was allotted for cybersecurity.
“We really could do so much more with dedicated cyber grant funding in a separate stream,” Goulet said. “Although we’re slowly improving, we could greatly expand.”
‘The stakes have only grown’
The State and Local Cybersecurity Improvement Act, the bill the House approved in September, would overhaul how the federal government supports cyber activities in the lower rungs of government. In addition to creating the dedicated — and renewing — funding source Goulet and his fellow CIOs have long sought, it would also impanel a 15-member board made up of state and local IT and information security officials to advise CISA on state and local matters.
And though the act passed the House on a bipartisan voice vote, it remains stalled in the Senate, even though some members are arguing the need to help out has become more pressing as the pandemic’s worn on.
“The stakes have only grown as COVID-19 has forced millions of Americans to migrate their everyday activities to the online world,” Sen. Maggie Hassan, D-N.H., said last week. “Many students now learn from their teachers on a computer instead of in the classroom. Doctors treat many patients through telemedicine instead of in person. Governments handle many essential services online instead of at city hall.”
Cybersecurity officials and industry figures said early in the health crisis that the widespread pivots to remote work, distance education and increased reliance on digital government services greatly expanded the target area for ransomware and other potential attacks. Months later, those fears appear to have been borne out.
“How bad was the problem last year? Terrible. How bad was it this year? Somehow, it managed to get worse,” Charles Carmakal, the chief technology officer at Mandiant, said at a cybersecurity conference last week.
The National Defense Authorization Act that’s poised to be approved this month contains a few cyber upgrades for states, but they are mostly centered around expanding and formalizing the roles National Guard units play in responding to incidents, and directing CISA to hire cybersecurity advisers for each state. But the bigger goal — the grant program — remains stuck, despite the efforts of a few members, like Hassan.
Still, the incoming Congress appears intent on trying again. Rep. Lauren Underwood, D-Ill., said last month, upon taking over the House Homeland Security Committee’s cybersecurity panel, that Congress needs to “help state and locals better protect networks.” And on Monday, Rep. Bennie Thompson, D-Miss., the full committee’s chairman, told The Hill he plans to reintroduce the grant bill in early 2021.
Meanwhile, Goulet said, NASCIO members can only continue to push.
“We believe it’s important that we have dedicated federal funding streams,” he told StateScoop. “We’ll continue to advocate.”
This story is part of a StateScoop and EdScoop special report on the lessons of 2020. Read the rest of the report.