The recent leaks detailing the U.S. National Security Agency’s extensive monitoring of electronic communications in all forms has certainly caught the attention of the nation. It is also an excellent example of what happens when sensitive/secure data is stolen either by an “insider” threat or by outside adversaries and is made public. When viewed in combination with the increased recognition that intellectual property in the United States is being stolen in extraordinary quantities, the overall mosaic of the threat posed by cyberattacks begins to take shape.
While these events are “good” in the sense that they highlight the need for additional cybersecurity measures, they are also distracting in that they tend to focus our attention and resources in two areas: the various weaknesses of the federal government in protecting its own networks or the chaos and harm that could be sewn by attacks on the private sector.
Both are valid worries, but we also need to consider another underappreciated threat vector: state and local governments. They are repositories of tremendous amounts of sensitive data, making them ripe targets. They are also vital players in the infrastructure sector thanks to transit systems, transportation infrastructure, and vital utilities like drinking water and energy systems they operate.
Photo: Brian Finch
Just like any other organization, state and local governments can and will be hacked. For example, in 2012, South Carolina suffered one of the worst hacks ever when one of its Revenue Department’s databases was breached, exposing 3.6 million Social Security numbers and 387,000 payment card records. California also suffered several major attacks, resulting in the exposure of well over 1 million names, and the exposure of Social Security numbers to unauthorized parties. It is sufficient to say then that state and local vulnerabilities are well known and repeatedly exploited.
Recognizing this problem is just a first step. Additional federal legislation could be helpful, but Congress has been notoriously slow in passing bills that will materially improve cybersecurity. That means that there is little hope for new laws that would help improve state and local cybersecurity. While President Obama’s Executive Order "Improving Critical Infrastructure Cybersecurity" should help curb vulnerabilities, it is a work in progress and will take some time for implementation.
Fortunately, there is an existing way to help state and local governments immediately with respect to cyberattacks: use existing funds for cybersecurity efforts. A quick review of federal grants reveals that there are large amounts of funds available that state and local governments can take advantage of right now to beef up their cybersecurity.
Since Sept. 11, 2001, through the U.S. Department of Homeland Security (DHS) nearly $35 billion in grants have been provided to state and local governments to prepare them for a variety of emergencies, man-made or otherwise. These grants, which have such wonderfully Washingtonian names as “State Homeland Security Program,” “Urban Areas Security Initiative,” and “Metropolitan Medical Response System,” have been used to fund the purchase a wide variety of safety and security tools. For example, DHS grant funds can be used to purchase hazmat suits, emergency vehicles, and even blast resistant trash receptacles.
The most critical part of those various grants programs is that cybersecurity equipment and staff can be funded through those programs. Anti-malware systems, firewalls, incident management systems, and even forensic analysis software can be purchased using DHS grant dollars. Indeed DHS grant funds, as it notes in its own guidance, can even be used to retain staff to support planning, training, and exercise as well as analysts to monitor system health and respond to intrusions for cybersecurity.
This is an incredibly positive development for state and local governments and our overall cyber health. For all the concern and deep thought being focused on how to improve national cybersecurity, especially in the face of extraordinarily difficult budgeting issues, an existing pool of upwards of $2 billion annually is ready and available to be tapped to help state and local governments. Even better, these funds already have an existing system in place for administration and disbursement, and include meticulous oversight by both Congress and DHS.
Now, of course, not all the funds could or should be used for cybersecurity. We still have to prepare for other disasters, including “traditional” terrorist attacks. That said, given that the last 10 years and $35 billion (with upwards of $8 billion of that amount remaining unspent) have been focused on those events, perhaps it is time to refocus our grant dollars on cybersecurity.
The DHS has certainly done a great deal to highlight the ability to spend grant funds on cybersecurity, and Congress should support those efforts. As Congress continues to tackle cybersecurity challenges, its efforts should focus more on how existing DHS grant dollars can be used to better fund state and local government cybersecurity efforts. After all, this is one of those rare times when the money is there and can be spent before a major disaster strikes. Let’s not waste the opportunity.
Brian Finch (Twitter: @BrianEFinch) is a partner at Dickstein Shapiro LLP, where he leads the firm’s Global Security Practice.