While these events are “good” in the sense that they highlight the need for additional cybersecurity measures, they are also distracting in that they tend to focus our attention and resources in two areas: the various weaknesses of the federal government in protecting its own networks or the chaos and harm that could be sown by attacks on the private sector.
Just like any other organization, state and local governments can and will be hacked. For example, in 2012, South Carolina suffered one of the worst hacks ever when one of its Revenue Department’s databases was breached, exposing 3.6 million Social Security numbers and 387,000 payment card records. California also suffered several major attacks, resulting in the exposure of well over 1 million names and the exposure of Social Security numbers to unauthorized parties. Suffice it to say, then, that state and local vulnerabilities are well known and repeatedly exploited.
Recognizing this problem is just a first step. Additional federal legislation could be helpful, but Congress has been notoriously slow in passing bills that will materially improve cybersecurity. That means that there is little hope for new laws that would help improve state and local cybersecurity. While President Obama’s Executive Order "Improving Critical Infrastructure Cybersecurity" should help curb vulnerabilities, it is a work in progress and will take some time to implement.
Fortunately, there is an existing way to help state and local governments immediately with respect to cyberattacks: use existing funds for cybersecurity efforts. A quick review of federal grants reveals that there are large amounts of funds available that state and local governments can take advantage of right now to beef up their cybersecurity.
Since Sept. 11, 2001, nearly $35 billion in grants have been provided through the U.S. Department of Homeland Security (DHS) to state and local governments to prepare them for a variety of emergencies, man-made or otherwise. These grants, which have such wonderfully Washingtonian names as “State Homeland Security Program,” “Urban Areas Security Initiative,” and “Metropolitan Medical Response System,” have been used to fund the purchase of a wide variety of safety and security tools. For example, DHS grant funds can be used to purchase hazmat suits, emergency vehicles, and even blast-resistant trash receptacles.
The most critical part of those various grant programs is that cybersecurity equipment and staff can be funded through them. Anti-malware systems, firewalls, incident management systems, and even forensic analysis software can be purchased using DHS grant dollars. Indeed, as DHS notes in its own guidance, grant funds can even be used to retain staff to support cybersecurity planning, training, and exercises, as well as analysts to monitor system health and respond to intrusions.
This is an incredibly positive development for state and local governments and our overall cyber health. For all the concern and deep thought being focused on how to improve national cybersecurity, especially in the face of extraordinarily difficult budgeting issues, an existing pool of upwards of $2 billion annually is ready and available to be tapped to help state and local governments. Even better, these funds already have an existing system in place for administration and disbursement, and include meticulous oversight by both Congress and DHS.
Now, of course, not all the funds could or should be used for cybersecurity. We still have to prepare for other disasters, including “traditional” terrorist attacks. That said, given that the last 10 years and $35 billion (with upwards of $8 billion of that amount remaining unspent) have been focused on those events, perhaps it is time to refocus our grant dollars on cybersecurity.
The DHS has certainly done a great deal to highlight the ability to spend grant funds on cybersecurity, and Congress should support those efforts. As Congress continues to tackle cybersecurity challenges, its efforts should focus more on how existing DHS grant dollars can be used to better fund state and local government cybersecurity efforts. After all, this is one of those rare times when the money is there and can be spent before a major disaster strikes. Let’s not waste the opportunity.
Brian Finch (Twitter: @BrianEFinch) is a partner at Dickstein Shapiro LLP, where he leads the firm’s Global Security Practice.