Back in early March, a bipartisan group introduced the State Cyber Resiliency Act. If passed and funded, the legislation would provide grants for state and local governments to improve cybersecurity protections and incident response. Here’s what you need to know.
For the past several years, survey after survey of state and local government technology and security leaders has produced the same results. What’s on their mind? Cybersecurity is the top priority, and security resources are an ongoing problem.
The National Association of State CIOs (NASCIO) and the National Governors Association (NGA) have consistently raised this cyberissue with their federal government counterparts, and it appears that the message may finally be getting through.
The State Cyber Resiliency Act was introduced on March 2, 2017, by Sens. Mark Warner, D-Va., and Cory Gardner, R-Colo., and Reps. Derek Kilmer, D-Wash., and Barbara Comstock, R-Va.
“Despite the velocity of the threat, 80 percent of states lack funding to develop sufficient cybersecurity,” said Warner in a press release announcing the bill.
The act would leverage the existing State Cyber Resiliency Grant program to: “Assist State, local, and tribal governments in preventing, preparing for, protecting against, and responding to cyber threats, which shall be administered by the Administrator of the Federal Emergency Management Agency.”
Each state would be eligible to apply for grants after it submits an approved cyber-resiliency plan. The act has now been referred to many committees and subcommittees.
What Does the New Cyber Act Include?
The objectives of the proposed program are very broad in order to assist in the essential functions of the states. The stated objectives include:
(i) Enhancing the preparation, response, and resiliency of computer networks, industrial control systems, and communications systems performing such functions against cybersecurity threats or vulnerabilities.
(ii) Implementing a process of continuous cybersecurity vulnerability assessments and threat mitigation practices to prevent the disruption of such functions by an incident within the State.
(iii) Ensuring that entities performing such functions within the State adopt generally recognized best practices and methodologies with respect to cybersecurity, such as the practices provided in the cybersecurity framework developed by the National Institute of Standards and Technology.
(iv) Mitigating talent gaps in the State government cybersecurity workforce, enhancing recruitment and retention efforts for such workforce, and bolstering the knowledge, skills, and abilities of State government personnel to protect against cybersecurity threats and vulnerabilities.
(v) Protecting public safety answering points and other emergency communications and data networks from cybersecurity threats or vulnerabilities.
(vi) Ensuring continuity of communications and data networks between entities performing such functions within the State, in the event of a catastrophic disruption of such communications or networks.
(vii) Accounting for and mitigating, to the greatest degree possible, cybersecurity threats or vulnerabilities related to critical infrastructure or key resources, the degradation of which may impact the performance of such functions within the State or threaten public safety.
(viii) Providing appropriate communications capabilities to ensure cybersecurity intelligence information-sharing and the command and coordination capabilities among entities performing such functions.
(ix) Developing and coordinating strategies with respect to cybersecurity threats or vulnerabilities in consultation with —
(I) neighboring States or members of an information sharing and analysis organization; and
(II) as applicable, neighboring countries.
Further details of how the program would work are spelled out under H.R. 1344 at Congress.gov.
News Media Analysis
Jenni Bergal wrote an excellent article for Stateline.org on this topic that described how state and local governments are now: Looking to the Feds For Help in Fighting Cybercriminals. Here’s an excerpt:
“Yejin Cooke, NASCIO’s government affairs director, said inadequate cybersecurity funding has become a huge issue for states, which face increasingly sophisticated threats.
States already can access federal funding through a Homeland Security grant program, but officials say that pot of money rarely is distributed for cybersecurity. The program was created to support anti-terrorism and police training, and the money usually ends up being used for emergency preparedness and first responders.
Cooke said states would be happy to get dedicated federal funding to fortify their cyberdefenses. But while the proposed bill would authorize creating a grant program, its lack of a dollar figure or funding source may be an obstacle to getting it passed.”
Many different groups have been promoting this approach for years, but now feel that the time may be right with the new Trump administration’s focus on cybersecurity.
Back in December 2016, Greg Garcia, who was the DHS assistant secretary for cybersecurity under the Bush administration in 2007, wrote this excellent article on the lack of state and local cyberfunding. His view is that state and local cybersecurity needs slipped through the cracks in the Obama administration’s final report, entitled: President’s Commission on Enhancing National Cybersecurity.
Greg Garcia writes: “So the time is right for a change. Bigly. President-elect Trump has identified infrastructure renewal as one of his top priorities. But we can’t modernize public transportation, water purification, air traffic control or the electric grid without securing the IT and communications networks that control the nervous system of ‘smart cities’, ‘internet of things’ and ‘predictive maintenance.’”
TheHill.com covered this bill in detail back in March. Here’s an excerpt:
“The bill unites four legislators with cybersecurity bona fides — Warner and Gardner co-chair the Senate Cybersecurity Caucus, Comstock chairs the research and technology subcommittee, and Kilmer co-chairs the New Democrat Coalition’s cybersecurity task force.
The funding would be welcome by states and localities that have recently found themselves at the center of cyberattacks.”
Is Funding Available?
So what stands in the way? In a word, funding.
At a time when many federal, state and local programs are identified for budget cuts, raising the dollars for cybersecurity grants for states and locals will be difficult.
While a government shutdown now seems unlikely when Congress returns from its Easter break, battles will continue throughout 2017 over federal budget cuts.
The National Association of Counties (NACo) published this blog which encourages Congress to fund other programs that are potential targets for budget cuts. Many other similar examples exist where states are lobbying for more dollars, and the April 28, 2017 deadline for the federal FY2017 budget is fast approaching.
The assumption is that this new cybersecurity grant program will begin in FY2018, which starts Oct. 1, 2017, but nothing is certain until the bill is passed by Congress and signed by the president.
What is encouraging for many states is that cybersecurity funding is now being called out as a specific category for dedicated grants. However, if other state and local grants are cut under FEMA, government programs will face other difficult budget challenges.
In Closing: My View on State and Local Cybersecurity Grants
The state and local cybersecurity funding problem is not new. Back in 2011, Investor’s Business Daily proclaimed that: Cybersecurity Is Among Casualties of State Budget Woes.
Going back further to my days as the Michigan chief information security officer (CISO) from 2002 to 2009, we were able to get millions of dollars in federal Department of Homeland Security (DHS) grants for cybersecurity for many different projects, ranging from new generators for data centers to anti-spam appliances to new encryption for laptops. Those grant dollars launched Michigan into the forefront of government cybersecurity leadership at the time, enabling us to implement many cyberprotections and stop ongoing cyberattacks.
An important aspect of many of these FEMA grants is that ongoing (full life-cycle) support of capabilities, including maintenance and upgrade fees, often comes from the state or local government. Remember that there are people, process and technology elements to almost all of the items on the list above. Therefore, the ongoing staffing, training and other aspects of cybersecurity will likely still need to come from operational budgets at some point down the road.
Nevertheless, I believe that the State Cyber Resiliency Act offers new hope for public-sector security pros and a good opportunity to improve cybersecurity programs nationwide. Private-sector partners should also prepare to assist in the national effort, with encouraging signs that cyberprogress may finally be coming to areas that have neglected information security for too long.
My recommendation is for state and local security leaders to get working on their initial cyber-resiliency plans now. How? At a minimum, do your homework on US-CERT’s C3 Voluntary Program, which offers assessments for different groups, including State, Local, Tribal and Territorial (SLTT) Governments.
Bottom line: I do think Congress and the Trump administration will provide some level of grants in the coming year for new cybersecurity projects for state and local governments. Start planning now to take your cyberprogram to the next level with these cybergrants.