There is agreement on both sides of the aisle that an expansion of the Cybersecurity and Infrastructure Security Agency (CISA) would benefit state and local efforts. There isn't consensus on just how that should happen.
A longstanding effort to create new federal support for state and local cybersecurity efforts may finally see a breakthrough.
As ransomware attacks against state and local entities skyrocketed over the past year or so, lawmakers have repeatedly introduced legislation promising to empower the Cybersecurity and Infrastructure Security Agency (CISA) as a kind of federal benefactor, expanding its ability to dispense funding, training and other resources to struggling state and local agencies.
In many ways, these proposals don't seem unthinkable for an agency that has, in two short years, gone from a federally inward-looking organization to one that is increasingly establishing itself as America's top risk adviser.
Since its inception in 2018, CISA has greatly expanded upon the mission of the National Protection and Programs Directorate (NPPD), the DHS sub-agency it evolved out of. While the NPPD acted mainly as the federal government's own cyber watchdog, CISA now offers its services not just to federal agencies but to the private sector and to state and local agencies as well. This includes programs such as the State Interoperability Markers system, which helps states and territories self-assess gaps in strategic and financial cyber planning, and its long-running Cyber Assessments program, which gives free penetration tests and other cyber hygiene assessments to state and local public entities.
Yet with so much at stake in an increasingly digital, data-driven world, the talk of enlarging CISA's responsibilities has evolved into a more and more serious conversation. Most recently, this conversation has played out in the legislative process surrounding the passage of the FY 2021 National Defense Authorization Act (NDAA), with debates ongoing about what CISA's expanded role should be, and how appropriations should adequately reflect those changes.
Last week, the U.S. Senate passed its version of the NDAA, which includes an amendment that enumerates new powers and responsibilities for CISA, among them the ability to assign a cyber "coordinator" to each state government to assist with security and defense matters. The cyber coordinator would act as a risk adviser who could provide training and guidance to state IT officials on an ongoing basis.
The House has also passed its own NDAA version, which includes a funding bump of $239.1 million for CISA above the last fiscal year, some portion of which would go toward supporting state and local cyber efforts. Under the House's version, CISA would get a new $11.6 million Joint Cyber Center for National Cyber Defense, which would bring together a range of stakeholders for collaboration, including state, local and territorial leaders.
Other new responsibilities are included in both bill versions, such as giving the agency more control over the defense of critical infrastructure by allowing it to "issue subpoenas to internet service providers compelling them to release information on cybervulnerabilities detected on the networks of critical infrastructure organization[s]." Various other amendments address workforce growth, a five-year term for the CISA director, and other questions of authority and bureaucracy.
While they differ on the details, under both the House and Senate scenarios the agency would be given new powers and a greatly expanded reach. The bipartisan support for such expansions can be attributed in large part to the congressional homeland security committees, which have played a significant role in the legislative wrangling around CISA.
Case in point: the recent Senate NDAA amendment was rebundled from legislation originally introduced in January by Sen. Maggie Hassan, D-New Hampshire, called the Cybersecurity State Coordinator Act.
Hassan, who serves on the U.S. Senate Homeland Security and Governmental Affairs Committee, introduced the legislation following discussions with federal, state and local governments and organizations — including CISA officials — about "the importance of having direct connections between federal, state, and local governments and organizations about cybersecurity threats, preparedness, and resources," said Laura Epstein, a spokesperson for Hassan's office.
Similarly, the State and Local Cybersecurity Improvement Act was introduced last year by U.S. Rep. John Katko, R-New York, who serves on the House Homeland Security Committee as ranking member of the Cybersecurity, Infrastructure Protection and Innovation subcommittee. Katko's bill sought to direct $400 million in federal funding toward a CISA-led grant program for state and local cybersecurity, while also proposing a State and Local Cybersecurity Resiliency Committee, staffed by state and municipal leaders, which would "advise and provide situational awareness to CISA" on the status of their communities' cyber needs.
In an email to GT, Katko said that CISA's support would "allow governments to upgrade equipment, and assist in identifying critical systems," while also giving them the training necessary to deter bad actors.
Legislators have also used the ongoing negotiations over COVID-19 economic stimulus bills as a potential window to push for CISA appropriations. Back in April, House Democrats lobbied for the inclusion of provisions similar to Katko's bill in the CARES Act. Just this week, Senate Republicans unveiled a bill that likewise targets CISA for additional funding.
These ongoing efforts to package and repackage new CISA-related measures have been bolstered by a number of outside voices, including the Cyberspace Solarium Commission, which released its report earlier this year outlining America's cybersecurity needs. The Solarium, which has had a significant influence on both the House and Senate versions of the NDAA, has argued that CISA can act as a "central coordinating element to support and integrate federal, state and local, and private-sector cybersecurity efforts."
Robert Morgus, one of the senior task force leaders with the Cyberspace Solarium, told Government Technology that CISA presents a lot of opportunities for improved across-the-board security in government.
"In a world where CISA is a robust cybersecurity and infrastructure security agency, CISA would also be in a position to not only assess and provide guidance on risk, but run programs to assist in actually mitigating that risk, whether through regional offices with HIRTs (Hunt and Incident Response Teams) or through grants programs designed to help underfunded states and municipalities defray some of the costs of digitizing securely," said Morgus.
This help may be needed now more than ever. As state and local governments battle the ongoing coronavirus pandemic, the resulting budget shortfalls are unlikely to leave cybersecurity funding untouched. At the same time, new and emerging threats also warrant a more involved federal government. Morgus pointed to one such threat highlighted by the Solarium report: the vulnerability of public water infrastructure systems.
"Water in the U.S. is supplied by a network of nearly 70,000 local utility companies, most of whom are turning to digital systems to manage real-world, physical ones critical to water treatment and distribution," said Morgus. "Many of these municipal utilities often lack the resources or capacity to address weaknesses in these systems and the EPA — the water sector's 'sector-specific agency' — has not done as much to help the sector address cybersecurity threats as others, like the [Department of Energy] for energy or Treasury for the financial sector."
Morgus further commented that many of the CISA-related amendments within the recent NDAA represent a "step in the right direction."
"A strengthened CISA would be integral in increasing federal government collaboration with state and local governments," Morgus said. "CISA should be the primary [point of contact] for states when it comes to cybersecurity issues, just like the FBI already is for criminal issues ... all of the efforts the Commission proposes around planning, including the Joint Cyber Planning Office at CISA and the myriad of recommendations around exercises would incorporate states and municipalities as a key stakeholder and the best way to improve collaboration is to practice it."
Where the NDAA process will ultimately land is not yet clear. With the Senate having passed its version of the bill last week, the House and Senate must now go to conference to reconcile their differences, after which the finalized bill will be sent to the president for signature.