A bipartisan group of House lawmakers is drafting legislation that would provide as much as $500 million in annual grants to states and local governments to boost cybersecurity as financial fraud and ransomware attacks continue to cripple essential citizen services.
Rep. Yvette D. Clarke, D-N.Y., chairwoman of the House Homeland Security Cybersecurity, Infrastructure Protection and Innovation Subcommittee, said at a hearing last week that she soon planned to introduce the bipartisan legislation to provide the grants.
State and local governments remain the weakest link in the national cybersecurity chain, while private companies and federal agencies have significantly ramped up spending in the past decade on cybersecurity to protect their networks from attacks.
In 2020 alone, as many as 2,400 state and local governments, hospitals and schools paid out $350 million in ransom to regain access to networks after criminals locked up their computers and shut down services, Clarke said at the hearing.
Even before Clarke’s bill makes its way through Congress, states may be able to spend a substantial amount of money on upgrading their computer systems, thanks to the $350 billion in flexible aid that Congress provided states under the recent $1.9 trillion pandemic aid law.
That money is likely to land in state treasuries this week, followed soon afterward by guidelines on what states can spend it on, said Denis Goulet, president of the National Association of State Chief Information Officers, or NASCIO. He hopes that some of the money could be spent on upgrading computer networks and cybersecurity.
When COVID-19 pushed state and local government employees to remote work, that exposed states to more attacks.
The combination of insufficient budgets for cybersecurity, poor staffing and continued reliance on aging mainframe computers to operate key systems, such as unemployment insurance processing, has left states even more vulnerable to attack and fraud, according to a biennial report on the state of cybersecurity in states prepared by the consulting firm Deloitte in partnership with NASCIO.
Several states lack the ability to monitor their networks on a continuous basis and identify a breach, said Srini Subramanian, a principal at Deloitte & Touche who is one of the authors of the report published in October.
Fundamental security practices such as continuous monitoring of networks are not “there consistently across state and local governments,” Subramanian said. In the absence of such monitoring, states often depend on private security companies and others to alert them to a breach or an ongoing attack, he said.
One reason for the disparity in security practices between state governments and private companies or federal agencies is how little states spend on cybersecurity, Subramanian said.
The Deloitte-NASCIO report found that states spend an average of 3 percent of their information technology budget on cybersecurity, compared with financial services companies, which spend about 11 percent, or the U.S. Treasury, which spends about 14 percent of its overall tech budget on cybersecurity.
The report also found that in 10 percent of the states, each agency within a state operated its own cybersecurity budget and strategy with only rough guidance from the state’s chief information officer. Another 40 percent of the states followed a so-called federated model, with the state’s top tech official setting policy and providing some centralized services while the rest are managed by individual agencies.
The Deloitte-NASCIO study, which surveyed state chief information security officers in 51 states and territories, found that respondents preferred a centralized model, with the top official responsible for all cybersecurity services.
“Fully three-quarters of state CISOs believe that a centralized model can most effectively improve the cybersecurity function,” the report said.
Technology managers in states also are advising governors and other officials to view spending on computer networks and cybersecurity as operational costs that have to be incurred on a regular basis instead of seeing them as one-time capital expenditures, Goulet said in an interview.
Such a shift in thinking “enables cloud computing, which takes away the lifecycle management problems that you may have or it certainly largely mitigates them,” said Goulet, who is the commissioner of the department of information technology in New Hampshire.
In contrast, “if I had a ton of money right now you just threw it at me and I magically updated all the infrastructure in the country … five years later, I’d be at the same place again,” because of obsolescence driven by technology changes and the evolving nature of threats.
States are beginning to embrace the idea that information technology and cybersecurity is an ongoing process, said Meredith Ward, director of policy and research at NASCIO.
“I see that a lot of folks are kind of going that way into looking at things in small bits and continuously looking at it rather than every 10 years or whatever,” Ward said. “I don’t think that we have a choice really.”
The bipartisan House bill to provide grants to states is likely to include several elements of a similar bill that passed in the House last year but did not get a Senate vote. The bill would have authorized a $400 million grant to be administered by the Cybersecurity and Infrastructure Security Agency.
Some senators objected to the grant program because they noted that states were operating outdated computer systems that would continue to be vulnerable to attacks no matter how much is spent on cybersecurity measures, Subramanian said.
“That I believe is a very good argument,” Subramanian said. Instead, lawmakers wanted to upgrade the infrastructure and “build better cybersecurity posture as we modernize,” he said. The downside of that view is it may take time and more money to upgrade outdated systems, he said.
But if the $350 billion federal aid to states as part of the pandemic aid law allows governors to invest in modern computer systems, it may address some of the questions lawmakers raised about the wisdom of spending on cybersecurity without addressing outdated computers, Goulet said.
“A lot of this, too, will depend on the specific state, but if states are able to use, or they choose to use a lot of that money for some legacy modernization, which I think they will, perhaps that might change Congress’ view” on providing ongoing grants to boost cybersecurity, Goulet said.