A bipartisan group of lawmakers wants to provide $500 million to help state and local governments improve their cyber defenses against debilitating ransomware attacks.
With some cybersecurity firms reporting a considerable uptick in ransomware attacks in the past year, a group of House members has proposed a grant program at the Department of Homeland Security to incentivize state and local governments to pump up their cybersecurity spending.
The State and Local Cybersecurity Improvement Act, introduced by three Democrats and three Republicans, would also require the DHS Cybersecurity and Infrastructure Security Agency to develop a strategy to improve the cybersecurity of state, local, tribal, and territorial governments.
While the bill is focused on overall cybersecurity, ransomware was top of mind for the sponsors.
“In the decade since I first chaired the cybersecurity subcommittee, the number of cases and the financial impact of ransomware have skyrocketed,” Rep. Yvette Clarke, a New York Democrat and the chairwoman of the House Homeland Security Committee’s cybersecurity subcommittee, said in a statement. “These attacks are more than a mere inconvenience — they are a national security threat.”
In recent weeks, cybercriminals have hit Colonial Pipeline, a major refined-fuel pipeline serving the East Coast, and JBS, the world’s largest meat producer, with ransomware attacks. But ransomware has also disrupted several state and local government operations in recent years, including police departments, school districts, and several state agencies, the bill’s sponsors noted.
Many cybersecurity experts applauded the bill, although some said the $500 million price tag wasn’t enough to fix the problem.
“State and local governments are expected to defend their systems against threat actors with unlimited resources using slingshots and stones that they’ve found along the way,” said Elizabeth Wharton, the chief of staff at SCYTHE, maker of a cyber adversary emulation platform.
Increased funding is a “good start,” she told the Washington Examiner. Still, government organizations also need to share intelligence better, maximize their use of existing tools, and share resources across organizations.
The proposed $500 million represents a small fraction of the losses to cybercriminals, countered Jeff Le, a political partner with the Truman National Security Project and former deputy Cabinet secretary for California. The federal government should look at a higher number, he told the Washington Examiner.
“These grants represent and acknowledge the importance of investing in state and local cybersecurity and IT that has long been deferred digital maintenance,” he said. “Like a road, state and local systems have been operating with cracks and potholes and are now on the verge of cratering.”
Many state and local governments have deferred “tough decisions” on cybersecurity, he added. “They have operated on old legacy frameworks and still use mainframes from the ’70s and ’80s. States have been unable to allocate multiple-year funding to support their systems and invest in newer technology, largely from lack of capacity, lack of political incentives, and lack of technical fluency.”
Beyond the money in this bill, state and local governments should focus on training employees to recognize phishing attacks and other avenues for ransomware, added Elena Elkina, a partner at Aleada, a privacy and data security consulting firm. They should also conduct regular risk assessments to understand potential threats, she told the Washington Examiner.
Many state and local governments have not prioritized cybersecurity in the past, and they may not have the expertise needed to determine cybersecurity best practices, she added. Therefore, the grants in the bill are needed, Elkina said, but Congress should provide detailed guidance on how to use the money.
Regardless of how that guidance is written, state and local governments need additional help, especially as they deal with problems caused by the coronavirus pandemic, she said.
“With the onset of the pandemic, state and local government employees had to make a sudden transition to remote work without robust technological infrastructure and without adequate security controls in place,” Elkina said. “Though this transition occurred due to the restrictions around COVID-19, it ultimately exposed underlying issues in the way that cybersecurity is handled at the state and local government level.”