Congress mulls $500M to help states upgrade cybersecurity
WASHINGTON — A bipartisan group of House lawmakers is drafting legislation that would provide as much as $500 million in annual grants to states and local governments to boost cybersecurity as financial fraud and ransomware attacks continue to cripple essential citizen services.
Rep. Yvette D. Clarke, D-N.Y., chairwoman of the House Homeland Security Cybersecurity, Infrastructure Protection and Innovation Subcommittee, said at a hearing last week that she soon planned to introduce the bipartisan legislation to provide the grants.
State and local governments remain the weakest link in the national cybersecurity chain, while private companies and federal agencies have significantly ramped up spending in the past decade on cybersecurity to protect their networks from attacks.
In 2020 alone, as many as 2,400 state and local governments, hospitals and schools paid out $350 million in ransom to regain access to networks after criminals locked up their computers and shut down services, Clarke said at the hearing.
Even before Clarke’s bill makes its way through Congress, states may be able to spend a substantial amount of money on upgrading their computer systems, thanks to the $350 billion in flexible aid that Congress provided states under the recent $1.9 trillion pandemic aid law.
That money is likely to land in state treasuries this week, followed soon afterward by guidelines on what states can spend it on, said Denis Goulet, president of the National Association of State Chief Information Officers, or NASCIO. He hopes that some of the money could be spent on upgrading computer networks and cybersecurity.
When COVID-19 pushed state and local government employees to remote work, that exposed states to more attacks.
Inadequate budgets
The combination of insufficient budgets for cybersecurity, poor staffing and continued reliance on aging mainframe computers to operate key systems such as unemployment insurance processing has left states even more vulnerable to attack and fraud, according to a biennial report on the state of cybersecurity in states prepared by the consulting firm Deloitte in partnership with NASCIO.
Several states lack the ability to monitor their networks on a continuous basis and identify a breach, said Srini Subramanian, a principal at Deloitte & Touche who is one of the authors of the report published in October.
Fundamental security practices such as continuous monitoring of networks are not “there consistently across state and local governments,” Subramanian said. In the absence of such monitoring, states often depend on private security companies and others to alert them to a breach or an ongoing attack, he said.
One reason for the disparity in security practices between state governments and private companies or federal agencies is how little states spend on cybersecurity, Subramanian said.
The Deloitte report found that states spend an average of 3 percent of their information technology budget on cybersecurity, compared with financial services companies, which spend about 11 percent, or the U.S. Treasury, which spends about 14 percent of its overall tech budget on cybersecurity.
The report also found that in 10 percent of the states, each agency within a state operated its own cybersecurity budget and strategy with only rough guidance from the state’s chief information officer. Another 40 percent of the states followed a so-called federated model, with the state’s top tech official setting policy and providing some centralized services while the rest are managed by individual agencies.
Deloitte, which surveyed state chief information security officers in 51 states and territories, found that respondents preferred a centralized model, with the top official responsible for all cybersecurity services.
“Fully three-quarters of state CISOs believe that a centralized model can most effectively improve the cybersecurity function,” the report said.
Cloud computing
Technology managers in states also are advising governors and other officials to view spending on computer networks and cybersecurity as operational costs that have to be incurred on a regular basis instead of seeing them as one-time capital expenditures, Goulet said in an interview.
Such a shift in thinking “enables cloud computing, which takes away the lifecycle management problems that you may have or it certainly largely mitigates them,” said Goulet, who is the commissioner of the department of information technology in New Hampshire.