Internet Explorer 11 is not supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Making the Most of the New Federal Cybersecurity Money

With $1 billion on the way from the new infrastructure law, state cybersecurity planning committees will need to be creative to fairly and uniformly distribute funds across diverse government landscapes.

MPD-Facilities__element223.jpg
Aerial view of Washington, D.C., police department headquarters. The department was attacked recently with ransomware, and the criminal group responsible threatened to share data about informants and other sensitive information with local gangs. (dcmetropolicecollector.com)
Can a billion dollars from Washington make a significant dent in state and local governments' ever-intensifying cybersecurity challenges? The $1.2 trillion Infrastructure Investment and Jobs Act that President Biden signed in November includes $1 billion for grants to improve state, local, tribal and territorial government cybersecurity. To make the most of the new federal money —the biggest federal investment in state and local cybersecurity to date— will require careful and creative management and planning, particularly at the state level.

The federal government has certainly had its own challenges with headline-grabbing cybersecurity incidents, but the grants that will be coming from Washington signal that the impact of cyber attacks on state and local governments has finally become a national priority.

It’s no secret that cybersecurity incidents at those levels of government have become widespread over the past several years, resulting in damage and disruption of public services from incidents that can cost tens of millions of dollars to remediate and impact the lives of citizens for months at a time.

The 2021 Mid-Year SonicWall Cyber Threat Report highlighted a 917 percent increase in ransomware attacks on government organizations between 2020 and 2021, and Emsisoft reported that last year 2,323 local governments, schools and health-care providers were victims of financially motivated ransomware attacks. A few recent cyber crime examples include:

  • A New York cyber attack disabled access to databases by the state’s civil service, environmental department and state police force.
  • A cyber attack on the local water treatment facility in Oldsmar, Fla., was discovered before any damage occurred, but highlighted significant vulnerabilities common in many municipal water utilities.
  • The Washington, D.C., police department was attacked with ransomware, and the criminal group responsible threatened to share data about informants and other sensitive information with local gangs.
  • A ransomware attack on the Illinois attorney general’s office resulted in sensitive data being posted online.

But while cybersecurity incidents like these have seemingly captured the attention of government leaders, the funding resources to adequately address people, process and technology gaps have not materialized. The diversity of cybersecurity issues requiring an urgent response and hands-on attention is virtually limitless, and the paucity of resources being applied to these problems is disgraceful. Despite the growing number of high-profile incidents, for example, a 2020 study by IBM found that only 38 percent of state and local government employees had been trained on security issues like ransomware prevention.

Shortcomings of that type can only serve to underline the growing responsibilities of dedicated security teams at the state and local government level, responsibilities that are far broader and more complex than many people understand. Security teams across the spectrum of these organizations are responsible for an almost unbounded landscape of dynamic threats and vulnerabilities, which no one completely understands. For example:

  • If citizen data is publicly disclosed either through the inadvertent configuration of government systems or, as is becoming more common, through misconfigured cloud services, the security team is almost surely responsible — even if the data transfer processes are authorized by another group within the organization. And that responsibility includes all response and remediation, including any regulatory compliance issues and citizen advisory and monitoring services.
  • As government organizations have evolved to conducting almost all citizen-facing business online, including online payments for everything from driver's licenses and taxes to building permits and hunting licenses, the operational repercussions of fraudulent payments inevitably fall to the security teams.
  • When municipal operational technology and physical systems such as water treatment facilities, electricity generation and transmission systems, and other public infrastructures such as police, fire, and emergency services are damaged or delivery is disrupted through cyber means, the security team is at the pointy end of the spear.

The new federal cybersecurity grant funding could go a long way toward bolstering the support those teams need, and they are likely to be key to how those funds are allocated to local governments, schools and other governmental organizations. The federal funds will be administered at the federal level by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and will complement current CISA operational support and funding efforts. Allocation of the $1 billion, which comes with varying state funding match requirements, will happen over the next four years, with $200 million in 2022, $400 million in 2023, $300 million in 2024 and $100 million in 2025. Eighty percent of those funds are required to go directly to local governments, with 25 percent directed to rural areas.

State CIOs and chief information security officers will be the overall authority for managing and allocating funds within their states, but development of a cybersecurity plan is key and will be overseen and approved by a state planning committee comprised of members from across the state, tribes, counties, cities, towns, public education and public health, and at least half the representatives will be required to have cybersecurity or technology experience. This is important because many small towns and villages may not even have dedicated and trained IT staff, much less anyone with technical cybersecurity skills, and a priority for the state planning committee will be to ensure that everyone is equally represented.

States will be required to submit detailed cybersecurity plans to CISA on how the funds will be spent, which will then be approved by CISA before any projects can be funded.

According to the latest federal Census of Governments, there are more than 90,000 American local government organizations, including not only general-purpose governments but also special-purpose jurisdictions that encompass school districts, water authorities, parks districts and other public entities. When you divide $1 billion by 90,000, the math is pretty simple. This means that the state planning committees will need to be incredibly creative and clever to equitably distribute funding across the many small local governments that don’t have the knowledge or experience to reasonably write proposals for complex technology funding. Without an innovative approach to distributing this federal funding, the opportunity to level the playing field across the diverse geographic areas of the country will be missed. That would be a shame.



Governing's opinion columns reflect the views of their authors and not necessarily those of Governing's editors or management.
Mark Weatherford, Governing's cybersecurity columnist, is the chief strategy officer for the National Cybersecurity Center.