State and local governments have long lacked the funding, and in some cases the will, to bolster their cyber defenses, but much-needed help is on the way, thanks to $1 billion earmarked for state and local cybersecurity in the bipartisan infrastructure bill President Biden signed into law in November.
That funding, though a small fraction of the law’s $1.2 trillion overall price tag—which also allocates $65 billion to improve broadband infrastructure and another $65 billion to upgrade the U.S. power grid—is still significant, representing the largest federal investment in state and local cybersecurity to date, one that advocates say is both urgent and long overdue.
“Right now, only 15 states have a dedicated cybersecurity budget,” says Matt Pincus, director of government affairs at the National Association of State Chief Information Officers (NASCIO). “The ones that do are only budgeting between 1% and 3% of their overall IT spend on cyber, compared with 10% to 20% in the private sector.”
The money can’t come soon enough. In recent years, chief information security officers of U.S. states, counties, cities, and municipal agencies have been under siege. Countless government agencies have been held hostage by ransomware attacks, which cost an estimated $18.8 billion in recovery and downtime in 30 states in 2020, the most recent full year available. The attacks have affected 71 million citizens, according to a report by the consumer security site Comparitech.
At least 75 ransomware attacks targeted state, local, and tribal entities in just the first five months of 2021. Hackers even tried to infiltrate water districts in the San Francisco Bay Area, Southern California, and Central Florida, among others. If they had been successful in breaking through weak remote-access systems, they could have poisoned the local water supply.
Fighting a perfect storm
The newly minted cyber funding won’t be a one-time cash infusion. It will be spread out over four years, rising from $200 million in 2022 to a high of $400 million in 2023 before tapering off by 2025.
Notably, the law requires that 80% of the money go to state and local governments, which often have the least robust security infrastructure. “With that provision, Congress is recognizing that resources need to go toward the most vulnerable,” says Pincus. State and local governments face the same challenges that the Cybersecurity and Infrastructure Security Agency (CISA) and the Senate are finding at the federal level.
State and local governments will have to clear a few hurdles to access the funds. They must submit an annual spending proposal to CISA for approval. They must also share the financial burden with a match of the federal funds that will rise incrementally from a 10% local match of federal dollars in 2022 to a 40% match by 2025.
These efforts will be well worth the trouble, given the “perfect storm” of cyber challenges since the COVID-19 pandemic began, says Rita Reynolds, chief information officer at the National Association of Counties (NACo).
“COVID escalated the advancement of technology solutions for counties, but at the same time, it created a much broader landscape for the bad actors to infiltrate,” says Reynolds. With the rise in incidents and breaches, cyber insurance premiums are rising, with insurers often demanding government agencies put in place protective cyber hygiene practices like multifactor authentication (MFA). “Multifactor authentication is no longer a nice-to-have,” says Reynolds. “It’s a necessity.”
While tactics like MFA and zero trust top the cyber wish lists of many state and local governments, other needed security protections include upgrading legacy networks, implementing real-time monitoring, protecting vulnerable endpoints, and securing dedicated “.gov” domains.
More than a funding issue
It will take a lot more than money to harden the security of state and local governments.
“Resilience is key,” says Rep. Yvette Clarke (D-N.Y.), chair of the House Homeland Security Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology. “Determined adversaries have all the time in the world to invest in defeating network defenses.” Clarke says states should put in place cyber incident response plans, so operations can continue if systems are compromised.
In 2020, the most recent full year of available data, state and local victims of ransomware attacks logged 773 days of government operations lost to cybercrime and recovery efforts. Key government resources, such as utilities and 911 services, went down. One estimate places the average price tag for downtime at $8,662 per minute. And the number of attacks per year continues to rise.
Governments used to be concerned with hackers stealing personal data. Now a hacker could “shut down an entire state,” says Pincus of NASCIO. “It’s not an IT issue anymore,” he says. “It’s a continuity of government issue.”
With the requirement that state and local governments match federal funding, the choice to invest in keeping the digital lights on will fall to each public-sector entity. These are groups perennially strapped for cash, with budgets now stretched even thinner due to additional costs related to the pandemic. Pincus says that if a government agency doesn’t want to contribute the small percentage of the bill—next year the match is pegged at only 10%—it won’t be able to apply for a grant. “That’s wasted money and a wasted opportunity,” he believes.
In other words, while the $1 billion allocated in the new infrastructure law has built an on-ramp to improved state and local cybersecurity, it’s an open question whether lawmakers will accelerate into the fast lane.
The first signs of interest will come in early 2022 as state and local governments chart their annual priorities. In the midst of a pandemic, the irony is that many of their discussions will happen online over vulnerable networks rather than in still-shuttered legislative offices.