Ep. 4: How State and Local Governments Can Get Their Share of $1 Billion in Federal Cyber Funds

Summary

Ransomware attacks are hitting big federal agencies and smaller, underfunded state and local groups. Last fall, the feds rolled out $1 billion in cyber grants. How do states prep for that?

In this, our pilot episode, recorded in 2022, we lay out a five-step plan for better fundraising—and it’s just as effective now as it was then.

HOST: Doug Thompson, director of technical solutions engineering and chief education architect at Tanium
GUEST: David Rand, business and technology journalist

Show notes

Check out these articles in Focal Point, Tanium’s new online cyber news magazine.

• State CISOs to Feds: Show Us the Money
• 5 Strategies State CIOs Can Use to Transform Their Workforce
• State Agencies Play Catch-Up on Cybersecurity

Transcript

The following interview has been edited for clarity.

David Rand: Ransomware attacks against government agencies, especially cities and counties, [have been] absolutely out of control… There were 79 ransomware attacks against U.S. government organizations in 2020 that totaled nearly $19 billion in downtime and recovery costs. So we’re not talking chump change here.

Doug Thompson: Hi, I’m Doug Thompson, and today on Let’s Converge, we’re talking cyberattacks on state and local government.

We’re going to start with something that’s pretty apparent and something not so apparent. First, the obvious thing: Ransomware attacks are on the rise for both government agencies and private enterprises.

What’s not so apparent with government attacks are the targets themselves. It’s not just the big federal agencies with deep pockets. Just in the last few months, we’ve seen cyberattacks in Quincy, Illinois; Somerset County, New Jersey; and Bernalillo, New Mexico. You might need to pull out your Google Maps to find some of these places, but as David Rand will explain, just because they’re small doesn’t make them any less of a target.

David is a business and technology reporter, and he’s a frequent contributor to Tanium’s new online magazine, offering businesses and tech leaders the latest insight on today’s toughest cyber challenges. Dave took a deep dive into this subject, talking with state and local IT leaders. These folks are understaffed and underfunded. So the federal government plans to roll out 1 billion in cyber grants to states this year. But how should state CIOs and CISOs prepare? What should they prioritize?

Hey, welcome to the podcast, Dave. We’ve got a lot to cover, but first, I guess it’s fair to say that ransomware isn’t going anywhere anytime soon, is it?

Rand: Thanks for having me here, Doug. And yes, ransomware is a big deal. You know, ransomware attacks against government agencies, especially cities and counties, are absolutely out of control right now.

Each month this year [2022] alone, there’s been at least one example of a U.S. town, county, or state government being hit by ransomware. I’ve seen stats suggesting the average ransom paid in these kinds of attacks is around $925,000, which is up 71% from last year. I saw another stat that there were 79 ransomware attacks against U.S. government organizations in 2020 that totaled nearly $19 billion in downtime and recovery costs. So we’re not talking chump change here.

Thompson: I think too often people rely on cyber insurance as sort of the panacea—not everybody, but as I talk to people, they say we’ve got cyber insurance, so they sort of defocus on this a bit. You know, I would rather stop or try to block as many of these things as I could, rather than simply relying on insurance.

Rand: Yes, it’s something you’ll probably see me writing about sometime soon. Cyber insurance hasn’t covered everything that government agencies, or companies for that matter, need to be covering, and it’s going away because it’s just getting super expensive to cover.

But the problem for government agencies is that most operate on limited budgets. So, you know, they’re not investing in top-notch security. It’s not something they typically do, even if they really need to.

In fact, it’s more common for government procurement officers to default to purchasing good-enough hardware and software instead of best of breed, which would have more security features. It’s not even uncommon for government agencies these days to be running antiquated endpoint devices and operating systems from four, five, six years ago or more, when the cybersecurity roles were completely different.

But some states are looking closely at this; they want to change it, and they’re trying to figure out how to help their local governments rise to higher levels of cybersecurity proficiency.

Thompson: I run into this in education a lot, where you’ve got these smaller K-12s that don’t have a budget. How do they sort of fend for themselves? Because sometimes in these really small ones, the dog catcher or the janitor is also the IT person.

Rand: Yeah, that’s absolutely true. It’s going to vary by size of municipality or size of agency or even in the tribal areas. I mean, sometimes they don’t even have an IT staff, to your point. Sometimes they do, but even when they have an IT person with some technology background, they don’t necessarily have the funding they need to actually make a substantial change.

So, you know, it wouldn’t be uncommon to walk into a city office or a city manager’s office and find a Windows Vista machine sitting on his or her desk.

Thompson: Yeah. [Laugh.] I was at Microsoft when Vista came out. Once we got to SP1, it wasn’t so bad.

Rand: [Laugh.] I was at Microsoft for Windows Vista too, so I think we know what that’s all about.

Thompson: Well, obviously you weren’t in Philly with me when we launched that. It was like midnight in February and it’s below zero and… well anyway, that’s a whole other life that we [Laugh.] had.

But you talk about funding and, and I hear a lot that the feds have sort of gotten the message that we need to do something about this. I know there’s some funding that’s coming out— and you had an interesting conversation with a state CISO the other day, right?

Rand: I sure did. That was Ryan Murray, great guy.

So, a lot of states are looking at how they can help local governments rise to higher levels of cybersecurity proficiency. The state of Arizona is one of those, and like many states, it’s struggled to find the funding to secure government operations in its mostly rural communities and travel areas.

So three years ago they set out to upgrade antiquated IT systems using a combination of federal grant money and state budgetary contributions. So this isn’t something that’s just coming up this year.

Most recently they decided, though, to pursue a portion of this $1 billion in cybersecurity grant money that’s contained in the Biden infrastructure bill that was passed last November. By itself, that money’s not going to be enough, but Arizona’s actually been pretty aggressive about going after these kinds of grants. Really, they’re tin-cupping wherever they can. They’re even partnering with other states to share funds, with the idea to make a difference regionally. So Ryan Murray, the CISO in Arizona, told me he’s optimistic they’re going to be successful in upgrading the state’s security posture over time.

Thompson: You know, IT budgets—and I think budgets in general—are very, you take what you can get and then use that and hopefully it’s a launching pad to go to the next step. Especially when it comes to cybersecurity. Because you’re right: It’s not unusual to find very old, antiquated, vulnerable equipment in these places. And as a taxpayer, I appreciate my state not wasting money or taxpayer money, trying to be diligent with it.

But I think there’s some education that needs to get across 1) with the legislators and 2) with the taxpayers, as like, Hey, this is why we need this and this is what it’s going to do.

Rand: You’re exactly right. Ryan Murray told me it’s been a constant education process, right? Working with legislators, working with the governor, just trying to explain the situation—here’s what ransomware is, for example, here’s the potential cost, here’s what it could do to operations, here’s what it could do for public image.

In Arizona, Governor Ducey seems to get it, and there is an IT security portion of the state budget. Murray tells me he’s been a great partner in trying to go after funding wherever it might exist.

Thompson: What got him sort of aware of this or taking this tack? Because, you know, you’ve talked to a lot of people or seen a lot of people, and there’s some that haven’t quite gotten that message yet.

Rand: I’m not really sure to, to tell you the truth. I think every CISO at one level or another knows this is an issue. It’s not something that’s a surprise to anybody—as I mentioned, ransomware is out of control. It’s not getting any better when you’re in a state like Arizona where 80% of the state sits in rural areas. They’re struggling not only with bandwidth, Wi-Fi connectivity, but also they’re struggling just to have basic cybersecurity in place, and things like multifactor authentication—just having best practices around that, moving people away from passwords.

It’s no surprise, when you’re a security professional, that these things need to happen. Sometimes it’s a surprise to legislators, because they’re not necessarily fully aware of just how antiquated their systems are, how behind they are. And, you know, the MO over time has been, as I mentioned, going for good-enough security as opposed to best-of-breed security.

These days, with hackers and the level of sophistication they have, good enough isn’t good enough.

Thompson: You wrote about the need for cyber hygiene as a piece of this as well, because sometimes we give somebody the keys to the Ferrari and we don’t teach ’em how to drive. Are you seeing people sort of understanding this need, too, so that when they give funding for broadband, they also give more funding and ongoing funding for things like cyber hygiene and IT security?

Rand: Well, I think it’s a constant education process for the IT security team, the CISOs, to be constantly communicating the importance of baking security into anything you do from a technology standpoint.

From the very beginning—I’ve been in high tech for the longest time, you know, longer than I care to admit—and even in high-tech industries, security can be an afterthought. It can be a checkbox, you know? You’re developing a product, and you go down the road with it, and then at the very end you say, oh wait, how are we going to secure this? Because you get so excited about the product and, you know, it’s just human nature. And I think that goes on at the state level.

And to your point, if you’re going to do any kind of digital transformation or you’re going to start rolling out broadband or, in this case, you’re just trying to upgrade your IT infrastructure at a local level, security’s got to be built into your strategy, into your plan, from the get-go.

Thompson: You said you were at Microsoft too, and there was a time when I was there, and we sort of said, OK, now we have to start with security number one and develop products. And you see how that’s worked—there’s still holes! But that’s just the nature of software, when you’re developing it. You’re gonna have those things, and the bad guys are more apt to find them when [the products] get out in the wild than we are.

You mentioned the fed funding, we talked about that. But we always know that anytime that the fed offers money, there’s usually hurdles and strings attached.

Rand: Well, sure. In the article I just wrote, here’s how this cybersecurity funding works as part of the infrastructure bill: There’s a billion dollars set aside that’s supposed to be split among 50 states. Now, not all the states will go for that, but imagine 50 states trying to share just $1 billion for cybersecurity. It’s not a ton of money. But it’s something, right?

And over the next four years or so, it’s gonna be distributed in chunks. So $200 million will be available this year [2022], $400 million in 2023, $300 million in 2024, and another $100 million in 2025. Now, the rules required that at least 80% of grant money flow to the localities over that time. So the states might be going for the funding, but they’re going to have to get it out to the cities, to the counties, to the tribal areas.

In other words, that means the states have to match the grant money with their own funds, so they have to be bought in, right? The governor has to be bought in; it has to be part of the budget.

So the states have to put in 10% the first year, and that’s going to increase 10 percentage points each year until 2025. So they also need to, as part of this, put forth a cybersecurity plan. They have to submit this plan to get this money, and it has to lay out exactly how the money’s going to be distributed and how it’s going to be applied. They have to have the apparatus in place to do it.

Thompson: OK, Dave, so explain it to me like I’m a fifth grader here: I’m a state CIO or CISO. What should I be doing now to get this money? What’s the step-by-step?

Rand: There’s really five things states could or should be doing— this is what my sources are telling me.

First of all, brush off that cybersecurity plan. You may have one, but it needs to be specific again to what you’re going to be doing with this infrastructure bill funding. It has to detail with the states or how the states are gonna uplevel security in the localities and tribal areas.

Number two, talk to locals. CISOs need to be working with local agencies now to not only determine what they’ll do from a tools or endpoint-device standpoint but also consider things like ramping up training support, or hiring managed security service providers [MSSPs] to implement cybersecurity improvements. That’s one thing, by the way, that Ryan Murray in Arizona told me they’re looking at, bringing in MSSPs to help.

Because not every locality, to your point, has in-house staffing. Maybe the janitor’s not enough to implement a zero trust security infrastructure. So considering MSSPs would be a good, good move.

Third, educate other government stakeholders. Again, to your point, Doug, you know, governors, state legislators, and administrators need to understand the importance of cybersecurity for heading off cyberattacks like ransomware. And they need to upgrade IT infrastructure, security infrastructure, as soon as possible. By making them partners in these efforts, it’s possible to increase available funds over time.

In Arizona, for example, Governor Ducey’s budget sets aside $10 million to help local governments and K-12 school districts upgrade their security posture.

Fourth thing to think about is, just don’t limit yourself; think broadly. Don’t just look at this infrastructure bill money and think that amount is too small to waste time pursuing.

It’s going to be human nature to think about that and go, gosh, it’s a lot of work over four years for just a small amount of money. But there are multiple federal funding programs states can tap into, and they’re coming up all the time. The Department of Homeland Security, for example, recently announced $1.6 billion in preparedness grants to fight terrorism, and there’s a cybersecurity funding component to that. Arizona’s going after that as well.

The final thing I’d mentioned, and this surprised me, is you can partner with other states potentially. So if CISA doesn’t disallow it—and there’s no reason to think that they would, but as long as they don’t, states can actually partner with one another to share time, money, and resources for fighting cyber crime regionally versus within their own states. If I have this right, I think Arizona’s talking to government leaders in Texas and New Mexico, about doing exactly that.

Thompson: What are your final thoughts on this? Anything that comes to mind?

Rand: There’s a lot of opportunity out there for states to pursue federal funding, and they should. They need to be actively involved, and not look a gift horse in the mouth, and think about it more broadly. Again, partner with colleagues in the state legislature, partner with your governor. Think about partnering with other states. Look at it regionally.

You know, Jennifer Pittman-Leeper, a customer engagement manager at Tanium, said this funding is not a magic wand, but it is a beginning, and government agencies have to start somewhere. It’s good to start with this infrastructure bill funding if you haven’t already started looking at these kinds of programs.

Thompson: Thanks Dave, for sharing all that critical and timely information.

I’ve been talking to award-winning journalist David Rand, who writes for Tanium’s new online cybersecurity news magazine. You can check out those stories at Tanium.com.

If you’re a state CIO or CISO and you want to learn more about how to land this federal money or how to improve your cyber hygiene, check out the links in the podcast show notes. To hear more stories like this, make sure to subscribe to Let’s Converge on your favorite podcast app, such as Apple Podcast or Spotify.

Thanks for listening, and we look forward to sharing more cyber insights on the next episode of Let’s Converge.