Aug 25 2021

Infrastructure Legislation Could Improve State and Local Government Cybersecurity

The Senate’s bill would throw a cybersecurity funding lifeline to government agencies.

Cybersecurity is the top technology concern among county governments and state CIOs and has been for years. Now, as ransomware attacks on local governments continue unabated and states consider bans on ransom payments, the federal government may be riding to the rescue.

Tucked into the Senate’s recently passed $1 trillion infrastructure bill is about $1 billion in funding for state and local government improvements to cybersecurity.

The funding in the bill, which could become law this fall, would fill a critical need for states and localities to enhance IT security protections, especially from ransomware attacks.

“When a police department has a dispatch system that’s hit with ransomware, that directly affects public safety,” New Hampshire CIO Denis Goulet, who serves as president of the National Association of State Chief Information Officers, tells the Washington Post. “Having those systems functioning is not a ‘nice to have.’ It’s a ‘must have.’ It’s a real existential threat to citizens.”

How the Infrastructure Bill Boosts State and Local Cybersecurity

The core element of the bill’s cybersecurity funding for state and local governments is a $1 billion measure to support cybersecurity grants for state, local, tribal and territorial governments over four years.

As MeriTalk reports, the grant program in the Senate bill matches legislation in the State and Local Cybersecurity Improvement Act, which the House passed in July.

The Department of Homeland Security would run the grant program, which would receive $200 million in fiscal year 2022, $400 million in FY 2023, $300 million in FY 2024 and $100 million in FY 2025.

Governments seeking a grant would need to show DHS that they have a comprehensive cybersecurity plan that would enable them to access and use the funding, MeriTalk reports. Politico adds, “Governments can apply to the program to help upgrade their networks, but they can’t use the funds to do things like pay a ransom in a cyberattack.”

The funding could be a lifeline for smaller localities that may not have the budget for a dedicated cybersecurity team. “At least Atlanta and Baltimore have robust IT departments and information security teams,” Ed Mattison, an executive vice president at the Center for Internet Security, tells the Post, citing two recent high-profile ransomware attacks on city government. “They had some semblance of a plan. Many smaller municipalities don’t have that. This could be a game changer for them.”

At least 80 percent of the grant money has to go to local governments, and 25 percent would need to go to rural areas, according to a fact sheet from the bill’s sponsor, Sen. Maggie Hassan.

The bill would also provide $140 million through FY 2028 for a cyber incident response and recovery fund to be administered by DHS’ Cybersecurity and Infrastructure Security Agency. That money would provide direct support to public and private entities as they respond to and recover from significant cyberattacks and breaches.

RELATED: 5 questions a cybersecurity assessment must answer.

gorodenkoff/Getty Images