Federal legislation to help strengthen the cybersecurity of state and local governments through a Department of Homeland Security (DHS) grant program passed the House of Representatives on Sept. 30 – with impetus for the legislation coming from across the U.S. in the form of numerous ransomware and other attacks in recent years.
One such attack in May 2019 on Baltimore, Md., networks helped fuel momentum for the legislation.
“State and local governments have long been a top target for cyber-attacks – as we painfully learned in Baltimore last year,” said Rep. C. A. “Dutch” Ruppersberger, D-Md., a Baltimore-area congressman and formerly top Democrat on the House Intelligence committee, in a release. “I am proud the House has passed this bipartisan and common-sense legislation that will give state and local governments the resources they need to invest in cybersecurity, protecting their citizens and tax dollars.”
The legislation, H.R. 5823, the State and Local Cybersecurity Improvement Act, would establish a $400 million DHS grant program each year from 2021 to 2025 that would incentivize states to increase their own cybersecurity funding. The bill also requires DHS’s Cybersecurity and Infrastructure Security Agency (CISA) to develop a strategy to improve the cybersecurity of state, local, tribal, and territorial governments.
In June of last year, while many of Baltimore’s systems were still locked down from a ransomware attack, the House Homeland Security Committee’s Cybersecurity, Infrastructure Protection, and Innovation Subcommittee held a hearing to address the cybersecurity challenges for state and local governments.
It was at that hearing that the then-subcommittee Chair Rep. Cedric Richmond, D-La., said he was “working on a comprehensive package to improve the cybersecurity posture of our state and local governments.”
It was not until after a municipality in Rep. Richmond’s own district was attacked last December that the legislation finally was introduced earlier this year.
“A cyber-attack took out critical government networks in my own Congressional District, disrupting the operation of municipal and traffic courts as well as access to certain electronic health records and the City’s homeless cleaning and outreach sweep,” said Rep. Richmond, in a Sept. 30 release. “The attack will cost the City over $7 million to fix but might have been prevented by investing in cybersecurity tools beforehand,” he said.
In order to receive the grants, the bill requires state and local governments to develop thorough cybersecurity plans. The legislation also sets up a State and Local Cybersecurity Resiliency Committee as a mechanism to advise CISA on localities’ cyber needs.
“Federal action is long overdue,” said Rep. Lauren Underwood, D-Ill., who took over as chair of the Cybersecurity, Infrastructure Protection, & Innovation Subcommittee on Friday. “As a proud cosponsor, I congratulate Congressman Richmond on the passage of this legislation and look forward to working with him to support Senate approval.”
Sens. Mark Warner, D-Va., and Cory Gardner, R-Colo., also introduced legislation this congressional session for a cyber grant program for state and local governments. That legislation has not yet moved out of committee.
The House legislation has three Republican co-sponsors – Reps. John Katko, R-N.Y., the Cybersecurity, Infrastructure Protection, & Innovation Subcommittee’s ranking member; Michael McCaul, R-Texas, and Mike Rogers, R-Ala.
Commissioners from the Cyberspace Solarium Commission – Sen. Angus King, Jr., I-Maine, and Reps. Mike Gallagher, R-Wis., the commission’s co-chairs, along with Rep. Jim Langevin, D-R.I., also introduced a bill this year to upgrade state and local government’s cybersecurity through a grant program. That legislation, which came out of an idea from the Solarium’s pandemic white paper, also includes Reps. Richmond, Ruppersberger, McCaul as co-sponsors.