Cost-Effective Policy Options to Help States Manage Growing Cybersecurity Risks
State and local governments are facing growing cyber threats. From ransomware attacks to data breaches, local governments are on the frontlines of the global cyber conflict that remains a top national security threat, according to the Director of National Intelligence.
Like all organizations, state and local governments have limited resources to manage cybersecurity risks. Nationally, the United States is on an “unsustainable fiscal path,” according to Comptroller General Gene Dodaro. But ensuring that state and local governments can prevent cyber attacks from disrupting essential services must be a national priority in 2021.
Earlier this month, the Senate Homeland Security and Governmental Affairs Committee held a subcommittee hearing to discuss these threats and policy options to address them. Senator Margaret Hassan (D-NH) chaired the hearing. Ranking Member Rand Paul (R-KY) invited me to testify. Below is a video clip from the hearing with my spoken testimony and excerpts of my Q and A with the Senators. I’ll also share the main points that I made at the hearing.
- Congress should streamline federal rules to reduce state governments’ compliance costs to allow more state resources to be spent on improving security.
For years, the National Association of State CIOs and National Governors Association have urged Congress and the White House to harmonize agencies’ information security rules, which are often contradictory or duplicative. (I wrote about this problem last year in The Hill.) In 2018, the Oklahoma state CIO testified that his office spent 10,000 personnel hours complying with federal rules and audits. That’s a year’s worth of work for five employees and time that could otherwise be spent on improving security.
GAO has reported that OMB issued guidance to agencies encouraging them to harmonize rules, but did not require them to do so. Congress and the Committee could pass legislation to require OMB and federal agencies to harmonize federal rules and audits to fix this problem. Simply streamlining federal rules would increase state governments’ resources for cybersecurity overnight and allow state CIOs and CISOs to spend more of their teams’ precious time on security, rather than paperwork.
- DHS already provides more than $1 billion annually to states and cities to help address security risks. In 2021, we must prioritize cybersecurity investments.
At the hearing, Senator Hassan and several of my fellow witnesses expressed their support for creating a new DHS grant program to provide federal funding to state and local governments to improve cybersecurity. But DHS, through FEMA, already awards more than $1 billion in annual homeland security grants. Secretary Mayorkas recently announced that the Department would require grant recipients to spend 7.5 percent of grant funds on cybersecurity. Congress could further increase that amount. (As Senator Paul mentioned during his questions, it might make sense for Congress to require half of those grant funds to be spent on cybersecurity considering current threats.)
But states and localities don’t need to wait on Congress. They already have billions in unspent DHS grants and other funds that can be used for cybersecurity. According to OMB, states had not spent 50 percent of the homeland security grants that had been awarded since 2015, and $2.7 billion was still available in 2020, as I explained last year writing for Lawfare. After receiving $340 billion in additional funds through the American Rescue Plan, state and local governments should have resources to improve cybersecurity. Congress should conduct oversight to find out how states and localities are using DHS grants and ask questions about why billions remain unspent when states and localities are facing growing cyber risks.
- The federal government should share meaningful threat information and security recommendations to help organizations manage cyber risk, including about potential vulnerabilities in commercial-off-the-shelf technologies.
Over the past decade, Congress has passed bipartisan laws to establish federal programs to facilitate information sharing. But watchdogs have identified limitations and opportunities to improve DHS’s information sharing programs. Congress should press the Department to implement these recommendations.
The federal government should also better leverage its expertise to help state and local governments implement best practices. For example, NIST provides valuable guidance through its Cybersecurity Framework. But the Framework includes a checklist of more than 100 recommendations that are difficult for many organizations to fully implement. The White House recently issued a memo to American companies with five specific recommendations to prevent and prepare for ransomware attacks. These are exactly the kind of specific, focused security recommendations that are needed to help organizations manage cyber risk.
At the hearing, Senator Jon Ossoff (D-GA) asked me how the federal government could help state and local governments by providing vulnerability warnings in commercial technologies. (As background, Lincoln Network published my paper documenting how state and local governments purchased COTS technologies which certain federal agencies had banned due to known vulnerabilities.) Ohio Homeland Security Advisor Karen Huey told the Committee that:
“Ohio’s dedicated federal homeland security intelligence officer shared information about two Chinese video surveillance technology companies whose products have been banned for purchase or use by federal government agencies since 2018. Despite the federal ban, dozens of these systems were purchased in Ohio, including some school districts, and at least one hospital… In turn, Ohio Homeland Security (OHS) drafted a situational awareness bulletin designed to alert Ohio entities that these companies are likely using their products to provide U.S. customer data to the Chinese government for espionage and surveillance operations…. High level technical mitigation information has already been shared and CISA personnel are working on a plan with the affected entities that will include a more detailed risk management solution.”
State officials like Ms. Huey and her colleagues should not need to rely on a proactive intelligence officer to identify these warnings. In 2018, Congress passed bipartisan legislation requiring a Federal Acquisition Security Council to share information about and prevent these kinds of security vulnerabilities across the federal government. In 2021, Congress should pass follow-up legislation to require that Council to proactively share information with state and local government partners.
- Congress and the Subcommittee should conduct a strategic review of national cyber threats and assess current and future resource needs to manage long-term cybersecurity risks.
The Intelligence Community recently assessed that technological innovations will likely result in increasing competition in the cyber domain. Congress should forecast what resources are needed moving forward. President Biden proposed spending $9.4 billion on federal civilian agency cybersecurity programs in his recent budget, or a 14 percent increase.
In comparison, he proposed spending $750 billion on national defense. Congress should consider whether these resource allocations are appropriately balanced to address current and future threats. There is also significant waste in the federal budget — such as the $75 billion that is lost annually on improper payments — that’s much larger than what Congress currently spends on cybersecurity. Given the Subcommittee’s mandate, it should review and forecast what federal spending resources are needed to counter emerging cyber threats.
As a former Senate Homeland Security and Governmental Affairs Committee staffer, testifying before the Subcommittee and speaking with the Senators about this challenge was truly an honor. My time working at the Committee involved bipartisan efforts to strengthen the nation’s cybersecurity, one of the few federal policy issues that continues to be addressed in a nonpartisan manner. A key lesson of my time working on the Committee staff was that using legislation to reform federal law and policy required finding areas of agreement between Senators of both parties. The policy and government oversight options presented above and in my testimony were offered based on my understanding of that reality.
Since the hearing, I have had productive conversations with staffers working for members of the Subcommittee. I’m hopeful that we will see progress in the months ahead. We will be providing updates here on the Lincoln Policy blog.