A bipartisan group of U.S. House members on Wednesday introduced legislation that would create a grant program for state and local cybersecurity operations, which they said is more needed than ever amid a rising tide of ransomware attacks against governments and schools nationwide.
The State and Local Cybersecurity Improvement Act, a version of which passed the House during Congress’ last session but failed to advance in the Senate, would launch a $500 million annual grant program to be administered by the Department of Homeland Security. It would also give several new roles to DHS’s Cybersecurity and Infrastructure Security Agency for its relationships with state and local governments.
“In the decade since I first chaired the cybersecurity subcommittee, the number of cases and the financial impact of ransomware have skyrocketed,” said Rep. Yvette Clarke, D-N.Y., chairwoman of the House Homeland Security Committee’s cybersecurity panel and one of the bill’s lead sponsors. “These attacks are more than a mere inconvenience – they are a national security threat.”
Clarke said during a hearing last week that she was preparing to introduce the legislation, which is also being backed by the cybersecurity subcommittee’s top Republican, Andrew Garbarino of New York, who called the bill “an essential first step to ensure our state and local governments are not left vulnerable to cybercrimes.”
Garbarino’s own Long Island-based district has seen multiple school systems hit with ransomware in recent months, some of which resorted to paying off the perpetrators. Lawmakers sponsoring the bill had no shortage of other incidents to cite, including schools having to cancel classes or Washington, D.C., police being threatened with the publication of officers’ detailed personnel records.
House Homeland Security Chairman Bennie Thompson, D-Miss., and the ranking Republican, John Katko of New York, also sponsored the bill, as did Reps. Derek Kilmer, D-Wash., Michael McCaul, R-Texas, and Dutch Ruppersberger, D-Md.
Cybersecurity grants are a longstanding priority of the National Association of State Chief Information Officers, which has endorsed previous iterations of the State and Local Cybersecurity Improvement Act. The group praised the new version on Wednesday.
“NASCIO greatly appreciates the reintroduction of the State and Local Cybersecurity Improvement Act. As cybersecurity has remained the top priority for state CIOs for the past decade, we have long contended that a dedicated cybersecurity grant program is long overdue,” the group told StateScoop. “The sophistication of cyber incidents has progressed from digital consequences to sophisticated strikes designed to threaten the health and safety of our nation’s citizens – with state and local governments remaining some of the most vulnerable entities.”
The bill would structure grants by requiring recipients to match a portion of any grant funding they receive. The federal government would cover up to 90% of activities funded by the grants in the first year of the program and 80% in the second year, with gradual steps down until the federal government and states split costs 50-50.
NASCIO said that requirement could be an incentive to state lawmakers who are sometimes reluctant to support consistent cybersecurity funding.
“Passage of this legislation will not only enhance the cybersecurity posture for state and local governments but will also require state legislatures to match a portion of federal grant funds,” the group’s statement read. “This is crucial as far too many legislators view cybersecurity as something that can be solved with a one-time expenditure – not a continuous problem that needs to be an ongoing priority in every state’s budget.”
If the bill passes, CISA will also be required to develop a strategy and guide to federal cybersecurity resources available to state and local governments. The agency would also be responsible for setting baseline objectives for state and local agencies. The bill would also order CISA to study the possibility of state and local government employees being detailed to its cyber workforce on a rotating basis.
The Biden administration has not commented on the legislation yet, but DHS Secretary Alejandro Mayorkas said during his confirmation hearing in January that he “[looked] forward” to working with lawmakers on such a proposal.