The additional responsibilities state and local IT shops have taken on in the wake of the pandemic have stretched their already thin resources, but the work administering hundreds of federal programs may finally open the door for federal cybersecurity funding.
State and local governments, along with hospitals and critical infrastructure, have borne the brunt of ransomware, which has not been considered a national security risk by federal policymakers until recently.
An attack on an ill-protected municipality, health care facility, small company or other organizations "wasn't at the same level as say, Chinese espionage or Russian election interference,” Rob Knake, former director of cybersecurity policy on the National Security Council in the Obama administration. Knake said at a May 4 webcast hosted by the Council on Foreign Relations. The prevailing perception was that allowing cyber criminals to hit the lowest-hanging fruit would provide incentives to drive better investment and security behavior from others, he said.
The financial pressures facing cities and states because of the coronavirus has changed this equation.
A number of lawmakers on Capitol Hill are pushing to include dedicated federal funding in future COVID-19 relief bills that states and localities can draw from to bolster protections. One such bill would set aside $400 million per year for states to tackle ransomware and other cyber threats.
Engagement from Congress and other policymakers around the issue has improved substantially following the high-profile ransomware attack on Baltimore last year, according to Matt Pincus, director of government affairs at the National Association of State Chief Information Officers (NASCIO).
Additionally, the extra responsibilities state IT officials have taken on since the pandemic began “have exacerbated the amount of responsibility they have in the cybersecurity world," Pincus said in an interview.
NASCIO has historically gotten pushback from the Hill about subsidizing cybersecurity for state and local governments, Pincus said. His hope is that the COVID-19 pandemic has demonstrated that these entities are often on the front lines of processing benefits passed by lawmakers to deal with the crisis.
"The federal government charges the states to administer hundreds of federal programs … even funding that's in the CARES Act," he said. "If you want unemployment insurance to be distributed amongst citizens, you need to make sure that you have systems that are capable of doing it."
NASCIO helped craft the $400 million funding proposal and has lobbied for lawmakers to include it in future coronavirus relief bills. One of the top asks the non-profit has heard from state IT leaders is the need for more training to school their employees on how to avoid phishing lures and other tactics that provide an initial foothold to ransomware actors. Pincus said multifactor authentication, endpoint security, software patching tools and remote security assessments were also flagged as cybersecurity needs.
Rep. Dutch Ruppersberger (D-Md.) has successfully pushed for more federal funding to states and localities for their cybersecurity needs in the past and was one of four members who requested House leadership include regular grant funding in a future stimulus bill. A spokesperson for Ruppersberger's office said they have not heard back from House leadership since sending the letter in mid-April.
"I think the challenge is going to be convincing members of the connection between the pandemic and ransomware," the aide said, noting that emphasizing how greater reliance on digital services by many states and municipalities during the lockdown offers one such avenue. "I think it's going to be a messaging battle."
A spokesperson for the House Homeland Security Committee said members are still pushing House leaders to include the funding in future spending packages.
One thing most agree on: All parties should do everything they can to avoid paying the ransom. Pincus said NASCIO's message to states is the same as those offered by the Cybersecurity and Infrastructure Security Agency and other federal agencies: don't pay.
Knake said organizations today are paying a price for past decisions made by organizations who failed to heed that advice.
Criminal groups have "built these organizations starting from that $50 ransomware from your grandmother's computer, taking that money and reinvesting it in their capability and so what we're seeing today is the result of that," Knake said. "We have grown these criminal enterprises, we have paid their R&D budgets and now they are targeting us and we are in very bad shape."
This article was first posted to FCW, a sibling site to GCN.
NEXT STORY: Mitigating cyber risk with zero trust