Federal grants could boost whole-of-state cyber defense
The $1 billion State and Local Government Cybersecurity Grant Program requires states to collaborate more closely with their local governments, reinforcing the holistic approach favored in many state capitals.
Federal cybersecurity grants for state and local governments could give nascent whole-of-state cyber strategies a boost because the grants foster greater cooperation between different levels of government, panelists said this week.
Intergovernmental collaboration and better information sharing were cited as some of the biggest goals for a whole-of-state approach to cybersecurity, which emphasizes partnerships between the different levels of government as well as with other public- and private-sector organizations and academic institutions. It acknowledges shared risks and encourages the sharing of resources to reduce financial burdens.
The $1 billion federal State and Local Government Cybersecurity Grant Program could make the whole-of-state strategy easier as it requires that 80% of support go to local governments through cash or services.
Carlos Kizzee, senior vice president for stakeholder engagement operations at the Center for Internet Security, said during the GovExec Cyber Summit that the grant program fosters “a culture of cooperation and collaboration and creates an environment where there's an incentive not just for states to participate, but also for states and local municipalities to work together.”
The value of collective defense “has been shown and seen everywhere,” said Netta Squires, director of local cybersecurity at the Maryland Department of Information Technology. “These kinds of grants, but also this forward thinking as a whole of state, and really nation, at the end of the day, is going to move us towards that collective defense.”
The biggest beneficiaries are local governments whose limited IT security staff and small budgets for software upgrades make them among the most vulnerable to attack. Squires said states have a responsibility to provide protection for residents in various areas, and cybersecurity is no different, she said. Localities need cybersecurity assistance from a larger, better resourced organization.
But a pervasive lack of trust between local governments and the state can prevent collaboration, she said. To get around that, forming relationships and keeping lines of communication open is crucial, especially in the early stages of building a whole-of-state strategy. And Squires said when the state government creates a position like hers that is focused on liaising with localities on cybersecurity, that also fosters that trust.
In Maryland, close state and local collaborations resulted in the creation of the Maryland Information Sharing and Analysis Center, a resource that enables jurisdictions large and small to collaborate and share threat information beyond the legal requirements for localities to report certain attacks to the center.
Kizzee said similar models are working in other states and in multistate information-sharing groups like the Multi-State Information Sharing and Analysis Center (MS-ISAC). Sustaining that collaboration can be a challenge given the time and budgetary constraints that governments at all levels face, but it’s worth it.
“[States are] learning from each other, and I think that is a huge value proposition, because then [we’re] able to see what does work, what might work for us, let's apply it if it is working, let’s keep it going,” he said.
Squires said metrics are key for measuring a program’s success and will be especially critical for evaluating the success of the federal cyber grants that states receive and then pass on to local governments.
“If we can show that over the next three years of this grant that we have measured results and success and that … we've managed to mitigate and prevent [however] many attacks that we wouldn't have otherwise, that will, I believe, help leadership want to continue to implement and sustain programs,” Squires said.
As for other states that are starting on their journey toward a whole-of-state cyber strategy, Kizzee urged them to join MS-ISAC, especially as it is free. He also called on states to make use of the resources available to them, and build their cybersecurity strategy on collective defense. “Don't view it as something that everybody who has a protected laptop or some capability has to fight on their own,” he said.
NEXT STORY: Should governments ban TikTok? Can they?