State and local officials celebrate passage of infrastructure bill with $1 billion in cyber funds

State and local officials are celebrating the expected distribution of $1 billion in cybersecurity funds from the newly approved infrastructure deal, the biggest government investment in state and local cybersecurity to date.

The funds were included in the $1.2 trillion infrastructure package that is awaiting President Biden’s signature after months of negotiations in Congress and years of advocacy from state and local governments, which have faced chronic shortages of resources to address increasing cyber threats. 

“We are elated,” Matt Pincus, director of Government Affairs at the National Association of State Chief Information Officers (NASCIO) told The Hill Monday. 

“It’s a significant amount of money that has never existed before,” Pincus said. “Our members and other state and local government associations have been clamoring for the need for some sort of cybersecurity-specific funding stream available to local and state governments.”

The funds are set to be allocated over four years, with $200 million made available in 2022, $400 million in 2023, $300 million in 2024, and $100 million in 2025. 

States have varying funding match requirements throughout that time to help share the financial burden, and 80 percent of the money will go to local governments that may be more in need. 

The federal funds are set to be rolled out after a difficult few years, during which state and local governments have found themselves increasingly vulnerable to attackers as critical services moved online during the COVID-19 pandemic.

Even prior to the pandemic, governments were increasingly under attack, with ransomware attacks against the city governments of Baltimore, Atlanta, New Orleans and dozens of Texas towns crippling services and costing millions of dollars to recover from in recent years.

Rita Reynolds, the chief information officer at the National Association of Counties (NACo), told The Hill on Monday that counties were seeing more “probing” of networks for vulnerabilities. 

“COVID brought challenges, but it brought significant opportunities with the utilization of technology,” Reynolds said. “Setting the stage then, that gives a much broader landscape for what we call the bad actor community, the hackers, to access more information from counties, from local governments than they have ever had before, and so the exposure is greater for sure, and it isn’t going to go away.”

Reynolds noted that the funds were desperately needed for issues including implementing multi-factor authentication, switching over to more secure .gov domains, and hiring and maintaining a skilled cybersecurity workforce. 

“In so many of these smaller to midsize counties, they don’t have a security professional on staff or even access to a consultant, one that will meet their needs appropriately,” Reynolds said. “Even in the smaller counties, some don’t even have an in-house IT person.”

Besides the apparent needs, up until recently there has not been as much of a focus on allocating limited funds to cybersecurity. Pincus told The Hill that only 35 percent of states currently have a line-item budget for cybersecurity, an amount he described as “wholly inadequate.”

But in the wake of escalating and expensive successful attacks, states and localities have clamored for the funds, with officials testifying on Capitol Hill about the desperate need to shore up cybersecurity, and organizations sending letters outlining the needs. 

In July, NASCIO, NACo, the National Governors Association (NGA) and several other government advocacy groups sent a letter to House and Senate leaders urging them to include a “dedicated cybersecurity fund” for state, local, territorial and tribal governments. They pointed to the increase in ransomware attacks on critical services, combined with a lack of resources, as creating a “perfect storm” of threats.

“States, territories and localities are the primary agents for the delivery of a vast array of federal programs and services to our communities,” the organizations wrote. “The increasing frequency and debilitating impact of ransomware and other types of cyberattacks threaten our ability to deliver these critical services to the American people.”

The inclusion of the funds is a victory not only for state and local governments, but for members of Congress that have urged the federal government to funnel cybersecurity funds to embattled state and local governments. 

The $1 billion in funding is part of the State and Local Cybersecurity Improvement Act, which was sponsored in the House by Rep. Yvette Clarke (D-N.Y.), chair of the House Homeland Security Committee’s cybersecurity subcommittee, along with several other Republican and Democratic sponsors. 

Clarke made passage of the bill and pushing out the funding a priority, saying in a statement late Friday following the House vote on the infrastructure package that the legislation is “an essential step to ensure our state and local governments are not left to fend for themselves.”

“Cyber attacks have increased at a rapid pace this year and pose a persistent threat to our national security,” Clarke stressed. “Ransomware attacks, in particular, have wreaked havoc on state and local governments across the country, disrupting essential government services.”

Sen. Maggie Hassan (D-N.H.), who led the effort to include the bill in the Senate version of the infrastructure package, said in a separate statement Friday that cyberattacks put “crucial services in jeopardy.”

“I have heard directly from New Hampshire local leaders who are eager to strengthen their cybersecurity, but do not have the resources to do so, which is why this new grant program is so important,” Hassan said. “I look forward to the President signing into law our groundbreaking, bipartisan infrastructure bill that includes our state and local cybersecurity grant program.”

There is still some distance to go before the funds are in the hands of states and localities, with the Cybersecurity and Infrastructure Security Agency (CISA) charged with approving plans submitted by these governments before they can receive the money. 

The funds are also fairly limited in scope and time, with no guarantee that Congress will renew the program in four years, and a limitation in the amount of money each government will receive when it is all divided up.

“When you break down those numbers in terms of what it means for actual states, it is probably not a significant game changer,” Pincus said. “Is it certainly a huge help? For sure.”

He stressed though that while more funding from the federal government may eventually be needed, this was a positive step in the right direction. 

“The money is obviously much needed and very much appreciated, but I think from a messaging standpoint it’s even more important,” Pincus said. “This is a recognition that state and local cybersecurity is important, and that collaboration between state and local governments and federal partners is equally important.”