Proposed legislation establishing a Department of Homeland Security grant program that would bolster cybersecurity for state and local government IT networks faces a steep climb in Congress, but its backers say the need is urgent.
“There’s an acknowledgement that this is a real problem … [and that] things could get worse. … As [former Defense Secretary] Leon Panetta has observed, we’re at something of a pre-9/11 point in cyber,” said Rep. Derek Kilmer, D-Wash., a co-sponsor of the State Cyber Resiliency Act, HR 1344.
Cyber threats “aren’t aimed at red districts or blue districts — all of our communities are vulnerable … There is an obvious need and I hope that makes it more likely that this bill could move,” Kilmer told CyberScoop in an interview. His GOP co-sponsor is Virginia Rep. Barbara Comstock. An identical companion bill in the Senate, S. 516, is sponsored by Sens. Mark Warner, D-Va., and Cory Gardner, R-Colo.
The proposed law, backed by a broad coalition of state and local leaders and tech vendors, would put the Federal Emergency Management Agency in charge of doling out the money, starting in fiscal 2018, which begins in October.
The current push by cities and states into smart infrastructure is blurring the lines between physical and digital security, and creating new risks to the public from hackers or foreign cyberwarriors, according to the bills’ supporters.
No dollar figures are included in the bills, but the grants would fund up to two years of planning work in order to help states to draw up cyber resilience plans, and two years of implementation costs as they put the plans into practice. The states would have to submit applications and the grants would be awarded competitively. Although the bills only authorize expenditure, and the money would still have to be appropriated in a funding measure, they are nevertheless likely to be viewed with suspicion by conservative budget hawks.
When first established, the broad post-9/11 State Homeland Security Program, known as the block grant program, was criticized for funding purchases of expensive state-of-the-art equipment which local first responders lacked the training and resources to operate.
But Kilmer said the process his bill envisaged would prevent that from happening by requiring consultations with CIOs and “operational-level personnel.”
“We’re bringing together the right people at the table to make the decisions” about how to spend the money, he said.
“Any time you have a large amount of federal dollars heading out the door there’s a risk,” acknowledged Bush-administration DHS official Greg Garcia. But he told CyberScoop the grant program would require “outcome-based measures of success,” and lay out requirements for interoperable technologies.
Garcia said he spent a lot of his time at DHS in 2006-08, “traveling the country talking to [state and city] CIO and CISOs” and became very concerned about the condition of cybersecurity in some states.
“DHS offers a lot of good [cybersecurity] programs [to state and local governments] but frankly some states lack the foundational capabilities to take advantage of them,” he said.
Although, while at DHS, he managed to get cybersecurity made an “allowable expense” under the state block grant program, he said, there was a need for special funds to be carved out for cyber, as they are for firefighters.
“Whenever there’s competition for limited state funds, cyber tends to get short shrift,” he said. Nor, in the current fiscal environment, was there any likelihood that states would find the money themselves. “CISOs are being asked to cut their budget to help make ends meet,” he said.
“When you fence it off, state governments have a separate bucket of funds they can only draw on for these activities,” said Garcia, who is working with legislators to build support for the bills.
He pointed out that the much-anticipated federal government infrastructure spending boost would likely lead cities and states to accelerate their deployment of smart infrastructure — civic facilities and amenities like traffic lights or transit systems equipped with computing power and connected online. “That digital infrastructure needs to be secured,” he said.
Garcia, who now works for D.C. lobby and communications firm Signal Group, is hoping to generate work for his company from his support of the bill but also says he feels a responsibility.
“This was something I feel like I left on the table” at DHS, he said.
For his part, Kilmer acknowledges that politics and jurisdictional issues will make the bill a tough proposition, but says they are well positioned to get across the finish line.
“This is a bipartisan, bicameral effort and I certainly hope that this reinforces the likelihood that we can see this move forward. We’ve also got strong engagement from cities [and other state and local governments] around the country” — including from first responders, he said.
In the Senate, the bill has been referred to the Homeland Security and Governmental Affairs Committee, but in the House it has two referrals — Homeland Security and Transportation and Infrastructure. Referral to more than one committee is often a bad sign for legislation since it means the bill has to negotiate a minefield of jurisdictional tensions.
But Kilmer noted that his Republican co-sponsor, Comstock, was the chairwoman of a Transportation and Infrastructure subcommittee and that it might help the bill make progress. “We intend to work the process as well as we can,” he said, noting the authors were collecting additional sponsors.