Question for states: Why isn’t more DHS grant money funneled to cybersecurity?

A House bill to reauthorize the Department of Homeland Security includes a requirement to study why state and local governments have not been using homeland security grant programs to fill the large gaps in their cybersecurity defenses.

The requirement was added by voice vote during a markup of the bill by the House Homeland Security Committee as an amendment proposed by Rhode Island Democrat James Langevin. It requires figures on the amount of DHS grant money spent by state and local governments on cybersecurity over the past decade, as well as a report on “obstacles and challenges related to using grant funds to improve cybersecurity.”

“In the [security, threat and risk] self-assessments they do, states consistently identify cyberattacks as one of their top-tier man-made threats, if not one of their top-tier risks overall. And they put cybersecurity at the top of the list of capability gaps they have,” explained a House aide familiar with the legislation. But, the aide added, while “some jurisdictions have [used DHS grant money for cybersecurity programs], the level [of spending on cyber] overall doesn’t seem commensurate with the self-reported risk.”

Former DHS cyberscurity official Greg Garcia shared some figures with CyberScoop that back up the House aide’s anecdotal perception of a spending gap.

Over the four years 2011-14, “Data I’ve seen from DHS show that only 30 states and 2 tribal territories spent a total of just $27.3 million of homeland security grants on cybersecurity as an allowable expense. … That’s a tiny fraction of the more than $4 billion in total Homeland Security grants to the states in that same period,” Garcia said.

Garcia, who now works for D.C. lobby and communications firm Signal Group, said he expects the report the bill requires will show that cyber spending levels continue to be “troublingly low.”

“Thumbs up to Congressman Langevin for informing the issue and pushing cyber progress for the states,” he added.

Although official guidance makes clear that cybersecurity is an “allowable expense” for states spending DHS grants, it is not explicitly mentioned in the original 2002 law establishing the department and listing the purposes of its grant program. The reauthorization bill would add cybersecurity to that list, the house aide said, but “it seems very unlikely that this will completely solve the problem.”

Hence the requirement for DHS officials to study the problem and get back to lawmakers.

“There are clearly other barriers to the [state and local government] use of homeland security grant money for cybersecurity,” that need to be identified, the aide added.

A second amendment proposed by Langevin at last week’s markup and approved by voice vote would add the DHS 24-hour watch center called the National Cybersecurity and Communications Integration Center to the list of federal agencies and centers from which personnel can be seconded to state and local homeland security fusion centers.

The legislation, HR 2825 which sets policy for DHS as a whole, would be the first-ever authorization bill in the 14 year history of the department — if it passes. Previous efforts to pass such a policy bill for DHS, modeled on the annual reauthorization passed every year for the Department of Defense, have foundered on the reef of jurisdictional conflicts with other committees. By any count, there are more than a dozen House committees and subcommittees claiming jurisdiction over some part of DHS.

“Many people do not grasp the jurisdiction and realities of our committee,” House Homeland Chairman Michael McCaul, R-Texas, said at the markup. “This reality has helped push reauthorization out of our grasp” in previous years.

But he noted that earlier this year, eight committee chairmen including himself, under the direction of the House speaker, signed a memorandum of understanding pledging to push through a reauthorization bill this year, and on a regular basis going forward.

“This is not a one-time deal. It is the establishment of a regular process that will ensure robust oversight and improve the operation of the Department for the benefit of the American people,” McCaul said.

Under the agreement, other committees will submit legislative language for the part of the department they oversee and the powerful Rules Committee will combine them into a single bill, which is expected to be brought to the House floor soon, perhaps even before the July Fourth recess.

The bill still has to pass the Senate, where there have also historically been some jurisdictional difficulties for DHS legislation. “Hopefully,” said the House aide, “getting it passed in the House will help kick-start something over there” in the Senate.