Boost state government cyber defenses by streamlining federal rules

State governments are facing unprecedented challenges due to the COVID-19 pandemic. While saving lives and addressing urgent public health needs remains the focus, state leaders must also prepare for the 2020 elections and address cybersecurity threats.

As Congress and the administration consider ways to provide assistance, streamlining federal regulations should be atop the list. 

This month, senior House Democrats, led by Homeland Security Committee Chairman Bennie Thompson (D-Miss.) wrote to Speaker Nancy Pelosi (D-Calif.) and Minority Leader Kevin McCarthy (R-Calif.) urging that the next federal spending package include funding to support state and local government cybersecurity. The lawmakers warned that state governments already face serious threats, including widespread ransomware attacks. Now, many state employees are working remotely. Demand for state IT services is surging as people apply for unemployment benefits and other assistance.

States also face serious challenges defending election infrastructure from potential cybersecurity threats. More than 8,000 different jurisdictions administer our elections. Voter registration databases and other government information systems are vulnerable to potential attacks.

Since 2016, the Department of Homeland Security has led a campaign to support state and local government cybersecurity. But much work remains. The Brennan Center estimated that it will cost more than $1 billion over five years to secure state and local election systems. And that’s before accounting for any system changes necessary to accommodate broader use of vote-by-mail that may be necessary during the pandemic.

Congress and the Trump administration have opened the U.S. Treasury’s checkbooks for unprecedented spending during the current pandemic. But cost-effective solutions should be prioritized since the national debt as a share of the economy is now larger than any time since World War II, according to the Committee for a Responsible Federal Budget.

A simple way for Washington to help state governments would be to make state chief information officers’ jobs a little easier.

The nonpartisan National Association of State Chief Information Officers’ (NASCIO) top federal advocacy priority is to “harmonize disparate federal cybersecurity regulations and normalize the audit process.” Simply streamlining bureaucratic compliance would allow these officials to focus more time on cybersecurity and maintaining state operations during the pandemic.

As background, states must partner with federal agencies to administer federal programs, which includes ensuring that information is protected. But different federal departments and agencies have specific rules for data security and separate audits to monitor compliance, which creates significant red tape.

For example, the Internal Revenue Service, Social Security Administration, and the Health and Human Services Department, among many others, have specific, and in some cases contradictory, rules for how to protect Americans’ information. As a result, state officials spend much of their time on bureaucratic compliance.

In 2018 testimony before the House Oversight Committee, then-Oklahoma State CIO James “Bo” Reese explained, “how duplicative, complex, and often conflicting federal regulations and their accompanying audits hinder state governments from achieving a more effective and efficient IT enterprise and cybersecurity posture.” He testified that his office spent 10,712 hours on “compliance activities and support,” which amounts to five employees’ entire year of work and nearly half of his team’s time spent answering federal rules.

Streamlining rules and audits would immediately boost state governments’ IT and cybersecurity capacity. For starters, harmonization would allow state CIOs to focus on the immediate challenge of managing the transition to a remote workforce and ensuring that states’ online services keep up with growing demand.

State government officials are also well positioned to provide assistance to local governments and school districts to prevent ransomware attacks and other attacks. According to a January report published by NASCIO and the National Governors Association, “65 percent of states reported providing security infrastructure and services to local governments.”

To be clear, the state CIOs aren’t asking for these rules to be waived. As Reese testified to Congress, states “are acutely aware of the responsibility to secure citizen data,” but ask that “our federal regulatory partners work collaboratively with state CIOs to harmonize disparate regulations and normalize the audit process.” Reese and NASCIO proposed a working group of state CIOs and federal regulators and “sought the assistance of the Office of Information and Regulatory Affairs within the Office of Management and Budget.”

The pandemic is causing the nation to rethink our approach to regulations, weighing past approaches to managing risk with the urgent need to address immediate life-and-death problems. Federal and state regulators are now exploring options to streamline rules to help communities across the country face the public health emergency.

Harmonizing cybersecurity regulations imposed on state governments was a good idea before the pandemic. Now, it should be a top priority to help states address current challenges and defend the 2020 election.

Dan Lips is director of cyber and national security with Lincoln Network.