House lawmakers roll out bill to invest $500 million in state and local cybersecurity

A group of bipartisan House lawmakers on Wednesday rolled out legislation that would provide state and local governments with $500 million annually to defend against cyberattacks, which have escalated over the past year during the COVID-19 pandemic. 

The State and Local Cybersecurity Improvement Act, led by House Homeland Security Committee cybersecurity subcommittee Chairwoman Yvette Clarke (D-N.Y.), would create a grant program to provide $500 million annually to state and local governments over the next five years for cybersecurity needs.

The legislation, provided to The Hill to review Wednesday, would also require state and local governments to submit plans for securing their systems against cyber threats in order to obtain the funding, and establish committees to implement the plans. 

Clarke teased the legislation last week during a subcommittee hearing on ransomware threats, noting she would reintroduce it “in the coming days.” It was passed by the House last year, but failed to get a vote in the Senate. 

“As the ever-increasing number of ransomware attacks on state and local governments demonstrates, adequate investment in cybersecurity has been lacking, and more resources are needed,” Clarke said at the hearing. “This legislation would ensure funding is available, while insisting state and local governments step up to prioritize cybersecurity in their own budgets.”

The bill is a major bipartisan effort, with House Homeland Security Committee Chairman Bennie Thompson (D-Miss.), ranking member Rep. John Katko (R-N.Y.) and cybersecurity subcommittee ranking member Rep. Andrew Garbarino (R-N.Y.) among the sponsors. 

House Foreign Affairs Committee ranking member Rep. Michael McCaul (R-Texas) and Reps. Dutch Ruppersberger (D-Md.) and Derek Kilmer (D-Wash.) are also co-sponsors. 

Katko testified at the same hearing last week that he was “looking forward” to pushing the legislation, noting that “equipping state and local governments with the resources to bolster their defenses is an important step.”

“While we all can agree more resources for our state and local governments are necessary, we must also ensure these funds are spent responsibly, and effectuate meaningful impacts on risk reduction,” Garbarino testified at the hearing. “This important bill is a tremendous step forward in our fight, but we can’t stop there.”

State and local governments have come under intense pressure from cyber threats over the past few years, and in particular during the COVID-19 pandemic, as more operations moved online and hackers targeted vulnerable and sometimes aging systems. 

Schools, hospitals and libraries have been among public institutions targeted by ransomware attacks, among other cyber threats, and the city governments of Baltimore, New Orleans and Atlanta have been forced to spend millions of dollars to recover from ransomware attacks targeting operations in recent years. 

The bill also comes as the nation continues to grapple with the fallout of a succession of major cyberattacks. 

The SolarWinds attack, first discovered in December, allowed Russian government-backed hackers to compromise nine federal agencies and at least 100 private-sector groups, while new vulnerabilities in Microsoft’s Exchange Server allowed Russian and Chinese hackers to potentially compromise thousands more organizations.

Last week, Colonial Pipeline was forced to shut down operations due to a ransomware attack on its IT systems. The pipeline provides 45 percent of the East Coast’s oil supply. As of Wednesday, the suspension of operations has lead to fuel shortages in some areas of the country. 

Clarke, Thompson, Katko and Garbarino joined the bipartisan leaders of the House Transportation and Infrastructure Committee to send a letter Tuesday night to Jake Sullivan, President Biden’s national security adviser, expressing strong concerns around the Colonial Pipeline incident. 

“We are deeply concerned about the security of our nation’s critical infrastructure and the industrial control systems (ICS) that underpin many national critical functions,” the lawmakers wrote. “As we have repeatedly stressed, cybersecurity is no longer just an ‘IT issue’ but instead an economic and national security challenge that can have real-world impacts to our security.”

“It is imperative that the federal response is rapid, clear, and consistent,” they stressed.

–Updated at 3:58 p.m.