Congress looks to strengthen government’s aging cyber infrastructure

Congress is working to funnel resources to beef up state and local government cybersecurity infrastructure after the COVID-19 pandemic forced municipalities to move many essential operations to aging and vulnerable online sources.

Included in the bipartisan infrastructure bill passed by the Senate in August is $1 billion to shore up government cybersecurity after a year in which hackers took full advantage of targeting systems. Officials say lessons have been learned.

“Cybersecurity has been the No. 1 issue and priority for state chief information officers. That hasn’t changed, but certainly the pandemic has exacerbated a lot of things in terms of funding, in terms of resources, and how to ensure that you are maintaining enterprise levels of cybersecurity while doing it virtually,” Matt Pincus, the director of government affairs at the National Association of State Chief Information Officers, told The Hill. 

States and local governments were already facing cyber threats before the pandemic hit, particularly when it came to ransomware attacks. A spree of coordinated attacks hit almost two dozen Texas city governments in 2019, and attacks on major cities that same year, including Baltimore, Atlanta and New Orleans, caused millions of dollars in damages and debilitated city services. 

States and localities already prone to such attacks were forced to move their services online with just a few days notice in early 2020 when the pandemic struck, forcing many to initially prioritize resident services over cybersecurity, which left systems open to vulnerabilities. 

These have included an increase in fraud cases around unemployment and other pandemic benefits, along with an explosion in ransomware attacks. Pincus told The Hill that 60 percent of state chief information officers said ransomware was their “No. 1 cybersecurity concern.” 

“Certainly this hasn’t gone away, and if anything, COVID’s been a good test case for a lot of states in terms of how they are postured on cyber,” Pincus said. 

Michael Watson, the chief information security officer of the Virginia Information Technologies Agency, said last week that his office was in a “cleanup phase” after rushing to digital services at the beginning of the pandemic.

“We had to be a little comfortable with being uncomfortable for a while there and looking at ways to try to limit our risk wherever possible,” Watson said on a panel at the Billington CyberSecurity Summit. “Now we are kind of doing a little bit of work to bring that back in and figure out what we want our risk posture to be overall.”

State and local governments are not alone in their push to secure their networks. 

The funds allocated in the Senate bipartisan bill are part of the State and Local Cybersecurity Improvement Act, which would create a grant program at the Department of Homeland Security to provide funding to government entities over four years, with a quarter of the funds going to more vulnerable rural communities. 

The Senate measure is similar to a bill in the House spearheaded by Rep. Yvette Clarke (D-N.Y.), chair of the House Homeland Security Committee’s cybersecurity panel, which would also provide millions in cybersecurity funding for state and local governments. The bill was passed by the House in July, and Clarke vowed last week to continue pushing for progress on the legislation and other cybersecurity-related bills.

“The evidence is clear, our adversaries are aware of America’s cyber deficiencies and are eager to exploit them. They will only continue to target these shortcomings if we do not address them immediately,” Clarke said at a virtual event hosted by the National Cyber Security Alliance.

Awareness of cybersecurity threats has exploded at the federal level following a spate of major attacks on government agencies and large companies, such as Colonial Pipeline and meat producer JBS USA, in recent months, both of which briefly interrupted consumer services.

Such awareness could be a boon to state and local governments, with more attention likely to bring more resources. 

“It’s in everyone’s interest,” Pincus said of security. “I think there has been more recognition over the last year and a half than there has been before, so that’s a positive.”