The views expressed by contributors are their own and not the view of The Hill

Time for a cybersecurity grant program for the states

The current imbroglio between state governments and DHS over voting systems being designated as critical infrastructure misses an opportunity for more proactive partnership between states and the feds on cyber security. 

Congress and DHS should show their seriousness about states’ cyber defenses by directing some of President Trump’s $1 trillion infrastructure investment toward expenditures on shoring up states’ critical cyber infrastructure. 

{mosads}This is an imperative stemming from the persistent and growing gap between the cyber threat to state governments and their ability to mitigate it.  They need federal help.

Consider some of these troubling numbers:

  • According to a 2015 Ponemon Institute study, 50 percent of state and local governments experienced 6 to 25 breaches in the prior 24 months, and 12 percent experienced more than 25 breaches. 
  • Most state cyber budgets are between 0-2 percent of their overall IT budget, compared with an average of more than 10 percent in large companies.
  • According to one DHS tally, only 30 states and 2 tribal territories spent a collective total of $27.3 million on cyber security as an “allowable expense” with HSGP grants over a four-year period from 2011-2014.
  • 80 percent of state CIO’s surveyed in a 2016 NASCIO and Deloitte study indicated lack of sufficient funding as their number 1 challenge in cyber security, followed by inadequate availability of cyber security professionals.

It isn’t that states aren’t getting some in-kind assistance. DHS is to be commended for the range of cyber security services it offers, such as support for the Multi-State Information Sharing and Analysis Center that provides cyber threat feeds, cyber resilience reviews and on-site support. But the fact is these initiatives are the cart before the horse.  If state agencies and services do not have a foundational security architecture, advanced protective tools, and experienced technical professionals to manage them, then it won’t be able to act effectively on DHS assistance. 

That was the principle behind establishment of the Homeland Security Grant Program in 2003, a $1 billion per year fund to help the states strengthen their security posture in a range of physical security, public safety and emergency management functions.  But it has never carved out a dedicated cyber fund since its inception.  Strapped state budgets tend to favor security investments that are more physically and politically visible than firewalls and cyber risk assessments.

So now, the time is right for an HSGP 2.0 for cybersecurity – big league. President Trump has identified infrastructure renewal as one of his top priorities. But we can’t modernize public transportation, water purification, e-911, air traffic control or the electric grid without securing the IT and communications networks that control the nervous system of “smart cities”, “industrial internet” and “predictive maintenance.” In today’s world, physical security needs cyber security. 

This reality is not lost on the National Governors Association under Gov. Terry McAuliffe’s chairmanship, whose signature initiative – “Meet the Threat” – targets cyber security for the states.

Now, newly introduced bipartisan bills in the House and Senate would create a dedicated cyber grant program for the states, by establishing funding first for resiliency planning and then for acquisition of technology, services and best practices implementation.  Bill sponsors Reps. Derek Kilmer (D-Wash.) and Barbara Comstock (R-Va.) in the House, and Sen. Mark Warner (D-Va.) and Cory Gardner (D-Colo.) in the Senate understand that the internet protocol and the information and services it manages across state and local governments – both online and physical – is essential critical infrastructure that needs collaborative protection between state and federal government, and the private sector.

President Trump’s vision for infrastructure investment should in turn drive funding toward securing the digital infrastructure that powers “smart cities” and “smart states” and all the physical infrastructure that operates on top of it. 

Business leaders agree. In an open letter to President-elect Trump, IBM CEO Ginni Rometty observed: “…(A)s infrastructure gets smarter, it also increases the need for cybersecurity, so that vital networks cannot be compromised. We recommend that your infrastructure package include incentives for states and localities to build intelligent – and secure – roads, bridges, buildings, and other public facilities.”

Good government in the form of infrastructure investment means you need to spend money to save money in the long run – as insurance against galloping innovation and evolving threats and vulnerabilities.  Forsaking states’ cyber funding needs for another four years would be penny wise and pound foolish.  Instead, shouldn’t we spend a penny to save a dollar? That’s good business, good government, more jobs and a secure infrastructure.

Greg Garcia served as the nation’s first Assistant Secretary for Cybersecurity and Communications at the U.S. Department of Homeland Security from 2006-08.  He is Executive Vice President for the Signal Group and is executive director of the Alliance for Cybersecurity Enhancement in the States.


The views expressed by this author are their own and are not the views of The Hill.

Tags Cory Gardner Derek Kilmer Mark Warner

Copyright 2024 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed..

 

Main Area Top ↴

Testing Homepage Widget

 

Main Area Middle ↴
Main Area Bottom ↴

Most Popular

Load more

Video

See all Video