A bipartisan group of House members led by Rep. Yvette Clarke (D-N.Y.) soon will introduce a bill that will authorize $500 million annually in federal grants to state, local, tribal and territorial (SLTT) governments to strengthen their cybersecurity posture, including bolstering defenses against ransomware attacks, Clarke said on Wednesday.
“As the ever-increasing number of ransomware attacks on state and local governments demonstrates, adequate investment in cybersecurity has been lacking and more resources are needed,” Clarke said in her opening statement during a hearing she chaired of the House Homeland Security subcommittee on Cybersecurity, Infrastructure Protection & Innovation.
Clarke said large and small governments in the U.S. are vulnerable to ransomware attacks.
The State and Local Cybersecurity Improvement Act would provide resources to SLTT governments to bolster their cybersecurity and also require them to “prioritize cybersecurity in their own budgets,” she said.
Clarke said there is bipartisan support on the committee for the legislation and that she is working to get it passed with the help of Rep. Andrew Garbarino (R-N.Y.), ranking member of the subcommittee, Rep. Bennie Thompson (D-Miss.), chairman of the full committee, and Rep. John Katko (R-N.Y.), ranking member of the committee.
The forthcoming bill is similar to one introduced in the House last year with the same name that would have authorized a $400 million Department of Homeland Security grant program to incentivize states to increase their own cybersecurity funding.
Chris Krebs, the former director of the DHS Cybersecurity and Infrastructure Security Agency, told the panel that legacy information technology systems used by SLTT governments are a major vulnerability.
Krebs said that “perhaps the area with greatest need for government investment is not necessarily within the federal government…but within our state and local partners. The idea is simple. We can reduce that attack surface across state, local, tribal and territorial government organizations in this country by investing in more modern systems.”
Such investments will improve services for citizens and create technology jobs, Krebs said.
Denis Goulet, chief information officer for New Hampshire, agreed with Krebs.
Goulet told the panel that a recent “comprehensive cyber risk assessment” conducted by the state showed that legacy systems “overwhelmingly” were a weak spot. The review led to temporary shutdowns of some citizen-facing systems until vulnerabilities were mitigated, he said.
Earlier Wednesday afternoon, Homeland Security Secretary Alejandro Mayorkas warned that “no one is inoculated from” the threat of ransomware. Speaking during a virtual event hosted by the U.S. Chamber of Commerce on the threat of ransomware to small and medium-sized businesses, Mayorkas pointed out that CISA and the U.S. Secret Service have tools and resources for these and other entities to help them prevent and respond to ransomware attacks.
Mayorkas said between 50 and 75 percent of ransomware attack victims are small businesses and that over $350 million in payments were made in the past year by victims of ransomware to their attackers.
Chris Roberti, vice president for Cyber and Security Policy with the chamber and the moderator of the discussion with Mayorkas, said a statistic he came across is that 60 percent of small and medium-sized business owners don’t think they will be a target of cyber criminals. Mayorkas said for anyone who believes they’re “invulnerable” to a cyber-attack, “one is probably putting a bigger target on one’s back.”
Under Mayorkas, DHS has increased the share of homeland security grant spending to SLTTs that must go to cybersecurity from 5 percent to 7.5 percent. New Hampshire’s Goulet said later during the hearing that the existing federal grant funding to states for cybersecurity is insufficient.
Mayorkas also said that DHS is looking into a potential new grant program that could provide cybersecurity funding for “enterprises that otherwise are outside of our existing grant programs to really raise the bar of cybersecurity throughout the country.”