Connecting state and local government leaders
A report from the Government Accountability Office identified 27 grants not “intended to primarily support cybersecurity activities” that state and local governments could tap for critical funding—if they have grant writing expertise.
Earlier this month, a cyberattack crashed parts of the Washington State Department of Transportation’s website, including its highway travel map, traffic cameras, the ferry vessel tracker and online freight permit services. Several days later across the country, Huber Heights, Ohio, was hit with a ransomware attack that affected multiple city government systems and functions. Breaches like these on state and local governments are becoming more and more common. They are also costing states and cities a lot more money.
But there are dozens of federal grants that states and localities might not know about that can help them improve their cybersecurity, according to a Government Accountability Office report released last week. The agency found that there are 27 federal grants that were not “intended to primarily support cybersecurity activities,” but can be used by cities and states to improve the security of computer systems. Between fiscal years 2019-2022, these agencies handed out $827 million in grants for cybersecurity efforts in state and local governments.
Among the grants identified in the report are those offered by the Interior Department, the U.S. Election Assistance Commission and the Federal Emergency Management Agency. The main intent of some of these grants is to address issues such as climate change and preventing terrorist attacks.
But essential services provided by state and local governments including public utilities, health care, and public safety “are increasingly reliant on the internet, making them vulnerable to various cyber-related risks,” said the GAO report, which examined what cybersecurity funds are available at the request of the House Homeland Security Committee.
“A failure or disruption to [state and local government’s] critical infrastructure could result in significant harm, a major public health issue, long-term economic loss and impacts to other critical infrastructure,” the report said.
Indeed, citing data from the Multi-State Information Sharing and Analysis Center, state, local and tribal governments dealt with about 2,800 ransomware attacks between January 2017 through March 2021. The report included a number of examples of what can happen when governments are victims of ransomware attacks.
In January 2023, for example, Iowa’s Des Moines Public Schools had to cancel classes for two days while its information technology staff investigated suspicious activity in its network.
Following a ransomware attack, a group demanded payment for the personal data it stole from the Los Angeles Unified School District in September 2022. After the nation’s second largest public school district refused to pay, the hackers posted 2,000 student mental health assessment records on the dark web.
In December 2021, the personal information of more than 500,000 Chicago Public Schools staff and students, including their names, dates of birth, genders and school identification numbers were made public after a ransomware attack.
The report also cited another ransomware attack in Baltimore in May 2019 that led to city employees not being able to access their emails and delayed real estate sales and water billing in the city for months.
Among the grants the GAO targets for state and local governments are those run by FEMA, which are generally meant to aid efforts to protect against terrorism. The agency, the report said, gave out $6.8 million, or about 10% of the funding handed out through grants, to improve cybersecurity in all 50 states between fiscal years 2019 through 2022.
The Election Assistance Commission, meanwhile, gave out $155.7 million in grants over the same period for election security—some of which was distributed during the pandemic to accommodate absentee voting. One state upgraded its elections computer system and another state used COVID funding to make electronic absentee voting more secure.
Among the other grants, the report said, is the Interior Department’s Technical Assistance Program, which is mainly intended to be used in efforts to fight climate change, bolster energy projects and protect natural resources. But between fiscal years 2019 and 2022, the program gave out $844,106 to two territories for cybersecurity. The money was used to buy software to report and detect anomalies in their networks, upgrade switches and routers, create cybersecurity policies, and train system technicians.
But the GAO warns in the report that the ability of state and local agencies to identify, apply for and manage these grants depends on several factors, particularly whether the organization has sufficient staff, knowledge and technical skills. The report notes that smaller governments are likely to lack employees with expertise in grant writing.
Kery Murakami is a senior reporter for Route Fifty, covering Congress and federal policy. He can be reached at email@example.com. Follow @Kery_Murakami