Experts warn of coming ‘reprioritization’ for cyber funding
MR.Cole_Photographer via Getty Images
By
Chris Teale
A popular federal grant program looks unlikely to be replenished, they said, so states must start thinking differently about how they want to fund their cybersecurity efforts.
In the months since the House passed legislation to reauthorize the State and Local Cybersecurity Grant Program in November and with companion legislation still pending in the Senate, some state and local leaders appear skeptical that it will be replenished and are looking for alternatives.
New funding for the program remains to be seen, as its initial $1 billion has been quickly exhausted by cash-strapped states looking to protect themselves from cyber threats.
Christine Serrano Glassner, chief of external affairs at the Cybersecurity and Infrastructure Security Agency, said the end of grant funding means states will have to engage in “reprioritization” of their cyber budgets and find new funding sources.
“We know that the funding is not going to be reupped on the state and local grant program at this point,” she said during a panel discussion at the Billington State and Local Cybersecurity Summit this week in Washington, D.C. “[States] know that they're never not asking for more help. It's got to be more about what resources are out there, what free resources and tools do they need to be aware of and start using. Reprioritization of their own budgets [for] what really matters.”
The $1 billion across four years has been spent on a variety of cyber efforts, including endpoint detection, multifactor authentication, security operations and other shared services. And a key tenet of the grant program, which was included in the 2021 infrastructure law, required states to have a cybersecurity planning committee and strategy in place.
But while lawmakers have voted to reauthorize the program, they have yet to fund additional years, although several groups have made various suggestions. A joint letter the Alliance for Digital Innovation, Better Identity Coalition, Cybersecurity Coalition, ITI and TechNet sent to lawmakers in September suggested establishing a stable funding stream of $4.5 billion over two years, noting that the “cost of inaction” would be even higher if Congress does not invest now in a national strategy.
However, in financially constrained times, it can be difficult for states to invest in cybersecurity when they have so many other priorities to fund.
“Are we going to support medical resources for families or feeding families? It's really tough to weigh that against cybersecurity or privacy infrastructure,” said Nevada Chief Information Officer Timothy Galluzi. “Obviously, having a crisis changes things a little bit, but it shouldn't take a crisis to motivate folks to invest in infrastructure and cybersecurity.”
It means, then, that cybersecurity professionals must be good at telling their stories and showing the difference their work makes. Too often, said Virginia Chief Information Security Officer Michael Watson, government cybersecurity leaders “get good” and then “get quiet” as their hard work has kept them out of the headlines. Then, they need to explain why continual investment is necessary, he said.
“If you're not telling your story, if you're not telling the story of cybersecurity and why it's important for your municipality, for your organization, they're not going to hear you,” Galluzi said. “They're not going to listen to you, and they're going to fund the other effort or the other priority.”
In addition, speakers said there need to be new ways to track metrics of success in cybersecurity that are more focused on outcomes. The old ways of tracking patches and the number of IT tickets that have been handled are “meaningless,” said Orange County, California CISO Andrew Alipanah. Instead, tracking how many critical assets are covered and to what extent, is much more effective.
“These are things that are meaningful and they have to follow directly from your strategic security plan,” Alipanah said. “It's one of the easiest ways to get funding, because you can actually show it to your policymakers and funding sources.”
These new approaches, and changing procurement to be more challenge- or outcome-focused, would be massive shifts in policy but would be more proactive, experts said. It would be a sea change compared to the past, when governments would only invest in cybersecurity after a major incident shut down their systems.
“Why don't you just fund the cybersecurity side of the house properly from the beginning, so that you don't have to jump through hoops and organize and reappropriate funds into an area that is obviously the forefront of all your data, all your infrastructure, all your people, all your [personally identifiable information] and all your [Health Insurance Portability and Accountability Act] data,” Jared Pane, senior director of public sector business for field engineering at data company Elastic, said in an interview at the summit. “Yet you're only going to throw a minimum amount of funding and a minimal amount of money towards that.”
Serrano Glassner, who herself was a local elected official in New Jersey — including a spell as mayor of Mendham Borough — until she resigned to take a post in the new Trump administration, said some tough choices are ahead in cybersecurity budgeting.
“We have to look within and say what is really important and what do we need to prioritize,” she said.