In addition to the grant program, other provisions in the bipartisan proposal would enhance cybersecurity for local utilities and water systems.
The $1 trillion bipartisan infrastructure bill is about more than building and repairing roads and bridges—it also aims to strengthen the nation’s cybersecurity.
The 2,700-page bill, which lawmakers released this week, includes provisions that would assist in cybersecurity planning for infrastructure like electric grids and water systems and establish a grant program to aid state and local governments.
A grant program funded in the bill would provide $1 billion to state and local governments over four years to help them strengthen defenses against ransomware and other cyberattacks.
“There is a lot of flexibility in how you can spend that money,” said Matt Pincus, the director of government affairs at the National Association of State Chief Information Officers, of the proposal.
The program would require states to distribute at least 80% of funding they receive to local governments, and 25% of the funding would be set aside for rural areas, according to Sen. Maggie Hassan, a New Hampshire Democrat who pushed for inclusion of the grant program in the infrastructure package.
“State and local governments need more resources to prevent cyberattacks that can devastate their ability to carry out day-to-day functions that citizens rely on, from protecting school data to keeping utilities up and running,” said Hassan in an email statement.
To be eligible for a grant, state and local governments would have to submit a cybersecurity plan to the U.S. Department of Homeland Security for review that details technological capabilities and protocols in place to detect and respond to cyber intrusions. The plans would be required to meet certain baseline standards.
While all states have some sort of cybersecurity plan in place, many small municipal governments do not have the manpower or resources to work on these sorts of matters or to provide regular cybersecurity training to staff, Pincus said. Because of their lack of resources, the federal grant program would be “a game changer” for local governments, he said. The grants could be used to help local governments devise these response and protection plans, host regular training on cybersecurity best practices, or even implement multifactor authentication for employees to prevent potential security breaches, he said.
Cybersecurity has been a top concern for public sector IT professionals for some time—recent hacks on local governments have caused schools to cancel classes, nearly poisoned water at a water treatment plant, and enabled hackers to leak internal police files on officers working in the nation’s capital. But concern has grown during the coronavirus pandemic, as many government employees transitioned to work remotely.
To help protect critical infrastructure from cyberattacks, the bill also includes a $250 million grant program for rural and municipal utilities, including rural electric cooperatives and municipally owned electric utilities. The program would provide grants that could help these entities detect and respond to cybersecurity threats within electric grid systems and promote participation in threat information sharing programs.
The nation’s electric grid system, which is primarily regulated by states, is “increasingly at risk from cyberattacks,” the U.S. Government Accountability Office said in a report released this year.
The bill aims to strengthen cybersecurity within municipal water systems as well. One provision in the bill would task the Cybersecurity and Infrastructure Security Agency with developing a list of public water systems deemed vulnerable to a cyberattack. CISA would then create a plan to provide voluntary technical and cybersecurity support to those public water systems.
More broadly, the infrastructure package would also boost funding for CISA, providing $20 million annually for the Cyber Response and Recovery Fund. That money could be used to provide assistance to state and local governments or private entities during a cybersecurity incident, including vulnerability assessments, malware analysis or threat detection.
Andrea Noble is a staff correspondent with Route Fifty.