Last week, the US House of Representatives passed an extensive package of bipartisan bills. Five new pieces of legislation take a variety of approaches to strengthen the nation’s response to online threats. Chairman Bennie Gordon Thompson sees them as an essential step to ensure state and local governments are not left vulnerable to cyberattacks.
Critical Bipartisan Legislation
“Cyberattacks have increased at a rapid pace this year and pose a persistent threat to our national security,” said Chairman Thompson. “I am pleased that the House came together to pass this critical bipartisan legislation. I look forward to working with the Senate to ensure these bills become law.”
The five pieces of legislation were part of an extensive package of over a dozen homeland security bills. These bills address many of the threats the nation is facing today. In the US, state and local governments oversee water utilities and electricity, airports, schools, law enforcement, emergency rescue operations, hospitals and more. This makes government departments top targets for cyberattacks.
Moreover, the COVID-19 pandemic has made things worse. Last year, thousands of US government entities, healthcare facilities and schools fell victim to ransomware attacks. Working from home, whether out of necessity or just because it is possible, will probably only increase the number of hacking and phishing attempts in the coming years.
Five New Cybersecurity Bills
All five cybersecurity bills are proposed as amendments to the Homeland Security Act of 2002. They are designed to bolster state and local governments’ cyber defense capabilities.
- The first bill, the State and Local Cybersecurity Improvement Act, establishes a new $500 million grant program. These grants will provide governments with dedicated funding to secure their networks. The bill was, in part, inspired by the 2019 ransomware attack on the City of Baltimore that reportedly cost the city more than $18 million.
- Second is the Cybersecurity Vulnerability Remediation Act. This bill would authorize the US Cybersecurity and Infrastructure Security Agency (CISA) to assist owners and operators of critical infrastructure with mitigation strategies for the most critical known vulnerabilities.
- The third bill, the CISA Cyber Exercise Act, directs CISA to create National Cyber Exercise programs. The aim is to promote more regular testing and systemic assessments of the preparedness and resilience of critical infrastructure.
- Fourth is the DHS Industrial Control Systems Capabilities Enhancement Act of 2021. This bill’s goal is to improve CISA’s ability to identify and address cyberthreats and vulnerabilities to industrial control systems used in critical infrastructure.
- The last bill in the series of five is the Domains Critical to Homeland Security Act. This bill authorizes the Department of Homeland Security (DHS) to conduct research and development into supply chain risks to domains that are critical for the US economy.
Congressman Dutch Ruppersberger thanked colleagues for supporting this legislation. “Cybercriminals know that state and local government is where the rubber meets the road, providing essential services that we all rely on every day. This legislation will give state and local governments the resources they need to invest in cybersecurity, protecting citizens and tax dollars.”
Cybersecurity Not Adequately Funded
According to the 2020 Deloitte-NASCIO Cybersecurity study, most states have allocated less than 3% of their total IT budget to cybersecurity. Federal agencies spend a greater percentage of their IT budget on strengthening their cyber resilience. The Department of Justice spends the most. In 2021, almost a third of its IT budget (28.16%) goes to cybersecurity.
The Department of Transportation currently spends the least. It allocated just 7.33% to cybersecurity for this year. Nonetheless, this is still more than double what states spend. Most of the states’ budget goes to incident management, followed by awareness and training, investigation and forensics, security operations and vulnerability management.
More astonishing is that only 18 states have a separate cybersecurity budget line item. (There are fifty states in total, plus Washington DC.) Just a minority of these states have increased the cybersecurity budget since 2018. The most important source of funding is the US Department of Homeland Security, providing 46% of the budget. 19% originates from business or program stakeholders.
