Budget strains leave cyber defense goals identified but unadopted at state, local and county levels, where successful attacks could down 911 call centers, halt school classes and disrupt water systems and waste treatment, speakers said during a Senate hearing yesterday.
Lawmakers convening the Homeland Security and Governmental Affairs Subcommittee on Emerging Threats and Spending Oversight hearing sought to determine how the federal government could use policy changes and new grants to better fund these needs, while controlling its own expenditures.
Jurisdictions are too often priced out of enacting attack prevention and incident response measures. After Superintendent Russell Holden’s Sunapee, N.H., school district fell to a ransomware attack in 2019, a security audit identified important fixes — but with daunting costs.
“Going through that audit process, we quickly realized that we were completely understaffed [in IT],” Holden said. “But to hire a new person would add at least 1 percent to our overall budget.”
Lower-level government often struggles with the expense of hiring IT personnel, vetting software, upgrading systems and a variety of other preventative and response methods, several government leaders attested during the hearing. Those expenses are no small matter, but the societal costs of not investing and falling to attack may be greater still.
The federal government has recently shown willingness to open up its purse, with efforts like the American Rescue Plan funding various cybersecurity needs and Homeland Security Secretary Alejandro Mayorkas instructing state and local recipients of Urban Areas Security Initiative (UASI) and State Homeland Security Program (SHSP) security defense grants to direct greater portions of their awards toward cybersecurity.
Yet testifying government officials said many efforts still fall short. Karen Huey, assistant director of the Ohio Department of Public Safety, and Mayor Stephen Schewel of Durham, N.C., said state and local governments need designated cybersecurity funding that does not subtract from investments in other public security priorities, which are still very much needed.
Schewel also underscored the need for regularly recurring funding to support defensive needs that are not one-and-done, such as continual network monitoring, regular software upgrading and frequent staff training.
“Cybersecurity measures are an ongoing expense,” Schewel said, even if “a one-time grant will help get some efforts off the ground.”
Federal agencies may need to consider whether some policies are preventing funds from being used impactfully.
Dan Lips, vice president of national security and government oversight at the Lincoln Network, a technology- and public policy-focused nonprofit, said during the hearing that 50 percent of UASI and SHSP funds disbursed from 2015 to 2020 have not yet been spent. He said it was not clear why.
While not speaking in response to Lips, Tarrant County, Texas, Judge Glen Whitley said that restrictions on exactly how funding sources can be spent can block jurisdictions from putting money where it’s most needed to meet their specific needs, and he called for flexible funding.
Holden similarly expressed interest in widening how monies can be used and proposed examining whether some restrictions on Title IV education funding could be loosened to allow for tapping it to boost school systems’ cyber protections.
In other cases, strict requirements can keep those in need from qualifying for financial support: Policies that require localities to pitch in with matching contributions often hamstring initiatives by locking out smaller municipalities without the resources to make those matches, Schewel said.
Senators did not contest the need to better support cybersecurity – but Sen. Rand Paul, R-Kentucky, questioned whether it was necessary for the federal government to budget more money or if other strategies could be helpful.
“The Washington solution seems to be throwing money at every problem,” Paul said.
Lips also expressed concerns around federal spending and pointed to recent Government Accountability Office (GAO) reports that have found public debt increasing faster than economic growth – something that could ultimately cause a drop in the value of the U.S. dollar.
(The GAO report proposed several steps for addressing the issue, including that the government reap more revenue by working to ensure it genuinely receives all taxes due to it and trim some unnecessary costs by better avoiding accidental overpayments.)
Not all support needs to be directly financial, however, and some policy changes could help reduce demands on state, local and county budgets, Lips said.
For example, jurisdictions can struggle to sort through different federal agencies’ cybersecurity regulations, especially when some departments’ rules seem to conflict. Bringing different agencies’ rules into greater alignment could simplify this work and reduce the amount of staff time spent on compliance, Lips said.
He also suggested the federal government strive to offer partners simpler security recommendations that are easy to digest and act on. Smaller entities may struggle to work with the National Institute of Standards and Technology’s (NIST) robust but extensive and “high-level” slate of suggestions.