At a Senate Homeland Security and Government Affairs Emerging Threats subcommittee hearing, representatives from state and local governments across the country pushed for dedicated federal funding, a priority of subcommittee chair Maggie Hassan, D-N.H.
"Today I'd like to share our concern that the small carve out for cybersecurity in the current Homeland Security funding does not meet the needs of our state and local governments," said Karen Huey, assistant director of the Ohio Department of Public Safety.
Homeland Security funding is prescriptively allocated, noted Huey, Texas County Judge Glen Whitley, small-town New Hampshire school superintendent Russell Holden, and Durham, North Carolina Mayor Stephen Schewel. Very little money can be allocated to cybersecurity priorities, despite state, local and tribal governments handling public utilities, emergency services, schools, transit, and other critical functions.
Ohio, said Huey, receives a total of $6.7 million, only $340 thousand of which is spent on cybersecurity.
The House has already passed block grant legislation for cybersecurity. Former Director of CISA Chris Krebs had also suggested a "digital infrastructure" block grant bill to follow the infrastructure bill earlier this year, as the pace of cyberattacks from espionage and ransomware quickened.
Huey proposed that localities' grant money be dependent on after-incident reporting of attack indicators to state authorities to aid in the common defense.
One issue states have traditionally faced with grant funding is that one-time payments cannot fund projects requiring long-term employment, training and equipment upgrades.
"Cybersecurity measures are ongoing expenses. And while a one-time grant will help get some efforts off the ground, network monitoring, training and upkeep must be budgeted for every year," said Schewel.
The proposal for block grants received pushback from co-chair Rand Paul, who worried that additional funding for state and local governments would balloon the debt out of control.
Paul nonetheless advocated that states take a proactive stand against hackers, improving defenses to reduce their own costs in the long run.
"Cyber security must be prioritized in the same way that any other essential services are prioritized," he said, later adding: "Recovering from cyber events, such as ransomware attacks and data breaches, is several orders of magnitude more costly than what it takes to implement and maintain good cybersecurity practices on the front end."
Paul also expressed concerns that the federal government would take too heavy-handed a role in mandating one-size-fits-all solutions for the private sector and for state and local governments.
Hearing witness Dan Lips, vice president for national security and government oversight, agreed with Paul's assessment of the budget harm of new funding. In its place, he proposed that the federal government reduce duplicative standards to reduce bureaucratic state labor costs, redirecting that money to cybersecurity. He also suggested congressional review of spending priorities, perhaps redirecting funding from the defense budget to cybersecurity, as well as repurposing unspent national security grants earmarked for other purposes to cybersecurity.
Lips further suggested that the federal government simplify cybersecurity guidance for state and local governments from the complex NIST Cybersecurity Framework to concrete action steps. That might inadvertently put him at odds with Paul's desire to keep state and local governments in charge of their own cybersecurity; the Cybersecurity Framework is complex to allow for heavily customized cybersecurity planning, while concrete steps are more inflexible.
Lips ultimately suggested that before moving forward with cybersecurity block grants, Congress make sure the grants are tied to risk reduction.
Local governments were adamant that new funding was more appropriate than repurposing existing homeland security funding.
"Our hope is that a dedicated cyber grant program will help ensure that we remain prepared for both the traditional terrorist event and a cyber threat without having to choose between the two," said Huey.