(Source: MIRS.news, Published 08/30/2024) (LOUISVILLE) -- Cybersecurity is an ongoing challenge for state and local governments that cannot be ignored, panelists said at a National Conference of State Legislatures (NCSL) forum last month. They added that federal grants are available to help with initial funding, but cannot be relied upon continually.
The panel included Texas Rep. Giovanni Capriglione, chair of the Texas House of Representatives’ Select Committee on Artificial Intelligence and Emerging Technologies; Brady Vaughn, director of budget and public affairs at the Texas Department of Information Resources; and Meredith Ward, deputy executive director of the National Association of State Chief Information Officers (NASCIO). It was moderated by Sean McSpaden, principal legislative IT analyst for the Oregon Legislative Assembly.
McSpaden opened the discussion by saying ransomware and other cyberattacks threaten the nation’s cybersecurity, infrastructure, economy, public health and safety. The threats and impacts from these attacks seemingly continue to worsen each day for public, private and nonprofit sector organizations across the United States.
At the technical level, the cybersecurity landscape is constantly shifting. The workforce for state and local governments is often “outgunned and outnumbered with limited reinforcements available on the horizon.” Cybersecurity officials with the requisite knowledge, skills and abilities are “scarce” and in demand across all sectors. While there are multiple cybersecurity workforce development, educational and training programs in states across the country, they typically lack the funding needed to produce enough qualified professionals at a rate and pace to meet the need.
McSpaden also discussed how a range of educational institutions have identified internal cybersecurity vulnerabilities and IT modernization needs that can’t be addressed alone, which has led them to seek help from their state legislatures. Cybersecurity is a “team sport,” he said, a point echoed by the panel.
These issues led to the creation of a federal cybersecurity grant program for state and local governments that he said is non-competitive and formula-based. It is expected to provide approximately $1 billion in required state matching funds by the end of FY ’25. The state matching funds percentage has increased every year of the grant program, which started disbursing funds in FY ’22. Eighty percent of the funds are reserved for eligible local entities. In addition to this program, the U.S. Government Accountability Office (GAO) published a report in November 2023 on numerous other federal grants for cybersecurity support, with a total of $827 million among them.
Accessing and effectively utilizing the federal grant funds requires “coordinated governance, planning grant applications, distribution of funds by state legislatures and project implementation among and between the executive and legislative branches of state government and between state and local representatives in the months and years to come,” he continued.
The federal government and states have begun a “whole of government approach” to cybersecurity, with McSpaden calling it “the new imperative for us all.” He also talked about how cybersecurity is not “finite” and represents a series of tasks over the long haul.
“Security by design” needs to be a mantra in acquiring new systems, McSpaden said as well. He added that cybersecurity incidents “will happen” as far as local governments are concerned and they need to prepare for that event.
Ward followed by talking about how there is growing awareness of the issue both in government and among the public. Ward also discussed the data that state governments have, including tax records, and the protection efforts around it. Cybersecurity will always need funding and is becoming more difficult due to new approaches by bad actors. Attempted attacks will continue on a daily basis, she continued.
Ward also explained different models for state cybersecurity and budgeting types, with cybersecurity representing 2 to 5 percent of the IT budget. At the federal government and private sector levels, however, cybersecurity is at around 10 to 12 percent. States have a “long way to go,” though there has been progress in recent years.
Capriglione compared cybersecurity to other government functions that are “expensive but necessary.” He added that it reflects an investment in trained workforce, hardware and software in order to protect personal data stored by the state and children’s online privacy. Looking at it like a service helps make it easier to justify funding for cybersecurity programs, Capriglione continued, even though cybersecurity will always be a challenge.
Vaughn described how state funding for cybersecurity has changed over time in Texas and also noted state residents have no alternative to government systems. Cyber officials should be right all the time, while bad actors only need to succeed once for an attack, he added.
Vaughn and Ward also discussed the recent CrowdStrike software outage. Capriglione gave an overview of how artificial intelligence (AI) is growing and is being used for cybersecurity in Texas already. Bad actors use AI as well to improve their attacks, however. He also talked about communicating with legislators on the need for procuring new computer technology now.
Ward said that prevention is not as expensive as the cost of a cyber incident when “basic” steps had not been taken. She said some states have “technical debt” in the form of aging computers that pose a cybersecurity weak point, as well.
Capriglione and Vaughn also discussed how Texas has used federal grants, which McSpaden noted are meant to provide initial funding support. Capriglione said that unlike with grants during the pandemic, some requirements of these federal programs make it difficult for local governments to use them. He also said his office conducted a poll measuring willingness to vote for a candidate based on cybersecurity and it had a higher response than border security, adding for emphasis that this was in Texas.
Ward followed that by saying states and local governments cannot rely on federal funding to support their cybersecurity efforts over time. McSpaden concurred. Capriglione detailed how it is more difficult for states to find cybersecurity professionals since they can’t pay as well as the private sector. He said Texas has developed an apprenticeship program to help people train more quickly for government IT jobs. Vaughn gave further details about the results of that program.
Ward added that workforce is one of the biggest challenges and that while states can’t match private sector pay they can provide better benefits and remote work options. Thirty to 40 states have removed their four-year college degree requirement for these jobs in recent years.
Asked by the audience about balancing public transparency and not revealing government vulnerabilities to bad actors, Capriglione said there is a “time and place for everything” and executive sessions can be useful to discuss negotiating during a ransomware incident as in the questioner’s case. Vaughn also said governments should not pay such ransom demands and there are ways to help rebuild systems. Ward added that local governments don’t know who they are paying in ransom cases and the FBI says not to do it.
In final comments, Capriglione encouraged legislators to be “tech champions” in their state to support the entire country rather than just their state. Ward echoed that, adding her organization can provide data to help justify cybersecurity funding to other state legislators.