The hearing, "State and Local Cybersecurity: Defending Our Communities from Cyber Threats amid COVID-19," was held before a federal spending subcommittee of the Committee on Homeland Security and Governmental Affairs, and emphasized the ongoing conversation about how best to roll out new aid to governments.
Among the officials to appear before the U.S. Senate was NASCIO President Denis Goulet, who made a case for why the fiscal needs of SLTTs are not being met.
"Inadequate resources for cybersecurity has been the most significant challenge facing state and local governments, even prior to the COVID-19 pandemic," said Goulet, also CIO of the state of New Hampshire. "The question of why the federal government should be contributing to cybersecurity of the states is straightforward as states are the primary agents for the delivery of a vast array of federal programs and services."
The legislation introduced over the past two years that focuses on SLTT cyberassistance includes half a dozen bills — a majority of which suggest similar or parallel strategies for dealing with the problem.
NASCIO supports the State and Local Cybersecurity Improvement Act, Goulet told legislators Thursday. Introduced last year, the bill envisions creating a $400 million grant program for SLTTs, to be delivered via the Cybersecurity and Infrastructure Security Agency (CISA). One of several bills that see a federal grant program as the way to ensure governments' future, the bill has been one of the more prominent examples of how resources could be doled out in a top-down fashion.
Goulet also stressed NASCIO's support for the DOTGOV Act, which would make it easier for local governments to secure a .gov domain name, considered the most secure public-sector domain available.
"The DOTGOV Act seeks to ease the process for these governments to obtain .gov domain names, providing the sites themselves with greater security and offering greater assurances to residents that they are, in fact, looking at a government website," he said.
The SLTT cyberfunding issue is certainly not new, but 2020 saw efforts to correct it center more and more around an expanded role for CISA. Created in 2018, CISA has expanded its influence and reach in a very short time and, under new policy proposals, the agency would gain even more power and influence.
Brandon Wales, the new director of CISA, also made an appearance Thursday, arguing that CISA had a big role to play in ensuring the future security of state and local governments.
"The technical assistance and guidance provided [by CISA] can be used to secure networks, systems, assets, information and data by reducing vulnerabilities, ensuring resilience to cyber incidents, and supporting their holistic risk management priorities," said Wales. "CISA’s regional personnel are deployed in all states and territories to provide advisory services and assist the private sector and state and local government in improving their risk posture."
Goulet also showcased support for the Cybersecurity State Coordinator Act of 2020, a bill that would create a special program within CISA that designates a federal liaison to each state government to assist with risk management and security issues.
"While this relationship is still in its infancy, CIOs and CISOs appreciate the resources provided to state and local governments by CISA in the wake of cyberattacks," said Goulet. "NASCIO has supported efforts to more clearly define CISA’s roles and responsibilities in assisting state and local governments and has endorsed federal legislation to increase CISA’s resources within each state."
With the incoming Biden administration, some expect cybersecurity to get a new and improved priority, though so far it's unclear whether this support will extend to smaller governments or will just imply a greater strategic adoption at the federal level.
Goulet stressed the need for greater collaboration at all different levels of government, lobbying for the relatively new whole-of-state approach wherein a multitude of stakeholders are brought into the security process (including state, local, federal, private and academic, among others).
"By approaching cybersecurity as a team sport, information is widely shared and each stakeholder has a clearly defined role to play when an incident occurs," Goulet said.