Will CISA be the savior of state and local cybersecurity?
A longstanding effort to create new federal support for state and local cybersecurity may finally see a breakthrough.
As ransomware attacks against state and local entities skyrocketed over the past year or so, lawmakers repeatedly introduced legislation promising to empower the Cybersecurity and Infrastructure Security Agency (CISA) as a kind of federal benefactor, expanding its ability to dispense funding, training and other resources to struggling state and local agencies.
Most recently, this conversation has played out in the legislative process surrounding the passage of the FY 2021 National Defense Authorization Act (NDAA), with debates ongoing about what CISA’s expanded role should be, and how appropriations should adequately reflect it.
Last week, the U.S. Senate passed its version of the NDAA, inside of which is an amendment that enumerates new powers and responsibilities for CISA — including the ability to assign a cyber “coordinator” to each state government to assist with security and defense matters. The cybercoordinator would act as a risk adviser who could provide training and guidance to state IT officials.
The House passed its own NDAA version, which includes a funding bump of $239.1 million for CISA above the last fiscal year enacted level, some amount of which would go toward empowering state and local cyberefforts. Under the House’s version, CISA would get a new $11.6-million Joint Cyber Center for National Cyber Defense that would bring together a diversity of stakeholders for collaboration, including state and territorial leaders as well as federal ones.
Other new responsibilities are included in both bill versions — like giving the agency more control over the defense of critical infrastructure, allowing it to “issue subpoenas to internet service providers compelling them to release information on cybervulnerabilities detected on the networks of critical infrastructure organization.” Various other amendments look at workforce growth, the creation of 5-year CISA director term limits, and other questions of authority and bureaucracy.
While they may differ on the details, in both House and Senate scenarios the federal agency would be given newfound powers and a greatly expanded reach.
Congressional homeland security committees have played a significant role in this legislative wrangling.
Case in point, the recent NDAA amendment was rebundled from legislation originally introduced back in January by Sen. Maggie Hassan, D-New Hampshire, called the Cybersecurity State Coordinator Act.
Hassan, who serves on the U.S. Senate Homeland Security and Governmental Affairs Committee, introduced the legislation following discussions with federal, state and local governments and organizations — including CISA officials — about “the importance of having direct connections between federal, state, and local governments and organizations about cybersecurity threats, preparedness, and resources,” said Laura Epstein, a spokesperson for Hassan’s office.
Similarly, the State and Local Cybersecurity Act was introduced last year by U.S. Rep. John Katko, R-New York, who serves on the House Homeland Security Committee as Ranking Member of the Cybersecurity, Infrastructure Protection and Innovation subcommittee.
Katko’s bill sought to leverage $400 million in federal funding towards a CISA-led grant program for state and local cybersecurity, which municipalities could apply to. His legislation also suggested the creation of a State and Local Cybersecurity Resiliency Committee, staffed by state and municipal leaders, which would “advise and provide situational awareness to CISA” on the status of their communities’ cyberneeds, greatly increasing state, local, and federal communication and cooperation.
In an email to GT, Katko said that CISA’s support would “allow governments to upgrade equipment, and assists in identifying critical systems,” while also giving them the necessary training to deter bad actors.
In little time, CISA has gone from a federally inward-looking organization to one that is increasingly establishing itself as America’s top risk adviser. A number of CISA programs already assist state and local government, such as the State Interoperability Markers system, which helps states and territories self-assess gaps in strategic and financial planning and gives CISA a sense of which communities to prioritize for future assistance. Similarly, CISA also still offers its long-running Cyber Assessments program, which gives free penetration tests and other cyberhygiene assessors to state, local and tribal entities.
Legislators have also used the ongoing negotiations surrounding COVID-19 economic stimulus bills as a potential window to push for CISA appropriations. Back in April, House Democrats lobbied for the inclusion of policy similar to Katko’s bill in the CARES Act. Just this week, Senate Republicans unveiled a bill that similarly targets CISA for additional funding.
These ongoing efforts to package and repackage new CISA-related opportunities have been bolstered by a lot of outside voices, including those at the Cyberspace Solarium Commission, which released its report earlier this year outlining America’s cybersecurity needs. The Solarium, which has had a big influence on both House and Senate versions of the NDAA, has argued that CISA can act as a “central coordinating element to support and integrate federal, state and local, and private-sector cybersecurity efforts.”
Robert Morgus, one of the senior task force leaders with the Cyberspace Solarium, told Government Technology that CISA presents a lot of opportunities for improved across-the-board security in government.
“In a world where CISA is a robust cybersecurity and infrastructure security agency, CISA would also be in a position to not only assess and provide guidance on risk, but run programs to assist in actually mitigating that risk, whether through regional offices with HIRTs (Hunt and Incident Response Teams) or through grants programs designed to help underfunded states and municipalities defray some of the costs of digitizing securely,” said Morgus.
This help may be needed now more than ever. As state and local governments battle the ongoing coronavirus, the budgetary shortfalls can’t leave cybersecurity funding untouched. At the same time, another view is that new and emerging threats also warrant a more involved federal government. Morgus pointed to one such threat highlighted by the Solarium report: the vulnerability of public water infrastructure systems.
“Water in the U.S. is supplied by a network of nearly 70,000 local utility companies, most of whom are turning to digital systems to manage real-world, physical ones critical to water treatment and distribution,” said Morgus. “Many of these municipal utilities often lack the resources or capacity to address weaknesses in these systems and the EPA — the water sector’s “sector-specific agency” — has not done as much to help the sector address cybersecurity threats as others, like the [Department of Energy] for energy or Treasury for the financial sector.”
Morgus further commented that many of the CISA-related amendments within the recent NDAA represent a “step in the right direction.”
“A strengthened CISA would be integral in increasing federal government collaboration with state and local governments,” Morgus said. “CISA should be the primary [point of contact] for states when it comes to cybersecurity issues, just like the FBI already is for criminal issues … all of the efforts the Commission proposes around planning, including the Joint Cyber Planning Office at CISA and the myriad of recommendations around exercises would incorporate states and municipalities as a key stakeholder and the best way to improve collaboration is to practice it.”
Where all the chips will land when the dust settles on the NDAA process isn’t totally clear. After the Senate’s passage of its version of the bill last week, the House and Senate must now hold conference to find where they agree and disagree, after which the finalized version will be submitted to the White House for approval.
Lucas Ropek is a staff writer for Government Technology. He has worked as a newspaper reporter and writer in Massachusetts and New York. He received his Bachelor’s degree in English from Kenyon College in Ohio. He lives in Northern California.
(c)2020 Government Technology
Visit Government Technology at www.govtech.com
Distributed by Tribune Content Agency, LLC.
This article is written by Lucas Ropek from Government Technology and was legally licensed via the Tribune Content Agency through the Industry Dive publisher network. Please direct all licensing questions to legal@industrydive.com.