Cybersecurity legislation included in infrastructure plan sets aside $1 billion for local governments
Last month, while senators were debating the recently passed $1.2 trillion Infrastructure Investment and Jobs Act, a ransomware attack targeting Miami-based IT security company Kaseya put at risk some 800 to 1,500 businesses.
It wasn’t the first cyberattack on a U.S. company in 2021 and, if history is any guide, it won’t be the last. As the global economy plunges deeper into the digital era, local municipalities are pivoting rapidly to address cybersecurity issues in outdated digital infrastructure. But in the theater of local politics—against the backdrop of budgetary constraints—upgrading software might play second fiddle to more visibly pressing needs like crumbling roadways or dilapidated municipal buildings.
But just because it’s not as visible doesn’t make cybersecurity less important.
That’s why local city and county leaders should take note of one line item, in particular, that’s notably included in the sweeping bipartisan infrastructure legislation: The State and Local Cybersecurity Improvement Act.
“A cyberattack on a state or local government network can put schools, electrical grids and crucial services in jeopardy,” said U.S. Sen. Maggie Hassan (D-N.H.), chair of the Emerging Threats Subcommittee, in a statement. Hassan helped introduce the cybersecurity funding proposal.
“Even though cyberattacks are becoming more and more common in today’s threat landscape, state and local governments often do not have the adequate resources to defend against them,” she said.
Specifically, the spending proposal would authorize a new grant program at the Department of Homeland Security that is intended to improve cybersecurity measures for state, local, Tribal and territorial entities.
The program, which allots $1 billion over four years, would be administered by the Federal Emergency Management Agency (FEMA), according to an information sheet about the spending plan. The Cybersecurity and Infrastructure Security Agency (CISA) would provide subject matter expertise.
Contingencies written into the act stipulate that most of the money should go to local and small municipalities, particularly those in rural counties that might not have the same tax base as larger metropolitan areas.
The bipartisan infrastructure plan has received the Senate’s stamp of approval. If it is also approved by the House, as is expected, it would require states to distribute at least 80 percent of that $1 billion directly to local governments, including 25 percent to rural areas. State governments would also have to submit a comprehensive cybersecurity plan (approved by a cybersecurity committee that includes local representation) outlining what steps will be taken to improve cybersecurity.
Hassan, who drafted the legislation following ransomware attacks in Strafford County and Sunapee School District, New Hampshire, called the grant program “a crucial resource for state and local governments, and I am very pleased that it is a part of our historic bipartisan infrastructure bill.”
According to an NPR article written at the time of one of the cyberattacks, the Sunapee School District’s servers were taken hostage over Columbus Day Weekend in 2019. A week’s worth of data was lost and teachers weren’t able to access their lesson plans for two weeks. But the district was able to avoid paying the ransom because it had a plan in place—as a practice, IT administrators backed up all of the district’s data at the end of each week.
Following the breach, Hassan took the lessons learned by the district to the Senate to share best practices with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. The State and Local Cybersecurity Improvement Act came about through subsequent committee discussions.
At its core, the program is intended to fill a funding gap, allowing local cities and counties the flexibility to address both the physical needs of their infrastructure and the more abstract digital necessities. The information sheet notes that, these days, “Many state and local governments lack the resources to address the increased pace of cyberattacks, with most states only spending 1-3 percent of their overall IT budgets on cybersecurity, compared to about 16 percent for federal agencies.”
Another notable cybersecurity legislative initiative tied into the bipartisan infrastructure bill is the Cyber Response and Recovery Act, which would allow the Secretary of Homeland Security to declare a Significant Cyber Incident following a breach of public and private networks. It would also establish a Cyber Response and Recovery Fund for the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency to provide direct support to public or private entities as they respond to and recover from significant cyber-attacks and breaches, according to a fact sheet from the U.S. Senate Committee on Governmental Affairs.
“The multiple recent cyberattacks from sophisticated malicious actors against U.S. government clearly demonstrate our vulnerability to attack. These cyberattacks will continue, and we must ensure that we have the capacity to respond when they do,” said U.S. Sen. Rob Portman (R-OH) in a statement. “This bipartisan bill will provide emergency resources when impacted organizations are overwhelmed and unable to respond to a debilitating attack. I urge my colleagues to join us in supporting this commonsense legislation to take a needed step in strengthening our cyber defenses.”