First the great pivot and now the great wait: Time to revisit state and local cyber governance
First, we adjusted to the great pivot. In March 2020, as if by magic, hundreds of thousands of local governments pivoted to remote work in less than a week. With remote work came added cyber risks, but we are still awaiting a massive funding initiative aimed at helping local governments bolster their cyber defenses. It could come any day, but we have been hearing the same for the past six months—hence the great wait.
You might recall the huge fanfare that came with the passage of the Infrastructure Investment and Jobs Act (IIJA), which was signed into law in November 2021. The IIJA provides $1 billion in grants towards cybersecurity enhancements for state and local government information systems, with a 20/80 percent split in which local governments receive the larger share. These funds are to be disbursed over the next four years in the following increments: $200 million in 2022, $400 million in 2023, $300 million in 2024 and $100 million in 2025. The cybersecurity grant program requires a state match and the submission of a cybersecurity plan by September 30, 2023, which reflects a comprehensive understanding of relevant cybersecurity control methods and applications. With only three months left in the current fiscal year, it is likely the Act will be amended, since there is no way $200 million can be effectively spent in such a short period of time.
The delay comes from the Cybersecurity and Infrastructure Security Agency (CISA) as it contemplates the most effective means and detailed rules to satisfy the Act’s requirements. In fairness, no one better understands the external cyber threats our nation faces than CISA, but as we wait, cyber-attacks have increased and have become more complex and evasive. Worse, it appears that CISA continues to operate in a vacuum that excludes the very stakeholders the new rules are designed to help. History demonstrates that the federal government lacks the on-the-ground understanding of just what our nation’s localities and special districts face in real time. It is for this reason that federal grant programs are mostly administered through the states—and this massive program is no exception. Since IIJA was enacted last fall, to my knowledge, no meaningful anticipatory actions have taken place between states, cities and counties, as well as tribal lands and special districts. Sadly, this is a lost opportunity where state and local governments should be working together to better prepare for this program and many other programs to come. All eyes and ears are turned towards CISA as the great wait continues.
Enhanced governance is as important as increased financial investment and support of our nation’s localities. Many like myself fear that money—no matter how many billions—will not reach its intended goals without a massive change in state and local cyber governance. Each state operates separately, which means we have 50 ways of doing things when it comes to policies and leadership. The following are just a few suggestions that might help address the cyber governance dilemma.
What would help is for every state to have a designated chief information security officer (CISO) with direct responsibility to work with local governments and tribal organizations as well as special districts—some 80,000 units of government in all. To help facilitate improved coordination and communications, each state should be divided into cyber regions, with each region having a designated CISO. The division CISO could be from a major city and county, which would help foster communications and provide key communications between the region and the state CISO. Ideally, every entity receiving federal dollars should be required to join the Multi-State Information Sharing and Analysis Center (MS-ISAC), where membership is free to local governments and which provides a host of superior tools and other critical cyber resources.
We all know money alone can’t solve our cybersecurity woes, but it can certainly go a long way in helping if invested wisely. Most importantly, it appears Congress and the administration recognize the need to do more to protect our nation’s most vulnerable public institutions. Even if the new rules were to be released tomorrow, we wouldn’t expect to see any awards for many more months to come. So, while we are waiting, perhaps it’s time to do something we can control now—the need for greater state-local collaboration and communications through cyber governance, which starts with improved communications among states and localities. Let’s not wait—let’s communicate.
Dr. Alan R. Shark has been the vice president, public sector, and executive director of the CompTIA Public Technology Institute (PTI) in Washington D.C. since 2004. He is a fellow of the National Academy for Public Administration and chair of the Standing Panel on Technology Leadership. He is an associate professor for the Schar School of Policy and Government, George Mason University, and is course developer/instructor at Rutgers University Center for Government Services. Shark’s thought leadership activities include keynote speaking, blogging and a bi-weekly podcast called Sharkbytes. He is the author or co-author of more than 12 books, including the nationally recognized textbook “Technology and Public Management,” as well as “CIO Leadership for Cities and Counties.”