The Washington Post

The Cybersecurity 202: The bipartisan infrastructure bill could bring a cyber bounty for state and local governments


with Aaron Schaffer

The mammoth bipartisan infrastructure deal that passed the Senate this week includes a $1 billion pot of cybersecurity money to help state and local governments battered by ransomware and other digital attacks.

If the bill becomes law, it would be especially helpful for local governments, which are often a weak link in cybersecurity.

They struggle with cyber protections that are years out of date, leaving them vulnerable to hacks that can impact everything from 911 services to the ability to produce marriage licenses.

While cyberattacks that impact federal government agencies and major corporations draw far more public attention, local government hacks can have the most direct impact on citizens. 

“When a police department has a dispatch system that’s hit with ransomware, that directly affects public safety,” Denis Goulet, New Hampshire’s chief information officer and president of the National Association of Chief Information Officers (NASCIO), told me. “Having those systems functioning is not a ‘nice to have.’ It’s a ‘must have.’ It’s a real existential threat to citizens.”

The $1 trillion infrastructure bill passed the Senate with 19 Republicans joining Democrats in supporting it. But it faces challenges in the House, where liberal Democrats are pushing for far bolder spending. House Speaker Nancy Pelosi (D-Calif.) has said the chamber won’t vote on the package until it votes on the Democrats’ $3.5 trillion budget.

The past few years have seen devastating ransomware attacks that locked up city computers for days or weeks in Atlanta, Baltimore, Greenville, N.C., and Pensacola, Fla., among others. 

Such attacks are likely to become even more common as hacking gangs get bolder. Without a cyber funding surge, some of the worst damage could be done in smaller cities that don’t have dedicated IT staff to help them recover. 

“At least Atlanta and Baltimore have robust IT departments and information security teams,” Ed Mattison, an executive vice president at the Center for Internet Security, told me. “They had some semblance of a plan. Many smaller municipalities don’t have that. This could be a game changer for them.”

The cyber dangers facing cities have grown exponentially with the rise of ransomware, in which hackers lock up a victim’s computers and demand a payment to unlock them. Before that, the greatest danger facing cities was hackers stealing citizen and employee information and selling it to identity thieves — a damaging but far less lucrative form of cybercrime. 

“I want municipalities protecting my information so I don’t get my identity stolen. I also depend on the services they provide,” Mattison said. “I want clean water and I want sewage treated and I want the DMV and everything else I pay taxes for. All those things are at risk if municipalities don’t have the correct cyber protections.”

The Senate bill would deliver the cyber money in grants spread out over four years. 

At least 80 percent of it would have to go to local government and 25 percent of it to rural areas, according to a fact sheet from the bill’s sponsor, Sen. Maggie Hassan (D-N.H.).

States and cities would have to outline exactly how they plan to spend the money to the Cybersecurity and Infrastructure Security Agency. And they would have to put up matching money that would add up to about $250 million over four years. 

“A cyberattack on a state or local government network can put schools, electrical grids and crucial services in jeopardy,” Hassan said. “Even though cyberattacks are becoming more and more common in today’s threat landscape, state and local governments often do not have the adequate resources to defend against them.”

Some top priorities for the spending include replacing outdated software that isn’t being patched for security bugs, setting up systems that better identify workers when they log on to city computer networks and removing those log-ins when they leave the job, Matt Pincus, NASCIO director of government affairs, told me. 

Another major priority is making sure cities have a game plan for if they get hacked and in some cases can enlist experts at the state level to help, Pincus said. 

“This is a continuity of government issue,” he said. If a city’s computers are locked up by ransomware, “people can’t get driver’s licenses, they can’t get marriage licenses, they basically can’t do anything. It impacts everything and it leads to a lack of trust in government.”

The keys

Defamation lawsuits against Trump allies from voting machine maker Dominion can move forward, a judge said.

Federal Judge Carl J. Nichols denied motions to dismiss the lawsuits by former New York mayor Rudolph W. Giuliani, My Pillow and its chief executive Mike Lindell, and former federal prosecutor Sidney Powell. All three boosted the false claim that the 2020 election was stolen and said Dominion was partly responsible.

“As a preliminary matter, a reasonable juror could conclude that the existence of a vast international conspiracy that is ignored by the government but proven by a spreadsheet on an Internet blog is so inherently improbable that only a reckless man would believe it,” Nichols wrote in a section of his 44-page opinion pertaining to Lindell and My Pillow. 

Howard Kleinhendler, a lawyer representing Powell, told our colleagues that his team was “disappointed” by the ruling. “Powell’s attorneys look forward to litigating this case on its merits and proving that Ms. Powell’s statements were accurate and certainly not published with malice,” he said. Lawyers for Lindell and Giuliani did not respond to requests for comment.

Mike Lindell promised evidence the election was rigged. It’s not coming, his top cyber expert says. 

Lindell has claimed for months he has access to digital “packet captures” that show China interfered in the 2020 election and altered vote counts to steal the election from former president Donald J. Trump. But such evidence does not exist in the data Lindell provided, his own top analyst, Josh Merritt, told the Washington Times’s Joseph Clark.

“So our team said, we’re not going to say that this is legitimate if we don’t have confidence in the information,” Mr. Merritt said. The claim came on the second day of Lindell’s three-day “cyber symposium,” which has been stuffed with brash but baseless claims of fraud.

The decampment of his top expert did little to slow Lindell’s phony claims. Reuters’s Brad Heath:

Cyber forensics expert Robert Graham, who’s attending the conference, also noted that the promised evidence has not arrived.

Hackers stole $600 million from a cryptocurrency platform. Then they returned half of it.

The hackers said it was always the plan to return the money, though it’s not clear if that’s true. Cryptocurrency experts told Reuters that it would’ve been difficult for the hackers to successfully launder the money.

The hackers also said in messages that they breached Poly Network “for fun” and wanted to “expose the vulnerability” in its system, blockchain analysts said. 

The original $600 million robbery is believed to be the largest that the cryptocurrency world has ever faced. Poly Network wrote an open letter Tuesday to the hackers urging them to return the stolen money. The letter was a subject of mockery on Twitter.

Government scan

The U.S. government still has lots of work to do to shore up cybersecurity, a major cyber commission says.

In coming years, the Cyberspace Solarium Commission wants the U.S. government to codify “systemically important critical infrastructure,” set up a place for the public and private sectors to share intelligence and establish a State Department cyber bureau with a Senate-approved leader, according to an annual progress report coming out today.

The commission also celebrates some successes, like the establishment of a national cyber director. The congressionally mandated commission released its initial report last year, describing it as an effort to deliver a warning with the heft of the 9/11 Commission report but before a “cyber 9/11” happens.

Some of the commission’s more ambitious recommendations, such as establishing House and Senate cybersecurity committees and enacting a data security and privacy protection law, appear to be non-starters. The progress report notes they “have met resistance and are unlikely to move forward in the near future.”

Businesses Push to Shape Federal Rules for Disclosing Hacks (Wall Street Journal)

NSA quietly awards $10 billion cloud contract to Amazon, drawing protest from Microsoft (Aaron Gregg)

Global cyberspace

A British court gave the U.S. government more leeway as it tries to extradite WikiLeaks founder Julian Assange.

The judge in the case previously ruled that Assange posed too great a risk of suicide in a U.S. prison, but U.S. prosecutors say that concern is overblown, the Associated Press’s Sylvia Hui reports.

U.S. prosecutors have charged Assange with 17 espionage counts and one computer-hacking charge for attempting to help U.S. Army intelligence analyst Chelsea Manning try to crack a password on a Defense Department network. Supporters of Assange say he should be treated more like a journalist than a hacker. The U.S. government says the case is largely based on Assange’s “unlawful involvement” in the theft of U.S. government files by Manning. 

A full appeal hearing is expected to take place in October. 

Securing the ballot

‘We are in harm’s way’: Election officials fear for their personal safety amid torrent of false claims about voting (Tom Hamburger, Rosalind S. Helderman and Amy Gardner)

Industry report

Accenture downplays ransomware attack as LockBit gang leaks corporate data (The Record)

Cyber insecurity

Four years after FBI shut it down, AlphaBay dark web marketplace claims it's back in business (CyberScoop)

How GrayShift keeps its iPhone unlocking tech secret (Motherboard)


  • The Cyberspace Solarium Commission hosts an event on the commission’s progress today at noon.
  • National Cyber Director Chris Inglis speaks at the CyberScape National Security event on Aug. 19 at 11 a.m.
