States and localities are about to get their biggest infusion of cyber funds, ever
State and local governments are preparing for a windfall of cyber funding that could fundamentally reshape their digital defenses.
The $1 billion grant program – provided in the recently passed infrastructure bill – marks by far the largest-ever federal investment in state and local cybersecurity. It comes as cities are being pummeled with ransomware attacks that have cost millions of dollars to remediate and have locked up vital services for weeks or months. The recovery from a single attack in Baltimore cost a whopping $18 million.
By comparison: The only previous regular federal funding for state and local cybersecurity came as a tiny percentage of an annual Department of Homeland Security grant program aimed at combating terrorism and other threats. The cyber part of that program topped out at about $75 million this year. It was around $50 million in previous years.
“It’s a huge step along the path,” Matt Pincus, director of government affairs at the National Association of State Chief Information Officers, told me. “You’re never going to solve cyber. It’s always going to be a cat-and-mouse game where bad actors evolve. But state and local governments need to catch up, and this grant program will move them a long way toward improving defenses.”
The funding is part of roughly $2 billion in cyber money in the $1 trillion infrastructure bill, which President Biden plans to sign this month. The Senate passed the bill in August, but the House delayed passing it for months in a bid by progressive members to tie it to a larger social spending measure.
Such a huge infusion of cash has the potential to revolutionize how state and local governments protect themselves from hacking — especially small towns and rural areas that often don’t employ a single IT person, let alone a cyber expert.
The program mandates that about 80 percent of funding goes to local governments and about 25 percent of that must go to rural areas.
The long-term goal: Officials hope the program will push states and localities to start making significant cybersecurity spending a standard part of their annual budgets.
Right now
But only about one-third of states include a regular line item in their budgets for cybersecurity. And even in those states, cyber and IT leaders are often strapped for cash. To be eligible for grants from the program, states and cities will have to invest between 10 percent and 40 percent of the cost of all of the projects they undertake.
“Part of the way the bill is written is to entice states to take more responsibility,” New Hampshire Chief Information Officer Denis Goulet told me. “The hope is with these scaled matches that happen through the program, that will ease states into the process and mind-set of investing continuously.”
The grants could also forge a stronger link between state and local governments on cyber protections so local governments aren’t left fending for themselves against sophisticated criminal hacking groups.
“The ultimate goal of our whole-of-state approach is a tightly woven fabric of cyber protections across the state,” North Carolina Chief Information Officer James Weaver told me by email. “These grants will provide an opportunity to achieve that goal and continually improving and enhancing those protections for the betterment of the state.”
Goals
Here are some of state and local officials’ top priorities:
- Outfitting cities with basic cyber protections including multi-factor authentication systems that require additional verification from users beyond passwords
- Regular audits to ensure local governments are shutting down email and other accounts held by former employees that could be hijacked by hackers
- Regular cybersecurity training for employees and game planning how they'd respond to a cyberattack
- Migrating local government websites and emails from .com to .gov domains, which will make them better protected against spoofing and phishing attacks
- Expanding the number of IT systems that are shared between cities and managed and secured by a central provider — usually a private company
The details: The Federal Emergency Management Agency and the Cybersecurity and Infrastructure Security Agency will distribute the money to states, which will pass it along to localities.
- The money will be distributed among all states using a complex formula that takes into account states’ total population and their rural population.
- Three percent of the money will be distributed to territorial governments.
- States and tribes must write extensive cybersecurity plans detailing how the money will be spent.
One big caveat: States, cities and tribes are barred from using any of the money to pay ransoms to hackers.
From a CISA spokesperson: “Cybercriminals continue to target state, local, tribal, and territorial (SLTT) governments and exploit vulnerabilities that SLTT partners simply do not have the resources to address. The grants provided in the infrastructure bill will provide a much-needed boost in resources that SLTT partners can use to increase the security and resilience of their networks.”
The keys
Mexican authorities arrest man for allegedly using NSO spyware to target journalist
Local media identified the man as Juan Carlos García, who worked as a technician for the private firm KBH’s Proyectos y Diseños VME division. García was arrested “on allegations he was involved in illegally tapping the phone of a broadcast journalist,” Mary Beth Sheridan reports.
Investigative journalist Carmen Aristegui, who is often threatened for her reporting on corruption by Mexican politicians and cartels, said she was the target of the surveillance in 2015 and 2016, Sheridan writes.
It’s the first arrest by Mexican authorities in the wake of an investigation by The Washington Post and 16 media partners into NSO Group’s Pegasus spyware. Mexican authorities say they spent millions of dollars to use Pegasus but ended the contracts in 2017. Researchers found signs of NSO spyware on the phones of 26 Mexican journalists, activists and politicians from 2015 to 2017.
“García did not enter a plea, and it was not possible to locate his lawyer on Tuesday,” Sheridan writes. “Uri Ansbacher, the head of KBH, which is no longer in business, has denied any involvement in illegal spying.”
NSO is pushing back on the allegations. The company’s products “are only sold to vetted and approved government entities, and cannot be operated by private companies or individuals,” the company said. “We regret to see that, over and over again, the company’s name is mentioned in the media in events that have nothing to do with NSO.”
Iranian hackers are targeting Middle East telecom and Internet companies, researchers say
The Lyceum group has tried to hack Internet service providers and telecommunications firms in Israel, Morocco, Tunisia and Saudi Arabia, as well as an African nation’s foreign affairs ministry, according to researchers from the cybersecurity firms Accenture and Prevailion. The hackers appear to still be digging around in two of the victims’ computer systems despite the public disclosure of their hacking, researchers said.
Telecom and Internet companies are especially valuable targets for hackers because “they provide access to various organizations and subscribers in addition to internal systems that can be used to leverage malicious behavior even further,” the researchers said. They can also be used to spy on customers of the companies.
Researchers found more than a dozen software vulnerabilities in medical devices
The vulnerabilities affect around 4,000 devices used in the health-care, government and retail industries, CNN’s Sean Lyngaas reports. The vulnerabilities could affect devices like patient monitors, anesthesia systems, ultrasound machines and X-ray equipment.
The medical technology company Siemens has issued updates for some affected products, and CISA issued an advisory about the vulnerabilities.
Whether devices are vulnerable to hacking depends on what version of software they're running and if they're connected to the Internet, Lyngaas writes, citing FDA cybersecurity official Kevin Fu.
Securing the ballot
Threats to election officials often go unpunished
Such threats have surged since the 2020 contest, driven largely by false claims by former president Trump and his supporters that the election was stolen. But law enforcement agencies have declined to investigate many of the cases, citing the difficulty in tracing and prosecuting suspects, Reuters’s Linda So and Jason Szep report. So and Szep interviewed nine people who admitted they were behind the threats or harassing messages.
“All nine harassers interviewed by Reuters said they believed they did nothing wrong,” So and Szep write. “Just two expressed regret when told their messages had frightened officials or caused security scares. The seven others were unrepentant, with some saying the election workers deserved the menacing messages.”
In one case, a man left a profanity-laced phone message at the Vermont secretary of state’s office warning that several staff members would soon get “popped.”
“The officials referred the voicemail to state police, who again declined to investigate. Agency spokesperson Adam Silverman said in a statement that the message didn’t constitute an ‘unambiguous reference to gun violence,’ adding that the word ‘popped’ – common American slang for ‘shot’ – ‘is unclear and nonspecific, and could be a reference to someone being arrested.’”
Daybook
- Microsoft President Brad Smith gives a lecture on cyber diplomacy at Sciences Po’s Paris School of International Affairs today at 11 a.m.
- Former undersecretary of defense Michèle Flournoy, former Google CEO Eric Schmidt and Shield AI co-founder Brandon Tseng discuss the U.S. military's digital transformation at a Washington Post Live event on Thursday at noon.
- CISA chief of staff Kiersten Todt speaks at a Charter of Trust event on critical infrastructure resilience on Nov. 15 at 11 a.m.
- The Aspen Institute’s Commission on Information Disorder launches its final set of recommendations for addressing misinformation and disinformation on Nov. 15 at 3 p.m.
- Homeland Security Secretary Alejandro Mayorkas testifies before the Senate Judiciary Committee on Nov. 16 at 10 a.m.
