New law proposes increase in federal assistance

The recent explosion of cyber-attacks on US government infrastructure has put the lack of preparedness by state and local authorities under the spotlight.

For example, last month, an Emergency Declaration (PDF) was issued across the state of Louisiana following reports of multiple malware attacks on schools in Sabine, Morehouse, and Ouachita, which brought disruption to services. The crisis marked the application of newly established government support for the first time.

“The state was made aware of a malware attack on a few north Louisiana school systems and we have been coordinating a response ever since,” state governor John Bel Edwards said in a statement at the time.

“This is exactly why we established the Cyber Security Commission, focused on preparing for, responding to and preventing cybersecurity attacks, and we are well-positioned to assist local governments as they battle this current threat.”

In 2017, under governor Edwards, Louisiana established a Cybersecurity Commission – a state-wide partnership aimed at coordinating response to cyber incidents, including information-sharing across the private and public sector.

“We are actually sending out cybersecurity experts from the state, from the National Guard, to help these school systems,” Christina Stephens, deputy chief of staff for communications and special projects with the governor’s office, told Government Technology. The remarks were made during a malware onslaught and state of emergency, which remained in effect until August 21.

The Commission is also tasked with boosting the state’s cybersecurity posture, and using its resources to determine future dangers to its digital ecosystem.

But not all state governments appear as in tune to risks associated with digitalizing their systems. According to a 2017 survey of local municipalities, 44% agree that more help is needed when it comes to cybersecurity funding.

Financial assistance paired with education is certainly required, with states currently spending only 1-2% of their budgets on cybersecurity, and just 63% of local governments conducting annual risk assessments, research from the International City/County Management Association (ICMA) found.

“There have been many bills proposed, and some enacted, to strengthen cybersecurity at the federal, state, and local levels,” Joseph Lazzarotti, an attorney at Jackson Lewis P.C, who leads his firm’s data privacy and cybersecurity practice group, told The Daily Swig.

“Perhaps some benefits could be derived from increased sharing of information, training, exercises, and installing sensors to gather additional information about system risks.

“However, state and local entities need to be able to receive that information and have resources to address it in their own environments.”

The latest proposal to accelerate cyber efforts on local and state levels is the State and Local Cybersecurity Act (2019) – a bill that gives more power to the Department of Homeland Security’s cyber arm, the National Cybersecurity and Communications Center (NCCIC), in sharing threat intelligence.

“Implementing the voluntary initiative would require hiring additional cybersecurity advisors, deploying sensors to non-federal networks, and sharing classified information on cybersecurity threats with state and local partners,” the bill, also referred to as S. 1846, states.

It adds: “The bill also would authorize DHS to implement an initiative to help state and local governments detect and prevent malicious network traffic on non-federal information systems.”

Implementation of the bill is estimated to cost the federal government $31 million between 2019-2024, which includes the hiring of cyber experts.

According to the Congressional Budget Office, the NCCIC is already performing many of the coordination efforts put forward in the legislation.

RELATED US Ransomware attacks send shockwaves across unprepared gov’t offices