Renew — but improve — billion-dollar cyber grant program to states and locals, House witnesses say

It’s vital that Congress renew the expiring $1 billion state and local cybersecurity grant program, witnesses testified before a House panel, but they added that it could benefit from some upgrades, too.

New York Rep. Andrew Garbarino, chairman of the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection that held the hearing Tuesday, said the four-year cyber grant program “has undoubtedly improved, and sometimes even established, the cybersecurity posture of our states and localities.” It’s jointly administered by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Emergency Management Agency (FEMA), and is due to expire in September.

But the testimony from the witnesses occurred during a period of completed or contemplated cutbacks and policy changes from the Trump administration that are withdrawing, or are threatening to weaken, federal cyber support to state and local governments. Those governments are facing threats from ransomware and foreign nation-backed attacks.

“State and local governments are not prepared to fight this kind of cyber engagement with foreign nations,” said Connecticut Chief Information Officer Mark Raymond, who testified along with two other state and local officials and a cybersecurity vendor. With cuts to FEMA, CISA, the Multi-State Information Sharing and Analysis Center (MS-ISAC) and more, “additional responsibilities are falling to the states,” Raymond said, and further reductions would “diminish our ability to help municipalities.”

Homeland Security Secretary Kristi Noem was a rare holdout on receiving grants from the joint CISA-FEMA program as governor of South Dakota, and has told Congress she will be reviewing grant programs to make sure they’re doing their job effectively.

All four witnesses agreed the program was a big boon, but could stand some improvements. Alan Fuller, CIO for the state of Utah, said it had helped his state block seven major cyberattacks in the past six months. But he and others said inconsistent year-to-year funding makes some governments hesitant to sign up because they’re “afraid to launch programs that might get cut.”

The program could benefit from a separate fund dedicated to large municipalities that would allow them to apply directly rather than through states, said Kevin Kramer, first vice president of the National League of Cities and a city councilman in Louisville, Ky.

Robert Huber, chief security officer at Tenable, said the program should have a simpler application process to make it more accessible to government employees who aren’t as technically oriented, something other witnesses seconded. He also said the grant program should align with the National Institute of Standards and Technology’s cybersecurity framework. 

And Raymond suggested  the program should standardize the matching percentage grant requirements, keeping them consistent each year rather than allowing them to increase over time. 

Lawmakers on the panel indicated support for improving and extending the grant program, with some caveats. (In the Senate, Homeland Security and Governmental Affairs Chairman Rand Paul, R-Ky., has been a proponent for giving CISA hardly anything at all, legislatively.)

Rep. Morgan Luttrell, R-Texas, said in his district “we hate the federal government” and “don’t want them in and around us at all.”While he acknowledged  some of the recommendations made by witnesses align with what Congress should pursue  he said it’s hard to convince people to spend money on the program when attacks keep happening. On the other hand, smaller  towns like Magnolia, Texas — which is in Luttrell’s district — can’t defend against massive foreign cyber threats, he said.

Garbarino said the program may not prevent all attacks but it can also help recover from those that do land. “Getting this reauthorized and fixed is a very important goal we all have,” Garbarino said.

Rep. Seth Magaziner, D-R.I., said he was concerned about the Trump administration’s approach to cyber and “this is not the time to take our foot off the gas.” California Rep. Eric Swalwell, the top Democrat on the subcommittee, said attacks happen in both Democratic and Republican jurisdictions.

Said Fuller: “The risk doesn’t take politics into account.”