The US House just passed a bill to incentivize cybersecurity planning for state and local gov

The U.S. House of Representatives passed a bill last week that hopes to prepare cities across the country for ransomware attacks.

The $400 million grant program to be administered by the Department of Homeland Security (DHS) would incentivize cities to invest in cybersecurity to avoid the disruption that hit the City of Baltimore following its 2019 ransomware attack.

The State and Local Cybersecurity Improvement Act, H.R.3138, was drafted by a group including Rep. C.A. Dutch Ruppersberger, who represents Maryland’s 2nd Congressional District comprising parts of Howard, Harford, Baltimore, and Anne Arundel Counties, as well as small portions of the City of Baltimore. Other bipartisan representatives hail from Alabama, New York, Washington, Louisiana and Texas.

The bill doesn’t create the grant program per se, as a Ruppersberger spokesperson told Technical.ly, but directs the DHS secretary to create it, with stipulation including that recipients need a cybersecurity plan and must build maintenance of it into their own budgets.

“Already, [cybercriminals] have been able to disrupt medical treatment, remote learning and public transportation in the middle of a pandemic and things will get a lot worse if we don’t take action now,” Ruppersberger said in a statement. “I want to thank my colleagues for supporting this legislation to give state and local governments the resources they need to invest in cybersecurity, protecting citizens and tax dollars.”

Less than 3% of overall state IT budgets go to cybersecurity according to the 2020 Deloitte-NASCIO Cybersecurity Study. Baltimore, for its part, saw its IT budget get a boost in funding for FY2020 and 2021 following its big attack.

BCIT’s budget allocation saw a boost in 2020. (Screenshot from FY2021’s budget hearing)

Along with plenty of other civic horror stories from around the country, Baltimore County School District also shut down from a ransomware attack as recently as November 2020. It’s no doubt there’s a real need for increased cybersecurity systems. Next up, we’ll see if the senate sees it as a big enough issue to appropriate the millions in funds.

Here’s the full text of the bill:

This bill requires the Cybersecurity and Infrastructure Security Agency (CISA) to establish the State and Local Cybersecurity Grant Program to address cybersecurity risks and threats to the information systems of state, local, or tribal organizations.

Eligible grant applicants (i.e., states and certain Indian tribes) must submit a cybersecurity plan—to be approved by CISA as a condition of disbursement—that describes how the applicant will use the funds to address cybersecurity risks and threats to their information systems. Grant funds must be used to implement, develop, or revise the applicant’s cybersecurity plan or to assist with activities that address imminent cybersecurity risks or threats.

CISA must establish a State and Local Cybersecurity Resilience Committee to provide state, local, and tribal stakeholder expertise, situational awareness, and recommendations to CISA on how to address cybersecurity risks and threats.

CISA must develop and maintain a resource guide for state, local, tribal, and territorial government officials to assist with identifying, preparing for, detecting, protecting against, responding to, and recovering from cybersecurity risks, threats, and incidents. In addition, CISA must develop and make publicly available a Homeland Security Strategy to Improve the Cybersecurity of State, Local, Tribal, and Territorial Governments.

Finally, CISA must assess the feasibility of implementing a short-term rotational program to detail approved state, local, tribal, and territorial government employees to CISA in cyber workforce positions.