By Ashley Schultz
It would be hard to miss the media attention dedicated to the data breaches and hacking of high profile businesses in recent years. The most serious offenders, including Yahoo (2013), Equifax (2017) and Facebook (2018), left hundreds of millions of consumers worried about the privacy of their personal information stored online.
Government agencies carry similar levels of concern for the security of their own data. Public health agencies hold confidential information on patients. Public utility companies maintain payment information for individual homes. Law enforcement officers record names, addresses, and statements of survivors, offenders, and witnesses. Each individual trove of data represents a potential target for foreign and/or domestic hackers. And each trove must – in turn – be protected by layers of cybersecurity.
Recognizing the potential implications of large scale data breaches at the federal government, Congress began allocating funds to improve the antiquated systems of its 76 agencies in 2016. The most recent budget included more than $14 billion for these cybersecurity-related investments. The same commitment has not been made by individual states, however. According to a 2016 report by the National Association of State Chief Information Officers (NASCIO), a majority of states allocate between zero and two percent of their total IT budgets to cybersecurity1. Funding at the local county or municipal level is often worse - leaving IT personnel scrambling to cobble together a myriad of ad hoc solutions not dissimilar to Frankenstein’s monster.
It should therefore be of little surprise that grant funding dedicated exclusively to cybersecurity measures is lacking. On a whole, we see funders select grant projects that extend services into new population groups, or initiatives that try something innovative and forward-thinking. There are very few funding streams to support on-going operational costs or the basic, day-to-day functions of government. This includes protecting the data and online systems upon which all of these systems rely.
The largest funding source for state and local preventative measures is FEMA’s annual suite of programs related to homeland security and emergency preparedness. In 2018, cybersecurity was listed as one of the seven “core capabilities” in each of the following FEMA programs:
· State Homeland Security Program (SHSP)
· Urban Area Security Initiative (UASI)
· Operation Stonegarden Program (OPSG)
· Port Security Grant Program (PSGP)
· Transit Security Grant Program (TSGP)
· Intercity Bus Security Program (IBSGP)
· Tribal Homeland Security Grant Program (THSGP)
In total, these programs amounted to more than $1.26 billion of grant investments just last year. While that’s a far cry from the Congressional allocation of $14 billion for a handful of federal agencies, it’s still a strong investment in cybersecurity for states, right?
Not quite. Homeland security funding supports a broad range of program areas – from basic surveillance equipment to training for bomb squadrons – and everything in between. As a result, available grant money is quickly gobbled up by a slew of program, personnel and equipment needs. Only a fraction of that $1.26 billion is dedicated to projects that inhibit data phishing or slow attempted breaches of computerized systems. What’s more, FEMA funding tends to favor state agencies and large urban areas. The UASI program, for example, accounts for $580 million (45%) of funding available through the grants listed previously. This money is only available to 32 pre-selected cities across the US – leaving smaller municipalities and rural areas with considerably fewer resources to share.
So what’s to be done for grant funding exclusively focused on cybersecurity efforts? A few states have responded with targeted programs in recent years. New York state, for example, made a one-time dedication of $500,000 from its SHSP allocation this year to “enhance and sustain local cybersecurity posture” in local government agencies. Indiana took a similar stance earlier in 2018, including cybersecurity on their short list of “high priority” projects for SHSP proposals. It’s important to note, however, that neither of these initiatives represent an actual monetary dedication to digital safety on behalf of these States.
For now, it’s up to each government entity to establish long-term strategies for cybersecurity measures. NASCIO reports that several state agencies are appointing individual roles (e.g. CIO, CTO, CSO) to ensure digital infrastructure is a budget priority2. Local government agencies of all sizes can mimic this technique, potentially adding a requirement that all future technology upgrades include such components.
The same can be said for future grant projects. While there may not be a clear path to secure funding solely for cybersecurity, your agency can include individual solutions as a small part of a larger project. The next time the police department requests funding for an in-car computer refresh, for example, make sure to add dual-factor authentication licenses to the budget. When the town utility applies for a grant to extend water lines to new homes, include a line item that will allow you to purchase software to secure payment information and addresses of new (and old) users. Each of these commitments can be led by the individual appointed to oversee cybersecurity for your agency. He or she may recommend the particular solutions to include in the grant budget, thus ensuring that cybersecurity standards/policies are applied accurately and consistently across the organization.
Our first suggestion? Invite your IT staff to the team’s next planning session for grant funding. Ask them about the agency’s largest cybersecurity needs. Start the conversation now about how your shared goals align with projects you’re already planning down the road.
Work Cited:
1. National Association of State Chief Information Officers (NASCIO). “State governments at risk: Turning strategy and awareness into progress.” 2016. <https://www.nascio.org/Portals/0/Publications/Documents/2016/2016-Deloitte-NASCIO-Cybersecurity-Study.pdf>
2. National Association of State Chief Information Officers (NASCIO). “State Cybersecurity Governance.” 2017. <https://www.dhs.gov/sites/default/files/publications/Cross_Site_Report_and_Case_Studies_508.pdf>
Grant funding from FEMA supported cybersecurity efforts as a “core capability” of state and local government agencies. This may include costs for planning, training, equipment, and mock-exercises.
Not sure where to start with your agency’s cybersecurity measures? DHS provides voluntary, non-binding, and no cost cybersecurity services to the State, local, tribal and territorial agencies. See more at: https://www.us-cert.gov/sites/default/files/c3vp/sltt/SLTT_Hands_On_Support.pdf.
