With cyberattacks on local governments increasing 50 percent since 2017, members of NACo’s Telecommunications and Technology Steering Committee March 12 discussed ways to improve cybersecurity at the local level during the 2021 Virtual Legislative Conference.
Peter Su, congressional science fellow for the U.S. Senate Homeland Security and Governmental Affairs Committee, discussed the State and Local Cybersecurity Improvement Act developed by Sen. Maggie Hassan (D-N.H.), who serves as chair of the Senate Homeland Security Committee’s Subcommittee on Emerging Threats and Spending Oversight.
The legislation bolsters cybersecurity resources for state and local governments and would authorize a new Department of Homeland Security (DHS) grant program to address cybersecurity vulnerabilities on state and local government networks.
Su said the legislation aims to create a $400 million-per-year grant program within DHS to help state and local governments with cybersecurity improvements.
While the grant runs through the states, local governments and counties play a large role in some of the legislation’s provisions, Su said. States are required to have their cybersecurity plan approved by DHS before they can apply for grants and the plan must also be approved by a planning committee that includes local representatives.
“This should bring county voices to the table from the beginning, so that before they even apply for any grants, the counties are part of the decision-making for how states plan on improving their cybersecurity overall,” he said.
Provisions also require states to pass at least 80 percent of grant funds to local governments, including counties, and require the federal government to set up an advisory committee which includes two representatives from NACo.
The bill is still in the drafting phase and Su encouraged committee members to provide feedback or suggestions.
As counties look to improve upon cybersecurity plans, the Cybersecurity and Infrastructure Agency’s (CISA) Jay Gazlay discussed the most recent compromise that led to vulnerabilities in Microsoft Exchange.
Gazlay said the agency has seen widespread exploitation of vulnerabilities throughout the country and received the first report of ransomware use on March 11.
“It has always been our worst-case scenario that critical infrastructure at a rural electric co-op or small-scale production facility, that’s part of the infrastructure of the United States, is hit by a ransomware attack,” he said.
Gazlay advised members to ensure their county and neighboring counties are following CISA’s guidance related to the Microsoft Exchange vulnerability.
“It’s critical for the well-being of all Americans that we get this taken care of soon,” he said. “We all know that ransomware can be devastating to business or communities and we want to try and limit the impact of that as much as we possibly can.”
The Federal Communications Commission’s (FCC) Gregory Cooke, chief of the Office of Intergovernmental Affairs, informed committee members about recent FCC initiatives to expand access to the internet, improve how the commission assesses broadband deployment and ensure the security of emergency communication systems.
Initiatives and programs include:
The Emergency Broadband Benefit Program
Broadband Data Task Force
The second round of the COVID-19 Telehealth Program
911 Fee Diversion Task Force
Emergency Alert System and Wireless Emergency Alert improvements
Committee members also heard from NACo’s Chief Information Officer Rita Reynolds about the DotGov Online Trust in Government Act, which was passed in December 2020. The legislation transfers administration of the DotGov domain from the federal General Services Administration to CISA, which is under the Department of Homeland Security.
Many county websites utilize the DotGov domain name. Reynolds explained its benefits include clearly identifying that a website is coming from a government organization, building trust levels with users and allowing CISA to increase internet defenses.
To receive the DotGov domain, counties must complete a registration process through CISA.