Is your state prepared to handle a cyberattack? According to Rep. Michael McCaul, R-Texas, the answer is likely “no.”

“Despite playing a vital role in protecting our nation against cyberattacks,” McCaul observes, “state governments often do not have the vital resources they need to strengthen their cybersecurity capabilities or retain or recruit seasoned cybersecurity professionals.”

Indeed the sad reality is that, compared to their federal counterparts, most state and local governments are not well equipped to deter, detect, defeat or recover from cyberattacks. The State Cyber Resiliency Act, a new piece of legislation introduced in Congress, is looking to fix that.

While federal support would greatly assist budget-strapped local governments, states should be prepared to act independently of federal assistance — and as quickly as possible.

Cyberattacks on state and local governments are becoming increasingly frequent. In March 2018, hackers demanded more than $50,000 from the city of Atlanta after the SamSam ransomware attack. Although the city refused to hand over the funds, taxpayers still had to pay $17 million to replace technology and incorporate cybersecurity updates.

A few days later, the city of Baltimore found the computer program that manages its 911 emergency call center disrupted by hackers. Staff were forced to manage emergency calls manually, and the system wasn’t fully restored for 17 hours. In Pennsylvania, Senate Democrats paid more than $700,000 to Microsoft to restore computer systems damaged by hackers. And just this month, although no major services were affected, the city of Albany, N.Y., fell victim to a ransomware attack.

The problem is also widespread. According to a 2018 survey by the International City/County Management Association, “Approximately one in three local governments don’t know how frequently their information system is subject to attacks, incidents and breaches. Of those that do, 60 percent report they are subject to daily cyberattacks, often hourly or more.”

Unfortunately, governments at all levels run into difficulty in recruiting and maintaining a cybersecurity workforce to prevent and address these attacks. A report by (ISC)2 found a gap of 2.9 million cybersecurity professionals globally and predicted this number was likely to increase in the future. In the United States alone, there was a shortfall of 17,000 information analysts between April 2017 and March 2018, with an additional 200,000 openings for other jobs requiring cybersecurity-related skills.

The State Cyber Resiliency Act, introduced in the U.S. House of Representatives by McCaul and Derek Kilmer, D-Washington, and in the Senate by Mark Warner, D-Virginia, and Cory Gardner, R-Colorado, aims to bolster state and local governments’ abilities to defend against cyberattacks. If the bill is passed, states will be able to apply for federal grants to both develop and implement cyber resiliency plans. A state or local government would be able to receive grants twice for developing new programs and twice for supporting existing programs.

Because the funds would be granted only a limited number of times, state and local governments must seek innovative and workable solutions to their cybersecurity problems that are sustainable after federal funding has been spent.

Some states with limited resources are already working to develop cost-efficient volunteer cyber forces. Governors in Ohio, Michigan and Arizona, for instance, have created public-private partnerships that leverage the expertise of local cyber experts. The Ohio Cyber Collaboration Committee (OC3) brings together volunteers from a variety of public, private, military and educational organizations to create a cyber task-force to respond in a coordinated fashion if the state were attacked. Michigan’s MiC3 — short for “Michigan Cyber Civilian Corps” — and the Arizona Cybersecurity Team are similarly structured.

In addition to recruiting volunteers, state and local officials should look to funding potential cyber professionals. According to the federal bill, approved grant projects could include educational programs for individuals interested in pursuing careers in cybersecurity and willing to work for their state or local government for a certain amount of time. Developing a future talent pool is vital since successful programs must be sustainable once federal funding is depleted. States looking for other inspiration can look to the U.S. Department of Homeland Security’s best practices case studies.

Cybersecurity is too important for state officials to ignore or kick down the road. The existence of volunteer programs like the OC3 and MiC3 show that it is possible for states to take cyber defense into their own hands, develop programs that suit their unique needs and protect their unique vulnerabilities. Regardless of whether the State Cyber Resiliency Act is passed, state and local officials should proactively prioritize cybersecurity before hackers attack and leave them to pick up the (expensive) pieces.

Featured Publications