Security news that informs and inspires

Lawmakers Ask for Cybersecurity Funding for States


As Congress continues to work on the contents of the next stimulus package, a bipartisan group of lawmakers are trying to gather support for earmarking some funds to modernize state and local governments' IT infrastructure.

Rep. Michael McCaul (R-Texas), the ranking member of the House Foreign Affairs Committee, Reps. Jim Langevin (D-R.I.), Mike Gallagher (R-Wis.), and Cedric Richmond (D-La.) plan to send a “Dear Colleagues” letter to House lawmakers sometime this week, The Hill reported. The goal of the letter is to encourage more lawmakers to pressure Speaker Nancy Pelosi (D-Calif) and Minority Leader Kevin McCarthy (R-Calif) to include funds in the next funding package that state and local governments can use towards current and future IT modernization projects.

“Unfortunately, our digital infrastructure is (virtually) crumbling,” the lawmakers wrote in the not-yet-sent letter, according to The Hill. “Federal agencies often rely on IT systems that are decades old, and the problems are all the more acute at the state and local level.”

The lawmakers were concerned that state and local IT systems are not able to bear the increased load as people try to access “vital government services.” State unemployment sites have crashed in recent weeks under the weight of all the applications. Some states are trying to hire developers who know legacy programming languages such as COBOL to keep their systems running, because the systems are that old. State and local IT and cybersecurity are dealing with increased responsibility, but are hampered in what they can do with legacy systems.

All of these challenges may result in residents not being able to access the resources they need.

This is not the first letter from House lawmakers to Pelosi and McCarthy. In mid-April, House Homeland Security Committee Chairman Bennie Thompson (D-Miss) sent a letter along with Reps. Cedric Richmond (La.), Dutch Ruppersberger (Md.), and Derek Kilmer (Wash.) to Pelosi and McCarthy requesting cybersecurity funding for states and local governments to use to make sure their networks stay up and running.

“The American public is counting on State and local jurisdictions to implement and deliver COVID-19 relief packages approved by Congress,” that earlier letter said. “Any disruption in the delivery of services would only compound the strain on State and local governments struggling to effectively serve their citizens in the midst of a global pandemic. We cannot let that happen.”

Shortly after, a coalition of technology groups—The Internet Association, BSA, CompTIA, Cyber Threat Alliance, Cybersecurity Coalition, the Global Cyber Alliance, the Alliance for Digital Innovation, and the Information Technology Industry Council—also pressed Pelosi and McCarthy to make cybersecurity funding a priority in future Congressional funding packages. The groups were particularly concerned about the number of ransomware attacks against state and local government entities over the past year, and the likelihood that attackers would target state- and locally-owned and -operated public hospitals.

“State and local entities, however, have long lacked the resources to adequately secure and maintain their digital infrastructure,” the group wrote. “The rise in malicious cyberattacks targeting state and local entities, combined with the chronic lack of workforce, patchwork legacy systems, under-resourced cybersecurity and IT services, and uneven federal assistance creates a greater risk of system failure that interrupts services on which state and local populations depend.”

The ransomware attack against Baltimore last year is expected to have cost the city $18.2 million. Atlanta spent $2.6 million within the first few months of the attack that crippled nearly all its systems. A city auditor’s report later concluded that one of the reasons the ransomware attack had been so devastating for Atlanta was because of the sheer amount of legacy systems the city relied on. The report found nearly 100 servers running outdated versions of Windows, and many of the systems were severely behind on security updates. However, the problem of legacy systems isn't unique to Atlanta. Municipalities have long had to defer modernization plans because they didn't have funds or the authority to embark on these kinds of IT projects.

“This was the reality before COVID-19,” the groups wrote. “Things have become considerably worse in the months since.”

State and local government operated health systems make up nearly 20 percent of the country's community hospitals, the letter from the tech coalition said. Medical facilities, research institutions, and other healthcare organizations have been targeted by ransomware and other cyberattacks over the past few weeks, "at a time when disrupted service is intolerable."

“As it stands, State and local entities are simply not resourced to effectively address these new challenges over the extended period that pandemic mitigation measures will likely need to remain in place,” the groups wrote.

It is not clear whether there is enough political will within Congress to include cybersecurity funding, despite the fact that there is some support for it. It is also unclear when the House of Representatives will begin working on the next stimulus package.

“As we consider additional legislative measures to address the urgent needs of our citizens, we encourage you to consider the digital infrastructure on which so many of our constituents rely to access vital government services,” the House members plan to write in the latest letter.