Cash-short state and local governments are pleading with Congress to send them funds to shore up their cybersecurity as hackers look to exploit the crisis by targeting overwhelmed government offices.
Members of Congress have taken notice of cyber threats at the state and local level, both before and during the pandemic, and efforts are underway to address the challenges, though how much will be provided is uncertain amid a fight over the amount of additional coronavirus stimulus.
For Atlanta’s top cybersecurity official, any funds cannot come soon enough.
“We would love and welcome more funding from the federal government as our digital infrastructure is just expanding and it’s going to expand even more because of this,” Gary Brantley, the chief information officer for the city of Atlanta, told The Hill.
Brantley said that coronavirus-related attacks have become an issue for his office, particularly those targeted at his office through malicious phishing emails.
“We are seeing a lot more malicious activity, especially a lot of activity related to COVID-19,” Brantley said. “I know our phishing attacks are up tremendously across the city and attempts to confuse our user base are high.”
Prior to the pandemic, state and local governments were already plagued by cybersecurity threats.
Ransomware attacks, in which the attacker encrypts a system and demands money to unlock it, have increasingly hit government entities across the nation over the past two years.
The city governments of New Orleans and Baltimore had their networks temporarily taken out by ransomware attacks last year, while a coordinated attack on almost two dozen Texas towns in August and attacks on multiple school districts in Louisiana also highlighted the threat.
Atlanta was another city that fell victim to a ransomware attack. The 2018 incident negatively impacted city networks for months, and forced residents to pay some bills by paper. The city spent millions to recover from the attack, and the Justice Department later indicted two Iranian nationals in connection with the attack.
Brantley said lessons learned from the 2018 cyberattack helped prepare the city for new threats that have come up during the pandemic.
“We went from a computer virus to a human virus, and I just recall thinking we were focusing on the right thing, we didn’t expect this [pandemic] to happen, but we were focusing on our business continuity plans,” Brantley said. “From a mobile workforce perspective, the one thing people don’t really take into consideration is strong IT.”
But with states increasingly facing budget shortages and even potential bankruptcy from the impact of COVID-19 shutdowns, cybersecurity funding is uncertain at a time when more people are working from home and placing stress on systems and when hackers are zeroing in.
A coalition of groups representing state and local officials, including the National Governors Association and the National Association of Chief Information Officers, sent a letter to House and Senate leaders in April pleading for funding to support IT and cybersecurity infrastructure.
The groups asked that Congress “fully fund a dedicated cybersecurity program” to help state, territorial, and local authorities respond to stress placed on networks by remote working, and to the increase in attempted cyberattacks.
“This surge on our information technology infrastructure requires additional investment in both funding and manpower to keep up with the massive usage,” the groups wrote. “Additionally, malicious cyber actors have used attention on COVID-19 to their advantage, further targeting government infrastructure, the healthcare sector, and individual citizens for internet crimes, such as ransomware, phishing, and computer-enabled financial fraud.”
Their concerns have not fallen on deaf ears, and key members of Congress are moving forward with efforts to help states and localities amid a brewing fight over how much more in stimulus to pass after trillions of dollars have already been approved.
House Homeland Security Committee Chairman Bennie Thompson (D-Miss.), along with committee cybersecurity subcommittee Chairman Cedric Richmond (La.) and other Democrats, asked House leaders in April to include $400 million for state and local cybersecurity needs in the next coronavirus stimulus package.
While the funding did not make it into the House-passed HEROES Act, the $3 trillion stimulus package passed earlier this month, Thompson said last week that he would “continue to fight for state and local cybersecurity grants and election security funding in the HEROES Act” following President Trump’s comments condemning state vote-by-mail efforts.
Both Richmond and Rep. John Katko (R-N.Y.), the ranking member on the House Homeland Security Committee’s cyber panel, are also supportive of efforts around funding cybersecurity.
Richmond told The Hill on Friday that despite funds not being included in the HEROES Act, he is “committed to this effort and am looking for other opportunities and legislative vehicles to get these important resources into the hands of state and local governments.”
“Networks lack the capacity to process the increased traffic we are seeing and the increase in attacks that makes possible,” Richmond emphasized. “It is time to recognize the cybersecurity and IT modernization for state and local governments is essential to the success of our response and recovery efforts.”
Both Katko and Richmond are sponsors of legislation introduced before the pandemic that would create a $400 million grant program at the Department of Homeland Security to provide governments with cybersecurity funds.
While the bill has not yet been passed by the House, Katko told The Hill that supporting state and local governments was essential to maintaining services during the coronavirus pandemic.
"State and local governments have been critical in our fight against COVID-19, providing essential services that help combat the disease and deliver relief to the most vulnerable," Katko said. "At a time of unprecedented need for these services, we need to ensure governments have the necessary resources and guidance to protect against, and recover from cyber-attacks."
For Atlanta’s city government, while IT funds are still in the local budget, Brantley said more could be used to address changes ushered in by COVID-19.
“It’s a new way of dealing with things, I wouldn’t say that the challenges are that new, they are just different,” Brantley said. “The routines that we had in place are different, and we are trying to adjust to a new routine, new normal, new stress on our networks.”