“It’s a significant amount of money that has never existed before,” Pincus said. “Our members and other state and local government associations have been clamoring for the need for some sort of cybersecurity-specific funding stream available to local and state governments.”The funds are set to be allocated over four years, with $200 million made available in 2022, $400 million in 2023, $300 million in 2024, and $100 million in 2025. States have varying funding match requirements throughout that time to help share the financial burden, and 80 percent of the money will go to local governments that may be more in need. The federal funds are set to be rolled out after a difficult few years, during which state and local governments have found themselves increasingly vulnerable to attackers as critical services moved online during the COVID-19 pandemic.Even prior to the pandemic, governments were increasingly under attack, with ransomware attacks against the city governments of Baltimore, Atlanta, New Orleans and dozens of Texas towns crippling services and costing millions of dollars to recover from in recent years.Rita Reynolds, the chief information officer at the National Association of Counties (NACo), told The Hill on Monday that counties were seeing more “probing” of networks for vulnerabilities. “COVID brought challenges, but it brought significant opportunities with the utilization of technology,” Reynolds said. “Setting the stage then, that gives a much broader landscape for what we call the bad actor community, the hackers, to access more information from counties, from local governments than they have ever had before, and so the exposure is greater for sure, and it isn’t going to go away.”Reynolds noted that the funds were desperately needed for issues including implementing multi-factor authentication, switching over to more secure .gov domains, and hiring and maintaining a skilled cybersecurity workforce. “In so many of these smaller to midsize counties, they don’t have a security professional on staff or even access to a consultant, one that will meet their needs appropriately,” Reynolds said. “Even in the smaller counties, some don’t even have an in-house IT person.”Besides the apparent needs, up until recently there has not been as much of a focus on allocating limited funds to cybersecurity. Pincus told The Hill that only 35 percent of states currently have a line-item budget for cybersecurity, an amount he described as “wholly inadequate.”But in the wake of escalating and expensive successful attacks, states and localities have clamored for the funds, with officials testifying on Capitol Hill about the desperate need to shore up cybersecurity, and organizations sending letters outlining the needs.
