Reauthorization of the State and Local Cybersecurity Grant Program on the Horizon
The State and Local Cybersecurity Grant Program, poised to reach its expiration at the end of this month, is on the verge of reauthorization. However, the pertinent legislation still lacks a defined financial allocation. The quest to safeguard the digital infrastructure of state and local governments raises the crucial question: how much investment is warranted?
Introduced on Tuesday, the Protecting Information by Local Leaders for Agency Resilience (PILLAR) Act has begun its journey through legislative committees, receiving positive bipartisan feedback. Representative Andy Ogles, the Tennessee Republican who sponsored the bill, articulated a common sentiment, asserting that while he typically advocates for minimal governmental intervention, he recognizes the necessity of not leaving local entities vulnerable to cyber threats, which could result in a heftier burden later on.
“I don’t think there is a magic number,” remarked Erik Avakian, former chief information security officer for Pennsylvania. He emphasized that funding tends to fall short in addressing cybersecurity needs and advocated for a more responsive approach by asking states, “What do you need?”
Currently serving as a cybersecurity executive counselor at Info-Tech Research Group, Avakian reflected on the program’s nascent days, recounting how Pennsylvania effectively amplified its security awareness training initiative by expanding its license count significantly.
“We elevated our license quantity from 80,000 to approximately 250,000, thus reducing individual license costs,” he shared.
Avakian noted that stakeholders in state governance have perceived the initial $1 billion allocated over four years as merely a “starting point.” In a recent proposal to lawmakers, five industry organizations, led by the Alliance for Digital Innovation, suggested a much larger funding sum of $4.5 billion over a biennial span.
Notably, the PILLAR Act in its current iteration aims to reauthorize grants for a decade—a timeframe welcomed by the National Association of State Chief Information Officers (NASCIO), which has been vocal in advocating for the renewal and expansion of the program. Alex Whitaker, NASCIO’s director of government affairs, expressed contentment regarding the potential reauthorization, viewing the extended duration as advantageous.
Echoing Avakian’s sentiments, Whitaker remarked that the initial funding for the program was never regarded as particularly generous. “We’ve consistently viewed the SLCGP as a foundational investment that necessitates expansion. This is not solely driven by the desires of states and localities; the escalating sophistication and frequency of cyber threats demand it,” he emphasized.
The PILLAR Act proposes a requirement for states to contribute a 60% matching fund. Whitaker conceded that this stipulation is stringent but appreciates its consistency compared to the prior program, which increased matching requisites annually, complicating funding for some local governments.
Furthermore, the reauthorization would mandate that 80% of the received funding be allocated to local governments. It would also permit states to offer in-kind security services to satisfy this requirement. “This method enhances efficiency; dispersing checks to every local entity would deplete resources quickly,” remarked Whitaker.
“States can leverage existing programs for assessments and multifactor authentication, utilizing the funds to reinforce those efforts instead of compelling localities to develop new initiatives.”
For collaborations among governmental bodies, the matching requirement slightly escalates to 70%. However, discussions had yet to reveal any initiatives wherein conglomerates of states partnered on grants during the program’s initial four years. Avakian suggested forming regional alliances to economize on bulk purchases, noting the potential benefits of a united effort among all 50 states, albeit acknowledging the political complexities that such an initiative would entail.
An intriguing addition to the PILLAR Act is the inclusion of artificial intelligence (AI), mentioned a striking 26 times within the bill. Avakian elucidated that AI has emerged as a pivotal element in the realm of cybersecurity, impacting both attackers and defenders alike, thereby justifying its mention.
Travis Hall, director for state engagement at the Center for Democracy and Technology, contended that the prevalence of AI in the legislation is emblematic of contemporary trends, particularly among supporters of the Trump administration.
Notably, the White House’s AI Action Plan, introduced last July, proclaims an ambition to foster a trifecta of revolutions—industrial, informational, and cultural—through the facilitation of AI.
The AI Action Plan urges the Federal Communications Commission to scrutinize the potential interference of state AI regulations with Federal operations and directs other federal entities to identify and address state laws detrimental to industry operations.
Hall speculated that the numerous mentions of AI within the PILLAR Act could serve as a strategic alignment with the AI initiative, although he also posits a more straightforward interpretation: the increase in AI advocacy reflects a prevailing zeitgeist.
Source link: Statescoop.com.
