Bipartisan legislation supports state and local cybersecurity

It’s an undeniable reality that no organization is immune to the increasing sophistication of cyber adversaries — with ransomware continuing to be an especially serious threat.  

In fact, in 2021, the average ransom demand rose 144 percent to $2.2 million, according to research from Palo Alto Networks’ Unit 42 team. Those threat researchers identified 35 new ransomware gangs in 2021, an expansion of the already thriving extortion ecosystem.

State and local governments need to be especially vigilant. Nearly 80 percent of state and local IT officials said they expect ransomware to be a persistent threat over the next 18 months, according to a study Palo Alto Networks commissioned with the Center for Digital Government. Although cybersecurity budgets have thankfully shown some increases, the same study revealed that over half of state and local entities don’t have a ransomware incident response plan in place.

Perhaps lost in the seriousness of this backdrop, is one welcome development from the past year: meaningful bipartisan support from Congress to assist cyber defenders across organizations of all shapes and sizes.

Congress needs to continue pushing forward with initiatives like the State and Local Cybersecurity Grant Program, created through last fall’s bipartisan infrastructure law, which are poised to measurably move the needle and promote cyber resilience across all corners of the country. 

As DHS works to finalize the Notice of Funding Opportunity for this program, states eagerly await this formal guidance on how the program will be rolled out. Consistent themes we have heard from state and local cybersecurity leaders include:

• The need for multi-entity approaches between state and local governments;
• Continued evolution toward Zero-Trust Architecture;
• Movement from narrow, single-point solutions to more integrated platforms; and
• Growth in information sharing initiatives among states.

Other congressional legislative efforts look to deepen the partnership and collaboration between the federal government and state and local entities.

President Biden recently signed into law the State and Local Government Cybersecurity Act, legislation sponsored by Sen. Gary Peters (D-Mich.) chairman of the Senate Homeland Security and Governmental Affairs Committee. This law will deepen the information sharing, coordination, tools, and training made available to state and local entities across the country.   

At the same time, the federal government must continue leading by example around how it builds resilience on its own networks. 

In early March, the Senate unanimously adopted the Strengthening American Cybersecurity Act, bipartisan, comprehensive legislation to expand the universe of cyber incidents reported to the Cybersecurity and Infrastructure Security Agency (CISA), strengthen cybersecurity requirements for federal agencies, and modernize the federal government’s ability to procure cloud technologies.

While some of the provisions in this legislation were recently enacted into law via a government funding package, much of it still needs to be pushed across the finish line.

The continued full court press from Congress to provide vital resources to state and local governments, federal agencies, and critical infrastructure entities alike is welcome news. The American people are continuously reminded how entities public, private, large, and small can all be attractive targets for cyber adversaries.

Just a little more than a year after the Colonial Pipeline ransomware attack led to panicked gas buying across the Southeast due to the pipeline system halting operations to deal with the intrusion, attacks like this have unfortunately become more common than ever. 

The list of victims has become varied as it is wide, from a Maryland health agency to a small Illinois university that opted to shut its doors, in part, after being unable to recover from a ransomware attack.

While there’s no way to say definitively how many ransomware attacks there were last year, the Unit 42 threat research team found the names and proof of compromise for 2,566 victims publicly posted on ransomware leak sites in 2021, marking an 85 percent increase from the previous year.

The seriousness of today’s threat landscape should encourage information sharing and collaboration between the public and private sectors. Efforts like CISA’s Joint Cyber Defense Collaborative (JCDC), DHS’s Supply Chain Risk Management Task Force and NIST’s National Cybersecurity Center of Excellence projects highlight the power of partnership between government and industry.

Additionally, we’ve seen states like North Dakota, Massachusetts, New York, and others work across levels of government and across state lines to up their own game by sharing intelligence, information, and capabilities.

That same recognition from Capitol Hill that cybersecurity is indeed a team sport is something we should all applaud.