Congratulations to the President’s Commission on Enhancing National Cyber Security for releasing on December 2 its final report. Its 70 recommendations and action items span the operational and policy needs of government and private sector cyber security and surely should help the Trump Administration get a feel for the breadth and complexity of the challenge it will inherit.
But one critical recommendation is missing: the report should have paid more attention to the dire cyber security funding needs of state and local governments.
The business axiom “you have to spend money to make money” should remind us that we also need to spend money to save money. This is a particularly enlightened principle in the world of cyber security, as new innovations beget new vulnerabilities and attacks, which add increasing costs to enterprise operations and recovery from cyber incidents.
Yet when we look at cyber security management by state and local governments, their spending of money to save money, and to protect data and critical services, does not come close to where it should be.
Clearly, priorities need to be set every year against tight budgets. Governors have a tough job. Our federal government, primarily through Congressional appropriations for the Department of Homeland Security’s Grant Program (HSGP), has acknowledged state spending shortfalls in many areas considered priority homeland security concerns. Accordingly, Congress has funded these areas to the tune of $1 billion per year.
But even with President Obama’s request for a 37 percent increase in cyber security resources for the 2017 budget year, federal cyber security funding for the states has been overlooked.
When I was DHS Assistant Secretary for Cyber Security in 2007, I was alarmed by this funding gap and made an unsuccessful effort to establish an HSGP set-aside for state cyber protection. The timing wasn’t right then, but we were able to designate states’ cyber spending of HSGP funds as an “allowable expense.” Cyber has since been upgraded to a “core capability”, but the net effect is that there have been no incentives or accountability for states to spend federal grant money on cyber security.
When budgets are tight and the pressure is on, state governments understandably favor spending on visibly reassuring equipment such as fire trucks, as opposed to unseen firewalls.
Consider some of these troubling numbers:
- According to a 2015 Ponemon Institute study, 50% of state and local governments experienced 6 to 25 breaches in the prior 24 months, and 12% experienced more than 25 breaches. Just look at the 200,000 voter records breached in the Illinois voter registration system over the summer, and the recent ransomware attack that brought down the San Francisco Muni Rail System.
- Most state cyber budgets are between 0 and 2% of their overall IT budget, compared with an average of more than 10% in large companies.
- According to one DHS tally, only 30 states and 2 tribal territories spent a total of $27.3 million on cyber security with HSGP grants over a four-year period from 2011-2014.
- As recently as 2013, 56 states and territories left an average of 36% of the grant moneys awarded to them on the table (unspent), indicating a significant availability of funds that could be targeted at other critical needs like cyber security.
- 80 percent of state CIOs surveyed in a 2016 NASCIO and Deloitte study identified lack of sufficient funding as their number one challenge in cyber security, followed by inadequate availability of cyber security professionals.
So the time is right for a change. Bigly. President-elect Trump has identified infrastructure renewal as one of his top priorities. But we can’t modernize public transportation, water purification, air traffic control or the electric grid without securing the IT and communications networks that control the nervous system of “smart cities”, “internet of things” and “predictive maintenance.” This reality is not lost on the National Governors Association either, whose signature initiative under Governor McAuliffe’s chairmanship is cyber security – under the lean-forward moniker of “Meet the Threat.”
It isn’t that states aren’t spending their own money on cyber or that they’re not getting help. DHS is to be commended for the range of cyber security services it has developed for the states, such as funding for the Multi-State ISAC that provides threat feeds to states, cyber resilience reviews and on-site support. But the fact is these initiatives are merely band-aids covering a larger problem, and often put the cart before the horse. If a complex enterprise such as a state government, with its multiplex of agencies and services, does not have a foundational security architecture, the most advanced protective tools, and experienced technical support to manage them, then it won’t be able to take DHS coaching and run the plays effectively. In other words, a coach without a team and a field is not going to win the game. And teams and fields cost money.
The only state specific recommendation offered in the President’s Cyber Commission report was, to some extent, a cart before the horse imperative. Action Item 5.5.3 recommends that “The governors in each state should consider seeking necessary legislative authority and resources to train and equip the National Guard to serve as part of the nation’s cybersecurity defense.” This might be the most coherent solution for a critical operational and incident response challenge, but it still doesn’t address the need for stronger underlying security architecture that would reduce the need for incident response in the first place.
So, here’s what the Trump Administration can do as it develops its infrastructure investment package: Make the case that the nation’s critical infrastructures include the internet protocol and all the information and networked services it manages – both online and physical – and make the necessary investment to secure those state infrastructures. States’ investment needs are somewhere in the billions of dollars, but we can start somewhere short of that – in the hundreds of millions of dollars of seed money – to give the states the jump-start they need to build and modernize the cyber security systems that will protect the nation’s next generation infrastructures. And they have a playbook – the NIST Cybersecurity Framework – which DHS can use to measure the effectiveness of states’ application of these federal investments.
Business leaders agree. In an open letter to President-elect Trump, IBM CEO Ginni Rometty said it well: “…(A)s infrastructure gets smarter, it also increases the need for cybersecurity, so that vital networks cannot be compromised. We recommend that your infrastructure package include incentives for states and localities to build intelligent – and secure – roads, bridges, buildings, and other public facilities.”
Forsaking states’ cyber funding needs for another four years would indeed be penny wise and pound foolish. Instead, shouldn’t we spend a penny to save a dollar? That’s good business, good government, more jobs and a secure infrastructure.