As federal legislators rejoin the lawmaking process in Washington, they are presented with an encroaching deadline to renew a vital cybersecurity grant program for state and local governments nationwide.
On Sept. 30, the State and Local Cybersecurity Grant Program (SLCGP) will expire, placing cybersecurity programs across the country in jeopardy and potentially exacerbating the nation’s worsening cybersecurity crises. With billions on the chopping block, a coalition of cyber groups and legislators are petitioning Congress to renew the program with a $4.5 billion reserve to distribute over a two-year span.
Recent trends have shown that foreign actors have been consistently targeting critical infrastructure at all levels of government, impacting critical services, stealing data and performing espionage. Threats from major powers have risen dramatically, with some industries receiving nearly triple the amount of attacks than previous years.
The SLCGP has been pivotal in ensuring governments – particularly state, local and regional ones – are able to bolster their cyber resiliency in the face of escalating threats. It is currently the only federal program exclusively dedicated to enhancing state and local government and rural area cybersecurity posture. Originally funded with $1 billion over a four-year period, the SLCGP has shown that funded initiatives have yielded positive results by mitigating threats and safeguarding national, state and local security.
Should the program expire, nationwide cybersecurity measures would be significantly weakened, stalling without reliable funding to shore up defenses and address future threats. Multiple groups have submitted letters of support for the SLCGP to congressional members, urging them to take action by signing a long-term reauthorization, reducing cost-share requirements for communities and improving the application process.
While the program has been highly regarded, state technology leaders have expressed that it has delivered less funding than truly needed to overcome numerous cybersecurity barriers. With the $1 billion spread across all states and six territories over four years, recipients have been forced to contribute continually higher funding matches to receive support, raising the bar past what many are feasibly able to offer.
Reauthorizing and consistently funding the SLCGP would support a more cohesive national cybersecurity framework, removing pressure from state and local agencies and the uncertainty associated with existing programs. The technology coalitions are also advocating for lower required fund matches. These changes would directly support areas that typically don’t have adequate budgets or expertise to implement cybersecurity policies and technologies that might be otherwise unavailable. Requiring strategic planning alongside ample financial support contributes to holistic safety and results in improved governance and planning, mitigation measures and workforce development.
In one of the letters, the coalition asserted that the program helped advance the concept of a “whole-of-nation” approach to cybersecurity. Recipients pursuing related initiatives are enable to collaborate across all government levels and sectors and benefit from resource sharing, reduced redundancies, better efficiency and promote a unified defense strategy.
The need for this type of approach is evident in the litany of cybersecurity breaches that have shut down critical utilities, interrupted business operations, suspended government services and damaged economic production and resilience. Some recent events include:
- Attacks against the water systems in Aliquippa, Pennsylvania, and Oldsmar, Florida, that threatened water supply safety and threatened control over the installations.
- Several of Nevada’s agency websites being shut down, impairing state operability and impacting service availability. Nevada is still working to fully restore services following the incursion.
- Ransomware attacks on transit systems in Pennsylvania, disrupting rail tracking, announcement systems and schedules.
- An attack against the Los Angeles Unified School District that leaked 500 gigabytes of sensitive student and faculty information.
Lawmakers are mirroring cybersecurity advocates efforts by drafting new legislation to ensure program continuity. A bill renaming the program to the Protecting Information by Local Leaders for Agency Resilience (PILLAR) Act was introduced Sept. 3, detailing Congress’ intention to continue supporting underfunding state and local cybersecurity initiatives. However, while the act doesn’t include how much would be available, it would extend the original law by another decade.
The draft bill includes new ordinance promoting the administration’s reinforced focus on artificial intelligence technologies in cybersecurity. In addition, the federal cost share would be 60% for entities and 70% for multi-entity groups through 2035. The cost share may be increased by an additional 5% for recipients implementing or enabling multi-factor authentication and identity and access management tools to protect critical information infrastructure by no later than Oct. 1, 2027.
If no action is taken, the SLCGP will expire at the end of September. Congress will be responsible for authorizing new legislation to support state, local and regional cybersecurity initiatives.
Photo by Ron Lach from Pexels
