How state governments are waking up to cybersecurity
Cybersecurity researchers
reported
last week that Chinese hackers have breached the networks of six state governments since May. The news adds to the challenges facing state and local governments managing growing cybersecurity risks, including widespread ransomware attacks.
The biggest cyber risk facing state governments is ransomware attacks. This entails hackers seeking to extract ransom payments by compromising or encrypting sensitive data. Such hackers have successfully breached state and local government organizations in recent years. Between 2018 and 2020, nearly 250 government organizations were
victimized
by ransomware attacks. This cost them as much as $50 billion. Beyond the financial costs, these attacks can disrupt key government services, including public safety, and also put sensitive data at risk.
Congress and federal agencies have sought to help state and local governments manage the problem. Congress recently created a new
cybersecurity grant program
to award $1 billion over five years. This comes in addition to the billions provided annually by the Department of Homeland Security that can be used for cybersecurity. Congress also passed a law last year designed to help state and local governments transition to .gov domains managed by DHS so as to improve security. The federal government has also issued valuable guidance on how to prevent ransomware attacks and manage cyber risks.
But state and local governments are ultimately responsible for managing their own security. Preventing ransomware and other threats will require state lawmakers to establish cybersecurity laws, improve governance, and ensure that their agencies have the necessary technical expertise.
In 2021, many states considered legislation to improve cyber risk management.
According to the National Conference of State Legislatures
, 45 states considered cybersecurity bills last year. Common themes of this legislative activity were requiring cybersecurity training for state employees, establishing and enforcing new security guidelines, and planning for cyber incidents.
Several states also established new laws aimed to address ransomware threats. Indiana passed a measure to require state and local government agencies to report cyber incidents to the state’s Office of Technology. North Carolina established a law that prohibits state and local government agencies from paying ransoms in the event of a breach.
This year, Florida state lawmakers are considering
legislation
that could become a model for how states can improve cyber risk management, including by establishing security standards for local governments. The bill would require new rules for state and local governments to report cyber incidents as well as after-action reports to the state. By 2025, all county and municipal governments would be required to adopt and implement cybersecurity best practices based on federal and state guidelines. The bill recently passed the state House of Representatives with overwhelming support.
Facing attacks from nation-state adversaries and criminal hackers, state and local governments are increasingly on the front lines of this fight. State lawmakers have a responsibility to ensure that they are adopting security best practices.
Dan Lips is the head of policy at the Lincoln Network.
Gloss