Cybersecurity is Local, Too: Assessing the State and Local Cybersecurity Grant Program

Cybersecurity and Infrastructure Protection

2025-04-01

Loading video...

Source: Congress.gov

Summary

The Committee on Homeland Security, Subcommittee on Cybersecurity, and Infrastructure Protection convened a hearing to examine the state and local cybersecurity grant program (SLCGP), which is currently up for reauthorization this year. The hearing aimed to assess the program's strengths and weaknesses and discuss future steps, particularly given the escalating cyber threats faced by state and local governments and critical infrastructure. [ 00:13:15-00:13:28 ] [ 00:13:40-00:13:45 ]

Themes

Necessity and Impact of the SLCGP

The State and Local Cybersecurity Grant Program is deemed a vital tool to address increasing cyber threats, including attacks from nation-states like China's Volt Typhoon and criminal ransomware groups. State and local governments often lack the necessary resources and qualified talent to defend against these sophisticated attacks, making them highly vulnerable despite hosting critical infrastructure. [ 00:15:02-00:15:19 ] The program, initiated in 2021, has allocated nearly $1 billion to strengthen cybersecurity postures, significantly improving and sometimes establishing cybersecurity frameworks for states and localities. [ 00:15:38 ]

Citation requires full transcript

Sign in to continue

Sign in
[ 00:16:01 ]

Citation requires full transcript

Sign in to continue

Sign in

Program Successes and Benefits

The SLCGP has demonstrated significant success by providing essential funding, fostering collaboration, and encouraging strategic planning based on best practices. Utah, for instance, received approximately $13 million in federal funds and $4 million in matching state funds, deploying a comprehensive cybersecurity initiative across 140 governmental entities and successfully blocking seven major cyber incidents within six months. Connecticut expanded offerings to local governments, awarding millions in grants and collaborating with the National Guard for systemic risk assessments, though many municipalities still face high risks. Louisville utilized funding to create the Kentucky Cyber Threat Intelligence Cooperative (KCTIC), a platform for timely, actionable cyber threat information sharing among regional governments and private sector partners, enhancing regional cyber resilience.

Challenges and Areas for Improvement

Several challenges and areas for improvement were identified to maximize the program's effectiveness. These include reducing administrative burdens and providing clearer guidance through simplified applications, as the current process can be complex and difficult for smaller communities with limited staff. There is a call for sustainable and predictable funding to enable long-term planning and address the reluctance of some local governments to start cybersecurity programs without assured ongoing support. The current pass-through model limits efficiency for larger jurisdictions, leading to suggestions for a complementary direct funding track for eligible larger municipalities. Standardizing matching percentages across grant years and promoting shared services are also proposed to reduce administrative complexity and costs.

Threat Landscape and Federal Response

The threat landscape is characterized by increasingly sophisticated and persistent cyber actors, including nation-states (e.g., China, Russia, Iran, North Korea) and criminal gangs. [ 00:14:24-00:14:35 ] [ 00:18:58 ]

Citation requires full transcript

Sign in to continue

Sign in
 Attacks include ransomware, data breaches, phishing campaigns, business email compromise, and attempts to disrupt critical infrastructure. The emergence of "ransomware-as-a-service" and the use of artificial intelligence by malicious actors are making detection even more challenging. Federal agencies like CISA and FEMA are recognized as crucial partners in this "whole-of-society challenge," providing expertise, support, and a framework for collaboration. [ 00:17:02-00:17:02 ]

Citation requires full transcript

Sign in to continue

Sign in
 However, concerns were raised about potential delays in funding distribution and proposed cuts to these agencies, which could severely impact national cybersecurity capabilities.

Tone of the Meeting

The tone of the meeting was largely serious, urgent, and collaborative, with a clear bipartisan consensus on the critical importance of the State and Local Cybersecurity Grant Program. Speakers emphasized the escalating threats and the dire need for continued federal support. [ 00:18:00 ]

Citation requires full transcript

Sign in to continue

Sign in
[ 01:01:01 ]

Citation requires full transcript

Sign in to continue

Sign in
[ 00:13:40-00:13:45 ] [ 00:14:35-00:14:44 ] While acknowledging the program's successes, there was a shared determination to identify and address its shortcomings to ensure greater efficiency and broader reach, especially for smaller, rural communities. [ 00:16:21-00:16:26 ]

Citation requires full transcript

Sign in to continue

Sign in
 Concerns about potential cuts to federal agencies involved in cybersecurity highlighted a sense of vigilance and advocacy for sustained investment. [ 01:01:46-01:02:23 ]

Citation requires full transcript

Sign in to continue

Sign in

Participants

Transcript

Committee on Homeland Security, Subcommittee on Cybersecurity, and Infrastructure Protection will come to order.  Without objection, the chair may declare committee in recess at any point.  The purpose of this hearing is to examine the state and local cybersecurity grant program, which is up for reauthorization this year.  Since Congress signed the program into law four years ago, nearly $1 billion has been allocated to bolster the cybersecurity postures of state and local governments.  Today, we will assess the program's strengths and weaknesses as we consider next steps.  I now recognize myself for an opening statement.   The threat of cyber attacks to U.S.  networks and critical infrastructure is real and rising.  Microsoft's 2024 Digital Defense Report estimates that its customers are targeted with more than 600 million attacks per day from nation-states and criminal actors.  For years, the intelligence community has warned of the threat of state-sponsored cyber actors engaging in malicious activities against our critical infrastructure.  As we've seen, these warnings have become a reality.   With the persistent threat that groups like the typhoons pose to IT and OT assets, any critical infrastructure sector could be the next to fall victim to attacks or have its data seized through a phishing scheme.  As cyber actors become increasingly sophisticated and persistent, we can no longer be complacent when it comes to securing our critical infrastructure.  We must take all steps necessary to ensure our nation's cyber preparedness and resilience.   In doing so, it is essential that our state and local government partners are similarly well situated to respond to these threats.  Despite often lacking resources and qualified talent for cybersecurity, state and local governments host the key pieces of critical infrastructure that keep our economy running.  If left unprotected, this presents a huge vulnerability.  To help state and local governments improve their cybersecurity postures, Congress passed the State and Local Cybersecurity Grant Program in 2021.   Since this program began, $838 million has been allocated to address cybersecurity risks and threats to information systems owned and operated by or on behalf of state, local, and territorial governments.
The state and local cybersecurity grant program is set to expire this September, at which point the program will not continue to receive federal funding unless reauthorized by Congress.  As we have heard from many stakeholders, this program has undoubtedly improved and sometimes even established the cybersecurity posture for our states and localities.   I am encouraged by the progress and applaud the efforts of our state and local governments to seize this opportunity to prioritize cybersecurity.  With that said, we know the program does not come without its challenges.  As we consider reauthorization, we want to understand any administrative burdens or barriers to ensure state, local, and territorial governments can focus on cyber resilience and preparedness.   To that end, it is also Congress's responsibility to evaluate whether the state and local cybersecurity grant program is the most efficient and effective means of strengthening cybersecurity posture of state, local, and territorial governments.  I'm here with an open mind and a vested interest in understanding how the program is working.  Cybersecurity is a whole of the society challenge, meaning federal government must continue to support and strengthen cybersecurity at the state and local levels to protect our nation's networks and critical infrastructure.   State and local governments must also continue to share information with each other.  They play an important role in disseminating best practices, which could greatly benefit organizations with less mature cybersecurity programs.  I want to thank our witnesses who've all had firsthand experience with the state and local cybersecurity grant program for being here today.  I look forward to hearing your perspectives on the program and working with you to strengthen our collective defense against cyber threats.  I now recognize the ranking member, the gentleman from California, Mr. Swalwell, for his opening statement.
Morning.  Thank you to Chairman Garbarino for holding this subcommittee hearing on state and local cybersecurity grant programs.  Also want to thank our witnesses for their participation.  A nice blend of private sector and public sector witnesses that we have today.   This program was established four years ago as the product of a bipartisan agreement from this committee.  And as we consider further authorization, it's important to remember that cyber attacks hit Republican districts and Democratic districts.  They're in blue states and red states.  They're in urban areas, suburban areas, and rural areas.   In my district, the 14th district of California in the Bay Area, the city of Hayward suffered a ransomware attack in the summer of 2023 that shut down the city's computer networks for more than two weeks.  And just two months ago, Hayward began notifying individuals that personally identifiable information, including social security numbers and sensitive medical information, had been breached as a part of the ransomware incident.   I know this story is not unusual, and I'm sure my colleagues have also heard from local governments impacted by cyber attacks and looking for help.  With cyber attacks coming from criminal gangs and nation-state adversaries, we cannot leave our state and local governments to fend for themselves.  Federal support for state and local governments is necessary to address the national security threat, and the state and local cybersecurity grant program has always reflected that understanding.   By providing $1 billion to state, local, tribal, and territorial governments, Congress took a major step in strengthening our country's cyber defenses.  For example, with a $250,000 grant from this program, a water utility can expand real-time monitoring to better detect and respond to cyber incidents, finally addressing a long-standing resourcing challenge in the water sector that we've heard about on this subcommittee for years.
When the state and local cybersecurity grant program was created, our primary concern was that ransomware epidemic that was plaguing our communities.  That threat remains, but China's campaign to pre-position on our critical infrastructure for potential future destructive attacks is even more alarming.   While much of our critical infrastructure is privately defended, some of our most vital services are provided by the public sector.

Sign up for free to see the full transcript

Accounts help us prevent bots from abusing our site. Accounts are free and will allow you to access the full transcript.

Sign up