SLTTs: It's Time to Collect on those Federal Promises
While generally opposed to categorical rules, any intelligent individual should appreciate the importance of cybersecurity. A failure to appreciate the importance of cybersecurity is likely indicative of other intellectual inadequacies, as every person over the age of 12 in this country has a smartphone, relies on electronic banking (even if indirectly), and enjoys air conditioning during the summer.
Lost in the aftermath of last week’s United States Supreme Court decisions was a key item of law signed by President Joseph R. Biden, Jr., which, when coupled with recent cybersecurity-focused grants identified in the Infrastructure Investment and Jobs Act (IIJA), signaled the U.S. Government’s efforts to arm the states and local governments for cybersecurity battles.
On June 21, 2022, President Biden signed the “State and Local Government Cybersecurity Act of 2021” into law. Formerly known as S.2520, the act was initiated shortly after the Colonial Pipeline incident, which motivated lawmakers throughout all levels of government to prioritize a proactive approach to cybersecurity. Often referred to as “left of boom” activities, proactive measures to enhance cybersecurity and prevent adverse incidents include training events, risk assessments, and the development of information sharing platforms.
This new act requires the National Cybersecurity and Communications Integration Center (referred to as the “Center” and formerly known as the “NCCIC”), which is housed in the Cybersecurity and Infrastructure Security Agency (CISA) under the direction of the Assistant Director of Cybersecurity, to “timely” and “to the extent practicable” coordinate to fulfill requests to conduct exercises with state, local, tribal, and territorial (SLTT) entities, provide operational and technical cybersecurity training to SLTTs, promote cybersecurity education, and create/enhance SLTT information sharing capabilities.
While great in theory, a few key issues are unaddressed: 1) Who (exactly) is eligible to make the “request” under 6 U.S.C. §659[(r)](p); and 2) Who pays the bill for these activities? Regarding requests sufficient to trigger the Center’s obligations to SLTTs, these are likely to originate with the SLTT’s Governor or Executive Official.
The financial question is more confusing, and the current laws within Title 6 offer no hints. One option is that the Center will require SLTTs to supply all of the funding, but for the costs of the travel and pay for federal employees sent to “coordinate” the assistance, from the SLTT’s operating budget or grant funding received through IIJA. Another option is that CISA, through its administration of the Cyber Response and Recovery Fund (also in the IIJA), will utilize some of the $20 million annual appropriation in pursuit of legally permitted activities (as defined by 6 U.S.C. 677c and 6 U.S.C. §659[(r)](p)). And, finally, a third (and less desirable) possibility is that all costs are borne by the SLTT itself, with the Federal Agencies assuming a position of “call us if you need us,” and the state scratching its head thinking “I just did.”
Arguably, some states are more advanced and prepared than the Federal Agencies themselves in the area of cybersecurity (cough, cough, California). But for those SLTT entities still pondering a defensive plan, it’s time to collect on the U.S. Government’s recent offerings.
Taking the realistic view that any request for assistance may be slow to materialize into action (despite a legal timeliness requirement), SLTT leaders need to reach out to the Center and request assistance with permitted activities based on the entity’s posture.
For those with a robust cybersecurity posture and pool of educated professionals, exercises are great mechanisms to test operational theories as well as bring private and public sector representatives together to measure collective defenses. Furthermore, inviting higher-education institutions to the exercises creates not only potential recruiting opportunities but also alternative revenue streams that are available to colleges and universities but not to governmental entities (donations… sponsors…). For SLTTs struggling to design their cybersecurity platform, inviting the Center to review present vulnerabilities and create an incident response plan is a perfect first step towards improvement.
Regardless of any SLTT’s cybersecurity posture (or those of its political subdivisions), the important message is that the appropriate federal agencies are now required to respond to requests for assistance consistent with the new act. Therefore, and with the worst potential response being “it may take a while,” it’s better to tender the request than ignore the opportunity.