States Press for Federal Resources to Fight CyberthreatsCongress Hears Testimony on Battling Ransomware, Other Threats at Local Level
State government officials from Michigan and Texas told a U.S. Senate committee on Tuesday that more federal resources are needed to help states combat cyberthreats, including ransomware.
The officials also asked the U.S. Cybersecurity and Infrastructure Security Agency, or CISA, a unit of the Department of Homeland Security that’s responsible for securing critical infrastructure, to share more information about cyberthreats with local and state representatives who are responsible for cybersecurity.
Amanda Crawford, the executive director of the Texas Department of Information Resources, and Christopher DeRusha, the chief security officer at the Michigan Cybersecurity and Infrastructure Protection Office, testified Tuesday at a hearing of the U.S. Senate Committee on Homeland Security and Governmental Affairs.
Senators also heard testimony from Christopher Krebs, the director of CISA, who agreed that the agency should provide more resources to state and local governments.
"I cannot be effective if I am sitting here in Washington, D.C. I need more dedicated state and local resources," Krebs testified. He did note, however, that the agency's role was not to provide hands-on assistance in overcoming cyberattacks, but to help state and local governments set up incident response plans and to provide them with information on how to prioritize recovery.
Over the last several months, CISA and Homeland Security officials have started to focus more on cybersecurity issues at the state and local levels as the U.S. gears up for the 2020 presidential election and ransomware attacks against cities have increased (see: Election Security Program Aims to Mitigate Ransomware Risks).
During the hearing, Senator Gary Peters of Michigan, the ranking Democratic committee member, noted at the hearing that while local and state governments are responsible for safeguarding elections and sensitive personal information, they don’t always have the tools to defend against cyberthreats.
"Financial constraints, workforce challenges, and outdated equipment are all significant challenges for states and cities," Peters said. "Attackers always look for the 'weakest link', and that's why we must ensure that everyone from small businesses to our state and local governments have the tools to prevent, detect and respond to cyberattacks."
Senator Ron Johnson, R-Wis., the committee chairman, also expressed sympathy for local officials, but told reporters later that he wanted to ensure that any federal money is efficiently spent.
"I just want to make sure that any additional resources, particularly personnel and more involvement with the states, is done the right way as an advisory, a clearinghouse, not as a regulatory control," Johnson said, according to the The Hill.
In December, security firm Emsisoft reported that over 960 government agencies, educational institutions and healthcare providers sustained ransomware attacks in 2019.
One of the hardest hit with ransomware was Texas, which saw 23 municipalities targeted in a coordinated attack in August 2019. In her testimony, Crawford noted that while the state successfully dealt with this cyber event without paying any ransoms, there were miscommunications between CISA and state officials working to resolve the issue.
“This confusion stemmed from a lack of clarity on the resources that CISA could provide to states," Crawford said. “If Texas and other states do not have greater awareness of the threats which could affect us, we cannot be effective in stopping them." She called for the FBI to review whether more information about cyberthreats could be released to the states.
Michigan’s DeRusha testified that Homeland Security should help officials tailor cybersecurity plans to the specific needs of each state.
"“We see the intent every day of [Homeland Security] trying to get everywhere across the state, particularly in the run-up to the elections, and I think it’s just a matter of they need more boots on the ground, and they need a specific state representative to get more familiar with that state," DeRusha added.