Published by The Lawfare Institute
in Cooperation With
Federal and state officials recently told a Senate Committee that state and local governments need additional cybersecurity resources. Their testimony follows the gatherings of the nation’s state secretaries of state and election directors earlier this year in Washington, where cybersecurity and election integrity were a top focus. Congress is now considering legislation to create a new grant program to strengthen state cybersecurity.
In December 2019, Congress appropriated $425 million in new funding under the Help America Vote Act to upgrade election systems and improve security. The National Association of Secretaries of States applauded the investment. But state officials have urged Congress to establish additional, sustaining funding streams to upgrade aging voting machines and address cybersecurity vulnerabilities.
Yet state and local governments currently have $2.7 billion in unspent homeland security grants on hand. Using some of those funds in 2020 to improve state and local cybersecurity could help achieve the national, bipartisan goal of protecting the 2020 election from foreign interference.
Why Additional State and Local Cybersecurity Capabilities Are Needed
State and local governments are now on the front lines of a national effort to defend U.S. election systems from potential foreign interference.
Jared Dearing—the executive director of the Kentucky State Board of Elections—testified on Feb. 18 before a state legislative committee that nation-state adversaries are routinely scanning state and local networks. “We’re asking county clerks with very, very limited resources, with not enough IT staff, to fully maintain their own systems,” Dearing said. “We’re asking them to participate in national security.”
In his recent testimony before the Senate Homeland Security and Governmental Affairs Committee, Michigan Chief Security Officer Chris DeRusha said that “[a]ttacks on government organizations at all levels continue to increase and demonstrate the ever-expanding capacity of our adversaries. State of Michigan firewalls repel over 90 million potentially malicious probes and actions every day, and we are not unique.” He added that resources to defend systems at the local level are particularly scarce. “[O]f Michigan’s 83 counties,” he continued, which are home to approximately 10 million people, “only three have uniquely designated Chief Information Security Officers with dedicated time and authority to address cybersecurity for their organizations.”
Helping state and local officials secure their systems from cyber threats will require significant funding and resources. Last year, the Brennan Center estimated the cost of achieving basic election security to be $2.15 billion over five years, with more than half of that amount focused on strengthening cybersecurity. The Brennan Center’s estimate includes $833 million for “additional state and local election cybersecurity assistance” and $486 million to “protect voter registration infrastructure.”
State officials also recognize the need to improve state and local cybersecurity and to leverage limited resources. In January, the National Governors Association (NGA) and the National Association of State Chief Information Officers (NASCIO) co-published a report calling for increased state and local cybersecurity collaboration. NGA and NASCIO explained that states were responding to increasing ransomware attacks by “increasingly providing services to county and municipal governments, including endpoint protection, shared service agreements for cyber defensive tools, incident response and statewide cybersecurity awareness and training.”
Using Homeland Security Grants to Improve State and Local Cybersecurity
While Congress is unlikely to appropriate new election security or cybersecurity funding in the short term, existing homeland security grant funding could be used to improve state and local cybersecurity capabilities.
Each year, the Department of Homeland Security (DHS) awards more than $1 billion in grants to state and local governments “to prevent, protect against, mitigate, respond to, and recover from acts of terrorism and other threats.” The grants are distributed through a series of different programs—including formula grants to state governments, competitive grants for specific security needs, and risk-based allocations to major urban areas.
One of these programs is called the State Homeland Security Program. In 2019, DHS awarded $415 million to state government agencies through the program. States are required to spend 25 percent of those funds on “law enforcement terrorism prevention activities” but otherwise have broad discretion over how the rests of the funds are used to improve homeland security, including cybersecurity. (Cybersecurity is listed as one of the Federal Emergency Management Agency’s “core capabilities” for homeland security. FEMA’s 2019 Preparedness Grants Manual explicitly says that cybersecurity expenditures are allowed.)
States and Local Governments Currently Have $2.7 Billion in Unspent DHS Grants
States already have access to significant resources to improve state and local cybersecurity to protect election systems. According to the White House’s 2021 budget proposal, states and major urban areas have billions of unspent grant funds that could be steered toward cybersecurity: “Of the $5.3 billion in awards made since 2015,” the White House wrote, “recipients of FEMA’s two largest grant programs—[State Homeland Security Program and Urban Area Security Initiative]—are currently carrying $2.7 billion in unspent balances, or 50 percent of awarded funds.”
While some funding may already be obligated for future projects, states and urban areas could spend unobligated funds or reprioritize other projects to fund cybersecurity investments in 2020. Using $1 billion of the currently unspent grant funds would be nearly enough close the cybersecurity gaps identified by the Brennan Center’s report.
Some observers may question whether grant funds that were originally intended to help states and cities prepare for and prevent terrorist attacks should be used for state and local cybersecurity. But the Government Accountability Office and congressional watchdogs have raised questions about whether these grants are buying-down risk and closing capability gaps to improve security or, instead, simply subsidizing state and local public safety.
While FEMA does not publicly report which states have unspent or unobligated homeland security grant funds, this data is routinely made available to Congress upon request. It is nonetheless fair to assume at least $1 billion in unspent homeland security grant funds are currently available to state governments. (DHS has awarded more than $2 billion to states through the program since 2015, and the White House estimated that 50 percent of funds remain unspent over that period.)
Election Security Has Become a Homeland Security Priority
While the nation must remain vigilant to prevent terrorist attacks, securing the nation’s election systems has become a clear homeland security priority. Consider DHS’s increasing involvement in securing American elections beginning in 2016.
In August 2016, then-Secretary Jeh Johnson offered cybersecurity assistance to state election officials. The following January, he designated election systems to be critical infrastructure. The Trump administration has continued to prioritize election security. Under Director Chris Krebs, the Cybersecurity and Infrastructure Security Agency (CISA) has identified election interference to be “one of the highest-profile threats we face today.” CISA recently released its #Protect2020 Strategic Plan, describing all the ways the agency plans to support state and local officials administering elections.
It’s clear that DHS views election security as a top homeland security priority. But CISA has limited resources with only about 700 dedicated cybersecurity workers. DHS could encourage states to use already available homeland security grant funds to provide cybersecurity services to local government offices, such as by hiring cybersecurity navigators to provide technical assistance or to help localities install sensors to monitor network traffic.
There’s already precedent for DHS to issue new grant guidance and to direct states to spend funds quickly during an election year. In 2012, the department issued new guidance urging states to spend $8 billion in unspent homeland security grants at the time, citing the economy: “In light of the current economic situation and the need for further fiscal stimulus, DHS/FEMA have evaluated ways to further streamline the grants process and put available funding to work now.” This 2012 guidance specifically allowed grantees to reprioritize previously awarded funds to be spent on more urgent homeland security priorities at the time (such as “general purpose equipment and overtime/backfill expenses for first responders engaged in protection or prevention activities”). It also offered several waivers from prior appropriations, such as 2008 and 2009 rules that required 25 percent of state grant funds be used for countering improvised explosive devices or capped personnel costs at 50 percent of allowed expenditures.
Protecting the 2020 election from foreign interference is a bipartisan, national priority. DHS and states should work together to use some of the billions in unspent homeland security grant funds to improve state and local cyber defenses before November.