Training workers to fill a severe cybersecurity workforce shortage should be the first order of business for states and localities sharing $1 billion in new federal grant funding to beef up their technology protocols, experts said.
“There is plenty of work to go around but states have a really tough time finding people who can do it,” especially since the government agencies are competing with the private sector for cybersecurity workers, said Alex Whitaker, director of government affairs at the National Association of State Chief Information Officers, a Lexington, Ky.-based advocate for information technology policy at all levels of government.
Workforce development is one of the goals of the State and Local Cybersecurity Grant Program, a recently announced initiative that will award $1 billion to state, local and territorial governments over four years to address cybersecurity risks.
For fiscal year 2022, $185 million will be made available.
The cybersecurity grant program, announced in September, is part of the Infrastructure Investment and Jobs Act that President Biden signed into law in November 2021.
The Cybersecurity and Infrastructure Security Agency and Federal Emergency Management Agency, both of which are part of the Department of Homeland Security, are managing the grant program, which has four goals, including assessing and evaluating systems and capabilities, and building a cybersecurity workforce.
The Cybersecurity and Infrastructure Security Agency collaborates with state, local and territorial governments that often lack the resources to address cybersecurity challenges, CISA Director Jen Easterly said.
“The State and Local Cybersecurity Grant Program will play a critical role in helping these organizations build their capability and capacity,” she said in a statement last month.
The biggest cybersecurity risk to state governments is ransomware attacks, in which hackers typically seek ransom money after compromising or encrypting sensitive information, experts said.
Global cybercrime costs are projected to grow 15 percent annually, reaching $10.5 trillion by 2025, up from $3 trillion in 2015, according to a November 2020 report from Cybersecurity Ventures, a Northport, N.Y.-based cybersecurity industry research firm.
“This represents the greatest transfer of economic wealth in history, risks the incentives for innovation and investment, is exponentially larger than the damage inflicted from natural disasters in a year, and will be more profitable than the global trade of all major illegal drugs combined,” according to the report.
Experts called the new federal cybersecurity grant program “a good start” toward helping governments address their technological vulnerabilities, especially the goals for boosting the workforce.
There were 1.1 million cybersecurity professionals in the United States in 2021, but 377,000 more are needed, according to a cybersecurity workforce study from the International Information System Security Certification Consortium, or (ISC)², a Clearwater, Fla.-based provider of certifications for information technology professionals.
But worldwide, 2.72 million cybersecurity professionals were needed as of 2021. Though that number was down from the global shortage a year earlier, 3.12 million, many U.S. employers are competing globally for workers.
While some states are further ahead than others in their cybersecurity protocols, probably none is doing it at the level that it should because the United States as a whole hasn’t invested in cybersecurity enough, said Gordon Bitko, a senior vice president of policy who oversees the public-sector portfolio at the Information Technology Industry Council, a trade group in Washington, D.C.
Many small towns have small police departments and other agencies without the technological staff to make sure cybersecurity infrastructure is up to date, he said.
“This grant program is a recognition of that. It’s a recognition that we need to make more of a focused effort to invest in these areas,” Bitko said.
The COVID-19 pandemic also brought cybersecurity vulnerabilities to light as more employees began working remotely, he said.
The National Association of State Chief Information Officers has been advocating for a whole-of-state approach to cybersecurity, in which states can take the funds and use them to provide assessments of localities’ systems, said Whitaker, of NASCIO.
“There is a lot of low-hanging fruit that local governments can address right now,” such as transitioning from dot-com to dot-gov domains, which are more secure, and adopting multi-factor authentication to access computer networks, he said.