Chapter 4: Recommendations for the Federal Government
Recommendation I: Dedicate Specific Funding Mechanisms for Cybersecurity Tied to Federal Priorities
There is a widespread and acknowledged requirement for increased cybersecurity-related funding for states and cities. Existing federal funding mechanisms, such as those designated for emergency services and counterterrorism, allow funding to be spent for cybersecurity, but are not specifically designed to fund those efforts. Typically the grant recipients are in disciplines like law enforcement and emergency management, and as a result little of the eligible money has in fact flowed to cybersecurity-related projects or agencies.
Creating cybersecurity-specific funding mechanisms tied to national priorities could provide guidance to state and local policymakers, help align SLTT programs with federal objectives and with other SLTT programs, and streamline the ecosystem. When cybersecurity remains a line item in other funding mechanisms, it necessarily remains more generic and less supportive of current policy and strategic initiatives.[1]
Recommendation II: Synchronize Federal Responsibilities and Authorities
To make incident response more efficient and effective, whether for large or small incidents, the United States should prioritize deconflicting efforts, authorities, and responsibilities across the various agencies. The existing incident reporting guidance lists several points of contact that depend on the nature of the incident, which may or may not be known until well after the event.[2] Furthermore, in many cases, verbal guidance provided to SLTT representatives from various federal agencies on how to report an incident has been conflicting.
Local representatives from relevant federal agencies can address these concerns from a regional perspective, but a national approach driven from the policy level is needed. To adequately mark and resolve conflicting issues, there may need to be a single point of contact for the federal government, perhaps located at each FEMA region, to coordinate federal government response. There are additional studies forthcoming that examine the challenges of deconflicting in greater detail.[3] This issue clearly requires more study and prioritization from the agencies involved, and should be taken into account by policymakers in the legislative branch, where there are several pending bills concerning cybersecurity efforts at the federal level.
Within DHS itself, there is additional work to be done to streamline the process for working with SLTT actors. Various parts of the department and affiliated entities (SECIR, FEMA, NCCIC, MS-ISAC, CERT, CSAs, PSAs, etc.) have their own outreach programs that suffer from a lack of central coordination. While each organization may be doing great work, such success can be tempered by competing communications. There should be department-wide priorities for SLTT efforts that are tied to specific, deconflicted initiatives across different departments and functionalities. Because states have fewer specialized and focused cyber workforces than federal partners, a small number of cyber “generalists” at the state level are often expected to consistently interact with a half-dozen or more federal agencies or partners, often leaving these state agencies or organizations confused or overwhelmed.
Recommendation III: Prioritize the Expansion of Localized Assistance Programs
To better coordinate its SLTT efforts, the Department of Homeland Security (DHS) should further expand its localized assistance programs. The Cybersecurity Advisor (CSA) Program, designed to provide direct coordination, outreach, and regional support to private industry and SLTT governments, has only 11 active advisors, who are roughly aligned with the 10 FEMA regions. Even if DHS reaches its targets for ramping up the CSA roster, which is by no means assured, it will still be limited in its capacity to reach the numerous critical infrastructure and public sector entities it is designed to support. Consistent contact and relationship-driven action are essential to the development of SLTT-level engagement, both with public and private entities. The current program simply does not have sufficient resources to achieve its stated goals, and arguably its current stated goals are insufficient given the scale and scope of the cybersecurity challenges facing SLTT partners.
There is additional work to be done to establish requirements and work through the authorization of DoD elements aiding the domestic mission. Such forces could come from U.S. Cyber Command through a domestic/homeland defense Mission Essential Task List as part of the Title 10 wartime mission or through the National Guard under Title 10 or Title 32 to defend critical infrastructure deemed essential for conducting or supporting military operations. So far, each state has been left largely alone to develop the legal authority for activating the National Guard in the case of an emergency; guidance and additional authorizations from Congress and the NGB would help to streamline these efforts and help states build effective programs, like those in Washington State and North Carolina,[4] among others. DoD and DHS might also consider a habitual relationship with an underlying set of principles and a memorandum of understanding (MOU) by which the National Guard cyber teams are trained and funded to conduct domestic operations in support of DHS, in an agreement similar to that between the DoD and the National Science Foundation (NSF) for the NSF’s Polar Program.[5]
Citations
1. The U.S. Department of Homeland Security (DHS) Notice of Funding Opportunity (NOFO) Fiscal Year (FY) 2017 Port Security Grant Program (PSGP). (2017). Retrieved from FEMA: source
2. Cyber Incident Reporting: A Unified Message for Reporting to the Federal Government. (2016, 9 22). Retrieved from Department of Homeland Security: source
3. RAND has a study forthcoming regarding FEMA’s role in cybersecurity.
4. North Carolina’s state government has a Memorandum of Understanding with the North Carolina National Guard that enables them to act as force augmentation in the case of an emergency. Soldiers are issued credentials to state systems and exercise such assistance regularly, which reduces friction and increases efficiency during an actual event. Thompson, M. (2018, 5 8). Chief Information Risk Officer, North Carolina. (K. Jackson, Interviewer)
5. Wynne, M. W., & Bement Jr., A. L. (2007, 5 1). Memorandum Of Agreement Between The Department Of Defense And The National Science Foundation For The National Science Foundation’s Polar Programs. Retrieved from Joint Chiefs of Staff: source