cybersecurity policy and its implication for states · 2018-11-01 · cybersecurity policy and its...

Report from Washington : Cybersecurity Policy and Its Implication for States Secure Delaware Workshop 2017 Greg Garcia Executive Director, Healthcare and Public Health Sector Coordinating Council


Post on 25-Jun-2020


Page 1: Cybersecurity Policy and Its Implication for States · 2018-11-01 · Cybersecurity Policy and Its Implication ... State of Cybersecurity in Local, State and Federal Government. Money

Report from Washington: Cybersecurity Policy and Its Implication for States

Secure Delaware Workshop 2017

Greg Garcia

Executive Director, Healthcare and Public Health Sector Coordinating Council


LAST SEEN HERE 2007

NOW: SAME TIE SAME PROBLEMS

NEW SUIT NEW PROBLEMS


Most Significant Cyber Policy in 2018?

Presidential Executive Order 13800, May 2017

“Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure”


E.O. 13800 ‐ 15 Reports Due Out On:

• International Cooperation

• Modernizing Federal IT and Procurement with Cybersecurity Emphasis

• Workforce Development

• Federal Risk Management Assessments

• “Market Transparency” of Critical Infrastructure Risks

• Defense Industrial Base Cybersecurity

• Electric Grid Security

• Botnet Mitigation

• Deterrence Policy

• Critical Infrastructure “at greatest risk” Identification and DHS Capabilities to Support (state election systems?) – November 6


Other Movements to Watch

• Little in the way of serious legislation; CSA 2015 exhausted congressional bandwidth

• So expect more states to step in, such as NY financial services regulation

• Internet of Things device security and privacy protection mandates will surge

• Federal Trade Commission enforcement actions will be tempered by Trump Administration deregulatory stance

• More refinement of NIST Cybersecurity Framework


States Under Intensifying Cyber Attack

50% of state and local governments experienced 6 to 25 breaches in the last 24 months, and 12% experienced more than 25 breaches*


A trove of personal records and services transiting state databases

* Ponemon Institute 2015: State of Cybersecurity in Local, State and Federal Government


Money and Talent are Biggest Gaps


Insufficient Funding

Most state cyber budgets are between 0-2% of their overall IT budget, compared with an average of more than 10% in large companies.


Comparative Cyber Spending in 2016

JP Morgan ‐ $500 million

Federal Government ‐ $19 billion

States ‐ $10 million


Crisis in Hiring Talent

State CISOs continue to identify inadequate availability of cybersecurity talent as a top barrier; more funding can increase competitive salaries.


States Spend Much More on Physical Security Than On Cyber Security

• Only 30 states and 2 tribal territories spent a total of $27.3 million of HSGP grants on cybersecurity as an allowable expense over a four year period from 2011‐2014.

• Between 2007‐2011 states left $5.2 billion of grant funds on the table, unspent.

• There is no dedicated cybersecurity fund.

• States invest scarce grant funds on physical security as a political priority.

• New “Smart Cities” and “Smart States” infrastructure investments will require digital security

• Without smart security investment, state and local governments are a soft target for cyber attacks that have physical consequences.

States Spend Just 1% of Total Homeland Security Grants on Cybersecurity ($ Millions)

FY‐16 HSGP ‐ $1 billion

FY‐16 Cyber Spending ‐ $10 million



Homeland Security Grants: What Have We Supported Over the Years?

• Homeland Security Grant Program (HSGP)

  • State Homeland Security Program

  • Urban Area Security Initiative

  • Operation Stonegarden

• Emergency Management Performance Grant (EMPG)

• Tribal Homeland Security Grant Program (THSGP)

• Nonprofit Security Grant Program (NSGP)

• Transit Security Grant Program (TSGP)

• Port Security Grant Program (PSGP)

• Intercity Passenger Rail (IPR) Program - Amtrak

• Intercity Bus Security Grant Program (IBSGP)

• Assistance to Firefighter Grant (AFG)

• Buffer Zone Protection Program (BZPP)

• Driver’s License Security Grant Program (DLSGP)

• Emergency Operations Center (EOC)

• Freight Rail Security Grant Program (FRSGP)

Of the $10.6 billion awarded to these programs between FY 2008-2011, 49% went unspent.


What Do the States Need the Money For?

Just a few critical cybersecurity imperatives:

• State cybersecurity personnel – analysts, auditors, executives

• Security, risk, threat, and vulnerability assessment services

• Security architecture design and installation

• Managed security services

• Intrusion detection and prevention (IDS/IPS) tools

• E911 security tools

• Secure communications circuits and systems

• Cyber incident forensics and mitigation tools and services

• Threat data analysis and decision making tools

• Network and application security technology

• Data security protection

• Identity management systems

• Information Sharing and Analysis Center involvement

• Call flow monitoring and system health sensors


NEED NOW: Authorization and Funding for State Cybersecurity Grant Program

• DHS resolve, or …

• Legislation needed to authorize and fund cybersecurity programs within DHS and close states’ cyber spending gap.

• New appropriation or reallocate percentage of HSGP to specific cybersecurity programs.

• Require and fund states to conduct formal cyber vulnerability assessments as critical baseline for improvement.

• Link cyber grant program performance to alignment with recognized cybersecurity standards of practice (e.g. NIST).

• HR 1344 / S. 516


Task Force High Level Imperatives


Thank you

Contact: Greg Garcia

[email protected]