This article was produced by Spotlight PA's State College regional office, an independent, nonpartisan newsroom dedicated to investigative and public service journalism in Pennsylvania.
STATE COLLEGE — Pennsylvania local governments could soon have access to up to $25 million in federal funding to prepare for digital security threats facing critical infrastructure, according to Gov. Josh Shapiro's budget proposal.
But county and local leaders say funding isn't enough to keep up with mandatory technology updates, higher insurance premiums and the rise of artificial intelligence that increase cybersecurity costs.
Joe Sassano, York County's executive director of information technology, told the Legislature in January that “spending on cybersecurity technology has more than tripled in the past four years, and as the threat landscape evolves, “This trend is seen in all counties,” he said.
Local government officials and state legislators see cyberattacks as a growing threat. In November, a cyber attack shut down pumping equipment at the Aliquippa Water Department in western Pennsylvania. In January, Bucks County's 911 reporting system was shut down for nine days due to a ransomware attack.
To help governments across the country address these risks, Congress established a state and local cybersecurity grant program as part of the Federal Infrastructure Investment and Jobs Act of 2021. These grants will first be awarded to states and can be used to develop or improve cybersecurity plans, carry out those plans or respond to immediate threats.
In the first two years of the program, Pennsylvania received approximately $10.6 million. A spokesperson for the Pennsylvania Emergency Management Agency (PEMA) told Spotlight PA in an email that these dollars will pay for intrusion detection systems for 148 municipalities, and 132 awardees will receive digital best practices training. He said he received funding.
John Barty, former president of the Pennsylvania Association of Municipalities, said in testimony to lawmakers in late January that local governments have a great need for more cybersecurity resources as they manage critical utilities such as water and sewer services.
He said bad actors could target technical information or customer data.
“System shutdowns due to cyberattacks can create public health hazards, environmental hazards, and permit violations,” Berti said.
He added that risks are ubiquitous. “The question is not 'if' but 'when.'”
Mr. Barty, along with representatives from other Pennsylvania municipalities, appeared before two state Senate committees to discuss the issue. They want funding for needed system upgrades, staff training, statewide coordination efforts and methods to investigate cyberattacks.
The challenge remains how to maintain the costs of these ongoing efforts.
“Cybersecurity needs have driven many IT-related projects and subsequently increased IT budgets over the past few years with no signs of slowing down,” said York County's Sassano, who is also a member of the technical committee. of Pennsylvania.
The City of Redding has spent more than $701,000 on cybersecurity over the past five years. Ken Cochran, the city's IT manager, told councilors the money was used for firewall maintenance, vulnerability testing and staff training. This represented approximately 8% of the department's budget at the time.
Per federal guidelines for state and local cybersecurity grant programs, local governments are not eligible to receive funds. But they “have critical data (and) infrastructure and are no different than any other organization that could be targeted,” Jenny Schade, senior director of government relations at the Pennsylvania Municipal Association, told Spotlight PA.
Schade said while the exclusion may not have been intentional, the association wants federal lawmakers to know the agency is excluded and should be able to get some of that funding.
Shapiro's budget proposal does not include dedicated state funding to help local governments with cybersecurity costs.
The Pennsylvania County Commission wants to include $2.5 million in the next state budget for that purpose. Officials from other local governments that manage their own cybersecurity costs have not suggested a specific amount of funding they want the state to allocate.
Sassano pointed out that to receive federal cybersecurity grants, recipients must pay an equal amount, or a percentage of the amount, out of their own pocket. The match rate increases in stages from 10% in the first grant year to 40% in the last year.
The PEMA director told state House members during a Feb. 21 budget hearing that PEMA would cover matching costs in the first year and do the same in the second year. The agency said it did so to reduce the burden on local grant recipients and “fundamentally strengthen cybersecurity across the commonwealth.”
A spokeswoman for the agency said it has not yet decided whether to continue matching for the remainder of the program. If this does not continue, there is a high possibility that local governments will take action.
Sassano told lawmakers that the higher percentage of matching dollars in the final two years of the grant program will be a “real challenge” for counties and local governments.
The governor is “open to” committing state funds to local cybersecurity in the future, his office told Spotlight PA, but did not provide a specific timeline.
“The administration's current priority is to drive away millions of dollars in federal funding to support cybersecurity efforts and federal agencies,” Will Simmons, a spokesman for Mr. Shapiro, told Spotlight PA in a statement via email.
He added that the governor's office continues to communicate regularly with local government agencies to encourage investments in cybersecurity.