July 26, 2023 at the Pennsylvania State Capitol in Harrisburg.Amanda Berg/Spotlight Pennsylvania
Amanda Berg
This article was produced by Spotlight PA's State College regional office, an independent, nonpartisan newsroom dedicated to investigative and public service journalism in Pennsylvania. Sign up for Talk of the Town, North Central Pennsylvania's newsletter at spotlightpa.org/newsletters/talkofthetown.
STATE COLLEGE — Pennsylvania local governments could soon have access to up to $25 million in federal funding to prepare for digital security threats facing critical infrastructure, according to Gov. Josh Shapiro's budget proposal. be.
But county and local leaders say funding isn't enough to keep up with mandatory technology updates, higher insurance premiums and the rise of artificial intelligence that increase cybersecurity costs.
Joe Sasano, York County's executive director of information technology, told the Legislature in January that “spending on cybersecurity technology has more than tripled in the past four years, and as the threat landscape evolves, “This trend is seen in all counties,” he said.
Local government officials and state legislators see cyberattacks as a growing threat. In November, a cyber attack shut down pumping equipment at the Aliquippa Water Department in Western Pennsylvania. In January, Bucks County's 911 reporting system was shut down for nine days due to a ransomware attack.
To help governments across the country address these risks, Congress established a state and local cybersecurity grant program as part of the Federal Infrastructure Investment and Jobs Act of 2021. These grants will first be awarded to states and can be used to develop or improve cybersecurity plans. , carry out those plans or respond to immediate threats.
In the first two years of the program, Pennsylvania received approximately $10.6 million. A spokesperson for the Pennsylvania Emergency Management Agency told Spotlight PA in an email.
John Barty, former president of the Pennsylvania Association of Municipalities, said in testimony to lawmakers in late January that local governments need more cybersecurity resources because they control critical public facilities such as water and wastewater. He said there is a great need.
He said bad actors could target technical information or customer data.
“System shutdowns due to cyberattacks can create public health hazards, environmental hazards, and permit violations,” Berti said.
He added that risks are ubiquitous. “The question is not 'if' but 'when.'”
Mr. Barty, along with representatives from other Pennsylvania municipalities, appeared before two state Senate committees to discuss the issue. They want funding for needed system upgrades, staff training, statewide coordination efforts and methods to investigate cyberattacks.
The challenge remains how to maintain the costs of these ongoing efforts.
“Cybersecurity needs have driven many IT-related projects and subsequently increased IT budgets over the past few years with no signs of slowing down,” said York County's Sassano. said York County's Sasano, who is also a member of the technical committee. of Pennsylvania.
The City of Redding has spent more than $701,000 on cybersecurity over the past five years. Ken Cochran, the city's IT manager, told councilors the money was used for firewall maintenance, vulnerability testing and staff training. This represented approximately 8% of the department's budget at the time.
Per federal guidelines for state and local cybersecurity grant programs, local governments are not eligible to receive funds. But they are “no different than any other organization that holds sensitive data and could be targeted.” [and] ” Jenny Shade, senior director of government relations for the Pennsylvania Municipal Association, told Spotlight PA.
Schade said that while the exclusion may not have been intentional, the association wants federal lawmakers to know that the agency is excluded and should be able to get some of that funding. Stated.
Shapiro's budget proposal does not include dedicated state funding to help local governments with cybersecurity costs.
The Pennsylvania County Commission wants to include $2.5 million in the next state budget for that purpose. Officials from other local governments that manage their own cybersecurity costs have not suggested a specific amount of funding they want the state to allocate.
Sassano pointed out that to receive federal cybersecurity grants, recipients must pay an equal amount, or a percentage of the amount, out of their own pocket. The match rate increases in stages from his 10% in the first grant year to his 40% in the last year.
PEMA will pay the matching costs in the first year and again in the second year, the agency's director, Randy Padfield, told state House members during a Feb. 21 budget hearing. The agency said it did so to ease the burden on local grant recipients and “fundamentally strengthen cybersecurity across the commonwealth.”
A spokeswoman for the agency said it has not yet decided whether to continue matching for the rest of the program, adding that if not, local governments will likely take action. Sassano told lawmakers that the higher percentage of matching dollars in the final two years of the grant program will be a “real challenge” for counties and local governments.
The governor is “open to” committing state funds to local cybersecurity in the future, his office told Spotlight PA, but did not provide a timeline.
“The administration's immediate priority is to drive millions of dollars in federal funding to support cybersecurity efforts and federal agencies,” Will Simmons, a spokesman for Mr. Shapiro, said in a statement. Will Simmons told Spotlight PA via email.
He added that the governor's office continues to communicate regularly with local government agencies to encourage investments in cybersecurity.
Support this journalism and help power local news in north central Pennsylvania at spotlightpa.org/donate/statecollege. Spotlight PA is funded by foundations and readers like you who are passionate about responsible, public service journalism that gets results.
Spotlight PA is an independent, nonpartisan newsroom powered by The Philadelphia Inquirer in partnership with PennLive/The Patriot-News, TribLIVE/Pittsburgh Tribune-Review and WITF Public Media.