Government

Local Governments Want Long-Term State Money For Cybersecurity

Officials claim that the cybersecurity funding allocated in the governor’s budget proposal is insufficient for local governments.

This story was produced by the State College regional bureau of Spotlight PA, an independent, nonpartisan newsroom dedicated to investigative and public-service journalism for Pennsylvania. Sign up for our north-central Pa. newsletter, Talk of the Town, at spotlightpa.org/newsletters/talkofthetown.

By Min Xian | Spotlight PA

File photo.

Local governments in Pennsylvania could soon have access to up to $25 million in federal funding to help them prepare for digital security threats facing critical infrastructure, according to Gov. Josh Shapiro’s budget proposal.

But county and municipal leaders say that money won’t be enough to keep up with mandatory technology updates, higher insurance rates, and the rise of artificial intelligence, which have all added to cybersecurity costs.

“Our cybersecurity technology spending has more than tripled over the last four years, and this trend can be seen across all counties due to the evolving threat landscape,” Joe Sassano, executive director of information technology for York County, told state lawmakers in January.

Local government officials and state legislators see cyberattacks as a growing threat. In November, a cyberattack halted pumping equipment of the Municipal Water Authority of Aliquippa in western Pennsylvania. In January, the Bucks County 9-1-1 computer-aided dispatch system had a high-profile outage because of a ransomware attack.

To help governments nationwide deal with these hazards, Congress established the State and Local Cybersecurity Grant Program as part of the federal Infrastructure Investment and Jobs Act of 2021. These grants, which are awarded first to states, can be used to devise or improve cybersecurity plans, implement those plans, or address imminent threats.

In the program’s first two years, Pennsylvania received about $10.6 million. Those dollars paid for intrusion detection systems for 148 local government recipients, and 132 awardees got funding for digital best practices training, a spokesperson for the Pennsylvania Emergency Management Agency (PEMA) told Spotlight PA in an email.

Because local governments manage essential public utilities like water and sewage plants, the need for more cybersecurity resources is great, John Berti, a past president of the Pennsylvania Municipal Authorities Association, said in testimony given to lawmakers in late January.

Bad actors can target technical information and customer data, he said.

“Any system shutdown because of a cyberattack can result in public health hazards, environmental dangers, and permit violations,” Berti said.

He added that the risks are ubiquitous. “It’s not a matter of ‘if,’ but ‘when.’”

Berti appeared before two state Senate committees to discuss the issue, along with other representatives from Pennsylvania municipalities. They would like funding for necessary system upgrades, staff training, statewide coordination efforts, and ways to investigate cyberattacks.

How to sustain the costs of those ongoing efforts remains a challenge.

“Cybersecurity needs have driven many of our IT-related projects and subsequently increased our IT budget for the last several years with no sign of decreasing,” said Sassano of York County, who is also a member of the technology committee of the County Commissioners Association of Pennsylvania.

The City of Reading has spent more than $701,000 on cybersecurity in the past five years. The money went toward maintaining firewalls, vulnerability testing, and staff training, the city’s IT manager Ken Cochran told legislators. That amounted to about 8% of the department budget during that time.

Because of the federal guidelines of the State and Local Cybersecurity Grant Program, municipal authorities are not eligible to receive the money. But they are “not unlike any other entity that could be targeted, with critical data [and] infrastructure,” Jennie Shade, senior director of government relations for the Pennsylvania Municipal Authorities Association, told Spotlight PA.

While the exclusion might not be intentional, Shade said, the association wants federal lawmakers to know authorities have been left out and should be able to get part of that funding.

Shapiro’s budget proposal includes no dedicated state funding to help municipalities with cybersecurity costs.

The County Commissioners Association of Pennsylvania wants $2.5 million to be included in the next state budget for that purpose. Officials from other local governments, which manage their own cybersecurity costs, have not suggested a specific amount of funding they’d like to see the state allocate.

Sassano noted that to get the federal cybersecurity grant, recipients have to pay a match, meaning a certain percentage of the money, out of their own pockets. The match percentage incrementally increases from 10% in the first grant year to 40% in the last year.

PEMA covered the matching costs during the first year and will do so again for the second year, agency Director Randy Padfield told state House lawmakers during a Feb. 21 budget hearing. The agency did so to take away the burden from local grant awardees and “foundationally increase cybersecurity across the commonwealth,” he said.

A spokesperson for the agency said it has not decided whether it will continue matching for the remainder of the program — a tab that local governments will likely have to pick up if not.

The higher percentage of matching dollars for the final two years of the grant program will be a “real sticking point” for county and local governments, Sassano told lawmakers.

The governor is “open to” putting state money toward local cybersecurity in the future, his office told Spotlight PA, but did not provide a specific timeline.

“The Administration’s priority right now is driving out millions of dollars in federal funding to support cybersecurity efforts and Commonwealth agencies,” Will Simons, a spokesperson for Shapiro, told Spotlight PA in an email.

The governor’s office remains in regular communication with local government agencies, he added, and encourages them to invest in cybersecurity.

SUPPORT THIS JOURNALISM and help us reinvigorate local news in north-central Pennsylvania at spotlightpa.org/donate/statecollege. Spotlight PA is funded by foundations and readers like you who are committed to accountability and public-service journalism that gets results.

About the author

Spotlight PA

Spotlight PA is dedicated to producing non­partisan investigative journalism about Pennsylvania government and urgent statewide issues. We are an independent watchdog unafraid to dig deep, fight for the truth and take on the powerful to expose wrongdoing and spur meaningful reform. We connect Pennsylvanians to their state, and to each other, through public service journalism that matters to their lives and is creatively told in the many modern, digital ways they consume their news.

Leave a Comment