Senators Perdue, Peters Introduce Bill to Enhance Cyber Security Coordination

Bill Helps State and Local Governments Combat Cyber Threats

WASHINGTON, D.C. – U.S. Senators David Perdue (R-GA) and Gary Peters (D-MI) today announced they have introduced bipartisan legislation to help state and local governments combat cyber threats by increasing coordination with the Department of Homeland Security (DHS). The State and Local Cyber Protection Act requires DHS’s National Cybersecurity and Communications Integration Center (NCCIC) to provide assistance and training for state, local, and tribal governments in preventing, preparing for, and responding to cyber threats.

“In the face of ever-evolving attacks from our adversaries, we must strengthen our nation’s cyber defense capabilities which requires coordination across all levels of government,” said Senator Perdue, a member of the Armed Services Committee. “This is key to combating the asymmetric threats we face on a daily basis. I’m proud Georgia is on the front lines of training the next generation of cyber warriors, and I will continue working with Senator Peters and my colleagues to expand on cyber security innovation and improve communication.”

“Our nation is facing an ever-growing threat from increasingly sophisticated cyber-attacks, and we are only as strong as our weakest link,” said Senator Peters, a member of the Senate Armed Services and Homeland Security Committees. “State and local governments face unique cybersecurity threats that can endanger critical infrastructure, as well as residents’ sensitive personal and financial data. This bipartisan legislation will help ensure every level of government has the necessary tools to protect their networks and respond to cyber-attacks.”

According to the National Association of State Chief Information Officers (NASCIO), state governments have identified improving cybersecurity as a top information technology priority. However, state and local governments often lack the resources or technical expertise to defend their networks from cyber-attacks.

Analysis from the Brookings Institute found that state and local governments vary widely in their abilities to budget sufficient resources and field the technical expertise necessary to respond to increasingly sophisticated cyber-attacks.

“We applaud Senators Gary Peters and David Perdue for introducing the State and Local Cyber Protection Act of 2017,” said National Association of Counties Executive Director, Matthew Chase. “As county governments deploy modern technology to provide services to residents, it’s important that we have access to resources and expertise to address data breaches and cyber-attacks. Counties and states are also responsible for managing information that must be safeguarded for privacy and personal protection. The State and Local Cyber Protection Act helps to ensure that our nation’s counties can mitigate the risk of cyber threats.”

The State and Local Cyber Protection Act would require the NCCIC to provide state and local governments with:

  • Assistance, upon request, in identifying cyber vulnerabilities and appropriate security protections;
  • Tools, policies, procedures, and other materials related to information security, and to work with state and local officials to coordinate effective implementation of these resources;
  • Technical and operational assistance, upon request, to utilize technology in the analysis, continuous diagnosis and mitigation, and evaluation of cyber threats and responses;
  • Assistance to develop policies and procedures consistent with industry best practices and international standards, including cybersecurity frameworks developed by the National Institute of Standards and Technology;
  • Technical assistance and cybersecurity training, upon request, to state and local personnel and fusion center analysts; and
  • Privacy and civil liberties training as relates to cybersecurity, focusing on consistency with existing privacy laws and DHS policies, minimizing the retention and use of unnecessary information, and prompt removal of the personally identifiable information “unrelated” to a cyber threat.