3 minute read
+ Towns & Law: Russian Cyber Attacks & Shields Up; ARPA Funds Available for Immediate Investment in Cybersecurity
Advertisement
Russian Cyber Attacks & Shields Up; ARPA Funds Available for Immediate Investment in Cybersecurity
BY ALISON EARLES, SENIOR ASSOCIATE GENERAL COUNSEL CIPP/US
Every city, large and small, must be prepared to respond to disruptive cyber incidents arising from cyber attacks and human error. Many cities have held off on implementing basic protections due to cost.
FORTUNATELY, FEDERAL GUIDance is clear that cities may use American Rescue Plan Act State and Local Fiscal Recovery Funds (ARPA SLFRF) to pay for cybersecurity
measures.
The Final Rule narrative states that government services include “modernization of cybersecurity, including hardware, soft ware and protection of critical infrastructure.” Investments in cybersecurity are eligible under Eligible Use Category 6.1, Revenue Replacement, Provision of Government Services (see Appendix 1 in the Treasury Compliance and Reporting Guidance).
For more information about cybersecurity investments and ARPA funding, see the articles Cities May Use ARPA Funding for CyberSecurity and IT Services and Websites on gacities.com
Funding Comes at Opportune Time
This opportunity for cities to use ARPA funds to invest in cybersecurity comes at a time when federal leaders have issued clear guidance about the threats of cyber attacks and ways to reduce exposure and improve resilience. On March 21, President Biden issued a renewed warning based on intelligence that the Russian government is exploring options for potential cyberattacks, and the Cybersecurity & Infrastructure Security Agency (CISA) launched the Shields Up website.
Urging all U.S. organizations to report strange cyber activity and/or cyber incidents immediately to CISA and adopt a “heightened posture when it comes to cybersecurity and protecting their most critical assets,” the Shields Up website explains how to reduce the likelihood of a damaging cyber intrusion, ensure rapid detection of the intrusion, and respond aft er an attack.
Federal agencies have been warning cities about cyberattacks on water systems by Russia and other state actors for several years. These utilities oft en serve very small populations and are “inconsistently resourced,” use “unsupported or outdated operating systems and soft ware” and rely on “outdated control system devices or fi rmware versions” with known vulnerabilities. (FDD “Poor Cybersecurity Makes Water a Weak Link in Critical Infrastructure.” See also Government Technology What Will it Take to Defend Drinking Water from Cyber Attacks.) On April 5, when representatives from the nation’s water sector testifi ed to federal lawmakers about the unique risks of cyberattacks on water safety and distribution, Kevin Morley of the American Water Works Association advocated for creating a minimum set of “tiered risk- and performance-based” cybersecurity standards for water sector entities. He praised the Shields Up website and encouraged the development of communications specifi cally for small community water systems. (Government Technology, April 19, 2022, Water Systems: At Greatest Risk from the Russian Cyber Threat?). The same critical cyber-
The opportunity for cities to use ARPA security measures necessary funds to invest in cybersecurity comes at a to protect water systems time when federal leaders have issued clear from cyberattack and enguidance about the threats of cyber attacks. able them to respond rapidly when hit also enable every city, large and small, to obtain cyber coverage. These measures are described in Cyber Coverage Underwriting Requirements and ARPA Funds Prompt Investment in CyberSecurity. Fortunately, thanks to SLFRF, 515 Georgia cities already have unprecedented amounts of federal money that can be used immediately to pay for these ongoing investments in cybersecurity. Cities without qualifi ed IT staff that can help them implement the actions described in Shields Up should act immediately to obtain such a resource and begin implementation.
