Tribal governments have joined state and local governments in their request to include funding for cybersecurity in the next COVID-19 relief package. As the pandemic has forced tribal governments to move their governmental services online, the need to protect tribal data and ensure the integrity of the services that they provide is more important than ever. Yet tribal governments continue to be largely left out of federal opportunities to build critical cybersecurity infrastructure and internal protocols that keep tribal data safe. Currently, the only program that tribal nations are able to use to meet their cybersecurity needs is the U.S. Department of Homeland Security (DHS) Tribal Homeland Security Grant Program (THSGP). That program serves all of Indian Country's homeland security and emergency management needs, not just cybersecurity, and not every tribal government is eligible for the program. In effect, tribal governments do not have access to the cybersecurity resources they need.
In a letter to House Speaker Nancy Pelosi (D-Calif.) and House Minority Leader Kevin McCarthy (R-Calif.), the National Congress of American Indians (NCAI) urged Congress to establish a 10 percent set-aside for tribal governments in cybersecurity funding available for state and local governments, and to require DHS to submit an annual report to Congress outlining the cybersecurity needs of Indian Country. The letter specifically requests that Congress include the following language in the next COVID package:
(a) Set Aside — Provided, that of the amount made available, the Secretary shall set aside not less than ten percent to address the cybersecurity risks and threats of Indian Tribes as defined in section 4 of the Indian Self-Determination and Education Assistance Act (25 U.S.C. 5304).
(b) Report — No later than one year after the date of the enactment of this Act, and annually thereafter, the Department of Homeland Security Secretary shall submit to Congress a report on federal resources available to tribal governments, as defined in section 4 of the Indian Self-Determination and Education Assistance Act (25 U.S.C. 5304), to prevent and mitigate cybersecurity incidents, identify cybersecurity infrastructure shortfalls in Indian Country, and the status of actions taken by the Agency to address those shortfalls.
A letter also was sent to Senate Majority Leader Mitch McConnell (R-Ky.) and Senate Minority Leader Chuck Schumer (D-N.Y.).
State and local government officials have also been advocating for the inclusion of cybersecurity funding in the relief package. A coalition, including the National Governors Association, the National League of Cities and the National Association of Counties, sent a letter to House and Senate leadership on April 28, 2020, requesting direct funding to states, territories and localities specifically for addressing cybersecurity and IT infrastructure. The groups explain that the COVID-19 pandemic has caused a "surge on … information technology infrastructure [that] requires additional investment in both funding and manpower to keep up with massive usage." Moreover, the letter notes an increase in malicious cyberattacks on government infrastructure, such as ransomware, phishing and computer-enabled financial fraud. Tech and cybersecurity groups also sent a letter of support for cyber funding to House leaders on April 20.
On May 22, Reps. Bennie Thompson (D-Miss.), Jim Langevin (D-R.I.) and Cedric Richmond (D-La.), members of the House Homeland Security Committee, asked House Speaker Nancy Pelosi (D-Calif.) to include cybersecurity assistance to state and local governments in the next relief package, even though such funding was left out of House Democrats' latest coronavirus aid package, the Health and Economic Recovery Omnibus Emergency Solutions (HEROES) Act (H.R. 6800). The letter states, "We are disappointed that [the HEROES Act] did not provide targeted assistance to bolster network capacity and security to ensure that the aid the House provided to displaced workers, frontline workers, and other vulnerable populations is delivered in a timely way." Before the HEROES Act was released, House Democrats — including Reps. Thompson, Richmond, Derek Kilmer (D-Wash.) and Dutch Ruppersberger (D-Md.) — sent a letter requesting the inclusion of cyber funding in the next relief bill. The lawmakers specifically touted the House-passed State and Local Cybersecurity Improvement Act (H.R. 5823), which would provide $400 million in annual grants to state, local and tribal governments to address cyber risks and threats.
Although the bill enjoys bipartisan support, tribal emergency managers have expressed concerns that the funding will not reach Indian Country. Currently, the legislation requires funding to be passed through states to tribes, and in many cases, such funds historically have not always reached tribes as Congress intended.
For more information on advocating for increased cybersecurity resources in the next COVID package and/or ensuring that your tribe's data is secure during these challenging times, please contact Kayla Gebeck or Marissa Serafino.
DISCLAIMER: Please note that the situation surrounding COVID-19 is evolving and that the subject matter discussed in these publications may change on a daily basis. Please contact your responsible Holland & Knight lawyer or the authors of this alert for timely advice.
Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem. Moreover, the laws of each jurisdiction are different and are constantly changing. If you have specific questions regarding a particular fact situation, we urge you to consult competent legal counsel.