Subcommittee Chairman Ogles Opens Hearing on State and Local Cybersecurity

WASHINGTON, D.C. -- Today, Subcommittee on Cybersecurity and Infrastructure Protection Chairman Andy Ogles (R-TN) delivered the following opening statement in a hearing to examine the escalating cyber threats facing state and local governments and assess the federal government's role in supporting non-federal partners, including through the Cybersecurity and Infrastructure Security Agency (CISA) and the State and Local Cybersecurity Grant Program (SLCGP).

Watch Subcommittee Chairman Ogles ' opening statement here.

As prepared for delivery:

Good afternoon and thank you all for joining us. I think we have New York, Florida, Virginia, and the great state of Tennessee. I want to extend my sincere appreciation to our witnesses - the men and women on the front lines of cybersecurity in our states and local communities - for traveling here today.

The cyber threat facing America's states, cities, and counties today looks nothing like it did five years ago. Nation-state actors, ransomware groups, and criminal organizations have grown more capable, more persistent, and more willing to target systems that Americans rely on every day.

Artificial intelligence is changing this fight in both directions. State and local governments are beginning to use AI to detect threats faster, respond more efficiently, and do more with limited staff. But our adversaries are using those same capabilities against us, crafting more convincing phishing attacks, finding vulnerabilities faster, and carrying out operations that once required specialized expertise.

The witnesses with us today have played a key role in helping their states embrace digital transformation and expand access to government services. But with this increased connectivity comes a larger attack surface and a greater level of risk.

Just last week, a ransomware attack on Canvas shut down classes for students and faculty in the middle of final exams. Hospitals have had to turn away patients and cancel surgeries when their systems were held hostage. State agencies have gone offline for weeks, cutting seniors off from benefits they have earned and depend on. And water utilities have had their control systems probed and, in some cases, compromised. Each of these incidents has a real human cost, and they are happening more often.

The core problem is a mismatch that Congress has an obligation to address. State and local governments are expected to defend against the same adversaries our Intelligence Community tracks, including China, Russia, and Iran, but with budgets and workforces that bear no comparison to what those nation-states deploy against us. A county government in rural America may not have a single dedicated cybersecurity professional. And yet that county holds sensitive data on its residents, runs systems that deliver essential services, and sits inside a network of American infrastructure that our adversaries are actively working to disrupt.

I know this from personal experience. Before I came to Congress, I served as a county executive in Tennessee. We had no dedicated cybersecurity staff and a tight budget, and we still had an obligation to protect our residents' data and keep their government running. That is in part why the testimony we will hear today matters to me.

To their credit, states have not been waiting for Washington to figure this out. Today, we will hear about whole-of-state cybersecurity strategies that push resources and expertise down to counties and municipalities that could not otherwise afford them. We will hear about information-sharing programs that give smaller jurisdictions access to threat intelligence they could never build on their own. We will hear about workforce programs developed with universities and community colleges to train the next generation of defenders. These are real solutions, and they deserve real support from Congress.

But state efforts can only go so far without federal support. Congress recognized that in 2021, when it created the State and Local Cybersecurity Grant Program and put one billion dollars behind it over four years. The premise was simple. A small town faces the same threats as a large city, and a rural county is not exempt from Chinese or Russian cyber actors just because it has a limited IT budget. That program helped communities that could not otherwise help themselves.

Unless Congress acts, that program expires this September. We should not let that happen, and we certainly should not let it happen at a moment when the threat is growing ever worse.

That is why I am committed to enacting the PILLAR Act, which we passed and we sent to the Senate Homeland Security Committee.

Reauthorization alone is not enough, though. We have four years of program history now, and we owe it to taxpayers to ask whether the money is being spent well, whether the structure is right, and whether the outcomes match the investment. Today is an opportunity to get honest answers from the people who have actually run these programs.

I look forward to hearing from our witnesses, especially Tennessee, and using what we learn today to drive action.

###