Cyber insecurity: Shields down?

COMMENTARY | Federal funding cuts and the end of the cyber grant program, combined with growing threats from nation-states, have made our cybersecurity posture weaker.
Every day, state and local governments collect more data than they collect in taxes. Moreover, the data they collect can be highly personal and sensitive, and public trust quickly erodes when such data falls into the hands of criminals. What happens when the people we trust to protect our data can’t protect their own systems?
For well over a decade, surveys by the Public Technology Institute and the National Association of State Chief Information Officers have consistently listed cybersecurity as their top priority. As cybercrime continues to wreak havoc among public institutions, it was rather shocking to learn of the federal government's plan to cut 50% of the all-important Multi-State Information Sharing and Analysis Center.
MS-ISAC is a nonprofit institution, a division of the Center for Internet Security, which receives funding through cost-recovery services and support from the Department of Homeland Security. It has approximately 18,000 members, providing a critical lifeline to thousands of local governments that lack the resources to adequately defend their systems.
While many critical services will continue to be made available in the near term, the longer-term outlook is rather ominous, as all federal agencies continue to dismantle key programs and purge key technical expertise. State and local governments have never faced more significant cyber challenges, while, intentionally or not, the federal government appears to be abandoning critical support for digital infrastructure.
The MS-ISAC began operations in 2003, with a mission to share threat information and best practices in cybersecurity with state, local, tribal, and territorial governments across the nation. Seven years later, the mission expanded as needs grew, with MS-ISAC being charged with maintaining the growing community by expanding its services to include no-cost to low-cost cybersecurity resources for state, local, tribal and territorial government organizations.
MS-ISAC maintains a 24x7 security operations center that monitors and analyzes potential security incidents involving member organizations in real time. It also helps member organizations respond to incidents with early cyber threat warnings and advisories along with vulnerability identification and mitigation. It also provides an intrusion detection system that further monitors networks and identifies malicious activity.
MS-ISAC more recently began offering malicious domain blocking and reporting and endpoint detection and response services. The former is a cloud-based solution that takes less than 15 minutes to implement and can prevent IT systems from connecting to known malicious domains.
Cybersecurity funding is often invisible to the public — until something goes very wrong. The public has been led to believe that governments at all levels consider cybersecurity one of their top priorities and fund it accordingly. However, as cyber threats have increased in both frequency and sophistication, budgets have not kept up. Which leads to the irony: while threats grow, shields shrink.
For years, CIOs and cybersecurity experts alike have sounded the alarm that cybersecurity is everyone’s responsibility, and more recently, they have expanded this call for awareness and action to a “whole-of-government approach.”
For the first time, Congress, recognizing the urgent need to enhance state and local government cybersecurity, in 2021 passed the State and Local Cybersecurity Grant Program as part of the Infrastructure Investment and Jobs Act. This historic piece of legislation provided $1 billion over four years to state, local, tribal and territorial governments to address cybersecurity risks. The program is nearing its conclusion, with the final year of funding allocated for this year. As with all federal funding being slashed, any future money is now in doubt.
Because of their inherent relative weakness compared to other sectors, public institutions present richer targets for cybercriminals. Ransomware incidents have proven highly costly and disruptive for governments. A 2024 industry survey found that the average cost to recover from a ransomware attack in the state and local sector reached $2.83 million, more than double the previous year’s $1.21 million.
Prolonged intrusion leads to disrupted courts, public websites and services, illustrating how operational damage can extend well beyond the initial attack window. These expenses include system restoration, incident response, notification and often credit monitoring for affected individuals.
When city services are crippled — 911 systems, permitting, payroll, to name a few — downtime can last days or weeks, prompting emergency declarations and significant recovery budgets. For example, Dallas was hit by a major ransomware attack in May 2023, which forced many municipal systems offline. It was reported that the city later approved an $8.5 million budget for recovery from that one attack.
Many public institutions are struggling to attract and retain cyber expertise. Limited resources often lead to burnout among overworked, underfunded IT and cybersecurity professionals. The current budget-cutting climate exacerbates the talent crisis.
Left out of most public discussions is the origin of an overwhelming number of cyberattacks. Determining the exact percentage of cyberattacks against U.S. state and local governments originating from outside the country is challenging due to the complexities of attributing cyber incidents and the lack of comprehensive data.
Nation-state cyberattacks, particularly those linked to countries like China, Russia, Iran and North Korea, constitute a substantial share of malicious cyber activities targeting various sectors, including government agencies.
Why is the origin of cyberattacks significant? Imagine each state being tasked with defending itself militarily against primarily foreign aggression. Why, then, is it so different when it comes to defending the digital infrastructure of our state and local public institutions against foreign aggression? The same argument can be made for cybercrime committed by actors operating within various states, where physical boundaries are often meaningless in the face of digital ones.
Based on the current round of ideologically driven and mind-numbing federal budget cuts, the cyber landscape is being transformed into a dramatically weakened and perilous environment. Seasoned technical expertise is being discarded as if it were a commodity, despite years of proven allegiance to the mission of non-partisan cyber defense. The whole-of-government defense posture is being shattered; defenses weakened. Cyber insecurity has emerged, and despite our best efforts, we are forced into a posture of vulnerability that can only yield disastrous results.
Dr. Alan R. Shark is the Executive Director of the Public Technology Institute (PTI) and an Associate Professor at the Schar School of Policy and Government, George Mason University, where he also serves as a faculty member at the Center for Advancing Human-Machine Partnership (CAHMP). Shark is a National Academy of Public Administration Fellow and Co-Chair of the Standing Panel on Technology Leadership. Shark also hosts the bi-monthly podcast Sharkbytes.net.