Trump is shifting cybersecurity to the states, but many aren’t prepared


Only 22 of 48 states in a Nationwide Cybersecurity Review met recommended security levels.

This story was originally published by Stateline.

For the first half of his career in law enforcement, working as a police officer in South Florida, Chase Fopiano did not think cyberattacks on police agencies were a serious threat.

Many of his law enforcement colleagues were under the same impression — that since they were the most likely to investigate the attacks, there was no way cybercriminals would go after them.

By about 2015, as technology advanced and hackers became more creative, that changed, Fopiano said. Now, from the U.S. Secret Service to the Florida Department of Law Enforcement, there are thousands of attempts to compromise networks or organizations every day, he said.

“A lot of those [attempts] are toward government or even police, especially because they know that we’re not as prepared as we should be,” said Fopiano, who now oversees cybersecurity as part of a regional task force.

Spanning health care facilities to court systems, states and local communities are facing a rise in cyberthreats. They include threats to critical infrastructure, increased activity from foreign actors, continued ransomware attacks and more, according to a recent report from the Multi-State Information Sharing and Analysis Center.

But President Donald Trump recently signed an executive order shifting some of the responsibility from the federal government to states and localities to improve their infrastructure to address risks, including cybercrimes. And federal cuts have reduced resources for state and local officials, including a cybersecurity grant program and a key cybersecurity agency.

States and localities are taking steps to address the problems, such as establishing new penalties for tampering with critical infrastructure, centralizing state IT personnel and setting standards in areas from elections to health care.

But the Trump order and federal funding cuts, a shortage of IT experts at the local level and an overall lack of preparedness could weaken their efforts.

In December, a major cyberattack forced Rhode Island to take down its online portal used by residents to obtain Medicaid benefits and SNAP, commonly known as food stamps. The personal data stolen from Rhode Island’s public benefits network — including Social Security numbers and banking information — was later found on the dark web.

In February, a “sophisticated cyberattack” hit the office of Virginia Republican Attorney General Jason Miyares, which led agency officials to shut down computer systems and resort to paper court filings.

Last week, hackers also breached the computer network of the Fall River School District in Massachusetts. The school district is working with third-party experts and law enforcement to determine if anyone’s personal information was targeted, according to MassLive.

In 2023, of the 48 states that participated in the Nationwide Cybersecurity Review, a voluntary self-assessment conducted by federal agencies that examines how well governments are prepared to respond to cyberattacks, only 22 states reached or surpassed the recommended levels of security in their systems.


Cybersecurity has become increasingly important over time because more government services and data are digitized, said Samir Jain, the vice president of policy at the Center for Democracy & Technology, a nonprofit that advocates for digital rights and freedom of expression.

But a national shortage of people with that expertise — especially at the local level — creates a challenge.

“The federal government has traditionally played at least some role in trying to fill some of those gaps,” Jain said. “And so the notion that the federal government could just withdraw and expect states and localities to step in is just not realistic.”

Local governments and law enforcement agencies also have other priorities, Fopiano said. The police need cars, guns, shields and other resources that generally take precedence over cybersecurity.

Today, Fopiano is the cybersecurity chair of the Southeast Regional Domestic Security Task Force in Florida, overseeing cyber activity from South Florida to the Florida Keys. The attacks continue to rise, he said.

“Terrorist groups are getting into cybercrime, cartels are getting into cybercrime, you have kids just learning about hacking and just fooling around,” he said. “The audience of who’s doing it has definitely expanded and led to that rise in overall cybercrime.”

Cuts to Federal Resources

In 2022, the U.S. Department of Homeland Security announced a first-of-its-kind cybersecurity grant program, providing more than $1 billion in funding for states, localities, tribes and territories to address cybersecurity risks and threats.

The State and Local Cybersecurity Grant Program, created under the Infrastructure Investment and Jobs Act of 2021, awarded $279 million to states and localities in fiscal year 2024. The Tribal Cybersecurity Grant Program awarded another $18 million for tribes in its first year.

But the grant program is set to expire in September, with no current plans to renew it. At a hearing this month, several state and local officials urged Congress to reauthorize the program. But U.S. Department of Homeland Security Secretary Kristi Noem, who refused the federal aid during her tenure as governor of South Dakota, questioned the program’s efficacy.

The Trump administration is also cutting as many as 1,300 employees from the Cybersecurity and Infrastructure Security Agency, or CISA, which administers the grants alongside the Federal Emergency Management Agency.

The program has allowed states to assess the security of their networks, develop cybersecurity training, implement multi-factor authentication features (which require users to provide more than one form of verification to access a site or service) and much more, said Alex Whitaker, the director of government affairs at the National Association of State Chief Information Officers.

“This has been a really great program because we’re seeing a lot of great evidence for how states and their counterparts in local government are improving their cyber defenses,” Whitaker said.

Counties also rely on a number of federal resources to strengthen their defenses, including services provided by CISA, said Rita Reynolds, the chief information officer at the National Association of Counties and managing director for County Tech Xchange. NACo is an organization that represents county governments across the United States.

The Multi-State Information Sharing and Analysis Center, for instance — a key collaboration between CISA and the Center for Internet Security to help state and local governments with cybersecurity operations — lost some of its federal funding for certain programs last month, Reynolds said.

In trying to keep up with emerging threats, counties are still trying to find resources to help them implement multi-factor authentication, convert government pages to “.gov” domains and adopt other methods of protecting their infrastructure, she said.

“Are counties prepared?” Reynolds asked. “I would say they’re not as prepared as they’d like to be. And in some cases, they are looking at how to strategically approach this now that resources are disappearing.”

In a statement, CISA spokesperson Jared Auchey said Trump’s executive order empowers state and local governments “to make risk-informed decisions and investments to improve their preparedness.” The agency will work with state and local officials to ensure they have the information and support they need, Auchey added.

Lawmakers Step Up

In 2024, 33 states adopted resolutions or enacted legislation regarding cybersecurity, according to a database from the National Conference of State Legislatures, a nonpartisan public officials’ association.

Many of those measures sought to protect states’ critical infrastructure, including water systems, government services, health care and more. Florida, Louisiana, West Virginia and other states created new criminal and civil penalties for people who attempt to tamper with critical infrastructure.

In Minnesota and Washington state, lawmakers passed measures allowing or requiring state and local governments to invest in cybersecurity protections related to election administration. Connecticut and Florida also passed legislation to secure health care facilities from cyberattacks by having hospitals create plans or by supporting investments in new technologies.

Other states are looking for solutions from outside vendors. South Dakota has set aside $7 million for a company to examine local governments for vulnerabilities to hackers.

With attacks occurring at every level of government, New Mexico Democratic state Sen. Michael Padilla, the Senate majority whip, sponsored legislation in 2023 to create the state’s office of cybersecurity. As chair of the Senate Science, Technology and Telecommunications Committee for 10 years, he plays a significant role in most of the state’s cybersecurity legislation.

Through the committee’s work, Padilla says New Mexico is in good shape to fend off cyberattacks — and the state’s cities and counties are joining in.

“I think New Mexico is in a very good position because what we decided to do by creating that office is to ensure that any transactions that occur with state government here [in New Mexico] have to meet a minimum set of security standards,” he said.

In Indiana, Republican state Sen. Liz Brown filed legislation that would encourage state agencies and groups to develop cybersecurity policies. The bill was approved by both chambers, with the Senate agreeing to changes sent from the House.

“You have to protect your infrastructure,” Brown said. “We don’t want utility systems to be shut down. We don’t want wastewater or freshwater treatment plants or even the water supply being contaminated or harmed in some way. Our systems all have backups, but even so, we know there are bad actors.”

Some states are also preparing to reshuffle their offices or create new ones to centralize their cybersecurity efforts. Arkansas, for example, enacted legislation this month to create a new state cybersecurity office, which will monitor the state’s computer networks and respond to cyberthreats.

In Alabama, rather than having information technology people scattered throughout the government, Republican state Rep. Mike Shaw wants cybersecurity personnel centrally managed.

Shaw’s legislation, which passed the House and is currently in the Senate, would give the Alabama Office of Information Technology central authority to maintain the needs of all of the state’s departments.

The centralization would make it easier to pursue cybersecurity initiatives in the future, Shaw said.

“The federal government is really big, and it’s really hard to come up with a one-size-fits-all solution for things like cybersecurity, data privacy and technology in general,” Shaw said. “So, in some sense, it’s good that the states are coming up with their own.”

Stateline reporter Madyson Fitzgerald can be reached at mfitzgerald@stateline.org.

Stateline is part of States Newsroom, a nonprofit news network supported by grants and a coalition of donors as a 501(c)(3) public charity. Stateline maintains editorial independence. Contact Editor Scott S. Greenberger for questions: info@stateline.org.
