Push continues to fund cyber info-sharing center
akinbostanci via Getty Images
By
Chris Teale
Emergency funding for the Multi-State Information Sharing and Analysis Center runs out at the end of September, and experts are worried about the consequences if it lapses fully.
Late last month, Nevada announced it had been targeted by a cyberattack that temporarily closed services and forced others to rely on paper and in-person activities.
As the state looked to get its systems back up alongside its partners and recover from the attack, the federal Cybersecurity and Infrastructure Security Agency said it was providing real-time incident response to Nevada, and noted that it offers “a wide range of no-cost services to protect governments’ networks and critical services.”
But other groups said the attack on Nevada’s systems highlighted the need for more sustained and targeted cybersecurity support for state and local governments through the Multi-State Information Sharing and Analysis Center, known as MS-ISAC.
The center, which partners with more than 18,000 state, local, tribal and territorial governments — known as SLTT — and offers incident response, monitoring and threat intelligence, had its federal funding slashed by $10 million by the Department of Homeland Security earlier this year. Since then, MS-ISAC has been operating using emergency funding from the Center for Internet Security, but that money runs out at the end of this month. It is now moving to a paid membership model for governments to maintain its services.
If the MS-ISAC is forced to close altogether, the consequences could be disastrous, members of its executive committee warned.
“I'm sure the bad guys out there are watching this funding thing going on, and it's just a matter of time where they're going to elevate the attacks and hit a lot harder in SLTT, and we're simply still not prepared,” said Gary Coverdale, chief information security officer for Santa Barbara County, California. “MS-ISAC is an amazing organic support that gives the SLTT a lot of the tools that we need to protect ourselves.”
A recent CIS report illustrated the continued cyber risks that state, local, tribal and territorial governments face, which would be magnified if the MS-ISAC disappears. The report found that 68% of governments do not have the budget to address their major cybersecurity priorities, while small and rural communities are “disproportionately vulnerable” to cyberattacks, partly due to their lack of resources. Foreign hackers are wise to this weakness too, the report found, as they target local infrastructure like water systems, public schools and other critical sectors.
Local leaders have stressed the MS-ISAC’s importance too. In a joint letter early last month, the National Association of Counties, National Association of State Chief Information Officers, the U.S. Conference of Mayors, the National League of Cities and the Major County Sheriffs of America urged Congress to fund the organization during its FY 2026 appropriations process.
The letter said MS-ISAC has helped state and local governments detect more than 43,000 potential cyberattacks, identify and prevent more than 59,000 malware and ransomware attacks, prevent 25 billion connections to malicious sites, and block 5.4 million potentially malicious emails.
The MS-ISAC provides various cybersecurity services for free or at massively reduced prices, including regional security operations centers for 24/7 monitoring and shared services like endpoint detection. For small governments with less money in their budgets to spend on cybersecurity, losing those services that have previously been provided for them would create an impossible situation.
“They're going to be critically impacted,” Coverdale said. “They're going to have to do without all the services that MS-ISAC provides. They're not going to find replacements. They're going to go out and buy replacements. They can't afford it. A lot of these small agencies are very resource constrained, and so it's essentially going to be the weak spot.”
The MS-ISAC’s end might necessitate a larger role for the private sector and a reliance on them providing certain services or products to under-resourced governments. In mid-August, CIS announced it had selected cybersecurity company Sophos as the endpoint protection provider for government organizations as part of the organization’s new CIS Managed Detection and Response service. That service is intended to stop malicious activity, as well as provide continuous monitoring, detection and response.
Rob Lalumondier, Sophos’ vice president of public sector, said that partnerships such as these will help “close that resource gap.”
“A lot of this is very targeted at and built around the needs of what we call underserved governments out there,” he said. “Rural counties, small municipalities, villages that don't really have the resources to run their own [security operations center], and probably lack quite a bit of cybersecurity manpower and expertise. A lot of times these entire cities’ cybersecurity system is basically run by one or two people. This gives them access to that same caliber of defense that some of the world's largest organizations get.”
In the absence of the MS-ISAC, Coverdale said responsibility for cybersecurity protection and response could be pushed onto state governments, some of which may also lack the resources to help their localities or critical infrastructure providers.
Joshua Bauman, director of technology at the Festus R-VI School District in Missouri and an MS-ISAC executive committee member, said having a state-by-state approach also risks creating a patchwork of protection.
“There's 50 states, and you likely have 50 different versions of cybersecurity programs out there,” Bauman said. “You have very robust ones being built … but not every state has taken to dedicating money out of a state budget to a cybersecurity program, where the actions of those programs happen behind the scenes.”