‘Reckoning’ coming in state and local cyber
Cravetiger via Getty Images
By
Chris Teale
This year brought all manner of uncertainty about the relationship with the federal government to defend against threats. Next year looks to be more of the same, albeit with more intense threats.
The end of a difficult year for state and local cybersecurity brought a glimmer of hope, as the House voted to reauthorize the State and Local Cybersecurity Grant Program and the Senate introduced a companion bill to do the same.
But the year was dogged by uncertainty about the future cybersecurity role of the federal government in helping other units of government, even as cyberattacks crippled states and localities as well as school districts and other critical infrastructure providers.
And it has state and local leaders concerned about what comes next, especially as threats were numerous this year, and are likely to increase and become more potent thanks to artificial intelligence. The likes of St. Paul, Minnesota, and Nevada’s state government have been rocked by cyberattacks this year alone.
Help from the federal government in the form of reauthorizing this popular $1 billion grant program is a good start, they said.
“Counties serve on the frontlines of ensuring cybersecurity standards are met at the local level,” Matthew Chase, executive director at the National Association of Counties, said in a recent statement after the House vote. “As costs for cybersecurity needs continue to rise, prioritizing federal investments in the cybersecurity of local government systems will help prevent malicious attacks on our critical infrastructure.”
The sheer number of cyber threats, and the debilitating effect they have on government services, should force leaders to have a “reckoning” about their preparedness, said Mike Bimonte, chief technology officer for state, local and education at cybersecurity company Armis. The “real differentiator” next year, he said, “will be how quickly an organization detects, contains, and recovers.”
“The era of ‘we’ll patch later’ is coming to a close,” Bimonte said in an email. “Between relentless adversaries, policy shifts and the expanding sprawl of digital services, cyber exposure management will become the defining capability that separates the merely functional from the truly resilient.”
Further illustrating the importance of cybersecurity to state and local leaders, the National Association of State Chief Information Officers had it as its second most important policy and technology priority for 2026, just behind AI, having held the top spot for 12 straight years. The state and local grant program encouraged better coordination between states and their localities on information sharing and utilizing shared services.
But experts said there is still a long way to go before the two levels of government work closely together, simply because localities do not know what is available from their states. They need to build a closer relationship if they want to strengthen their cybersecurity and save money.
“The challenge in the future for most states is not that they don't have those services, or they're not promoting them, or they're not offering them, they just don't have the capacity to do a high level of promotion,” NASCIO Executive Director Doug Robinson said during a panel discussion at the GOVIT Leadership Summit and Symposium last month in Minneapolis. “A lot of these counties, a lot of local governments and cities don't know what's available, so it's a two-way street. Both sides need to elevate their game on that.”
On the state and local level, Bimonte warned that elected officials and agency leaders “no longer want dashboards; they want answers,” as the way they hold those in charge of cybersecurity could shift to be less focused on technology and more focused on business continuity.
“They’ll ask how many citizen-hours of service were preserved this quarter, how much potential loss was avoided through faster containment and how cybersecurity investments directly improved operational continuity,” Bimonte said. “The shift from technical reporting to outcome-driven storytelling will become a competitive advantage for security leaders who can speak the language of mission impact.”
A major federal cybersecurity body went through a dramatic change this year. In September, federal funding ran out for the Multi-State Information Sharing and Analysis Center, forcing it to shift to a paid membership model rather than offer free tools and threat intelligence to its tens of thousands of members.
At the time, the Cybersecurity and Infrastructure Security Agency said it had “transitioned to a new model” to support state, local, tribal and territorial governments that includes grant funding, no-cost services and tools, security operations center calls, advisors and coordinators to provide their expertise, and more. What that looks like remains to be seen, however, especially as staff have been reassigned to other agencies or laid off, even with the promise of more hires next year and a refocused mission.
“I don't know that you want to eliminate [CISA],” Dakota State University President Jose-Marie Griffiths said in a previous interview. “[I] don't believe [Homeland Security Secretary] Kristi Noem’s intent was to close it down, but I don't know that she has the people at the moment that really, she needs to get them rebuilt and reset… There is a lot of fear, and so people are nervous. And so, it's an interesting time in the industry, and people are saying, you know, are there going to be jobs? Well yes, somebody's got to do it. And how, I'm not sure.”