Route Fifty - Cybersecurity

Hackers are already laying groundwork to disrupt the 2026 midterms, research says

David DiMolfetta — Tue, 02 Jun 2026 11:00:00 -0400

Hackers are already preparing for the 2026 midterms, with a new report warning that campaigns, fundraising platforms, public websites and local governments could face a wave of phishing, credential theft, artificial intelligence-generated deception and foreign influence activity.

The findings, produced by cybersecurity firm Check Point, do not point to voting machines as the most likely near-term target, but instead warn that attackers are more likely to exploit infrastructure around elections — like campaign accounts and fundraising platforms — to steal credentials, impersonate trusted organizations, disrupt public information or fuel doubts about the nation’s electoral process.

The conclusions come as the Trump administration has pursued a more aggressive role in election administration, including through a March executive order aimed at tightening rules around mail-in voting and voter eligibility. The U.S. Postal Service has also proposed a rule that would require states to submit lists of voters receiving mail ballots.

The report also comes amid scrutiny of the intelligence community’s posture toward election threats under outgoing Director of National Intelligence Tulsi Gabbard. ODNI recently named two officials to coordinate the intelligence community’s election-threat mission for the 2026 cycle.

The firm does not address the administration directly. The assessment is notable, however, because it points to AI and digital threats as more immediate election security concerns, rather than the voting-procedure issues that have dominated talking points from the White House.

“Overall, the most significant 2026 risks center on the trusted accounts, platforms, services, and information channels that election-related organizations rely on to operate and maintain public trust, with election-adjacent systems presenting the more immediate source of operational exposure,” the report says.

Check Point also said it observed sustained election-related infrastructure creation in early 2026, including new websites containing terms such as “election” and “vote.”

In January, the firm identified roughly 1,300 newly registered domains containing the keyword “election” and nearly 3,000 containing “vote.” Between April 13 and May 14, it identified about 1,140 newly registered domains containing “election” and roughly 4,000 containing “vote.”

The company cautioned that those registrations do not prove malicious activity on their own, but they expand the pool of web infrastructure that could later be used for phishing, fake donation pages, impersonation or misinformation campaigns.

Check Point also found exposed credentials tied to some of the most widely used political and government platforms, including roughly 9,500 linked to ActBlue, the Democratic fundraising platform, and 6,500 linked to WinRed, its Republican counterpart.

The firm also observed smaller volumes tied to gop.com and democrats.org, the national party websites, as well as usa.gov, the federal government’s public services portal.

The company identified Russia, Iran and China as the principal state actors to monitor. AI is expected to make their influence operations easier to scale, and could be used to create more convincing phishing lures, cloned audio, manipulated images and deepfake videos.

Local governments may be especially exposed because they often operate with fewer resources, older technology and smaller security teams. Check Point cited recent ransomware incidents affecting Winona County, Minnesota, and Foster City, California, as examples of how municipal cyberattacks can disrupt public services and erode trust in government systems.

“Even when election operations are not directly affected, disruption at the local government level can still create confusion, delay public communications, and undermine confidence during politically sensitive periods,” the report says.

The findings also come as the Cybersecurity and Infrastructure Security Agency’s election security role faces new uncertainty. The Trump administration’s fiscal 2027 budget proposal would eliminate the agency’s election security program, including funds for information-sharing support to state and local officials and dedicated election security advisors.

Efforts under the Trump administration to scale back CISA and its election resources have strained relationships with state and local officials and have raised concerns that jurisdictions may be far less prepared to counter threats in November, officials in Michigan and Georgia said late last month. Sen. Mark Warner, D-Va., the vice chairman of the Senate Intelligence Committee, has also pressed DHS over reports that CISA is no longer providing the same election security training and resources it offered in prior years.

]]>

Israeli researchers link Iran government to LA Metro cyberattack

Chris Teale — Thu, 28 May 2026 13:00:00 -0400

A cyberattack that crippled a transit system in Los Angeles in March appears to have been carried out not by a pro-Iran hacker group, but by a government ministry, according to new research.

Gambit, an Israeli security company, said in an analysis released this week that new forensic evidence suggests that the Iran Ministry of Intelligence and Security was responsible for the attack on the Los Angeles County Metropolitan Transportation Authority, known as LA Metro. The attack forced the transit agency to shut down access to some of its network after its security team found unauthorized activity, although it said bus and rail service was unaffected.

Gambit’s analysis found that the group responsible is not a new, standalone hacktivist group, but is instead the group Black Shadow, which has links to Iran’s Ministry of Intelligence and Security. Initially, a new pro-Iranian hacking group called Ababil of Minab had claimed responsibility for the attack and published claims on Telegram that they said showed them accessing LA Metro’s internal systems. Gambit said those claims were false.

According to the research, hackers infiltrated a virtual machine on LA Metro’s network and deleted it, as well as its underlying files. Hours later, LA Metro said a “technical issue” was delaying service alerts and preventing riders from loading fares onto their mobile app. Hackers then continued to infiltrate virtual systems and delete files.

The analysis found that the group had also hit organizations in Israel, Saudi Arabia and Turkey, as well as the South Florida Regional Transportation Authority, where the group took databases offline and deleted them. The hackers also appear to have used ChatGPT to improve their scripts and make their hacks more effective, Gambit said.

“What makes this campaign matter beyond the attribution is the velocity,” Gambit researchers wrote. “Modern intrusion operators are moving from initial access straight into the recovery layer, virtualization, backups, storage volumes, to maximize destruction and deny remediation. The skill required to do that at scale is collapsing in parallel. As AI capabilities become widely available, any actor, skilled or not, will be able to execute this kind of campaign.”

Experts have long warned of the threat Iran could pose to U.S. critical infrastructure as it looks to retaliate for the ongoing war in their country and the surrounding region. Other observers said hacking efforts like the ones made against LA Metro and SFRTA should have officials worried, especially if they are backed by Iranian government agencies.

TJ Sayers, senior director of threat intelligence at the Multi-State Information Sharing and Analysis Center, drew a comparison to Handala Hack Team, which emerged in 2023 as a pro-Palestinian hacktivist group judged to be responsible for several cyberattacks during the ongoing war in Iran and is also allegedly operated by Iran’s Ministry of Intelligence and Security.

“Aside from their claimed allegiance with Iranian state causes, very little information was available on Ababil of Minab at the time they claimed the attack,” Sayers continued in an email. “This is not uncharacteristic for emerging Iranian hacktivist collectives, especially with reference to any ties directly to state or state sanctioned activities.”

The ministry was sanctioned in 2022 for what then-Secretary of State Antony Blinken and the U.S. Department of the Treasury’s Office of Foreign Assets Control described as “malign cyber activities,” which included cyberattacks against critical infrastructure. Israel’s top cyberdefense official recently warned that Iran’s hackers are coordinating with each other more closely, too.

Experts said the hacks in Los Angeles and elsewhere represent something of an escalation in Iran’s efforts to wreak havoc in cyberspace. Ensar Seker, chief information security officer at threat intelligence platform SOCRadar, said it shows the nation’s “growing willingness to combine espionage, disruption, and psychological impact in a single campaign.”

“Transportation systems are particularly attractive targets because even limited operational disruption can generate immediate public visibility, media attention, and pressure on local governments,” Seker continued in an email. “In this case, the theft of hundreds of gigabytes of internal data alongside network disruption suggests the attackers were not simply conducting intelligence collection, but also positioning themselves for coercive influence and operational impact.”

Seker warned that organizations that are being targeted need to be hyper-vigilant, especially as it shows that regional conflicts can “increasingly spill” into civilian digital infrastructure that is often far away from the immediate conflict zone.

“Organizations should also pay attention to the data exposure aspect of this incident,” Seker said. “The theft of backups, emails, and internal documentation can create long-term downstream risks including follow-on phishing campaigns, extortion attempts, infrastructure mapping, and targeting of employees or contractors. Many organizations still treat operational disruption and data theft as separate problems, but modern state-aligned actors increasingly combine both into multi-stage campaigns.”

]]>

State leaders renew call for cyber grant program’s renewal

Chris Teale — Tue, 26 May 2026 13:00:00 -0400

State leaders once again reiterated their calls for Congress to reauthorize and fund a popular cybersecurity grant program at a House hearing last week.

Officials said the State and Local Cybersecurity Grant Program, which has been reauthorized by the House but awaits action in the U.S. Senate before it expires in September, has been helpful for governments looking to build their cyber resilience against growing threats and must be allowed to continue.

“The scale, speed, and complexity of today’s threat environment require sustained funding, operational flexibility, and the ability to respond at the pace of emerging threats,” Tennessee Chief Information Officer Kristin Darby said in written testimony before the House Homeland Security Committee’s Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation last week. “The State and Local Cybersecurity Grant Program is one of the most effective tools available to strengthen our collective defense.”

The $1 billion cyber grant program was initially funded through a 2021 infrastructure law and received a temporary extension of its authority through September as part of a government funding deal last year. The House voted in November to approve the Protecting Information by Local Leaders for Agency Resilience — or PILLAR — Act, which would reauthorize the grant program for another 10 years. A companion bill is pending in the Senate, albeit with only a one-year extension.

Witnesses at this latest House hearing said the cyber grant program has been crucial in helping them strengthen their cybersecurity postures, although much more work lies ahead. Darby said the $21 million in grant funding that Tennessee has received has secured almost 90,000 endpoints across local governments and provided cybersecurity training to more than 21,000 local government employees.

That grant funding, the majority of which has been passed to local governments, has also supported programs like managed endpoint detection and response; cybersecurity awareness training; critical infrastructure improvements like firewalls and disaster recovery systems; and managed services for jurisdictions without IT staff, Darby said.

What happens next remains an open question, however, especially if more money is not appropriated to the program. Outside groups have previously called for a stable funding stream of $4.5 billion over two years. Darby said that, without continued funding, local governments would lose access to various programs and services that require subscription funding, they and would be unable to sustain various managed services or make further investments. She also warned of job cuts if the grant program dries up.

“Most importantly, we risk losing the momentum, relationships, and trust that have been built through our whole-of-state approach,” Darby said. “Cyber adversaries are not slowing down. If funding and support diminish, the gap between attackers and defenders will widen.”

Speakers had various suggestions for how the program could be improved. Darby and Colin Ahern, New York’s director of security and intelligence, urged the subcommittee to fund the program consistently over multiple years to allow states to carry out longer-term procurements and initiatives, while Ahern said eliminating cost-share match requirements could help reduce the burden of cost sharing on smaller jurisdictions.

Ahern also said that the program should be amended to allow states and localities to buy memberships and services from the Multi-State Information Sharing and Analysis Center, which recently moved to a membership model after seeing its federal funding cut. All speakers agreed that the federal government must be a strong partner in any cybersecurity efforts alongside states and localities.

“The federal government is an essential partner in this work,” said Florida CIO Warren Sponholtz in written testimony. “Federal intelligence collection and sharing brings national visibility that no individual state can replicate. Federal advisories, threat feeds, automated indicator sharing, vulnerability guidance, and incident coordination help states understand what is happening across the country and what may be heading toward our jurisdictions.”

There appears to be broad bipartisan support for helping state and local governments in their cybersecurity posture and a recognition that, while it may need tweaks, the cyber grant program has been a positive step forward.

“The premise was simple [behind the grant program],” Rep. Andy Ogles, a Tennessee Republican who chairs the subcommittee, said in his opening statement. “A small town faces the same threats as a large city, and a rural county is not exempt from Chinese or Russian cyber actors just because it has a limited IT budget. That program helped communities that could not otherwise help themselves. Unless Congress acts, that program expires this September. We should not let that happen, and we certainly should not let it happen at a moment when the threat is growing ever worse.”

]]>

Aligning state and local AI security investments with the Cyber Strategy for America

Dave Stroth — Thu, 14 May 2026 10:00:00 -0400

The White House’s Cyber Strategy for America outlines six pillars that will shape future cybersecurity priorities and funding for the public sector. While the strategy is focused on federal agencies, it can also be a guide map for state and local government, helping entities drive toward a "whole of state” cybersecurity model.

This is essential since state and local agencies are facing a more dangerous cyber threat landscape than even a few years ago, according to a 2025 report from the Center for Internet Security. Foreign adversaries are targeting local infrastructure daily, from water systems to public schools, according to CIS.

Within the strategy, pillars four and five — securing critical infrastructure and utilizing emerging technologies — are ripe with guidance for state and local leaders, providing clear pathways for modernizing cyber defenses and security operations center activity.

State and local agencies often don't have the resources or institutional insights to directly map out holistic cyber strategies — in fact, the CIS report underscores this need, saying 68% of state, local, tribal and territorial governments lack the budget to address major cybersecurity priorities.

That makes the strategy a vital outline for how state and local agencies should prioritize their security needs, now and into the future. It also shows the importance of deploying a unified, AI-ready data foundation that reduces total cost of ownership and empowers state and local leaders to master their data for AI-driven action.

Securing Critical Infrastructure

Pillar four focuses on securing America’s critical infrastructure, including the energy grid, water utilities and operational technology. FBI data shows ransomware complaints from U.S. critical-infrastructure organizations rose from 870 in 2022 to 1,193 in 2023, then increased another 9% in 2024. That’s roughly a 50% rise in two years.

Hardening critical infrastructure to combat this increase in attacks requires unparalleled visibility across IT and operational technology environments. Unlike tools that force teams to stitch together insights across disconnected systems, a modern, integrated data platform provides a holistic view of IT and OT infrastructure.

This is important when building a “whole of state” cybersecurity strategy — achieving this posture requires a platform capable of securely handling multi-tenant data across municipal, county and state agencies, without runaway licensing costs.

This unified approach serves as an AI-ready data foundation, helping state and local agencies defend critical infrastructure, through:

AI-driven data management and threat detection. State and local security teams are often overwhelmed by the volume and complexity of unstructured data. AI capabilities can help automate log parsing, respond to natural-language queries and provide critical context. Agencies benefit from reduced investigation time and streamlined analyst workflows, helping resource-constrained teams focus on higher-value threat detection and response.
Cost-effective log retention and compliance. Data storage approaches that align retention with access needs can help agencies preserve long-term data access without creating unsustainable expenses. This is increasingly important as logging requirements expand, and state and local agencies seek practical ways to support records retention, cybersecurity mandates and audit readiness.
Support for open standards and interoperability. State and local organizations benefit from technologies that work across existing environments rather than forcing wholesale replacement. Platforms built around open standards make it easier for agencies to standardize data structures and workflows across cloud, on-premises and hybrid environments, which is critical for long-term modernization and agency collaboration.

Integrating AI-Driven Security

The fifth pillar in the strategy outlines the need for emerging technologies in the fight against cyber adversaries moving at machine speed. This is just as true for state and local agencies that are guarding sensitive citizen information, like health and financial data.

Many states are already taking steps to integrate generative and agentic AI into their operations, according to a NASCIO survey from March. In July of 2025, Virginia’s then-Gov. Glenn Youngkin issued an executive order to use agentic AI to improve government efficiency. Tennessee is looking for a next generation ERP solution with agentic AI capabilities to detect compliance risks and identify potential fraud.

For agencies still “dipping their toes in” or struggling to bridge this adoption gap, mapping to federal guidance is best achieved through an AI-ready data foundation that centralizes access and breaks down data silos — a prerequisite for modern SOC operations.

With this in place, teams can then properly lean on AI-powered security solutions, like a security information event management platform. An AI-driven SIEM accelerates threat detection and provides explainable context that helps resource-constrained SOC teams understand the "why" behind a threat. This governed environment also mitigates "Shadow AI" risks by providing a secure, internal alternative to unmanaged consumer tools.

Federal and state agencies that have already deployed an AI-driven SIEM noted that features like alert triage, automation and chat-based guidance have been differentiators in successfully protecting government systems from cyberattacks and enabling cyber teams to work more efficiently.

Cyber alert triage uses large language models to prioritize, analyze and correlate security alerts, reducing analyst alert fatigue and enabling SOC teams to prioritize the highest profile threats instead of chasing false positives.

Success at CA EDD With AI-Driven Security

When California's Employment Development Department wanted to modernize its networks, the agency turned to some of the same kind of AI-enabled cyber tools outlined in the new strategy.

The organization, which manages the state’s benefits programs, is on a multi-year modernization journey to transform CX, making sure users are supported and well protected within EDD systems and applications. Since EDD handles billions of points of data, a big challenge was balancing between making that data easily accessible to beneficiaries and making sure it was safe from cyber attacks.

EDD found that balance by deploying a unified, AI-powered SIEM platform that consolidates data across their entire IT environment, providing its cyber team with holistic visibility across thousands of servers. By collecting and normalizing system and transactional data into one location, the security team can more easily find patterns and spot vulnerabilities.

The EDD security team handles more than 80,000 alerts per month and the AI-driven features of the organization’s modern SIEM platform has assisted the security team in prioritizing alerts by detecting unknown threats and highlighting the most important ones. This significantly lowers the average time to detection, making operations more direct and clear for analysts.

EDD and the citizens it serves have already begun to reap the benefits of this modern solution that utilizes agentic AI, including:

99% reduction in mean time to respond to cyber events.
850 billion records secured across 14,000 endpoints, to-date.
3,000 servers connected across EDD.

State and local leaders do not need to start from scratch to strengthen their cyber posture. The Cyber Strategy for America offers a practical, credible framework for protecting the essential services communities rely on every day.

With an AI-ready data foundation set, state and local agencies aren’t just prepared for improved security, but will address budget deficits by consolidating redundant tools and reducing the massive costs associated with legacy ingest models.

From there, implementing AI-driven security solutions will help leaders execute a "whole of state" cybersecurity strategy and achieve modernized SOC performance. At a time when threats are growing more aggressive and resources remain constrained, following this roadmap is not just prudent policy, it’s a necessity.

Dave Stroth is Area VP of U.S. SLED at Elastic.

]]>

‘No time to waste’ in prepping governments for AI cyber threats, top Dem lawmaker says

Chris Teale — Wed, 13 May 2026 13:00:00 -0400

The U.S. Senate’s top Democrat called on the Department of Homeland Security last week to better coordinate its response to artificial intelligence-driven cyber threats with state, local, tribal and territorial governments.

Sen. Chuck Schumer, the New York Democrat who serves as Senate Minority Leader, said in a letter to Homeland Security Secretary Markwayne Mullin that the world is “coming to grips” with the fact that AI systems will soon be better than humans at finding software vulnerabilities. Schumer’s letter came after Anthropic announced last month that its Claude Mythos Preview model is “strikingly capable” at finding cybersecurity vulnerabilities.

Schumer called on Mullin and DHS to work closely with other units of government to prepare them properly for those cyber threats from AI. He noted the threats that states, localities and others face, including to their critical infrastructure, and urged the federal government to do more to protect them. AI could be capable of hacking such systems within a year, he said.

“As AI continues its rapid development — including important cybersecurity advances as well as dangerous new hacking tools — it is imperative that all levels of our government have access to this technology so they can prepare before it’s too late. We must beat cyber criminals in the race to defend our most critical systems from AI-enabled hacking or attacks,” Schumer said in a statement accompanying the letter. “There is no excuse for the Department of Homeland Security’s delay in bolstering state and local government cybersecurity capabilities. We must begin this process now — before there are any major disruptions to hospitals or energy grids — or worse.”

In his letter, Schumer asked Mullin to provide information on how DHS will coordinate with SLTT governments and the private sector to conduct risk assessments of critical infrastructure, and share information about vulnerability discovery and response. He also asked Mullin how DHS will work with other governments to provide remediation solutions, facilitate rapid vulnerability patching, offer access to modern testing and evaluation, and advise governments on identifying top AI talent and training to prepare the next generation of tech workers.

Schumer’s letter noted that those questions come on the heels of the federal government pulling funding for the Multi-State Information Sharing and Analysis Center, which he noted was designated in 2010 as the “primary source” for those functions and more. Since the Cybersecurity and Infrastructure Security Agency announced it had pulled funding for MS-ISAC, the center has moved to a membership model.

For their part, officials in President Donald Trump’s administration have promised more information sharing, especially after the release of the National Cyber Strategy in early March. In a previous public appearance, White House National Cyber Director Sean Cairncross said agencies — including CISA as well as the Department of Justice and Federal Bureau of Investigation — were “looking for ways to streamline information sharing from the [U.S. government] side.”

“Often how we know things is super sensitive,” he continued. “What we know is less so. We want to figure out how to communicate that in a helpful, actionable way, as we work through that on the interagency side, with partners on the state and local side.”

Schumer, however, said the decision to cut funding to the MS-ISAC was a poor one given how AI has shifted the threat landscape.

“Given the monumental changes quickly coming to cybersecurity as the result of frontier AI, and the need for organizations to be able to perceive and contextualize risks earlier than ever before, there could not be a worse time to undercut proven, longstanding MS-ISAC processes, procedures, and resources for sharing cyberthreat intelligence with SLTTs,” the letter said.

Schumer asked for a plan for “coordinating our nation’s response to frontier AI-enabled hacking” by July 1, as well as a nominee to lead CISA.

“AI is changing the cyber battlefield fast — and we cannot let hackers get there first,” Schumer said in a statement. “Hospitals, power grids, water systems, schools, elections, and emergency services cannot be left exposed while criminal gangs and state-backed hackers race to exploit new AI tools. DHS must immediately help states and localities find and fix vulnerabilities before Americans are hit with outages, disruptions, and attacks that could put lives and livelihoods at risk. This is a race between cyber defenders and AI-enabled hackers — and with communities across the country at risk, there is no time to waste.”

]]>

Senator warns CISA election security pullback could leave midterms vulnerable

David DiMolfetta — Thu, 07 May 2026 11:00:00 -0400

Senate Intelligence Committee Vice Chairman Mark Warner, D-Va., is demanding answers from the Department of Homeland Security over what he says is a sharp decline in federal election security support ahead of the 2026 midterms, warning that cuts to the Cybersecurity and Infrastructure Security Agency could leave states more exposed to cyber threats and foreign interference.

In a letter sent Wednesday to DHS Secretary Markwayne Mullin, Warner said state and local officials have reported that CISA is no longer providing the same level of election security training, intelligence sharing and cybersecurity assistance it offered in prior election cycles.

The letter adds to growing criticism over the Trump administration’s handling of CISA and its election security mission, which has faced deep staffing reductions enacted over the last year.

“While the states are taking valiant and expensive measures to protect their elections, it is impossible for states to independently obtain intelligence, subject-matter expertise, and real-time incident reporting, and information at the scale and speed required to protect state elections from physical and cyber threats,” Warner wrote.

After this story was published, a DHS spokesperson said that, under President Joe Biden, CISA “was focused on censorship, branding, and electioneering instead of defending America’s critical infrastructure.”

Under President Donald Trump, the spokesperson said the agency is “committed to delivering timely, actionable cyber threat intelligence, supporting federal, state, and local partners, and defending against both nation-state and criminal cyber threats.”

“CISA’s mission is ensuring state and local election officials are cognizant of and utilize the most capable and timely threat intelligence, expertise, resources they need to defend against risks, and identify critical infrastructure security needs to maintain electoral functions,” the spokesperson added.

Efforts under the Trump administration to scale back CISA and its election security resources have strained relationships with state and local officials and have raised concerns that jurisdictions may be far less prepared to counter threats in November, officials in Michigan and Georgia said late last month.

The administration’s fiscal 2027 budget proposal would eliminate the agency’s election security program funding, including information-sharing efforts and election security advisor positions.

Warner’s letter also cited testimony delivered last week by the head of U.S. Cyber Command and the National Security Agency, who said that foreign adversaries are expected to target the 2026 elections.

The senator asked DHS to explain what CISA is doing to warn state and local officials about malign influence campaigns and cyber threats targeting election infrastructure. He also requested records of election-related training, cybersecurity reviews, incident responses and outreach efforts that have been conducted by the agency since January 2025.

He also asked DHS whether any CISA personnel were involved in an FBI raid tied to election systems in Fulton County, Georgia — where Director of National Intelligence Tulsi Gabbard was publicly seen alongside federal officials — or in her office’s seizure and testing of voting machines in Puerto Rico.

The letter comes as the future of CISA’s election security role has become increasingly uncertain. Republican lawmakers and many Trump allies have long criticized the agency’s election-related activities, particularly after CISA publicly pushed back on false claims surrounding the 2020 election.

Editor's note: This article has been updated to include a statement from CISA.

]]>

CISA unveils CI Fortify to help secure critical infrastructure during conflicts

David DiMolfetta — Wed, 06 May 2026 12:00:00 -0400

The Cybersecurity and Infrastructure Security Agency announced the release of its CI Fortify project on Tuesday, aiming to help critical infrastructure owners and operators defend themselves against hackers and maintain continuity during a geopolitical conflict.

“For planning purposes, operators should assume that in a conflict scenario third-party connections — such as telecommunications, internet, vendors, service providers, and upstream dependencies — will be unreliable and that threat actors will have some access to the [operational technology] network,” a webpage describing the initiative says.

Per guidance, CISA wants critical infrastructure providers to focus on isolation and recovery planning objectives.

“We strongly encourage organizations to review this guidance, implement the recommended actions and collaborate with CISA to strengthen CI defenses against opportunistic threat actors,” agency acting director Nick Andersen said in a prepared statement.

Critical infrastructure — like water treatment plants, financial institutions and electric grids — are a regular target for foreign hackers. U.S. officials have assessed for years that China is burrowing into non-military critical infrastructure networks, preparing to sabotage them should the U.S. enter into a major conflict with the nation, especially involving Chinese interests in Taiwan.

Hackers linked to China, Russia, Iran, North Korea and ransomware groups will continue to pose critical threats to U.S. networks and critical infrastructure, U.S. intelligence agencies assessed this year.

Amid the U.S.-Israel war against Iran, Tehran-backed hackers exploited and disrupted operational technology control systems embedded in multiple U.S. critical infrastructure sectors, targeting equipment manufactured by Rockwell Automation, according to a government advisory issued last month.

Last year, Australia, a Five Eyes partner, launched its own CI Fortify program.

]]>

State cyber officials’ confidence is down, survey finds

Chris Teale — Mon, 04 May 2026 13:00:00 -0400

PHILADELPHIA — State cybersecurity officials appear less confident they can protect themselves against threats to their systems and assets, according to a survey released last week.

The survey by the National Association of State Chief Information Officers and Deloitte found that just 26% of state chief information security officers say they are “extremely” or “very” confident that they can protect themselves from cyber threats. That’s a reduction from the 2022 edition of this survey, when 48% said they were confident of protecting themselves.

Experts put that dramatic drop in confidence down to the continued growth of artificial intelligence, which is already being exploited by bad actors and hackers connected to nation-states. And while AI’s defensive capabilities are already being used, keeping up with threat actors will be a constantly moving target.

“The thing with AI is that the fundamentals of cyber have not changed,” Kansas CISO John Godfrey said during a panel discussion at NASCIO’s Mid-Year Conference in Philadelphia last week. “The issue is really just about the speed by which we don't take action. Part of the challenge we have is that if we had a tech gap before, then that gap is growing even more to the extent to which we continue to face machine speed threats as humans. Part of the challenge here is how do we continue to evolve, adapt and improve our abilities to catch up with that level of velocity that we need?”

One aspect of CISOs’ work that has shifted in recent years is around metrics reporting, with 49% saying it is one of their state’s top cybersecurity priorities. That is a major jump from the 25% that said so in 2024 and 15% in 2022, and it’s a trend that NASCIO said shows that CISOs are being asked to track the effectiveness of cybersecurity spending, although that in itself is tricky. Metrics like incident response time and the click rate on a phishing email are two ways CISOs can show a return on the investment, NASCIO said.

However, the financial aspect of cybersecurity professionals’ roles appears to be weighing heavily, as 16%of CISOs reported their budget had been cut, compared to zero who reported such reductions in 2024. And while the majority said their cybersecurity budgets had either stayed stable or increased — with 10% of those surveyed reporting an increase of 10% or more — the report said the findings “paint a grim picture.”

NASCIO said the funding challenges could be blamed on several factors, including the growing pressure on states’ general funds; the expiration of one-time federal funding from COVID-19 and the years immediately following; and reduced federal support from the likes of the Cybersecurity and Infrastructure Security Agency and the Multi-State Information Sharing and Analysis Center.

The group also pointed to continuing uncertainty around the future of the State and Local Cybersecurity Grant Program, which has received a reauthorization vote in the House, but is yet to receive one in the Senate and still lacks additional appropriations.

NASCIO Director of Government Affairs Alex Whitaker said during a briefing at the conference that the group has requested an appropriation of $300 million for the program in FY 2027, although he acknowledged being “reluctant” to offer a specific dollar amount for an effort that will take years and need billions of dollars.

“I also view it as a starting point,” Whitaker said. “SLCGP is not a silver bullet. It is addressing some low hanging fruit in cybersecurity, but it's something that I think that hopefully we can build on to make sure that folks in Congress understand that states need more support on this, local governments as well.”

CISOs’ jobs are likely to get more complex, too. The vast majority (94%) said they are involved in developing policies for their state’s use of generative AI, while 84% are responsible for forming strategy on the technology’s use.

Meanwhile, the growth of whole-of-state cybersecurity strategies is also presenting headaches for state CISOs. Just over 60% said they are “not very confident” in the ability of their local governments and higher education institutions to secure public data, a significant rise from 2022’s figure of 35%.

It won’t be easy, observers warned, given the budgetary concerns states face.

“This is where the resource crunch becomes most acute,” Tim Miller, global field chief technology officer and chief cybersecurity strategist at software company Dataminr, wrote in a blog post. “States are being asked to extend protection downward — to county governments, school districts, municipalities that have no dedicated security staff — with budgets that are, in many cases, flat or declining.”

With a whole-of-state strategy requiring more information sharing, a shared response to threats and better coordination, the finding suggests CISOs are concerned about the cybersecurity postures of other governmental units and keen to adopt a whole-of-state approach.

“Government and industry partnership is essential to navigating the modern, AI-enabled cyber threat landscape — as the report underscores, a whole-of-state approach becomes a force multiplier when supported by an open platform that integrates data from any source, and enables real-time threat detection, investigation and response across diverse environments,” Bobby Suber, senior manager for solutions architecture for state, local and education at tech company Elastic, said in an email.

]]>

The new leadership playbook: What public sector CISOs need now

Eric Trexler — Wed, 22 Apr 2026 10:00:00 -0400

Public sector chief information security officers are doing a different job than they were even a few years ago. While the mission is the same: protect services, protect citizens, protect trust; the threat is not.

Attackers are running automated factories. Artificial intelligence is exponentially speeding up recon, weaponizing stolen data, generating convincing lures and adapting on the fly. If your defense still depends on manual triage, ticket queues and stitched together tools, you are defending at human speed against machine speed. This is always a losing proposition.

Quantum makes this more urgent. Post quantum is not a “later” problem. The danger is already here: harvest now, decrypt later. Adversaries can collect encrypted traffic and stolen data today, then decrypt it when quantum capability matures. That is why migration needs to happen now; waiting only intensifies risk. Crypto is embedded everywhere: identity, PKI, VPNs, TLS, software updates, vendor services. If you do not start planning and inventorying now, you will not be ready when the deadline arrives. Current cryptography will be broken in the next two years.

Adversarial AI is not just more phishing. It is precision targeting, deepfake enabled social engineering, automated vulnerability discovery and malware that learns your environment. This changes what “defensible” looks like. You will not close the gap by adding more point products and more people. You have to change how you lead, how you communicate and how you operate.

Start with talent. Stop hiring for narrow credentials and perfect resumes. Hire for mission, aptitude and speed to learn. Build pipelines through training, rotations and mentorship. Then protect your team from burnout. The fastest way to lose your best people is to make them the glue that holds 20 tools together. The best way to lose your job is to rely on those same tools to defend the organization. Use automation and AI to cut noise, correlate signals and accelerate response so your experts can focus on judgment and action.

Speak mission, not metrics. Vulnerability counts but mean-time-to-respond only moves leadership when it’s connected to outcomes. You have to translate cyber risk into service risk. When systems go down, what happens to 911 dispatch, student enrollment, benefits processing, payroll, hospital operations, water systems, and public trust? Make the impact concrete, then be consistent. Brief leadership regularly on threat trends, response readiness, and progress. Trust is built before the crisis, not during it.

Make cybersecurity a team sport. Every employee, every contractor and every agency function is part of the attack surface. Build a culture where reporting is fast and safe. When people fear blame, they hide mistakes. When they hide mistakes, you learn too late. Run real exercises with cross functional leaders. Practice decisions under pressure. Fix gaps without finger pointing. Make security part of the solution, not an inhibitor to the business.

Now, the hard truth on technology. Public sector organizations cannot afford years of integration work while adversaries iterate weekly. Tool sprawl slows you down. Disconnected systems create blind spots. Manual workflows create delay.

You need real time action across endpoint, network, cloud, identity and data. That requires a mature cyber platform built to correlate, automate and act, not a pile of products that you hope your teams can cobble together one day.

AI must be part of defense. Not a bolt-on chatbot, not a pilot in a corner. Truly integrated AI reduces noise, prioritizes what matters and drives action at machine speed is now table stakes. It takes big budgets and massive research and development to make this work well and keep up with the adversary. Ask your OEMs how much they’re investing in R&D each year.

Post quantum readiness is also an opportunity to lead. Inventory where quantum vulnerable cryptography lives today. Prioritize long life data and high impact services. Pressure-test your vendors. Build a phased plan and start executing. Migration takes years and waiting only guarantees disruption.

The bottom line is simple. AI has changed the threat faster than humans can keep up. Quantum risk is already driving harvest now behavior. Slow integrations and manual response will not win.

Lead with purpose. Build teams that learn fast. Speak in mission outcomes. Create shared accountability. Move now on post quantum. Invest in mature cyber platforms that turn signals into action at the speed of the fight.

The stakes are national. The window is closing. Are you leading like it?

Eric Trexler is senior vice president for U.S. public sector at Palo Alto Networks.

]]>

Pro-Iran hackers appear to ramp up critical infrastructure cyberattacks

Chris Teale — Fri, 17 Apr 2026 13:00:00 -0400

Cyberattacks against critical infrastructure from groups sympathetic to Iran appear to be ticking up, as the federal government warns hackers may look to exploit other vulnerabilities.

Last week, pro-Iranian hacking group Ababil of Minab claimed responsibility for a hack on the Los Angeles County Metropolitan Transportation Authority, known as LA Metro. The cyberattack it experienced last month forced the transit agency to shut down access to some of its network after its security team found unauthorized activity, although LA Metro said bus and rail service was unaffected.

The hacking group published claims on Telegram that they said showed them accessing LA Metro’s internal systems. Tim Miller, field chief technology officer for public sector at Dataminr, an artificial intelligence-backed platform that helps leaders track events, threats and risks in real time, said in a blog post that the group is an “emerging” one “with a limited public profile and little verifiable prior activity in threat intelligence reporting — making any definitive capability or intent assessment premature at this stage.”

“What can be cautiously observed from available evidence is that their explicit pro-Iran messaging and targeting of a major US public transit authority is broadly consistent with Iranian-aligned actors’ known pattern of targeting US critical infrastructure,” Miller continued.

Other experts tracking such events are similarly cautious about whether the group is responsible for the LA Metro hack. A spokesperson for the Multi-State Information Sharing and Analysis Center, which has warned previously of attacks on critical infrastructure from pro-Iran hackers, said in an email “there is no clear evidence that the claim is legitimate.”

Even though reports are unconfirmed, it makes for a worrying time for state and local governments, as well as critical infrastructure operators, who have been waiting with bated breath to see if groups sympathetic to Iran would launch attacks on these shores to retaliate against the ongoing war there.

"The threat of cyber-attack from Iran is real,” Andrew Chipman, governance, risk and compliance manager at cybersecurity company ProCircular, said in an email. “At this time, we expect to see that threat realized through proxies, hacktivists, and other allies to the Iranian regime. If Iran is able to build back their regime, we may see direct retaliation from Iran in the form of cyber-attacks against highly visible targets. History teaches us that hospitals and medical service providers are prime targets for the regime and its supporters. However, any critical infrastructure is a potential target.”

The alleged Iran-backed hack in Los Angeles came days before a warning from the Cybersecurity and Infrastructure Security Agency and a slew of other federal agencies earlier this month that various operational technology devices used in critical infrastructure, including programmable logic controllers, have been exploited by bad actors linked to Iran.

The agencies said those efforts, which have at times “resulted in operational disruption and financial loss,” have been designed to “cause disruptive effects within the United States.” CISA and its fellow agencies said the targets have included government services and facilities, water and wastewater systems and energy.

“Iran using cyberattacks to probe and impact American utilities should come as no surprise,” Lt. Gen. Ross Coffman (Ret.), president of artificial intelligence company Forward Edge-AI, said in an email. “Iran is using its long-range targeting tools to fight in every domain possible. We must continue to harden our cyber defenses and remind employees that they are the first line of defense. Our government's cyber professionals are the best in the world, so Iran is probing daily to find an exposed flank.”

Ababil of Minab warned that their “forthcoming actions will exact sterner pain,” although Miller said in the blog post that those pronouncements should be “treated as unverified rhetoric until corroborated by additional intelligence.” Chipman said some form of escalation could happen.

“Iran is not currently in a position to wage large scale cyber warfare against the United States or its allies, but hacktivists and proxy attackers are plentiful — expect attacks to come and prepare appropriately," he said.

]]>

How Iranian hackers pose a threat to US critical infrastructure

William Akoto, The Conversation — Thu, 02 Apr 2026 12:00:00 -0400

This article was originally published by The Conversation.

Michigan may be more than 6,000 miles away from the war in Iran, but, virtually speaking, it’s well within striking distance.

An Iran-linked group calling itself Handala claimed responsibility for a cyberattack on Portage, Michigan-based medical device maker Stryker Corp., carried out on March 11, 2026. Handala said the attack was in retaliation for events related to the conflict in Iran.

The cyberattack affected Stryker’s internal Microsoft software system, disrupting the company’s order processing, manufacturing and shipping.

As a scholar who researches cyber conflict, I’ve found that in periods of geopolitical tension such as the current U.S./Israel-Iran war, cyber operations often sit right next to missiles and airstrikes as a tool that states and state-linked groups use to inflict damage, probe weaknesses and signal resolve to their enemies.

The Stryker case is notable because it shows how quickly a regional conflict can translate into disruption for organizations far from the battlefield. It also illustrates the vulnerabilities of U.S. organizations, including those involved in critical infrastructure.

Modern critical infrastructure does not only involve the obvious big targets like power plants or water utilities. It also relies on suppliers and service providers that sit one or two links upstream – such as managed information technology providers, cloud and data center operators and specialized parts suppliers – that keep everything from hospitals to transit systems running.

This is one reason U.S. officials emphasize critical infrastructure as a whole-of-society problem, not a niche government issue. The Cybersecurity and Infrastructure Security Agency’s “Shields Up” guidance is written for exactly this reality: a world where geopolitical shocks can threaten organizations that did not think they were part of the battlefield.

Cyber Operations Are Often About Options

When people imagine cyber warfare, many often picture dramatic outcomes. The lights go out. The water turns toxic. The trains stop. Those scenarios are real risks. But they are not the only objective, and often not the main one. The real strategic value is access.

Cyber access is like a set of keys. If you can get into a network quietly, stay there and learn how it works, you create options for later. You can steal information, map dependencies and position yourself to cause disruption. You can keep the option to strike in your pocket, so that in a crisis, you can cause or credibly threaten to cause harm.

That is why U.S. agencies took the China-linked Volt Typhoon group’s hacking activity so seriously. In joint advisories, U.S. officials described a campaign that compromised the information technology systems of organizations across multiple critical infrastructure sectors and used so-called living-off-the-land techniques that can blend into normal administrative activity.

This is an important point. A lot of state-linked cyber activity is not designed to create immediate, visible chaos. It is designed to build leverage.

How State-Sponsored Cyberattacks Typically Work

Most state-backed cyber operations, including those carried out by the United States, follow a common sequence.

First, the attackers gain initial access through techniques such as phishing, exploiting known vulnerabilities or abusing weak remote access. Once inside, attackers try to learn where the valuable data and sensitive systems are. They seek higher privileges and move laterally, often using legitimate administrative tools to blend in.

That stealthy maneuvering is one reason campaigns like Volt Typhoon raised alarms. Defenders can have a hard time distinguishing an intruder from a normal administrator in a busy environment, especially when the intruder is deliberately trying to make their actions look like ordinary activity.

The attackers then establish persistence, meaning they can sustain their access. If the goal is leverage, the attackers want to survive defenders’ cleanup efforts after they discover they’ve been hacked. That can mean gaining multiple footholds, altering authentication settings or gaining access via third parties.

Finally, they choose the effects they want to have. Consider the “Shamoon” attack in 2012 in Saudi Arabia. After gaining access, the attackers used malware to wipe data on thousands of computers at oil giant Saudi Aramco, disrupting business operations.

But not every intrusion ends in destruction. Sometimes it ends with data theft, where the prize is information rather than causing downtime. An example is the 2015 breach of the U.S. Office of Personnel Management, in which attackers stole sensitive personnel data. Other times, the point is disruption designed to send a message such as the cyberattack on Sony Pictures in 2014, when hackers sought to keep the company from releasing the comedy film “The Interview.”

What Defenses Does the US Have?

The U.S. has a growing defense ecosystem, but it is not a single shield you can switch on. The Cybersecurity and Infrastructure Security Agency encourages organizations to heighten their cybersecurity vigilance during periods of elevated geopolitical risk. The agency, along with the FBI, the National Security Agency and international partners, also publishes advisories with indicators and recommended mitigations when they see active campaigns.

Because critical infrastructure is mostly privately owned, federal defense also depends on partnership. For instance, the Cybersecurity and Infrastructure Security Agency’s Joint Cyber Defense Collaborative is designed to support coordinated public-private planning and information sharing around major cyber risks.

Congress has also pushed the private sector toward reporting incidents more quickly. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 sets reporting timelines that include reporting cyber incidents within 72 hours and ransomware payments within 24 hours after payment. The Cybersecurity and Infrastructure Security Agency has been implementing these requirements through ongoing rulemaking.

These are meaningful steps, but they do not erase the basic constraints: uneven resources, uneven incentives and the reality that many targets sit outside direct federal control.

Lessons From the Stryker Hack

The Stryker episode is a reminder that cyber operations are now a routine tool that state-linked actors can use to project power during international crises. They can aim at theft, disruption or signaling. Sometimes they hit government networks, and other times they hit private companies that sit inside essential supply chains.

Either way, the consequences can be felt far from the conflict itself.

In cyber conflict, the quiet part – gaining access, establishing persistence and preparing for deployment – typically comes first. The visible disruption often gets headlines, but it is the hidden positioning that sets the stage for offensive cyber operations in a crisis.

Wars today are not only fought with missiles and airstrikes you can see in the sky. They are also fought with what you cannot see moving through computer networks.

William Akoto is Assistant Professor of Global Security, American University

]]>

Why small municipalities have become cybercriminals' favorite prey

Alton Henley — Fri, 27 Mar 2026 10:00:00 -0400

The call came at 6:47 a.m. on a Tuesday. The public works director couldn't log in. Neither could anyone in finance. By the time the city manager arrived, the message on every screen was clear: the city's entire network was encrypted, and the attackers wanted $350,000 in Bitcoin.

This wasn't a major metropolitan area with a dedicated cybersecurity team. It was a community of 12,000 people with an IT department of one. The city had no incident response plan, no cyber insurance and backups that hadn't been tested in over a year.

Stories like this play out thousands of times each year across America's small municipalities. While headlines focus on attacks against major cities and Fortune 500 companies, criminal organizations have quietly discovered that small local governments offer something even better: essential services under political pressure to pay, defended by IT teams stretched impossibly thin.

The Math That Works Against Us

The United States has roughly 35,000 local governments. The vast majority serve populations under 50,000, and most have IT departments of one to three people, if they have dedicated IT staff at all.

Ransomware operators have done the math. Attacking a large enterprise means facing security operations centers and incident response teams. Attacking a small municipality means facing a single IT generalist who spent the morning fixing a printer jam.

The pressure dynamics favor attackers too. When a municipality gets hit, residents lose access to essential services: water billing systems go dark, permit applications stall, court records become inaccessible. The calculus shifts toward paying, simply to make the crisis stop

Anatomy of an Incident

Initial access usually comes through one of three doors: a phishing email that tricks an employee into revealing credentials, a compromised vendor connection, or an exposed system that hasn't received recent security updates.

Once inside, attackers spend days or weeks exploring the network, identifying valuable systems, locating backups and escalating their privileges. In flat networks with limited monitoring, this activity goes undetected. By the time the ransomware detonates, attackers have already positioned themselves to cause maximum damage.

The decision of whether to pay is agonizing. Paying rewards criminal behavior and offers no guarantee of recovery. But not paying means potentially months of recovery work and costs that often exceed the ransom amount many times over. There's no good option, only less-bad ones.

A Realistic Defensive Framework

Enterprise security advice typically assumes resources that small municipalities don't have. A more realistic approach is what I call the "pick three" framework: focus intensively on three priorities that deliver the highest return for limited investment.

Priority One: Multi-Factor Authentication Everywhere You Can

Multi-factor authentication requires users to prove their identity with something beyond a password, typically a code from a phone app. This single measure defeats the vast majority of credential-based attacks.

Start with email and remote access systems. Most cloud email providers include MFA at no additional cost; it just needs to be enabled. Expect resistance from staff who find it inconvenient. Frame it as non-negotiable, like wearing seatbelts.

Priority Two: Backups That Actually Work

Many municipalities believe they have functioning backups until an incident reveals otherwise. Common failures include backups that haven't run successfully in months, backup systems connected to the same network as production systems (and therefore encrypted alongside them), and backups that no one has ever tested restoring from.

Effective backup strategy requires regular testing, isolation from the primary network, and sufficient retention to recover from attacks that went undetected for weeks. Schedule quarterly restoration tests and treat failures as urgent issues.

Priority Three: One Relationship Before the Crisis

When an incident occurs, having an established relationship with someone who can help is invaluable. That might be with the Multi-State Information Sharing and Analysis Center, a state-level cybersecurity office, or an incident response firm.

MS-ISAC deserves particular mention because its services are free to local governments and include 24/7 incident response support. If your municipality isn't already a member, joining should be this week's task.

The Manager's Role

City and county managers often assume cybersecurity is a technical problem that should be delegated to IT. This assumption is dangerous. Cybersecurity is fundamentally a risk management challenge requiring executive attention that only managers can provide.

IT staff can identify what needs to be done. They cannot, on their own, compel behavioral changes from other departments, allocate budget, or set policy about acceptable risk levels.

Practical steps managers can take include adding cybersecurity as a regular agenda item, requiring annual briefings on security posture, including security requirements in vendor contracts, and establishing clear incident response authority before an incident occurs.

Looking Ahead

The threat environment for small municipalities will likely worsen before it improves. But individual municipalities can significantly improve their odds. The "pick three" framework addresses the gaps that attackers most commonly exploit. None requires massive budgets or specialized expertise. All require sustained attention and organizational will.

The municipality that received the ransom demand at 6:47 a.m. eventually recovered without paying.

It took eleven weeks and cost far more than the ransom in overtime, consulting fees, and degraded services. The manager who led that recovery always emphasizes the same point: everything they did after the attack would have been easier, faster, and cheaper if they had done a few things differently before it.

Alton Henley is Dean of Business and Hospitality at Montgomery College with expertise in digital transformation for small municipalities. He serves on the advisory board of KC7, a nonprofit providing free cybersecurity training. Contact: alton.henley@montgomerycollege.edu

]]>

New Texas Cyber Command looks to ‘bind the state together’

Chris Teale — Mon, 16 Mar 2026 13:00:00 -0400

A unified Texas cybersecurity effort went into effect in September, and already those in charge have plenty of work to do.

Gov. Greg Abbott signed a law establishing the Texas Cyber Command in June, with the new body officially launching in September and assuming many of the cybersecurity roles previously held by the state’s Department of Information Resources, known as DIR. It’s housed at the University of Texas at San Antonio.

The coming months promise to be busy, too. Ret. Admiral TJ White, the cyber command’s first chief, said by law it is mandated to establish an information-sharing and analysis center, a threat intelligence center, a digital forensics lab and an incident response unit. White said cyber command will be a “down and in” organization focused proactively on threat intelligence, incident response and day-to-day operations, as well as an “up and out” organization with an events management, public engagement and outreach arm.

It’s “a single entity to try to bind the state together, to work with partners like [Texas Department of Public Safety], Texas Department of Emergency Management, Health and Human Services, the state [chief information officer] and so on,” White said during a session at last week’s Billington State and Local Cybersecurity Summit in Washington, D.C.

Abbott prioritized the establishing of a cyber command early last year and quickly passed legislation to do just that. That effort came on the heels of several incidents in 2019, when municipalities, governments and businesses in the state were hacked, then it took days to understand what happened and weeks to mobilize response. While it took six years to make the cyber command a reality, White said the final law is well written and should be an example for others to try and emulate in the cyber realm.

“In the context of this law, the legislature and the governor have set a very high bar, which is great,” he said. “They have put resources and built it against the mission, which is great. They have given Texas Cyber Command an opportunity to do some things nontraditionally, in an effort to hopefully move faster, which is great. They put in place some capabilities for cost recovery so that we can actually fund over time to get the agility, speed, scale and mass to support cybersecurity across the state.”

White said there is already plenty of good work to build on in cybersecurity across Texas, especially in state government. He noted the growth of regional security operations centers, housed at various state colleges and universities, as one area where the state has led the way, and said more could come in the future.

And he said the new cyber command can build on the good work already done by DIR and other agencies, especially in its contracting and procurement, which can help the new body spend its money wisely.

“How do I work with other state agencies and departments to take more coherent advantage of those contracting vehicles, not fighting for their resources?” White said. “They can do that on their own. I don't want their resources. I just hope that what we can do together is spend those resources more effectively.”

Cyber command also will prioritize building relationships all across the state in a bid to properly leverage the intelligence being gathered on cyber threats, White said. And part of his effort atop the agency will be to “raise the level of awareness and attention across Texas” for cybersecurity, White said. It’s not something that state leaders can do once and then forget about, but is something that needs constant care and attention, he said.

“A colleague of mine recently observed that cybersecurity is something that you do; it's not something that you have,” White said. “And I've thought about that a little bit. I just don't do it for one year, take the proceeds, go to the bank and watch the compounding interest grow forever. You actually have to be a proactive manager of your portfolio… Pay yourself first in cybersecurity; you cannot rest on your laurels.”

White said he will also need to be confirmed into the post on a permanent basis by the Texas Senate, which he said will hopefully happen next year during its legislative session. And he pledged to always be working to “earn, build and keep the trust of Texas.”

]]>

Stryker hack could set stage for more pro-Iran cyber sabotage

David DiMolfetta — Mon, 16 Mar 2026 11:00:00 -0400

Cybersecurity experts say the recent hack of medical technology giant Stryker may be an early indicator of wider, pro-Iran cyber sabotage activity.

Pro-Iran and pro-Palestinian hacking group Handala claimed responsibility for the cyberattack, which saw the hacking collective apparently deploy wiper malware targeting Microsoft InTune management services installed on employees’ phones, including their personal devices.

Pro-Iran hacking groups frequently target systems in the U.S. and Israel, as seen in late 2023 when a group defaced water treatment systems in Pennsylvania that utilized Israel-made Unitronics equipment. Stryker acquired the Israeli medical technology company OrthoSpace in 2019 and holds significant contracts with the departments of Defense and Veterans Affairs.

The Unit 42 threat intelligence arm of Palo Alto Networks is “tracking an increased risk of wiper attacks related to the conflict with Iran, including multiple related incidents impacting organizations in Israel and the U.S.,” the company said in a blog post last week.

“The reported wiper attack … may represent a similar dynamic, an early signal of activity that could expand beyond a single target,” said Justin Kohler, a former Air Force analyst and chief product officer at SpecterOps. “Organizations need to assume that attackers will gain a foothold and focus on proactively shutting down the attack paths adversaries rely on to escalate privileges, move laterally and expand their impact.”

A wiper-style attack on a company like Stryker is dangerous because “it targets operational continuity rather than just data theft. In the healthcare ecosystem, outages affecting device manufacturers or support systems can ripple across hospitals, supply chains and patient care environments,” said Ensar Seker, chief information security officer at SOCRadar.

The hack has challenged notions that direct physical targeting of apparent Iran state-funded cyberwarfare infrastructure would reduce the likelihood of any successful hacking attempts tied to the war. Pro-Iran hacking groups, until recently, have typically made overstated, unverifiable or false claims about their wartime activities.

“Organizations should take this as a reminder that destructive cyber operations are no longer limited to nation-state military targets,” Seker added.

The Cybersecurity and Infrastructure Security Agency said Thursday it is investigating the Stryker incident. The war, which broke out Feb. 28, was expected to test the strength of U.S. cyberdefenses.

California Rep. Eric Swalwell, the top Democrat on the House Homeland Security Committee’s cybersecurity panel, told reporters Thursday that his team was in touch with Stryker and evaluating how they’re working with federal responders, as well as how the hack may have impacted others that rely on the company’s devices.

“We want to understand from CISA … what is the vulnerability status right now for companies in the United States because of Iran’s capabilities?” he said, referring to workforce reduction mechanisms put in place over the last year within the Department of Homeland Security cyber agency that have shed around a third of its staff.

Complicating matters is an ongoing DHS shutdown, which has further reduced the number of working employees at CISA. Those employees are also not getting paid while the shutdown continues.

]]>

Experts warn of coming ‘reprioritization’ for cyber funding

Chris Teale — Thu, 12 Mar 2026 13:00:00 -0400

In the months since the House passed legislation to reauthorize the State and Local Cybersecurity Grant Program in November and with companion legislation still pending in the Senate, some state and local leaders appear skeptical that it will be replenished and are looking for alternatives.

New funding for the program remains to be seen, as its initial $1 billion has been quickly exhausted by cash-strapped states looking to protect themselves from cyber threats.

Christine Serrano Glassner, chief of external affairs at the Cybersecurity and Infrastructure Security Agency, said the end of grant funding means states will have to engage in “reprioritization” of their cyber budgets and find new funding sources.

“We know that the funding is not going to be reupped on the state and local grant program at this point,” she said during a panel discussion at the Billington State and Local Cybersecurity Summit this week in Washington, D.C. “[States] know that they're never not asking for more help. It's got to be more about what resources are out there, what free resources and tools do they need to be aware of and start using. Reprioritization of their own budgets [for] what really matters.”

The $1 billion across four years has been spent on a variety of cyber efforts, including endpoint detection, multifactor authentication, security operations and other shared services. And a key tenet of the grant program, which was included in the 2021 infrastructure law, required states to have a cybersecurity planning committee and strategy in place.

But while lawmakers have voted to reauthorize the program, they have yet to fund additional years, although several groups have made various suggestions. A joint letter the Alliance for Digital Innovation, Better Identity Coalition, Cybersecurity Coalition, ITI and TechNet sent to lawmakers in September suggested establishing a stable funding stream of $4.5 billion over two years, noting that the “cost of inaction” would be even higher if Congress does not invest now in a national strategy.

However, in financially constrained times, it can be difficult for states to invest in cybersecurity when they have so many other priorities to fund.

“Are we going to support medical resources for families or feeding families? It's really tough to weigh that against cybersecurity or privacy infrastructure,” said Nevada Chief Information Officer Timothy Galluzi. “Obviously, having a crisis changes things a little bit, but it shouldn't take a crisis to motivate folks to invest in infrastructure and cybersecurity.”

It means, then, that cybersecurity professionals must be good at telling their stories and showing the difference their work makes. Too often, said Virginia Chief Information Security Officer Michael Watson, government cybersecurity leaders “get good” and then “get quiet” as their hard work has kept them out of the headlines. Then, they need to explain why continual investment is necessary, he said.

“If you're not telling your story, if you're not telling the story of cybersecurity and why it's important for your municipality, for your organization, they're not going to hear you,” Galluzi said. “They're not going to listen to you, and they're going to fund the other effort or the other priority.”

In addition, speakers said there need to be new ways to track metrics of success in cybersecurity that are more focused on outcomes. The old ways of tracking patches and the number of IT tickets that have been handled are “meaningless,” said Orange County, California CISO Andrew Alipanah. Instead, tracking how many critical assets are covered and to what extent, is much more effective.

“These are things that are meaningful and they have to follow directly from your strategic security plan,” Alipanah said. “It's one of the easiest ways to get funding, because you can actually show it to your policymakers and funding sources.”

These new approaches, and changing procurement to be more challenge- or outcome-focused, would be massive shifts in policy but would be more proactive, experts said. It would be a sea change compared to the past, when governments would only invest in cybersecurity after a major incident shut down their systems.

“Why don't you just fund the cybersecurity side of the house properly from the beginning, so that you don't have to jump through hoops and organize and reappropriate funds into an area that is obviously the forefront of all your data, all your infrastructure, all your people, all your [personally identifiable information] and all your [Health Insurance Portability and Accountability Act] data,” Jared Pane, senior director of public sector business for field engineering at data company Elastic, said in an interview at the summit. “Yet you're only going to throw a minimum amount of funding and a minimal amount of money towards that.”

Serrano Glassner, who herself was a local elected official in New Jersey — including a spell as mayor of Mendham Borough — until she resigned to take a post in the new Trump administration, said some tough choices are ahead in cybersecurity budgeting.

“We have to look within and say what is really important and what do we need to prioritize,” she said.

]]>

Feds pledge beefed up information-sharing amid new cyber strategy

Chris Teale — Wed, 11 Mar 2026 10:00:00 -0400

Federal cybersecurity officials pledged to work more with states and localities on information-sharing, protecting critical infrastructure and workforce development, days after the release of a major cyber strategy.

White House National Cyber Director Sean Cairncross said during the Billington State and Local Cybersecurity Summit in Washington, D.C. this week that President Donald Trump’s administration wants an information-sharing framework with state and local government and the private sector that “moves at speed and is actionable.”

His statements come hot on the heels of the Trump administration releasing its National Cyber Strategy on Friday.

And while Cairncross said that the Cybersecurity and Infrastructure Security Agency, FBI and Department of Justice already do a “tremendous job in responding and assisting with that response,” more work lies ahead.

“We're looking for ways to streamline information sharing from the [U.S. government] side,” Cairncross said. “Often how we know things is super sensitive. What we know is less so. We want to figure out how to communicate that in a helpful, actionable way, as we work through that on the interagency side, with partners on the state and local side.”

Cairncross said the federal government will soon begin a pilot program with law enforcement agencies to explore how to better share information.

And an executive order Trump signed in addition to releasing the cyber strategy urges the Secretary of Homeland Security and CISA director to work with the National Cybersecurity Center to “provide training, technical assistance, and resilience building” to state, local, Tribal and territorial governments, “including to expand defensive capacity, share threat intelligence, and harden SLTT partners’ critical infrastructure systems against cybercrime exploitation by [Transnational Criminal Organizations].”

The announcement comes months after federal funding expired for the Multi-State Information Sharing and Analysis Center, and the organization began its new life with a paid membership model. Carlos Kizzee, senior vice president for stakeholder engagement at the nonprofit Center for Internet Security, which houses the MS-ISAC, said last month that more than 3,000 organizations have signed up and 24 states are members in some form.

But the Trump administration said there is more to come in intergovernmental cooperation. The National Cyber Strategy pledges to “galvanize the role” of state, local, Tribal and territorial governments “as a complement to — not a substitute for — our national cybersecurity efforts.”

“To be honest, as we look towards the last administration and how they approached the Office of the National Cyber Director, they really lost sight of the opportunity of being able to work with our SLTT partners and truly the amazing people, leadership and experiences that come from the state and local level within cyber, and part of that is thinking about the broader context of expertise that comes from the state and local level,” said Monroe Molesky, director for state affairs at the White House Office of the National Cyber Director.

Critical infrastructure is one area where the federal government is looking to reset its relationship with states and localities, officials said on stage. Cairncross said when water, power, pipelines, telecoms and the like faced cyberattacks, the federal government used to come in afterwards as an auditor to tell system operators where they fell short. That must change, he said.

“This is not a regulatory compliance exercise,” Cairncross said. “If you were whacked by a foreign adversary, the United States government should not turn around and hand you a compliance list and say it's your fault because you didn't do these things. You should be working together, because it's the job of the [U.S. government] to defend the country from foreign adversaries and transnational criminal organizations.”

The pledge comes as hostilities in Iran have some experts worried about hacktivists linked to the country retaliating by attacking critical infrastructure on these shores, as they have elsewhere in the Middle East. Better securing systems and harmonizing regulations should be the federal government’s focus, speakers said, as well as hacking back themselves.

“We want to make sure that, on your worst day when you're dealing with a cyber incident, that you're thinking about how to keep critical systems online, how to ensure that vital services are flowing to the people that need them most,” said Seth McKinnis, deputy assistant national cyber director for critical infrastructure at the White House Office of the National Cyber Director.

Workforce development will also be crucial, speakers said, as governments at all levels confront vacancies in the public sector and a need to get people in place. Cairncross promised a cyber academy at the federal level that he said will build a “patriotic cyber force,” and find ways for some jobs in cyber to not require a four-year degree.

Similar work will be done at the state level, said Brandon Dues, ONCD’s deputy assistant national cyber director for cyber workforce, including working with states to “scale up those best practices” on workforce development and replicate them elsewhere and removing duplicative efforts.

“The federal government can’t and should not do this alone,” Dues said.

]]>

Iran-linked hacktivists could target governments, experts warn

Chris Teale — Wed, 04 Mar 2026 10:00:00 -0500

Further escalating hostilities in Iran could leave state and local governments in the crosshairs of hacktivists aligned with the regime as they look to retaliate in cyberspace, experts warned this week.

While internet traffic in Iran itself has dropped precipitously since the U.S. and Israel began their bombing campaign over the weekend, observers with the Multi-State Information Sharing and Analysis Center warned that groups aligned with the Iranian regime in other countries may strike vulnerable targets, including government websites, financial services and the energy sectors.

Randy Rose, MS-ISAC’s vice president for security operations and intelligence, said this could at first take the form of “low-level cyber activity” like denial-of-service attacks, website defacement and malicious code injections. And TJ Sayers, MS-ISAC’s senior director of threat intelligence, said those efforts are all part of those hackers’ plans in the event that the regime fell.

“What we are seeing, and this is largely happening from outside of Iran, is hacktivist organizations are basically mobilizing to try to start targeting domestic U.S. and allied networks,” Sayers said during a webinar hosted by MS-ISAC and the Center for Internet Security. “This is largely based upon prior guidance that they've received from Iran, that if a red line was crossed, like the killing of the Supreme Leader [Ayatollah Ali Khamenei], that they should carry out operations like this, and in some cases, they're even operating autonomously.”

Rose said any cyberattacks would come as part of an “invisible war” waged over the “cyber domain” for the past decade. And there have already been some apparent Iran-linked skirmishes in cyberspace, as a U.S. port was targeted with a DDoS attack by the DieNet group, while the Fatimiyoun Cyber Team, known as FaD Team, claimed to have injected code and released personally identifiable information from a township in the U.S.

Sayers warned governments to stay vigilant, as it appears, based on their observations, that hacking groups are starting to cooperate, rather than work autonomously.

“The hacktivist groups are largely operating independently, but we are starting to see some coalescence of these hacktivist groups to form somewhat of a collective, which would give them a little bit more robust targeting capabilities and kind of help unify their targeting efforts,” he said.

Another worry for U.S. state and local governments could be the potential targeting of physical infrastructure many rely on, including data centers. Two Amazon Web Services data centers were reportedly hit by Iranian drone strikes in the United Arab Emirates, leading to disruptions in various digital and financial services in the region. Those attacks and others in the Middle East led Recorded Future’s Insikt Group to conclude in a blog post that if hostilities in Iran escalate further, “the likelihood of state-sponsored destructive cyber operations against critical infrastructure increases significantly.”

“The targeting profile for the near term includes Israeli media outlets, telecom providers, and SMBs, with US and Gulf organizations in the escalation path,” the blog post continued. Recorded Future also warned that critical infrastructure could be under more threat if hacktivists “shift” their target to it.

And some state and local governments may face supply chain issues in the coming weeks, especially if their technology is Israeli-made, Sayers said. Disruptions in the Strait of Hormuz could spark higher energy prices and result in delays of equipment arriving, he added.

One other aspect for governments to monitor is Iran’s efforts to spread disinformation and social media manipulation to try to undermine public opinion on the conflict. And with new technologies available to hackers, including artificial intelligence, Rose warned that those efforts could take on a new dimension.

“Historically, Iran has been a capable [information operations] actor,” he said. “[Right] now, as they're absorbing kinetic losses from conventional warfare, they are pivoting their resources. We're not seeing a ton of information operations right now, but we anticipate those narratives targeting Western public support for the conflict, amplification of imagery, particularly AI-generated deepfake imagery and attempts to fracture the US-Israel coalition, are likely to spike in the coming weeks.”

]]>

Leaders sound the alarm for physical and cyber attacks ahead of summer World Cup

Chris Teale — Fri, 27 Feb 2026 13:00:00 -0500

State and local leaders warned this week that without more federal funding and better information sharing, this summer’s FIFA World Cup is at risk of being struck by a catastrophic event.

Eleven U.S. cities will host matches alongside others in Canada and Mexico for the 48-team soccer tournament. But at a House hearing this week, some local leaders said cities are vulnerable to attack, whether that be a physical one or a cyberattack, and need more help from the federal government, including financially.

Those worries have been most stark in Foxborough, Massachusetts, where local leaders there say they cannot grant games to be hosted at Gillette Stadium in the town an entertainment license without a commitment from FIFA or a higher level of government to cover the expected $7.8 million in costs.

“States and host cities — who are already laying out huge sums of their own taxpayer dollars and have dedicated untold local resources for these events — are getting worried — and rightfully so,” Rep. Bennie Thompson, a Mississippi Democrat and the ranking member on the House Homeland Security Committee, which held the hearing, said in his opening statement. “Time is running out to finalize security preparations.”

Finances are weighing especially heavily on states and localities set to host games, or collaborate with neighbors who will host them. Multiple witnesses bemoaned the reduction in funds available from the Department of Homeland Security’s State Homeland Security Grant Program, Emergency Management Preparedness Grant and Urban Area Security Initiative, and they warned that, given the funding shortfalls created, they would have no choice but to cut back.

Those leaders also called for the release of funds from the $625 million FIFA World Cup Grant Program, which was created by Congress under the One Big Beautiful Bill Act to support various security efforts like cybersecurity, training, readiness and information sharing and analysis. That grant program, administered by the Federal Emergency Management Agency, has been temporarily halted due to the DHS shutdown as FEMA is now focusing only on “bare-minimum life-saving operations.”

“While we would welcome working with the Department of Homeland Security to reimagine grant distribution in the interest of being more efficient; this sudden reduction has left us with no choice but to decrease capabilities,” said Travis Nelson, deputy chief of staff and homeland security advisor for Maryland Gov. Wes Moore, in written testimony. “Due to the upcoming special events, maintaining the service level of previous years will be extremely challenging.”

“The FIFA funding would be critical for our staffing and our mutual aid partners to come in and assist,” Joseph Mabin, deputy chief of the Kansas City, Missouri Police Department, said during the hearing. “We just don’t have enough officers within my own department to cover all the threats.”

Ray Martinez, chief operating officer of the 2026 FIFA World Cup Miami Host Committee, warned that events like Fan Fests and others might be cancelled within 30 days without federal funds. He said during the hearing that agencies “are very anxious,” and without that money it “could be catastrophic for planning and coordination.”

The ability for agencies to share information on threats is also one aspect that is keeping some state and local officials up at night, with the World Cup just months away. Mike Sena, president of the National Fusion Center Association, said threat reporting generally “remains fragmented,” especially as tips and leads can be gathered by agencies at various levels, businesses, venue security and the public, but there is no single place through which to consolidate those tips and share them.

The World Cup highlights those challenges “in very real ways,” he said, adding that delayed or canceled grant funding further undermines the readiness of those information sharing systems.

“In some host regions, state and local law enforcement agencies are facing significant security responsibilities without clear coordination or operational alignment across all partners involved in the sprawling events from practice locations, team hotels, to official and unofficial events for fans,” Sena continued in written testimony. “As a result, local agencies are not as connected as they should be for planning, staffing, coordination, and real time information sharing for a complex, multi-jurisdictional event.”

Meanwhile, Sena warned that the systems used by DHS and the Federal Bureau of Investigation are not fully interoperable with state and local systems.

“Agencies are often working from partial information, and critical data does not always reach the right analysts or decision makers in time, which means that front-line personnel who are best positioned to recognize, report, and respond to potential threats are less aware,” he said.

While speakers highlighted various successes, including the administration’s focus on countering illegal drones, adding capabilities like better hazmat, bomb disposal and other teams, as well as conducting tabletop exercises and other training initiatives, a lot of work lies ahead, with less time in which to get it done.

“Before the first whistle blows later this year, we want to ensure that information flows faster than threats, that partnerships are stronger than vulnerabilities, and that everyone experiences a safe and secure World Cup,” said Mabin.

]]>

Rethinking how state and local cyber teams are built and supported

Eric Trexler — Fri, 27 Feb 2026 10:00:00 -0500

Across every level of government, teams are battling a surge of cyberattacks, including ransomware, data breaches and operational disruptions, all of which are detrimental to public agencies and missions.

Data on last year from Unit 42 revealed an astonishing 86% of such incidents involve operational disruption, ranging from lengthy service outages to lasting reputational damage. In other words, these incidents have real-world consequences; when a school, hospital, or local government office is disrupted, citizens feel the effects.

But many state and local governments are fighting these battles with one hand tied behind their backs. Budgets are tight, legacy technology is prominent, and competition for cyber talent is fierce.

To stay ahead, the conversation must move beyond identifying the “cyber talent gap” and instead focus on addressing how we build, support and empower teams and leverage technology to defend critical public infrastructure.

Breaking the Mold: Expanding the Cyber Talent Pipeline

Traditional employment criteria like four-year degrees and prior government experience are shrinking the talent pool at the exact moment we need to expand it. When so many agencies compete for the same small group of cyber professionals, costs rise, progress stalls and risks grow.

Forward-thinking organizations are broadening the funnel, recruiting veterans, mid-career professionals seeking a new purpose, community college graduates, and candidates with adjacent technical or analytical skills. Skills-based hiring is no longer just a buzzword, it’s a necessity.

Community colleges, technical schools and government agencies can help lead this shift. Delivering hands-on curriculum, inclusive lab access, and role-based certifications, programs equip students with practical skills for public sector careers. Digital learning and instructor-led training options are designed to meet learners where they are, whether they’re just starting out or upskilling mid-career.

This approach reflects a larger shift toward hiring for capability and potential, not just pedigree. As Office of Personnel Management Director Scott Kupor recently put it, “We have a real, acute shortage of people who have what I would call very cutting-edge, modern tech skills.” The numbers back him up, according to the Pew Research Center, fewer than 9% of the federal workforce is under 30, compared to nearly 23% of the overall U.S. workforce. Kupor and others are right to push for skills-based hiring. We should test candidates for what they can do, not just where they’ve been.

Best Practices for Building Robust Pipelines

Community colleges and technical schools have already emerged as vital partners in delivering targeted training directly to public sector placements. Additional public-private collaborations, including workforce-ready cybersecurity academies, are also providing students with the tools and hands-on experience needed to hit the ground running.

You don’t have to look far for examples. In the Washington, D.C. region, the Office of the Chief Technology Officer and the Office of the State Superintendent of Education recently brought more than 50 Advanced Technical Center students together to explore real-world opportunities in public service tech. Likewise, Virginia’s CyberSlam 2025 event convened nearly 500 high school students at George Mason University for hands-on activities and industry insights.

Alongside new recruitment, successful agencies are investing in their existing staff and encouraging cross-training, mentorship, and continual learning. By upskilling IT professionals to tackle cyber challenges, organizations both fill immediate gaps and boost retention by making employees feel valued.

But this only works if we foster a collaborative, mission-driven culture. Every agency leader has a role in making security a priority across departments. When mission, recognition, and resilience become part of an agency’s DNA, teams are ready to rise to the challenge together.

Empowering Small Teams with Smart Technology

Most agencies will never have the cyber headcount of a Fortune 500 company (they can’t hire enough talent either), but that doesn’t mean they can’t punch above their weight. Technology is the force multiplier. With investments in automation and AI, small teams can expedite routine monitoring and response times while freeing up talent to focus on the toughest problems.

Those platforms can help agencies automate threat detection and incident response, and in doing so, reduce the burden on limited staff, improving mean time to remediation and enabling teams to focus on what matters most. Agencies also receive unified visibility across endpoints, networks and clouds, helping close the gaps that attackers often exploit.

The 2024 ISC2 Cybersecurity Workforce Study found 67% of organizations reported a staffing shortage, and 90% said their teams face notable skills gaps, with over half noting these shortages pose a significant risk. AI expertise is among the most pressing gaps. Despite these challenges, however, most professionals believe AI and automation will greatly strengthen their organizations’ security posture. It’s not about technology replacing people; it’s about helping them do more with less.

Strengthening Partnerships for the Long Haul

Finally, we need to think beyond our agency walls. Public-private partnerships are essential for sharing threat intelligence, best practices and resources.

The future of state and local cybersecurity isn’t just about budgets or the latest tech. It’s about people — how we find them, how we train them, how we leverage them, and how we empower them to protect our communities.

Agencies willing to think differently about talent, invest in smarter tools, and lead with purpose will be best positioned to defend the public in the digital age. The stakes couldn’t be higher, and the opportunity couldn’t be greater. Now is the time to act.

Eric Trexler is senior vice president for public sector at Palo Alto Networks.

]]>

‘It’s not over’: Cyber info-sharing center begins ‘next chapters’ after losing federal funding

Chris Teale — Tue, 24 Feb 2026 13:00:00 -0500

Since its shift to a paid model, a cybersecurity information-sharing center already has two dozen states with some form of membership and more than 3,000 individual organizations signed up, a key leader said last week.

The Multi-State Information Sharing and Analysis Center, whose federal funding run out last September after being cut by the Trump administration, now has 16 states and territories — Alaska, California, Connecticut, Kansas, Maine, Mississippi, New Jersey, New York, New Mexico, Oregon, Puerto Rico, Rhode Island, Tennessee, Texas, Vermont and Washington, D.C. — who are dues-paying members or in the final stages of completing that membership, while another eight states — Delaware, Hawaii, Minnesota, Missouri, North Carolina, Oklahoma, Pennsylvania and South Carolina — have paid for services for all state agencies only.

In addition, around 3,000 single government organizations have joined, said Carlos Kizzee, senior vice president for stakeholder engagement at the nonprofit Center for Internet Security, which houses the MS-ISAC. While 2025 was dogged by uncertainty amid the “drastic reduction” in funding, Kizzee said better days are ahead for the two-decade-old center.

“It is a long story, but it's not over,” Kizzee said during the Technology Innovation Forum at the National Association of Counties’ legislative conference in Washington, D.C. last week. “We suffered a drastic reduction in funding in 2025 and that brought about a tremendous amount of change that we have gone through…. We are still moving forward, and we have an interesting future ahead of us. And the next chapters, I think, are going to be great.”

The MS-ISAC has existed since the early 2000s and started receiving federal financial support in 2005 for its efforts to share threat information, respond to incidents and provide various services, including a security operations center at no cost to its members. But the future of those services was thrown into doubt last year after the Cybersecurity and Infrastructure Security Agency announced it had ended a $10 million partnership with CIS. The move prompted some soul-searching at MS-ISAC and an eventual decision to move to a paid membership model.

In addition to the paid model, Kizzee said governmental organizations with an annual operating budget of less than $25 million are eligible to receive membership for free for their first year under a hardship waiver. And he said the CIS executive committee introduced a program called MS-ISAC Connect that will allow any organization, regardless of their dues status, to connect with peers, attend events and access any data that the center generates, all for free.

“We have over 18,000 members who never had to pay anything before,” Kizzee said. “We cannot just let them go. There has to be a process to maintain relationships and collaboration, whether you're an MS-ISAC dues-paying member or not.”

With many states and organizations not dues-paying members, however, the MS-ISAC could face an uncertain future, even as states deal with the kind of crippling cyberattack that harmed Nevada last year. Previously, the MS-ISAC would provide all manner of services to members impacted by a cyberattack, and Kizzee said that would continue in this new dues-paying system.

For those not paying dues, he said the organization is “struggling with the passion and empathy” they feel about potentially removing those services from them. MS-ISAC Connect could help fill those gaps, Kizzee said, and he pledged that the organization would not abandon anyone. The details are still being worked out, he said.

“The desire is that we will provide an initial capability, initial connectivity for any organization, whether a member or not,” Kizzee said. “We're still now funding legacy services, but I would like to say that we would love there to be a mechanism where, when needed, we will be able to give additional insight and assistance.”

CIS will also continue to provide various services for free to state, local, tribal and territorial governments, Kizzee said, including on security best practices and when to implement various cybersecurity controls.

“Our citizens are important enough that it is ludicrous to stop programs that are working and supporting you with no notice to you and to expect that you will not become a target of threat actors who would choose to exploit the absence of protections and defense mechanisms that you depend on,” he said.

Kizzee promised that, regardless of what happens next, the MS-ISAC and CIS will still be there for local governments that have relied on their services for decades.

“I'm really proud to be a part of a company, an organization that cares enough that when the ground is shifting under your feet, you know we're still going to be here, and we're still going to be your strategic partner in your security,” he said.

]]>

The shifting cybersecurity mandate for states

Claire Bailey — Mon, 23 Feb 2026 10:00:00 -0500

Cybersecurity has long been one of the few issues to unite policymakers across party lines. No matter the political climate, protecting citizens, critical systems and digital infrastructure is a shared priority.

Yet as cyber risks grow more complex, the governance and funding structure behind them have become increasingly tenuous, creating uncertainty for the state and local leaders responsible for defending front-line systems. To keep pace with fast moving threats, states now need authority, resources, and tools to act quickly and consistently across their environments. That requires sustained, predictable funding that allows them to plan, build capacity and maintain readiness over time.

Over the past year, major federal funding shifts and strategic realignments have produced ripple effects that states are now being forced to absorb. The initial expiration of the Cybersecurity Information Sharing Act of 2015, which provided liability protections and privacy safeguards for sharing threat intelligence, along with the end of the State and Local Cybersecurity Grant Program on Oct. 1, 2025, represent another compounding challenge in how the nation approaches cyber readiness.

Congress began 2026 with bipartisan efforts to create more sustainable funding, with a short term approach to continue funding for the Technology Modernization Fund and explore pathways to extend the SLCGP and related information sharing funding resources. Short-term measures help, but they do not replace the need for multi-year appropriations that let states plan beyond annual federal cycles.

Government programs are foundational to cybersecurity across the country, and while their recent extensions provide relief, predictable multi-year support is essential to sustain information sharing and uplift under resourced communities. Without these protections and financial backstops, state and local governments face a choice: stand up their own frameworks, or assemble stopgaps that are often duplicative, fragmented and less coordinated, risking missed signals. In this environment, the old saying that you are only as strong as your weakest link has never been more true.

Meanwhile, leaders are navigating constrained budgets, compressed planning cycles, ongoing attacks and a growing transfer of responsibilities once shouldered by the federal government. For IT and security teams already stretched thin and juggling competing priorities, this is no small feat, especially as cyber threats become more sophisticated. Manual, labor intensive approaches are no longer sufficient, and smaller, resource constrained jurisdictions rely on more automated operations to keep pace. Government cyber teams must operate at the speed of modern threats. Federal funding changes reshape the operational, financial and strategic posture of public sector cybersecurity, making consistency more important than ever.

The policy question is straightforward, will we fund cyber as critical infrastructure with consistent, outcomes based investments, or will we continue to rely on episodic grants that force agencies to rebuild the basics every budget cycle.

A Cog in the National Cybersecurity Machine

States, cities and counties are more than administrative districts; they are critical nodes in the national cybersecurity ecosystem. Local governments, schools, utilities and public safety networks are often key targets for cyber threat actors, including nation‑state adversaries and sophisticated criminal groups.

Recent incidents in 2025, including coordinated ransomware attacks that disrupted courts and public safety services in Durant, Oklahoma, Lorain County, Ohio, and Puerto Rico’s Justice Department, along with continued targeting of K‑12 districts and universities nationwide, demonstrate how quickly local compromises can escalate into broader operational consequences.

These entities are frequently the point of entry and the first responders who translate national guidance into action on the ground. Because these front-line systems carry national consequences when compromised, steady funding for their defense is a national imperative, not just a local obligation.

Despite this, federal policy is moving toward a reduced central role. Reduced federal support and fee-based models create affordability gaps that limit access to threat intelligence and response capacity for smaller jurisdictions. Multi-year, predictable funding is the lever that ensures universal participation and keeps shared visibility intact across jurisdictions.

Without the information‑sharing community and its coordination mechanisms, threat intelligence quickly becomes uneven and varies dramatically by budget size. Readiness hinges on four elements: strong intelligence, automated detection, coordinated response, and a unified picture of risk. Targeting funding to these elements, with clear performance measures, translates directly into faster detection and remediation.

For instance, many potentially damaging incidents have been remediated before data theft or ransomware activation thanks to timely threat information shared by federal entities such as the Multi-State Information Sharing and Analysis Center, the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, and other strategic partners. That intelligence was then passed to state-level incident response teams, which confirmed, mitigated and remediated the threats, reducing what could have been major cybersecurity incidents to brief maintenance activities. These outcomes depend on consistent funding for information sharing and response capacity across all jurisdictions.

With reduced federal support and uncertainty around key protections and grants, states are now expected to extend resilience to counties, local governments, schools and critical infrastructure while also building trust, visibility and sustainable funding models. This expansion of responsibility must be matched by reliable, multi-year resources, otherwise mandates outpace means and risk accumulates at the edges.

The Path Forward? A Shared Responsibility

Maryland’s vulnerability disclosure program is a useful model, and its core lesson is practical, continuous discovery and remediation only work when funding is consistent. States can tailor approaches, but sustained investment is the decisive factor in resilience, not one off pilots.

Some states have larger economies, and thus larger budgets to fund intelligence sharing models and whole of state cyber operations without federal involvement. Not all states have that luxury. Without state to state coordination and ideally federal governance, the result could be a patchwork of uneven protections, where wealthier states develop robust programs while others lag.

Cyber adversaries only need one weak entry point, and fragmentation becomes a strategic risk. This is why congressional efforts to reauthorize and stabilize state cybersecurity funding are so important, since volatility undermines readiness while predictable support enables planning, workforce development and measurable outcomes.

A durable model pairs a federal baseline with state matching, delivers multi-year appropriations, and ties funding to simple outcome metrics such as mean time to detect, mean time to remediate and percentage of assets covered.

The ideal path forward is a broader program funded by each state, supported by a dedicated federal cyber program scaled to state size and available resource capacity, with aligned federal and state interoperable governance and interoperability standards. This model aligns with how energy, transportation and public health are managed, and cybersecurity should be no different. Shared services, pooled procurement and common platforms reduce total cost of ownership for smaller jurisdictions, and sustained funding allows them to participate on equal footing.

Such a model would include baseline federal guidelines and interoperability standards building upon the MS-ISAC interoperability model for vulnerability disclosure programs, intelligence sharing and reporting, and a unified national clearinghouse for anonymized threat intelligence, ensuring that all states, regardless of means, benefit from collective insights and ensure successful remediation, harnessing the power of intelligent automation with the confidence to patch critical systems autonomously. Shared services models, like those used for emergency management or election security, would ensure equitable access. Policy should also incentivize cross-sector sharing, reward measurable interstate and local collaboration and align public-private playbooks for response, remediation and ultimately risk reduction from the smallest of US governments to the largest.

Although such a model would require bipartisan cooperation and resources to coordinate across all government levels, this is not a matter of political standing or economic advantage. It’s not about big government or small government. It’s about smart government and recognizing that cybersecurity is now a form of national defense across all levels of government and critical infrastructure. Offense succeeds only when the entire ecosystem, federal, state, local and private, is prepared, connected and operating from a common picture of mission and risk.

A Moment of Reckoning and Opportunity

The cybersecurity mandate for government is shifting quickly and decisively. While current cuts and the ongoing threat of expiration of federal protections and funding present immediate challenges, they create a long-overdue inflection point for cyber security modernization.

States now have an opportunity to build modern, data-driven cyber programs, strengthen collaboration across state lines, and advance a new federal-state partnership model that is more agile and equitable. This is the moment to lock in multi-year, outcomes-based funding that professionalizes cyber security across all levels of government, stabilizes the workforce and standardizes capabilities at scale.

But this must happen with urgency. Cybersecurity is only as strong as its weakest link, and under-resourced state and local environments must be uplifted to close critical gaps.

If we fail to collaborate across all levels of government and the public and private sectors, the nation’s cyber resilience will face greater risk of outages, data theft and potentially life threatening disruptions. Conversely, if we embrace shared responsibility, modern governance and equitable funding models, we can strengthen cyber defenses for every community, not just those with the largest budgets.

We need to treat cybersecurity as the critical infrastructure it is, and fund it for the long term, because the safety of every community depends on it.

Claire Bailey is public sector CIO at Tanium.

]]>

After North Carolina cyberattacks, IT officials warn General Assembly of poor preparedness

Brandon Kingdollar, NC Newsline — Fri, 06 Feb 2026 11:00:00 -0500

This story was originally published by NC Newsline.

Weeks after cyberattacks targeted North Carolina government services during the winter storms that buffeted the state, IT officials warned North Carolina lawmakers that the state is underprepared for digital threats — in part because of recent legislative actions.

The state is the target of more than 10 billion attempted cyberattacks every month, N.C. Chief Information Security Officer Bernice Russell-Bond told the Joint Legislative Oversight Committee on Information Technology on Thursday. That includes attempts to breach government websites, unauthorized network scans, and viruses and malware that could paralyze entire agencies.

“We are a major target for cyber criminals. We are seeing a lot more activity,” Russell-Bond said.

Russell-Bond cited an attack on Nevada’s government last September that took down the state’s Department of Motor Vehicles systems, Health and Human Services public aid services and critical state law enforcement tools. Some systems, she said, were not fully restored until three months later.

“We’re going to constantly need to have support to ensure that we can recover from the different attacks that we know we’re going to get if we can’t prevent them,” Russell-Bond said.

North Carolina IT Secretary Teena Piccione said the recent exemption of many state agencies from the Department of Information Technology’s policies and practices creates vulnerabilities for cyber criminals to target.

Prior to 2025, only the General Assembly, the state courts, and the University of North Carolina system were exempted from the N.C. Department of IT’s policies and procurement process. The General Assembly vastly expanded those exclusions last year, passing legislation that added exemptions for the State Auditor’s office, the Department of the State Treasurer, the State Board of Elections, and the State Highway Patrol.

Piccione conceded that the exemptions arose from a lack of confidence in the department in the past. But the result, she said, is a higher risk of a successful attack.

“That means our visibility wanes across the state, and we don’t have resources embedded in the exempt places where we could see and/or protect,” Piccione said. “Cyber isn’t red, cyber isn’t blue, cyber is purple. It comes for all of us.”

Committee members expressed concern, even those who had voted for the exemptions.

“That, in my opinion, is a huge problem, because they’re not using the same resources,” said Sen. Steve Jarvis (R-Davidson), the committee’s vice chair. “We’re not watching together. We’re not working as a team. What reason would any agency even request to be exempt?”

“Who’s not working with you?” Sen. Jim Burgin (R-Harnett) asked regarding the procurement process. “You’re trying to help people buy stuff. I know they want to buy their own stuff and they don’t want people to tell them what to buy. So, can you send us a list?”

Jarvis and Burgin were among the 30 Republican senators who voted to enact the bill exempting the State Auditor’s Office last July over Gov. Josh Stein’s veto. Other exemptions were added in the October budget bill, which passed the Senate unanimously.

Russell-Bond said another difficulty is funding. North Carolina earmarks less recurring funding for cybersecurity than any other state, causing chronic uncertainty for those who rely on the department’s services.

“A lot of counties may have some hesitation with some of our offerings because it’s, ‘Well, what are you going to do next year? If you don’t get your budget, who’s gonna cover that for us in the future?’” Russell-Bond said. “If we don’t have the budget, we don’t come through.”

NC Newsline is part of States Newsroom, a nonprofit news network supported by grants and a coalition of donors as a 501c(3) public charity. NC Newsline maintains editorial independence. Contact Editor Laura Leslie for questions: info@ncnewsline.com.

]]>

Virginia to consider joining states creating volunteer cyber civilian corps

Nathaniel Cline, Virginia Mercury — Mon, 26 Jan 2026 11:00:00 -0500

This story was originally published by Virginia Mercury.

A proposal to create a volunteer cybersecurity incident response team, investigating and troubleshooting threats targeting digital systems around the commonwealth, will be considered again in this year’s General Assembly session.

The legislation, carried by Del. Michael Feggans, D-Virginia Beach, would authorize the Virginia Information Technologies Agency to select people to serve as Virginia Cyber Civilian Corps volunteers and corps advisors, and to deploy such volunteers across the commonwealth to provide rapid-response assistance under the direction of VITA upon request from a client, or government agency, affected by a cybersecurity incident.

The proposal would also create an advisory board within VITA to review and make recommendations regarding the creation and administration of the corps.

This comes as public data suggests cyber attacks are increasing. In many cases, reporting lags and transparency vary due to reputational or security concerns.

“The problem today is that localities are ‘soft targets’ these days,” said Tijay Chung, an associate professor in the computer science department at Virginia Tech. “Hackers have shifted (their) focus from hard and corporate targets to schools, hospitals or municipalities.”

He said House Bill 83 is a smart idea and that hackers are aware that local governments don’t have the budgets for a state-of-the-art security system or dedicated 24/7 monitoring teams.

“That’s why these days hackers, in my opinion, think that (attacking) localities are easy targets — low risk, high reward,” Chung added.

In 2024, Feggans introduced a similar proposal, which cleared the General Assembly during his first term. However, former Gov. Glenn Youngkin vetoed the bill. Youngkin believed creating a civilian cybersecurity corps is premature, costly and legally unclear under Virginia’s current cybersecurity setup.

According to the Department of Planning and Budget, an estimated $410,000 is projected for the Virginia Information Technology Agency to create and fund an advisory board for the Virginia Cyber Civilian Corps. Funds would also be allocated to the Virginia State Police for fingerprinting volunteers.

Feggans’ interest in introducing the legislation stems from his time as a cybersecurity intern for former Gov. Terry McAuliffe’s administration and their research on potential legislation. He also saw the success of similar proposals in other states like Ohio, Michigan and Wisconsin.

“This wasn’t just something that came up out of the blue,” Feggans said at the start of the General Assembly session. “It’s a model showing that we can increase our cybersecurity resources without adding a large bill to the state. We’ve seen cyber attacks happen in Virginia, and we just need to continue to increase our intellectual abilities to be able to assist in that, and this is my way to address our cybersecurity resources within the state.”

In December, Campbell County was targeted by a cyberattack on its emergency notification system, OnSolve CodeRed, for weather and emergency alerts.

The county says the system has been decommissioned. An initial investigation found that an organized cybercriminal group damaged the CodeRED platform. The group may have removed subscriber data and posted some of it online.

Chung said lawmakers will need to consider vetting volunteer experts in their implementation plan.

Chung said that having a certification does not necessarily mean you can stop an active ransomware attack.

“You really have to have real experience. Conversely, some of the best white hat hackers may not have a formal degree. VITA needs to balance bureaucracy with actual technical capability.”

If Feggans’ bill is to have any success in passing to the Senate, it will have to clear the House of Delegates before crossover on Feb. 18. Gov. Abigail Spanberger would be responsible for signing the legislation.

GET THE MORNING HEADLINES.

Virginia Mercury is part of States Newsroom, a nonprofit news network supported by grants and a coalition of donors as a 501c(3) public charity. Virginia Mercury maintains editorial independence. Contact Editor Samantha Willis for questions: info@virginiamercury.com.

]]>

Election officials say trust with CISA is broken — and may not come back

Jessica Huseman, Votebeat — Fri, 16 Jan 2026 11:00:00 -0500

This article was originally published by Votebeat, a nonprofit news organization covering local election administration and voting access.

When the U.S. Department of Homeland Security first declared in January 2017 that election systems were “critical infrastructure,” alarmed state election officials pushed back quickly and loudly, fearing the move could lead to a federal takeover of elections.

DHS’s designation came during the final days of the Obama administration, as federal officials scrambled to respond to evidence of Russian interference with the 2016 election.

Denise Merrill, a Connecticut Democrat who was then president of the National Association of Secretaries of State, helped lead the opposition.

“The U.S. Department of Homeland Security has no authority to interfere with elections, even in the name of national security,” NASS said in a February 2017 bipartisan resolution urging the new administration to rescind the designation.

But the designation stuck and, Merrill said, something unexpected happened. As President Donald Trump’s first term progressed, states began to buy in. The designation elevated elections into a national security category that brought federal cybersecurity resources and intelligence sharing on threats. It also meant closer coordination between agencies, states, and the federal government that states couldn’t replicate on their own.

Officials at DHS’s cyber arm, the Cybersecurity and Infrastructure Security Agency, created in 2018, emphasized that states remained in control, and over time, election officials came to trust the partnership enough not only to accept help, but to defend it publicly.

Now, Merrill and others say, that trust is gone — perhaps for good.

Election officials, private election vendors, and security experts describe a dual breakdown: renewed alarm that the Trump administration is seeking tighter federal control over elections, and a simultaneous retreat by CISA from the hands-on support states had come to depend on.

“It took us years,” she said in a recent interview with Votebeat. “It’s like so many things that are being torn down — it will take us generations to replace it, if at all.”

With federal support receding, states are improvising. A coordinated national communication system once run through CISA has been replaced by a patchwork of informal phone calls, email lists, and association meetings. Some information still flows through a nonprofit tied to the critical infrastructure designation, but only for election offices and associations that pay for membership.

Election offices in places like California have turned to state agencies for cybersecurity and other services, trading CISA’s standardized approach for looser, less uniform processes. In some states, like Pennsylvania, budgets have been stretched to pay for scans and assessments from private companies or nonprofits; in others, gaps remain.

In an email, a CISA spokesman said that CISA has now “refocused on its core mission” and continues to provide “the most capable and timely threat intelligence, expertise and resources” election officials need. The spokesperson did not immediately respond when asked which services the agency still provides.

“Any claims that CISA is not communicating with our state and local partners is false,” said the spokesperson. “However, CISA will not be functioning the way it was during the Biden Administration when it was performing duties outside of its statutory authority – to include electioneering and censorship.”

‘Critical Infrastructure’: From Backlash To Buy-In

The backlash to the “critical infrastructure” designation in 2017 was bipartisan and swift. NASS warned that it was “legally and historically unprecedented” and raised concerns about federal authority and control. State officials worried the designation could open the door to new mandates, reporting requirements, or federal involvement in polling place security.

A document from the U.S. Election Assistance Commission cataloged dozens of unresolved questions from election administrators nationwide, including whether DHS would have a greater role in administering elections or dictating physical security standards.

DHS and CISA officials tried to calm the fears. Chris Krebs, CISA’s first director, and Matt Masterson, then the agency’s top election security official, emphasized that the federal role would be voluntary, responsive, and driven by state needs.

CISA showed up — repeatedly — at conferences, trainings, and briefings, positioning itself as a convener rather than a regulator. It brought private companies like Microsoft and Facebook directly to election officials to share intelligence about foreign interference. It offered cybersecurity scans, simulations to game out responses to potential threats, and physical security assessments, all on request.

Matt Crane, now executive director of the Colorado County Clerks Association, was the clerk in Arapahoe County when DHS first adopted the critical infrastructure designation for elections. He said he was initially concerned that CISA would go too far. What won him over, he said, were the boundaries Krebs and Masterson set.

“They did a great job drawing clear lines in the sand,” Crane said. By the time his term ended, his views had shifted so dramatically that he went to work for CISA as a contractor, helping counties access its services.

By late 2018, participation in federal election security programs had grown rapidly. All 50 states joined the Election Infrastructure Information Sharing and Analysis Center, or EI-ISAC, and CISA became embedded in election planning nationwide.

A State-Federal Partnership Unravels

That model appears to have broken down.

Weeks into Trump’s second term, NASS warned his homeland security secretary, Kristi Noem, that the federal election security partnership built since 2017 was unraveling, and highlighting the role played by federal support for the EI-ISAC, which the group said, helps election officials defend against “sophisticated cyber threat actors including nation-state and cybercriminal groups.”

ISACs are voluntary information-sharing groups within each area designated as critical infrastructure that are meant to help organizations spot and respond to security threats. The elections version was created after the 2017 designation and is run by the nonprofit Center for Internet Security to support election offices specifically, while the Multi-State ISAC, also managed by the group, serves state and local governments more broadly.

Weeks after NASS’s letter, CISA halted roughly $10 million in annual funding for the two information-sharing groups, citing a need to focus on “mission critical areas.” State officials and vendors warned the move would weaken information sharing on threats and slow coordinated responses to cyber and physical threats.

Election technology companies have since begun pulling back from sharing sensitive information with CISA. Votebeat spoke to three technology companies that confirmed this, though none would speak publicly for fear of reprisal. Some fear data on vulnerabilities could be exposed or used against them in a more politicized environment — concerns that echo, but invert, those raised in 2017.

“If you share information, you don’t know if it’s going to stay confidential,” Crane said. “Why would a vendor ever share a vulnerability?”

Gabriel Sterling, the former chief operating officer of Georgia’s secretary of state office and now a Republican candidate for the job, said he has long been skeptical of CISA — particularly its approach to disclosing vulnerabilities.

Even so, Sterling draws a sharp distinction between the current moment and the Krebs-Masterson era. “They focused on what they could do well and how they could make systems more resilient,” he said. “Now, I have no idea what the goal is. I don’t think anyone really understands the mission. I don’t think they even understand the mission.”

The uncertainty has been compounded by a leadership vacuum at CISA. Nearly a year into Trump’s second term, the agency still lacks a Senate-confirmed director after the nomination of Sean Plankey, a longtime security official who has worked at the Department of Energy and the National Security Council, stalled amid bipartisan objections. Trump this week renominated Plankey.

Trump has continued to attack the agency’s past work. He has repeatedly attacked Krebs, the former director, for defending the integrity of the 2020 election, which Trump falsely claims to have won. In early 2025, Trump ordered an investigation into Krebs and the security firm he now owns, apparent retribution for Krebs’ statement that the 2020 election was the “most secure” in U.S. history.

Republicans have also spent years criticizing CISA over its work against election misinformation, arguing the agency overstepped its role by coordinating with state and local officials and social media companies.

This has unfolded alongside a broader shift in how the second Trump administration is approaching elections, said Merrill, who left office in 2022. Justice Department efforts to require states to send full, unredacted voter lists to the federal government — something many states have now done — are, she said, a warning sign that federal involvement in how states run elections could expand far beyond technical support.

“I don’t know how you would ever go back to the federal government just helping states with security — which is obviously a very positive thing to do,” she said.

Looking Toward the Midterms

The November 2025 elections offered an early glimpse of what this new landscape looks like. For the first time in years, CISA did not stand up its Election Day situation room — a centralized hub for monitoring and communicating about threats nationwide.

In December, Gene Dodaro, departing comptroller general of the U.S. Government Accountability Office, warned senators that federal cybersecurity efforts were not receiving enough attention given the potential threat. He expressed concern that CISA can’t provide the assistance state and local election officials had come to expect heading into the midterms.

Paul Lux, chair of EI-ISAC and the supervisor of elections in Okaloosa County, Florida, told Votebeat that a now-membership-based EI-ISAC, run by the nonprofit Center for Internet Security, is working to rebuild communication infrastructure, and hopes to make arrangements with smaller jurisdictions that cannot afford the fees.

It plans to restart the situation room for this year’s primaries using private vendors, “making sure all the nuts and bolts are tightened” before Election Day in November, said Lux.

Some cooperation with the federal government will likely persist, albeit in narrower forms. Ryan Macias, an election security expert who has also contracted for CISA, said that if CISA were to again offer direct services, states could engage selectively — allowing isolated cyber scans or physical security assessments without broadly sharing sensitive vulnerabilities, which would be more like what other critical infrastructure sectors currently do.

Many jurisdictions, he noted, also benefited from years of basic cybersecurity hygiene training and can carry that forward on their own. In Georgia, for example, Sterling said much of the state’s scanning and assessment work flows through the Georgia Emergency Management Agency rather than CISA.

Lux said he believes the federal government is needed, and that another federal agency — one with a more independent leadership body, like the U.S. Election Assistance Commission, which has a bipartisan set of commissioners nominated by congressional leadership — might have more success.

Local and state offices, he said, can’t “be expected to battle malicious foreign actors without the resources and assistance of the federal government.”

Jessica Huseman is Votebeat’s editorial director and is based in Dallas. Contact Jessica at jhuseman@votebeat.org.

Votebeat is a nonprofit news organization covering local election integrity and voting access. Sign up for their newsletters here.

]]>

House explores grid cybersecurity boosts amid growing threats

Chris Teale — Wed, 14 Jan 2026 13:00:00 -0500

Several bills before Congress would reauthorize or bolster various programs designed to strengthen the nation’s electric grid against cyber threats and help cash-strapped public utilities bolster their defenses.

A subcommittee of the House Energy and Commerce Committee considered various pieces of legislation at a hearing this week, including one to reauthorize the Rural and Municipal Utility Advanced Cybersecurity Program, known as RMUC, and another that would require state energy offices to include more data on vulnerabilities in their state energy security plans.

The Defense Intelligence Agency warned this year in its Worldwide Threat Assessment that the grid is an attractive target for cyberattacks, especially from adversarial nation-states looking to wreak havoc and cause major disruption to critical infrastructure. And lawmakers warned that, without Congress taking action to help utilities that struggle under the weight of insufficient staff and money, those vulnerabilities will only get deeper.

“Addressing cyber and physical threats is no easy task,” Rep. Bob Latta, an Ohio Republican who chairs the Energy Subcommittee that held the hearing, said during his opening statement. “The avenues for malicious activity only widen as digitization, communications, and linkages of gas pipelines, new generating resources, and transmission take root to meet energy demands. The interconnected nature of our energy systems requires constant intelligence sharing, clear visibility into threat landscapes, and sufficient resources to fill gaps in security protections for rural and small utility service territories.”

The RMUC has proven to be popular since its inclusion in the 2021 infrastructure law. Initially authorized with $250 million over five years, the program helps co-operative, municipal and small investor-owned utilities harden their systems, provide training, respond to and recover from cyberattacks.

In written testimony before the subcommittee, Nathaniel Melby, vice president and chief information officer at the Dairyland Power Cooperative in La Crosse, Wisconsin, said the program “bridges the rural resource gap, ensuring that the security posture in rural America is as robust and formidable as anywhere else in the nation.”

But while Melby said reauthorization is a necessary step, he criticized the Department of Energy for not yet releasing $80 million in grants that it announced last fall under the program for more than 400 electric co-ops.

“These investments will ensure that we no longer see pockets of strength, but substantial cybersecurity improvement across our member co-ops’ systems and infrastructure,” said Melby, who also appeared before the subcommittee on behalf of the National Rural Electric Cooperative Association.

He said that the program can be run better, too, including by moving more quickly with implementation and funding awards, while also giving more flexibility to allow electric cooperatives to compete not just for grant money but also technical assistance. Melby said the program’s “promise” is “undeniable.”

Administration officials who appeared before the subcommittee showed a willingness to work with states and localities on cybersecurity preparedness.

“Sophisticated attacks on rural utilities illustrate the critical need for DOE to accelerate improvements in cyber readiness while also closing the rural resources gap,” Alex Fitzsimmons, acting undersecretary of energy and director of Energy’s Office of Cybersecurity, Energy Security and Emergency Response, said in written testimony.

More work lies ahead, however, especially when it comes to information sharing. One pending bill, the Energy Threat Analysis Center Act, looks to reauthorize Energy’s threat information-sharing hub. Scott Aaronson, senior vice president for energy security and industry operations at the Edison Electric Institute, testified that the ETAC has “repeatedly proven its value.” He said that giving it extra legal authority to allow for “candid discussion of extremely sensitive security and operational topics” would build on its good work so far.

Meanwhile, witnesses also supported requiring more information in state energy plans around supply chain security and threats to local distribution utilities .

“Close coordination among industry and government partners at all levels is imperative to deterring attacks and preparing for emergency situations,” said Adrienne Lotto, senior vice president of grid security, technical and operations services at the American Public Power Association, in written testimony.

Fitzsimmons said President Donald Trump’s administration is “committed” to having state, local, tribal and territorial governments “play a more active and significant role in energy resilience and preparedness.” He said this will help them “mitigate risks posed to the electric grid by empowering them to fully assess, review, and respond to risks from cyber and physical attacks, severe weather, and other vulnerabilities.”

A vote on the legislation is expected soon.

]]>