As states grapple with sophisticated attackers, they are increasingly on their own to deliver answers. At the same time, they face harrowing budget and resource cuts.
Attackers have access to tools and services that help them craft sophisticated attacks, and ransomware gangs are becoming more relentless with their extortion demands, following through on their threats to leak data. Despite the mounting threats, states are receiving less federal help than ever.
The problem came to a head earlier this month during the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection hearing titled, “State and Local Cybersecurity: Escalating Threats, Federal Partnership, and the Resilience of America’s Communities.” Security leaders for the states of Tennessee, Florida, and New York urged lawmakers at the hearing to restore funding to the Cybersecurity and Infrastructure Security Agency (CISA) and the Information Sharing and Analysis Center (ISAC) ecosystem, particularly the Multi-State Information Sharing and Analysis Center (MS-ISAC).
The MS-ISAC now operates on a subscription model rather than being free, which complicates the relationship between different levels of government. Over the past year, the administration also downsized CISA’s staff, resources, and funding.
When Colin Ahern, New York’s director of security and intelligence, took the stand he called the hearing “urgent” and begged the federal government “to be a partner to all 50 states.”
State leaders and CISOs also called on Congress to reauthorize and enhance the State and Local Cybersecurity Grant Program (SLCGP), which witness Kristin Darby, chief information officer for the state of Tennessee, described as “one of the most effective tools available to strengthen our collective defense.”
States need more tools because, as Darby highlighted, rapid AI growth has accelerated the scale and speed of attacks, threat actors increasingly rely on supply chain compromise, and exploitation of identity systems, cloud environments, and zero-days has peaked.
At the same time, states face severe budget, staff, and resource cuts.
“The federal government’s actions over the past year have led to the breakdown in trust with state and local officials, particularly with respect to election cybersecurity,” Darby said during the testimony.
Federal Cutbacks Affect Everyone
When states need more help, it causes a trickle-down effect. Municipalities and small businesses are always running up against a lack of resources because municipal, state, and federal budgets are all tightening, explains MassCyberCenter director John Petrozzelli. Faced with those shortages, the question becomes how to prioritize the resources that remain.
Layering cyber threats on top of that makes the situation even more dangerous, Petrozzelli tells Dark Reading. He has observed increasing risk across the identity surface, from credential theft to threat actors breaking into user accounts. That risk continues to grow, and it has been aided by AI, he warns.
“And then you have the AI tools that are on the market and tools that have been corrupted by state actors like China or Russia to use against critical infrastructure,” he says.
Many federally funded services are still available to municipalities, such as CISA’s vulnerability and web application scanning, says Petrozzelli, adding that municipalities can sign up for free. But he also pointed to one significant change that the committee hearing sought to address.
“The change is there’s a cost to be a member of MS-ISAC and MS-ISAC isn’t a federal entity, but they were funded by CISA,” Petrozzelli says.
How To Prioritize Cyber With Limited Funding
As federal funding wanes, states are forced to take action on their own. MassCyberCenter is a state-level initiative that focuses on workforce development for public and private entities, as well as boosting public cybersecurity awareness. Collaboration is a big component of what it aims to do, and training programs are one prime example. MassCyberCenter tries to point municipalities and small businesses in the right direction, “especially if there’s a person who does something better than we do.”
One source Petrozzelli points to is the Massachusetts Executive Office of Technology Services and Security (EOTSS), which provides KnowBe4 training. That means free cybersecurity awareness training and phishing tests for municipalities and school systems. MassCyberCenter and the Office of Consumer Affairs and Business Regulation also published a joint data breach report to give residents insight into data breach trends. It showed how crucial it is for organizations to patch vulnerabilities on internet-facing devices.
The center offers grants, mentorship programs, and a state-funded security operations center (SOC) that includes round-the-clock managed endpoint detection and response, vulnerability assessment, Active Directory, and software and asset inventory.
“If someone signs up for our SOC, they get MS-ISAC membership and they get another program, malicious domain blocking and reporting plus,” he says. “Someone with limited funding doesn’t have to prioritize, ‘Am I going to put money in this membership or this SOC?’”