Chase Fopiano remembers a time when hackers were the kind of thing only Hollywood made movies about — faceless criminals tapping away in neon-lit basements, targeting banks or Silicon Valley giants, never quaint police stations in sun-bleached South Florida. For most of his early career as a police officer, the notion of cyberattackers going after law enforcement seemed almost laughable; after all, who’d be dumb enough to poke the very people who chase down crime? That illusion, like so many old assumptions in the digital age, has been shattered.
By around 2015, as networks grew ever more tangled with our daily lives and enterprising hackers got bold, Fopiano and his colleagues started paging through IT forensics instead of mugshots. Today, cat-and-mouse has gone digital: law enforcement agencies themselves — supposedly the cyber enforcers — find themselves tantalizingly soft targets for a diverse new crowd of cybercriminals. “A lot of those attempts are toward government or even police, especially because they know we’re not as prepared as we should be,” says Fopiano, now running cybersecurity for a regional security task force in Florida. And he’s not alone. From the U.S. Secret Service on down to Mayberry’s mainframe, government agencies dodge an endless hailstorm of digital threats daily.
A Nation’s Digital Achilles’ Heel
Across the American landscape, from Midwestern courtrooms to rural health clinics, the same problem keeps surfacing: state and local governments, the custodians of our most sensitive data and critical services, are sitting ducks in an increasingly sophisticated cyber battleground.
It’s not just ransomware locking files for payment. Foreign actors sniff around voting machines. Teenagers on a power trip test their exploits on city databases. Even cartels and terrorist groups are reportedly elbowing into cybercrime. The broadening cast of offenders is matched only by the breadth of targets: emergency services, healthcare portals, school districts, water treatment facilities, and just about any server with a .gov domain in its email signature.
Yet, as the cyber battlefield expands, the federal government’s strategic pivot is sending shockwaves through these local fortresses — many of which are more medieval hamlets than digital citadels.
Washington’s Surprising Hand-Off
Enter President Donald Trump’s latest executive order: a sweeping move that shifts some cybersecurity responsibility out of federal hands and into the laps of state and local governments. The message? Buckle up, governors and county clerks — this is your rodeo now.
At first blush, this sounds almost empowering: let each state tailor defenses to its own unique digital terrain! But there’s a catch. The baton pass from Washington comes with a conspicuous slimming of federal resources — including sunsetting a major cybersecurity grant program and trimming the ranks of the very agency, CISA, charged with defending the homeland’s digital front lines.
The clock is ticking. The State and Local Cybersecurity Grant Program, a $1 billion initiative launched just two years ago, is set to expire by September with no renewal in sight. The Cybersecurity and Infrastructure Security Agency (CISA), the federal nerve center coordinating much of the national digital defense, faces a potential cut of about 1,300 jobs. As federal dollars dry up, the workforce shrinks, leaving states and counties to scrounge spare change from already-stretched budgets.
Are the States Ready? Spoiler: Most Are Not
For the uninitiated, it might sound like states have been champing at the bit for this lack of federal oversight. But a peek behind the curtains tells a less rosy tale.
A recent voluntary self-assessment — the Nationwide Cybersecurity Review — offered a sobering snapshot. Of the 48 states that participated in 2023, fewer than half (only 22) reached or surpassed the recommended minimum cyber-preparedness levels. Put simply: most aren’t ready for prime time.
This shouldn’t be surprising, according to Samir Jain at the Center for Democracy & Technology. He points out that the pipeline of skilled IT pros — especially those willing to work for modest government wages in small towns — simply doesn’t exist. “The notion that the federal government could just withdraw and expect states and localities to step in is just not realistic,” Jain warns.
Even when cyber threats make the A-list at legislative sessions, they’re fighting for table scraps. Local law enforcement budgets are chronically squeezed between the headline-grabbing (patrol cars, body armor, guns) and the invisible (firewalls, two-factor logins, cyber forensics). No politician was ever re-elected for upgrading the county’s SIEM appliance.
The Human Cost: When Portals Crash and Data Leaks
The bleak stats aren’t just bureaucratic hand-wringing. They’re real-world vulnerabilities. Consider just a few recent horror stories:
- In December, a devastating cyberattack forced Rhode Island to shutter its portal for Medicaid and SNAP benefits — lifelines for thousands of low-income residents. As their digital safety net went dark, personal data (including Social Security numbers and bank details) surfaced on the dark web’s digital chop shops.
- In February, a “sophisticated cyberattack” hit the Virginia Attorney General’s office, forcing staff to dust off paper court filings in a scramble to keep the justice system rolling.
- More recently, hackers breached the Fall River School District in Massachusetts, triggering a frantic investigation into whether student or staff personal data was compromised.
How Did We Get Here? The Great Digital Gold Rush
Why are local agencies so vulnerable? It’s partly a story of unexpected digital transformation. Over the last two decades, government services have sprinted into the online world: drivers’ licenses, welfare checks, voting records, water bills — all now swirling around the cloud.
With this digital gold rush came a mad scramble for IT staff, systems integration, and cyber hygiene that lagged far behind; especially outside big cities, it’s been more of a patchwork than a plan. For many county IT officers, the “team” defending against a nation-state attack might be two overworked people and an ancient Dell desktop.
And then there’s the staffing crisis: nationwide, cybersecurity pros are in such high demand that six-figure Silicon Valley salaries are the norm. Small-town governments struggle to hire — if they can afford it — against such odds. No wonder front-line defense sometimes looks more like Mayberry than a Mission Impossible set.
Federal Retreat: The Suits Hit the Brakes
None of this would be so critical if federal support remained strong. But politics, priorities, and philosophical shifts have combined for a palpable retreat.
The bold 2021 Infrastructure Investment and Jobs Act earmarked $1 billion for the State and Local Cybersecurity Grant Program. It was designed to help states develop training programs, add multi-factor authentication, assess vulnerabilities, and, crucially, bolster defenses against a new era of digital threats. In its first year, $279 million went to states and another $18 million to Native American tribes — progress by any metric.
Yet fast-forward to 2024, and the program has disappeared from next year’s blueprints. CISA’s own future looks uncertain as staff trims loom. The pressure is mounting for Congress to step in and reauthorize both the grant program and CISA’s staffing — but as with all DC debates, the clock ticks on, and confidence is thin on the ground.
In the meantime, key programs like the Multi-State Information Sharing and Analysis Center (MS-ISAC) have already lost crucial federal funding, narrowing the pipeline for intelligence, threat sharing, and rapid response.
When the Cavalry Fades, the States Improvise
So, what do states do when Washington shrugs and wallets snap shut? Across the country, statehouses spring into legislative action, filling the policy vacuum with a scrambled patchwork of solutions — some creative, some desperate.
This year alone, 33 states have either adopted resolutions or passed new cybersecurity laws. The approaches are as varied as a late-night cable lineup:
- Critical Infrastructure Protection: Florida, Louisiana, West Virginia, and others established stricter penalties for cyber-tampering with crucial systems — power grids, water plants, government networks. The logic? Make the risk steeper, maybe keep some criminals at bay.
- Election Security: Minnesota and Washington mandated new digital defenses around election administration — a topical concern after several high-profile foreign hacking attempts in recent cycles.
- Healthcare Hardening: States like Connecticut and Florida are rolling out requirements for hospitals to shore up their cyber walls, sometimes tying funding to meaningful safeguards.
- Third-Party Audits: South Dakota dropped $7 million on an outside company to assess local government vulnerabilities — an acknowledgment that specialized help is needed, even at a premium.
Centralized Defenses: Herding IT Cats
Some states are looking inward and upward, creating or centralizing state-level cybersecurity offices. Arkansas is birthing a new statewide cybersecurity office empowered to monitor networks and coordinate response. In Alabama, lawmakers want to move IT pros out of their scattered home agencies and into a single, specialized shop focused exclusively on cybersecurity.
The philosophy is straightforward: with fragmented resources and patchwork defenses, only a coordinated, all-hands-on-deck approach can hope to make a dent in the tidal wave of threats. As Alabama State Rep. Mike Shaw explains (with pragmatic Midwestern wisdom), “The federal government is really big, and it’s really hard to come up with a one-size-fits-all solution for things like cybersecurity, data privacy and technology in general. So, in some sense, it’s good that the states are coming up with their own.”
But What About the Locals?
It’s hard not to sympathize with city and county governments, though, as they’re the ones stuck with the least cash and the most on-the-ground impact when things go wrong.
Counties, especially rural and small-to-midsize ones, face the toughest hill to climb. Rita Reynolds, CIO of the National Association of Counties, puts it bluntly: “Are counties prepared? I would say they’re not as prepared as they’d like to be. And in some cases, they are looking at how to strategically approach this now that resources are disappearing.”
These local agencies, already stretched thin, are tasked with implementing best-practice cyber protocols — multi-factor authentication, safe .gov web domains, up-to-the-minute vulnerability scanning — often on shoestring budgets and ancient hardware. Sophisticated threat actors know this, and like lions at a watering hole, they target the slowest antelope.
The Blame Game: Should States Celebrate Autonomy?
The Trump administration’s position is that shifting responsibility is about local empowerment. Let those closest to the problem judge their unique risk and build fit-for-purpose defenses. CISA spokesperson Jared Auchey called it an opportunity for states to make “risk-informed decisions and investments” with federal backing for information sharing, if not checks.
In an ideal world, perhaps. But in the messy world of American politics — with midwestern states facing tornado-induced power grid failures, while coastal cities fret about Chinese hacking of hospitals — that autonomy can look suspiciously like abandonment.
Silver Linings and Sighs of Relief
Not all the news is grim. A few states, like New Mexico, have taken the initiative to centralize their cybersecurity approach and set mandatory baselines for data safety. Sanctions and upskilling, new funds appropriated, and even regular stress-testing of emergency response protocols have paid off.
As New Mexico State Senator Michael Padilla, a longtime champion of tech modernization, boasts, “I think New Mexico is in a very good position because what we decided to do by creating that [cybersecurity] office is to ensure that any transactions that occur with state government here have to meet a minimum set of security standards.”
It’s a glimpse at what could be if policy, leadership, and resources align. But such stories are the exception, not the rule.
What’s at Stake? The Next Attack Is Only a Click Away
The ongoing decentralization of America’s cybersecurity defense comes at a pivotal moment. Municipal government networks — once little more than Windows 95 desktops and dial-up routers — are now the nervous system for everything from disaster response to election result reporting, from hospital records to unemployment benefits.
A breach is no longer just about a few files going missing. The wrong attack, at the wrong time, in the wrong location could be catastrophic: an emergency room unable to access records, a city’s water supply tampered with, a day when the lights literally go out.
It’s telling that cyberattacks now routinely shutter entire government agencies, send officials scrambling for pens and paper, or push personal data onto the sale racks of the dark web. The threats are evolving far faster than the defenses.
The Real Cost: Security as a Shared Endeavor
If there’s a lesson to be drawn from the recent policy pivot, it’s that cybersecurity isn’t a state-vs-federal game — it’s a shared responsibility that transcends party lines, legislative calendars, and budget cycles.
What’s needed isn’t just money (though, let’s be clear, money helps), but a new mindset: one that sees digital defenses as part of emergency preparedness, public health, and critical infrastructure on par with bridges and roads.
Without that, the U.S. risks turning its most essential services into low-hanging fruit for the entire spectrum of cyber malefactors — from hobbyists with a grudge, to ransomware gangs, to enemies of democracy itself.
The Future: Will the Cavalry Return, or Is Every State on Its Own?
As the September expiration looms for key federal cybersecurity programs, everyone from county commissioners to state CIOs is watching Washington for a sign — any sign — that renewed support is coming.
Will Congress see the strategic folly of leaving counties to their own devices? Could a new generation of lawmakers, shaped by headline-grabbing hacks, finally treat cyber resilience as a kitchen-table issue? Or will the patchwork patch itself, with states innovating in the absence of federal leadership?
Until then, the nation’s cyber sentinels — from big city IT directors to small-town sheriffs tasked with cyber response — will continue to patch and pray. They’ll fight an invisible war with tools often a generation old, up against adversaries who never sleep.
The cautionary tale of America’s cyber disunity is being written with each new breach and every datacenter unplugged by ransomware. The question isn’t whether the threats will keep coming. It’s who will be left to answer the call — or, as is increasingly the case, who will be left to pick up the pieces when the digital alarm bells ring.
In this brave new world of state-led cybersecurity, let’s just hope the hackers don’t read the news.
Source: Oklahoma Voice, “Trump is shifting cybersecurity to the states, but many aren’t prepared”