Federal programs designed to aid in protecting critical infrastructure operated by state and local governments have wilted during the first six months of Donald Trump\u2019s second presidency, and technology officials have noticed.<\/p>\n\n\n\n
Numerous state and local officials shared with StateScoop a belief that they will need to be more self-reliant in the years ahead, as keystone cyber programs are abandoned or scaled back, and as they receive fewer communications from the Cybersecurity and Infrastructure Security Agency, the federal cyber bureau that has in recent years served as a uniquely valuable coordinator of the nation\u2019s sprawling IT defense efforts.<\/p>\n\n\n\n
Of particular concern for many state and local technology officials are recent federal cuts to the Multi-State Information Sharing and Analysis Center, a group that for more than 20 years has shared critical cybersecurity intelligence across state lines and provided threat monitoring services and other resources at free or heavily discounted rates. Five associations representing state and local governments last week wrote a letter<\/a> to congressional appropriations leaders urging them to reinstate the MS-ISAC’s funding.<\/p>\n\n\n\n \u201cEvery day, we use MS-ISAC\u2019s services to protect the private data of citizens and the operation of hundreds of thousands of public schools, hospitals, utilities, law enforcement, courts, and other essential critical infrastructure across the country,\u201d they wrote.<\/p>\n\n\n\n Officials have said they’re concerned by the dwindling interest in Washington to support a group that provides timely intelligence and preventative services, particularly when it would be expensive, difficult and time-consuming to recreate those services elsewhere. The group prides itself on offering its roughly 19,000 members \u201cshared services, real-time intelligence, and enterprise-grade threat detection at scale,\u201d according to a report it recently published.<\/p>\n\n\n\n After losing about $8.5 million<\/a> in federal funding last March, the MS-ISAC\u2019s operator, the Upstate New York nonprofit Center for Internet Security, began providing about $1 million<\/a> each month in emergency funding so it could continue serving its members. But that funding may stop at the end of September when the center switches to a subscription model<\/a>, charging states according to their IT operating budgets. Its cooperative agreement with the Department of Homeland Security is also set to expire at the end of September, the end of the fiscal year, and the Department of Homeland Security hasn’t said publicly whether the group’s funding or agreement will be renewed.<\/p>\n\n\n\n \u201cMy reading of the tea leaves is that that is not a high probability,\u201d Chris Gergen, North Dakota\u2019s chief information security officer, said of MS-ISAC odds of seeing its funding renewed. \u201cIf that happens, my perspective is that we are going to see a growing reliance on state cyber programs and state-driven initiatives to really help some of those underfunded and underserved entities.”<\/p>\n\n\n\n Last February<\/a>, the Center for Internet Security\u2019s Elections Infrastructure ISAC lost its federal funding, along with its cooperative agreement with the federal government, leading to its closure. The EI-ISAC is still advertised on CISA\u2019s website<\/a>, accompanied by a warning that it\u2019s an archived page that \u201cmay not reflect current policy or programs.\u201d DHS officials have repeatedly pointed out to StateScoop that the EI-ISAC is not prohibited from operating. But many states are barred from accepting help with elections from any group that does not have a cooperative agreement with the federal government, a legal trend that took off after the 2016 election.<\/p>\n\n\n\n With every program it has diminished or position it has eliminated, CISA has maintained that cuts have amounted only to reconciling newly unearthed redundancies. In an emailed statement, Marci McCarthy, CISA\u2019s director of public affairs, responded to a belief imparted by a growing number of officials that they can no longer rely<\/a> on the federal government for the same level of cybersecurity support they\u2019ve received under previous administrations.<\/p>\n\n\n\n \u201cCISA has not wavered in our support to state and local partners and our commitment to them will not change,\u201d McCarthy\u2019s statement read. \u201cWe deliver a full suite of cyber and physical security capabilities at no cost. Our regional teams work directly with officials on the ground across the country to assess risks, strengthen defenses, and enhance resilience. CISA team members provide the right support to state and local partners in real time to help them anticipate emerging threat and sustain secure operations.\u201d<\/p>\n\n\n\n Rob Beach, who serves as the chief technology officer for Cocoa, Florida, a small coastal city a forty minute drive east from Orlando, said that although he still “absolutely” considers CISA a \u201cvalued partner,\u201d he lamented that the nation\u2019s critical infrastructure \u2014 schools, hospitals, water treatment facilities and public safety offices \u2014 are increasingly being left to defend against attacks on their own.<\/p>\n\n\n\n \u201cThe majority of this nation\u2019s critical infrastructure is run by local governments,\u201d said Beach, who sits on MS-ISAC\u2019s executive committee. \u201cThis isn\u2019t a local government problem. This is a national security problem and it requires federal-level attention.\u201d<\/p>\n\n\n\n A new MS-ISAC report<\/a> paints the decline in federal cybersecurity supports \u2014 in the form of funding, program subsidies and services provided directly by federal agencies \u2014 as a potentially costly gamble. The DOGE phenomenon kicked off by Elon Musk that fetishizes the leanest possible operations precipitated widespread cuts throughout the federal government that have led to many harmful outcomes, ranging from deep cuts to medical research to reductions of key personnel<\/a> at emergency management agencies, which may have impaired their ability to support several recent disasters. Analysts now warn that cuts to cybersecurity could prove disastrous if additional cyberattacks are allowed through. Single events of sufficient size, such as last year\u2019s Crowdstrike outage<\/a>, caused by a faulty update, or the Change Healthcare<\/a> ransomware attack, have each cost the nation billions of dollars in lost productivity and recovery expenses.<\/p>\n\n\n\n Terry Loftus, the chief information officer for the San Diego County Office of Education and chair of MS-ISAC\u2019s executive committee, said there\u2019s seldom a meaningful distinction between the federal government\u2019s cybersecurity efforts and those of the rest of government. He pointed to the elimination<\/a> of the Department of Education\u2019s Office of Educational Technology last March as one of numerous ill-conceived cuts by the Trump administration that has showcased the blurry boundaries of cybersecurity.<\/p>\n\n\n\n \u201cThat\u2019s where the only cybersecurity folks talking about these things at a national level existed,\u201d he said. \u201cThat is all gone. It really puts us in a difficult spot.\u201d<\/p>\n\n\n\n Loftus said that outside of the nation\u2019s largest school districts, most schools have scant funding or expertise to adequately manage their IT defenses. Recent surveys conducted by the MS-ISAC show that 22% of state, local, territorial and tribal governments have zero dollars dedicated only to cybersecurity. Forty-two percent operate with less than $100,000 annually for cybersecurity. Smaller organizations tend to be less prepared; seventy percent of jurisdictions of fewer 10,000 people don\u2019t have a multiyear cybersecurity plan.<\/p>\n\n\n\n Ensuring that the smallest, least-resourced offices get help defending their systems is a niche that MS-ISAC has, over the years, filled with gusto. The group\u2019s new report boasts that it delivers \u201centerprise-grade capabilities to even the smallest jurisdictions,\u201d a feat accomplished through its industry connections, the bulk-pricing discounts it gets for services thanks to the group\u2019s wide (and steadily growing) membership and \u2014 critically \u2014 support from the federal government. <\/p>\n\n\n\n The United States government isn’t a monolith, but MS-ISAC has done its best to afford its far-flung members the defensive advantages of scale and sophistication as if it were. And, CISA notwithstanding, it’s often the only game in town. One recent survey of the group’s members, Loftus said, showed that more than 80% believe they would be unable to find affordable alternatives to MS-ISAC services, should they disappear.<\/p>\n\n\n\n The MS-ISAC is still operating, but with its support enervated, and with CISA and other federal agencies shrinking, many technology officials are now sketching out contingency plans. But who else could fill MS-ISAC\u2019s and CISA\u2019s roles as national coordinators? Loftus said that before Trump 2.0, CISA sometimes handed off cyber matters related to state or local government to the MS-ISAC, but that he no longer knows how state and local issues will be handled, particularly as CISA\u2019s own staffing levels shrink.<\/p>\n\n\n\n Derek Tisler, a counsel at the Brennan Center for Justice, a Washington think tank, said state and local officials are especially concerned about how they will secure their elections infrastructure.<\/p>\n\n\n\n \u201cOne of the biggest gaps that came up over and over is that the federal government both served as and supported information-sharing networks that were incredibly important for being able to see and anticipate challenges that are taking place outside of your borders,\u201d Tisler said. \u201cThis is something a lot of state officials have come to realize \u2014 that they may not be able to rely on the federal government for as much information anymore.\u201d<\/p>\n\n\n\n State and local officials had come to treasure the EI-ISAC and MS-ISAC for their ability to aggregate large amounts of information on network traffic from around the country and feed back the most salient bits to the agencies that might need them. And as membership organizations, ISACs are viewed by some, local governments especially, as less intimidating than federal agencies that might provide similar types of support.<\/p>\n\n\n\n When protecting elections, Tisler said, a friendly organization like the EI-ISAC, that could provide a nationwide view of threats, was invaluable. He said this structure is especially effective because nation-state actors don\u2019t necessarily think in terms of particular cities or counties \u2014 they\u2019re just going after infrastructure, and that means the nation\u2019s 10,000 election officials truly have a common cause. And with a group like the EI-ISAC to bind them together, they were no longer fighting alone.<\/p>\n\n\n\n \u201cMany election officials have no full-time staff to rely on,\u201d Tisler said. \u201cThey may even be in a part-time position in more rural areas. They don\u2019t have the time or capacity to be seeking out these services.\u201d<\/p>\n\n\n\n Or as Beach, the tech chief in Cocoa put it: \u201cWe\u2019re trying to fight nation-state actors on municipal budgets.\u201d<\/p>\n\n\n\n \u201cI don\u2019t think the adversaries are cutting their budgets. I think they\u2019re ramping up actually. We\u2019re seeing a lot of activity from these foreign states, especially the Big Four,\u201d Beach added, pointing to China, Iran, North Korea and Russia.<\/p>\n\n\n\n A recent report<\/a> by the Brennan Center and the R Street Institute, another Washington think tank, suggests that state and regional security operations centers could be the ones to pick up the slack dropped by the federal government. The most prominent is North Dakota\u2019s Joint Cyber Security Operations Center, which started in 2019 when North Dakota banded with Montana and South Dakota. The group now includes 15 states. Gergen, the North Dakota CISO who helped stand up the center, said the other member states prefer to remain anonymous.<\/p>\n\n\n\n The JCSOC isn\u2019t a building or a legal entity, Gergen said, but an agreement. His state\u2019s IT security division employs several dozen full-time employees and many of them spend a \u201csmall portion\u201d of their time working on the center. That work, he said, equates to sharing threat intelligence across state lines and, in the event that a crisis hits one of the member states, “effectively” providing staffing support.<\/p>\n\n\n\n Gergen said he \u201csaw the value in MS-ISAC.\u201d But he also saw shortcomings that motivated the creation of his group.<\/p>\n\n\n\n \u201cA lot of the threat intelligence sharing would bubble up from states to MS-ISAC,\u201d he said. \u201cIt would get anonymized and then it would get shared back out, which was fine \u2026 but it didn\u2019t really open up avenues to know the state or the people that were behind the intelligence being shared, if you wanted more context and wanted more information.\u201d<\/p>\n\n\n\n He named other shortcomings, like the Center for Internet Security\u2019s policy of only sharing the parts of its Nationwide Cybersecurity Review that apply to each organization it\u2019s shared with. For North Dakota\u2019s CISO this is of unique interest because his network is widely used across the state \u2014 by cities, counties, school districts, universities, the state\u2019s 911 system, its elections infrastructure and public radio network. He\u2019s responsible for securing more than a quarter million endpoints, so he conducts his own statewide cyber assessments to understand who needs help.<\/p>\n\n\n\n Some states included in North Dakota’s JCSOC have set up automated sharing of threat information. This means states can get notices from across state lines in real time \u2014 faster, Gergen said, than they get it through the MS-ISAC, which anonymizes its data before sharing.<\/p>\n\n\n\n \u201cWe\u2019ve had a number of incidences where states have been under attack and have brought live [tactics, techniques and procedures] to that group, like [indicators of compromise], whether it be IP addresses or whether it be queries that they ran in their environment, have been able to share that with us or we\u2019ve been able to share it with them that have then resulted in uncovering additional intrusions in some other state networks,\u201d he said.<\/p>\n\n\n\n Gergen predicted that as the federal government continues to pull back cybersecurity support, JCSOC members will be interested in how their group might fill the gaps.<\/p>\n\n\n\n But even despite the MS-ISAC\u2019s flaws, he said, the JCSOC was never intended to replace it, and that he still considers it a valuable tool to be used in conjunction with other resources. (He also expressed disappointment that new rules<\/a> included in the State and Local Cybersecurity Grant Program, a $1 billion pot of funds designed to bolster local governments’ cybersecurity, prohibit spending on MS-ISAC services.)<\/p>\n\n\n\n And as for additional states joining the JCSOC, North Dakota’s not necessarily looking for new members.<\/p>\n\n\n\n \u201cWe\u2019ve hit a size that we\u2019re probably comfortable with,\u201d Gergen said.<\/p>\n\n\n\n Both the Brennan Center and the Center for Internet Security recommend state and regional SOCs work in conjunction with the MS-ISAC. Such an organizational model mirrors the \u201cdefense in depth\u201d strategy long favored by IT security professionals that arranges redundant fortifications to avoid single points of failure that can be exploited by bad actors.<\/p>\n\n\n\n Under this conception of the group, the MS-ISAC could only be replaced by something just like it. Numerous people interviewed for this story said that recreating the MS-ISAC from scratch would be laborious, costly and pointless, since it already exists.<\/p>\n\n\n\n \u201c[We\u2019re seeing] a shifting perspective of pushing cybersecurity responsibility back onto the states and the local government entities,\u201d Gergen said. \u201cCollaboration has always been important to me and important to our program here, but I think it\u2019s going to become all the more important as we continue to see this responsibility shift down to the lower levels.\u201d<\/p>\n\n\n\n\u2018CISA has not wavered\u2019<\/h3>\n\n\n\n
\u2018A difficult spot\u2019<\/h3>\n\n\n\n
\u2018Trying to fight\u2019<\/h3>\n\n\n\n
A comfortable size<\/h3>\n\n\n\n
\u2018No longer there\u2019<\/h3>\n\n\n\n