States Are Leading on Cyber Volunteering: Supporting Regional Resilience

By Grace Menna, Public Interest Cybersecurity Fellow, UC Berkeley Center for Long-Term Cybersecurity (CLTC), and Sarah Powazek, Program Director of Public Interest Cybersecurity, UC Berkeley Center for Long-Term Cybersecurity (CLTC)

As federal cybersecurity priorities shift, both through a recent Executive Order and a wave of departures at CISA, the nation’s foremost cyber defense agency, more and more is expected and required of state and local governments. 

States and communities have already been shouldering sizable cybersecurity responsibility for decades. While states are unprepared to shoulder the entire federal cybersecurity agenda, they are poised to create lasting regional cyber resilience through innovative cyber volunteering programs and partnerships with nonprofits, academia, and industry. These programs can and should fill an essential gap in state cybersecurity capacity, but more investment and coordination are needed to extend their impact.

Regardless of the whims of Washington, states and communities have always been the first line of defense for the small organizations that uphold our public life. While the federal government has typically handled many key cybersecurity responsibilities, including diplomacy, sanctions, law enforcement, agenda-setting, regulation, and grants, the government is the only entity that can focus primarily on threats to national security. With growing threats from nation-states, criminals, and other actors, and inherent, mounting insecurities embedded in the technology underpinning today’s critical infrastructure, the government, with limited time and resources, can be forced to prioritize those entities it views as the most essential. As a result, many community organizations, such as schools, small or rural utilities, faith-based institutions, and nonprofits that provide critical yet highly localized community services, simply don’t meet the national security threshold. The federal cavalry has never been able to prioritize helping an elementary school recover from a ransomware attack.  

And while the federal government is pulling back, states are more active than ever; they are passing cybersecurity legislation at breakneck speed, with over 77 bills introduced just this year. States like New York are leading the charge by creating minimum standards for water utilities, with $2.5 million in implementation funding attached. States like Texas and Louisiana are funding regional security operations centers (SOCs), and Indiana has partnered with Indiana University and Purdue to provide risk assessments for hundreds of local governments. 

Notably, states and communities have rallied cyber volunteers to serve the least-resourced organizations. One of the best investments that industry leaders, nonprofits, and individual cyber volunteers can make in the coming years is to help states double down on creating a cyber safety net where any organization can receive affordable cybersecurity services. 

This piece is part of an Aspen Digital series of perspectives on the evolving space of intergovernmental cyber policy, including challenges and best practices for building state, local, tribal and territorial capacity and how governments can collaborate effectively.

The views represented herein are those of the author(s) and do not necessarily reflect the views of the Aspen Institute, its programs, staff, volunteers, participants, or its trustees.