State, local cyber personnel should be treated as ‘front line’ defending critical infrastructure

State and local cybersecurity personnel are the backbone of protecting critical infrastructure in the U.S., and as such, should be treated like military personnel and members of the “front line” defense by the government, a retired Navy admiral said Tuesday.
“From my perspective, the state and local cybersecurity officials are the front line — they ought to be treated like the front line. You know, when you’re the front line in the U.S. military, you get food, you get ammo, you get water, you get air support,” retired Rear Adm. Mark Montgomery said during Scoop News Group’s virtual Cybersecurity Modernization Summit. “The government should be doing a better job helping our soldiers on the front line. In this case, the cybersecurity soldiers are on the front line defending our water power utilities, our state and local databases, judicial information.”
Montgomery, who’s retired from the Navy and serves as senior director at the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies, said critical infrastructure like water treatment facilities and transportation systems needs more support doing the “blocking and tackling” that allows state and local governments to perform their duties safely.
State and local infrastructure needs more resources for protection, he said, because it often doesn’t have access to capital to cover the costs of an incident such as a ransomware attack. Some cyberattacks can cost agencies millions of dollars.
“Most states and localities don’t like remain flush year round and spend money when they feel like it,” Montgomery said. “They have very tight budgets, and they have to adhere to them and generally, there’s — if anything — there’s a scrimping and a cutting because of an unexpected cost, not a spending in a spree because of a windfall.”
State and local cyber funding initiatives have helped some, Montgomery said, including the State and Local Cybersecurity Grant Program administered by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, but more could be done to help.
However, the work to improve how efficiently states and local governments counter threats to critical infrastructure, he said, has nothing to do with big cuts.
“It does not augur well that there appears to be like a chainsaw being taken to CISA [and the Office of Management and Budget], versus a scalpel. If you didn’t like what they were doing with elections and disinformation, scalpel out the like 2 or 3 million out of 2.9 billion that was being spent on it,” Montgomery said. “Don’t show up with a chainsaw and be joined by your bros from the DOGE who are just randomly taking chainsaws to things. They should be treating CISA and cybersecurity like a national security issue that it is.”
Instead, Montgomery said those leading the federal government should consider that state and local cyber operations are under duress — not necessarily from attacks carried out by China-backed threat actors like Salt Typhoon — but from ordinary cybercriminals launching cyberattacks designed to extort money.
And when it comes to critical utilities that are known to have cyber vulnerabilities, strategy is key, Montgomery said.
“This is a game of checkers,” Montgomery continued. “We got to get our stuff together and do a better job resourcing and supporting the critical infrastructures and the state and local utilities as they fight the good fight.”