CISA says it’s not abandoning the states. Cyber officials aren’t so sure

Federal programs designed to aid in protecting critical infrastructure operated by state and local governments have wilted during the first six months of Donald Trump’s second presidency, and technology officials have noticed.
Numerous state and local officials shared with StateScoop a belief that they will need to be more self-reliant in the years ahead, as keystone cyber programs are abandoned or scaled back, and as they receive fewer communications from the Cybersecurity and Infrastructure Security Agency, the federal cyber bureau that has in recent years served as a uniquely valuable coordinator of the nation’s sprawling IT defense efforts.
Of particular concern for many state and local technology officials are recent federal cuts to the Multi-State Information Sharing and Analysis Center, a group that for more than 20 years has shared critical cybersecurity intelligence across state lines and provided threat monitoring services and other resources at free or heavily discounted rates. Five associations representing state and local governments last week wrote a letter to congressional appropriations leaders urging them to reinstate the MS-ISAC’s funding.
“Every day, we use MS-ISAC’s services to protect the private data of citizens and the operation of hundreds of thousands of public schools, hospitals, utilities, law enforcement, courts, and other essential critical infrastructure across the country,” they wrote.
Officials have said they’re concerned by the dwindling interest in Washington to support a group that provides timely intelligence and preventative services, particularly when it would be expensive, difficult and time-consuming to recreate those services elsewhere. The group prides itself on offering its roughly 19,000 members “shared services, real-time intelligence, and enterprise-grade threat detection at scale,” according to a report it recently published.
After losing about $8.5 million in federal funding last March, the MS-ISAC’s operator, the Upstate New York nonprofit Center for Internet Security, began providing about $1 million each month in emergency funding so it could continue serving its members. But that funding may stop at the end of September when the center switches to a subscription model, charging states according to their IT operating budgets. Its cooperative agreement with the Department of Homeland Security is also set to expire at the end of September, the end of the fiscal year, and the Department of Homeland Security hasn’t said publicly whether the group’s funding or agreement will be renewed.
“My reading of the tea leaves is that that is not a high probability,” Chris Gergen, North Dakota’s chief information security officer, said of the MS-ISAC’s odds of seeing its funding renewed. “If that happens, my perspective is that we are going to see a growing reliance on state cyber programs and state-driven initiatives to really help some of those underfunded and underserved entities.”
‘CISA has not wavered’
Last February, the Center for Internet Security’s Elections Infrastructure ISAC lost its federal funding, along with its cooperative agreement with the federal government, leading to its closure. The EI-ISAC is still advertised on CISA’s website, accompanied by a warning that it’s an archived page that “may not reflect current policy or programs.” DHS officials have repeatedly pointed out to StateScoop that the EI-ISAC is not prohibited from operating. But many states are barred from accepting help with elections from any group that does not have a cooperative agreement with the federal government, a legal trend that took off after the 2016 election.
With every program it has diminished or position it has eliminated, CISA has maintained that cuts have amounted only to reconciling newly unearthed redundancies. In an emailed statement, Marci McCarthy, CISA’s director of public affairs, responded to a belief imparted by a growing number of officials that they can no longer rely on the federal government for the same level of cybersecurity support they’ve received under previous administrations.
“CISA has not wavered in our support to state and local partners and our commitment to them will not change,” McCarthy’s statement read. “We deliver a full suite of cyber and physical security capabilities at no cost. Our regional teams work directly with officials on the ground across the country to assess risks, strengthen defenses, and enhance resilience. CISA team members provide the right support to state and local partners in real time to help them anticipate emerging threats and sustain secure operations.”
Rob Beach, who serves as the chief technology officer for Cocoa, Florida, a small coastal city a forty-minute drive east of Orlando, said he still “absolutely” considers CISA a “valued partner,” but lamented that the nation’s critical infrastructure — schools, hospitals, water treatment facilities and public safety offices — is increasingly being left to defend against attacks on its own.
“The majority of this nation’s critical infrastructure is run by local governments,” said Beach, who sits on MS-ISAC’s executive committee. “This isn’t a local government problem. This is a national security problem and it requires federal-level attention.”
‘A difficult spot’
A new MS-ISAC report paints the decline in federal cybersecurity supports — in the form of funding, program subsidies and services provided directly by federal agencies — as a potentially costly gamble. The DOGE phenomenon kicked off by Elon Musk that fetishizes the leanest possible operations precipitated widespread cuts throughout the federal government that have led to many harmful outcomes, ranging from deep cuts to medical research to reductions of key personnel at emergency management agencies, which may have impaired their ability to support several recent disasters. Analysts now warn that cuts to cybersecurity could prove disastrous if additional cyberattacks are allowed through. Single events of sufficient size, such as last year’s CrowdStrike outage or the Change Healthcare ransomware attack, have each cost the nation billions of dollars in lost productivity and recovery expenses.
Terry Loftus, the chief information officer for the San Diego County Office of Education and chair of MS-ISAC’s executive committee, said there’s seldom a meaningful distinction between the federal government’s cybersecurity efforts and those of the rest of government. He pointed to the elimination of the Department of Education’s Office of Educational Technology last March as one of numerous ill-conceived cuts by the Trump administration that have showcased the blurry boundaries of cybersecurity.
“That’s where the only cybersecurity folks talking about these things at a national level existed,” he said. “That is all gone. It really puts us in a difficult spot.”
Loftus said that outside of the nation’s largest school districts, most schools have scant funding or expertise to adequately manage their IT defenses. Recent surveys conducted by the MS-ISAC show that 22% of state, local, territorial and tribal governments have zero dollars dedicated only to cybersecurity. Forty-two percent operate with less than $100,000 annually for cybersecurity. Smaller organizations tend to be less prepared; seventy percent of jurisdictions of fewer than 10,000 people don’t have a multiyear cybersecurity plan.
Ensuring that the smallest, least-resourced offices get help defending their systems is a niche that MS-ISAC has, over the years, filled with gusto. The group’s new report boasts that it delivers “enterprise-grade capabilities to even the smallest jurisdictions,” a feat accomplished through its industry connections, the bulk-pricing discounts it gets for services thanks to the group’s wide (and steadily growing) membership and — critically — support from the federal government.
The United States government isn’t a monolith, but MS-ISAC has done its best to afford its far-flung members the defensive advantages of scale and sophistication as if it were. And, CISA notwithstanding, it’s often the only game in town. One recent survey of the group’s members, Loftus said, showed that more than 80% believe they would be unable to find affordable alternatives to MS-ISAC services, should they disappear.
‘Trying to fight’
The MS-ISAC is still operating, but with its support enervated, and with CISA and other federal agencies shrinking, many technology officials are now sketching out contingency plans. But who else could fill MS-ISAC’s and CISA’s roles as national coordinators? Loftus said that before Trump 2.0, CISA sometimes handed off cyber matters related to state or local government to the MS-ISAC, but that he no longer knows how state and local issues will be handled, particularly as CISA’s own staffing levels shrink.
Derek Tisler, a counsel at the Brennan Center for Justice, a Washington think tank, said state and local officials are especially concerned about how they will secure their elections infrastructure.
“One of the biggest gaps that came up over and over is that the federal government both served as and supported information-sharing networks that were incredibly important for being able to see and anticipate challenges that are taking place outside of your borders,” Tisler said. “This is something a lot of state officials have come to realize — that they may not be able to rely on the federal government for as much information anymore.”
State and local officials had come to treasure the EI-ISAC and MS-ISAC for their ability to aggregate large amounts of information on network traffic from around the country and feed back the most salient bits to the agencies that might need them. And as membership organizations, ISACs are viewed by some, local governments especially, as less intimidating than federal agencies that might provide similar types of support.
When protecting elections, Tisler said, a friendly organization like the EI-ISAC that could provide a nationwide view of threats was invaluable. He said this structure is especially effective because nation-state actors don’t necessarily think in terms of particular cities or counties — they’re just going after infrastructure, and that means the nation’s 10,000 election officials truly have a common cause. And with a group like the EI-ISAC to bind them together, they were no longer fighting alone.
“Many election officials have no full-time staff to rely on,” Tisler said. “They may even be in a part-time position in more rural areas. They don’t have the time or capacity to be seeking out these services.”
Or as Beach, the tech chief in Cocoa, put it: “We’re trying to fight nation-state actors on municipal budgets.”
“I don’t think the adversaries are cutting their budgets. I think they’re ramping up actually. We’re seeing a lot of activity from these foreign states, especially the Big Four,” Beach added, pointing to China, Iran, North Korea and Russia.
A comfortable size
A recent report by the Brennan Center and the R Street Institute, another Washington think tank, suggests that state and regional security operations centers could be the ones to pick up the slack dropped by the federal government. The most prominent is North Dakota’s Joint Cyber Security Operations Center, which started in 2019 when North Dakota banded with Montana and South Dakota. The group now includes 15 states. Gergen, the North Dakota CISO who helped stand up the center, said the other member states prefer to remain anonymous.
The JCSOC isn’t a building or a legal entity, Gergen said, but an agreement. His state’s IT security division employs several dozen full-time employees and many of them spend a “small portion” of their time working on the center. That work, he said, equates to sharing threat intelligence across state lines and, in the event that a crisis hits one of the member states, “effectively” providing staffing support.
Gergen said he “saw the value in MS-ISAC.” But he also saw shortcomings that motivated the creation of his group.
“A lot of the threat intelligence sharing would bubble up from states to MS-ISAC,” he said. “It would get anonymized and then it would get shared back out, which was fine … but it didn’t really open up avenues to know the state or the people that were behind the intelligence being shared, if you wanted more context and wanted more information.”
He named other shortcomings, like the Center for Internet Security’s policy of only sharing the parts of its Nationwide Cybersecurity Review that apply to each organization it’s shared with. For North Dakota’s CISO this is of unique interest because his network is widely used across the state — by cities, counties, school districts, universities, the state’s 911 system, its elections infrastructure and public radio network. He’s responsible for securing more than a quarter million endpoints, so he conducts his own statewide cyber assessments to understand who needs help.
Some states included in North Dakota’s JCSOC have set up automated sharing of threat information. This means states can get notices from across state lines in real time — faster, Gergen said, than they get it through the MS-ISAC, which anonymizes its data before sharing.
“We’ve had a number of incidences where states have been under attack and have brought live [tactics, techniques and procedures] to that group, like [indicators of compromise], whether it be IP addresses or whether it be queries that they ran in their environment, have been able to share that with us or we’ve been able to share it with them that have then resulted in uncovering additional intrusions in some other state networks,” he said.
Gergen predicted that as the federal government continues to pull back cybersecurity support, JCSOC members will be interested in how their group might fill the gaps.
But despite the MS-ISAC’s flaws, he said, the JCSOC was never intended to replace it, and he still considers it a valuable tool to be used in conjunction with other resources. (He also expressed disappointment that new rules included in the State and Local Cybersecurity Grant Program, a $1 billion pot of funds designed to bolster local governments’ cybersecurity, prohibit spending on MS-ISAC services.)
And as for additional states joining the JCSOC, North Dakota’s not necessarily looking for new members.
“We’ve hit a size that we’re probably comfortable with,” Gergen said.
Both the Brennan Center and the Center for Internet Security recommend state and regional SOCs work in conjunction with the MS-ISAC. Such an organizational model mirrors the “defense in depth” strategy long favored by IT security professionals that arranges redundant fortifications to avoid single points of failure that can be exploited by bad actors.
Under this conception of the group, the MS-ISAC could only be replaced by something just like it. Numerous people interviewed for this story said that recreating the MS-ISAC from scratch would be laborious, costly and pointless, since it already exists.
“[We’re seeing] a shifting perspective of pushing cybersecurity responsibility back onto the states and the local government entities,” Gergen said. “Collaboration has always been important to me and important to our program here, but I think it’s going to become all the more important as we continue to see this responsibility shift down to the lower levels.”
‘No longer there’
In yet another reduction of CISA’s capabilities, the agency’s Joint Cyber Defense Collaborative recently saw its number of contractors reduced from more than 100 to just 10.
“JCDC is the primary group that provides these spaces and places for collaboration and sharing and so forth,” said Loftus, the MS-ISAC chair. “And this is the main way that we interact, as MS-ISAC, with CISA.”
Even before those cuts, Loftus said, he’d begun to see the writing on the wall. He noticed that cuts to CISA’s Integrated Operations Division had resulted in less frequent support. CISA staff who’d traveled to regional events and local government offices to provide advice are simply “no longer there,” he said.
“Events and meetings and things in the last six months where CISA had committed to attending and engaging with this community, they withdrew from and did not send anyone,” he said. “We have very clearly seen in many different ways where they have pulled back or not had the staff or given the approval to engage with [state, local, territorial and tribal] organizations like they had previously.”
Beach, the Cocoa tech chief, said CISA’s absence was felt last month at a district meeting of the Florida Local Government Information Systems Association, which aims to equip local officials and critical infrastructure operators around the state with the resources they need to secure their systems.
“Last year we had two cyber advisers from CISA, which was great,” Beach said. “One focused on the capabilities, one more focused on the law enforcement side, but we had two. This year we have zero. We no longer have a cyber adviser here.”