State cyber officials are losing confidence as challenges mount

Between aging infrastructure, AI-powered attacks and flagging budgets, state cybersecurity officials have reported they are becoming less confident in their ability to protect government's data stores.

If you ask a state chief information security officer about their expectations for the near future, you’re unlikely to hear an entirely happy story. Between the rising use of AI by threat actors and fewer resources at hand to support cyberdefense efforts, the outlook is grim. The number of state CISOs who described themselves as “extremely” or “very” confident in their ability to secure the government’s data has plummeted, from 48% in 2022, down to 22% this year.

Biennial survey results collected by the IT firm Deloitte and the National Association of State CIOs, the group that monitors, convenes and advocates for states’ top technology officials, show that there are other reasons to be wary. One unnamed CISO quoted in a report published Monday affirmed that AI has accelerated sophisticated cyberattacks aimed at the public sector such that they now occur at “a blistering pace.” Yet cybersecurity leaders from all 50 states (along with Washington, D.C., and the Virgin Islands) generally reported flagging budgetary support to repel those attacks.

Less than a quarter of state cyber leaders reported significant (6% or greater) budget increases, down from 40% two years ago. And “perhaps more concerning,” the authors of the new report wrote, is the marked rise in cuts to cyber budgets: Sixteen percent reported decreases in funding, compared to 0% in 2024. And when asked about the top barriers to performing their jobs of protecting the public’s data, insufficient funding made the top three, next to managing old infrastructure and the increasing sophistication of threats leveled at their organizations.

NASCIO remarks that “state CISOs have a slightly different set of future concerns than in previous years.” Concerns about malware and state-sponsored espionage are receding to make room for worries about potential third-party security breaches and phishing attacks, which with the help of artificial intelligence tools no longer arrive as obvious scams riddled with poor grammar, but as plausible correspondence that sometimes tricks even security-minded public employees who’ve momentarily lowered their guard.

Bryce Bailey, Nebraska’s CISO, shared in an email a belief that any shift in confidence among state cybersecurity leaders is “understandable”: “The threat environment has evolved significantly and our teams are facing challenges that are both real and growing. AI-enabled attacks, aging infrastructure, and increasingly sophisticated adversaries demand our full attention.”

The report notes that AI is “expanding the capabilities of malicious actors,” in the form of AI-powered ransomware-as-a-service marketplaces and automated agents that can quickly spot security holes and launch “adaptive attacks.” States are adopting AI as well, leading many CISOs to worry also about the security threats coming from inside their organizations. “Vendors auto-enabling AI features in products already leveraged by our customers causes major concern for data protection, privacy and risk,” one unnamed state CISO told the researchers.

Another state CISO cited a perennial concern: the ability of government to keep pace with rapidly advancing technology, but noted that AI has supercharged the problem. Generative AI, the unnamed official told researchers, “is advancing faster than existing governance structures can adapt, creating growing uncertainty around security, privacy and ethical use. Vendors are increasingly embedding AI capabilities into products and services without sufficient transparency or state-level control, effectively inflicting AI on operational environments before comprehensive risk assessments or policy frameworks can be applied.”

Nearly all state cybersecurity outfits, too, are adopting generative AI or plan to use it in the near future. Twenty-three states reported that they’re already using it to enhance their cybersecurity operations and 21 said they plan to do so within the next 12 months. Only one state reported plans not to use generative AI to support their cybersecurity; the rest are planning slower deployments.

A growing number of states — 73% this year — are centralizing their cybersecurity operations, rather than leaving them federated, and running statewide security operations centers, in part to bolster so-called “whole-of-state” cybersecurity strategies that are designed to close security gaps in small and under-resourced organizations — schools, utilities, nonprofits and even private companies — that might otherwise continue on unsupported. Eighty-eight percent of states reported already operating enterprisewide SOCs. Each state shared distinct ideas of how the organizations will, over the next two to four years, support efforts at providing training, intelligence-sharing and defensive services.

If cybersecurity professionals are willing at times to frame their positions as sitting on the right side of a virtual battle between good and evil, such statewide efforts need not be entirely altruistic. Authors of the new report speculate that a “stronger whole-of-state orientation could help municipalities defend against cyber threats that could also affect state systems.” Bailey, the Nebraska cyber chief, said that despite all the challenges, he’s “not standing still,” but “making deliberate, fiscally responsible investments in technology, talent and intergovernmental partnerships.”
