Beyond the Beltway

From ransomware attacks on schools and hospitals to state-sponsored hacking of water utilities, state and local governments and the equities under their care have increasingly become targets for cyberattacks from both cybercriminals and advanced nation-state actors. 

At the same time as these threats are increasing, the federal government has begun to adjust course in its approach to support for preventing and responding to cyber incidents. In March, President Trump signed an Executive Order putting a greater emphasis on the roles of states and localities to prepare for disasters, including cyber attacks, signaling a shift in responsibility from the federal government. There is also uncertainty as to whether two major cybersecurity laws which govern information sharing and grant programs to local governments will be reauthorized this year by Congress. 

Amidst these changes in the threat and policy landscape, more discussion and action is needed to support effective cybersecurity at the state and local levels. To address this gap, this month, Aspen Digital hosted its first in a series of convenings with stakeholders and policy experts on evolving roles in state, local, tribal, and territorial cybersecurity efforts. 

Through this event and our broader policy discussions, we have identified three core areas where clarification and action is needed:

1. Sustaining federal support for states’ cybersecurity efforts in key strategy areas
2. Identifying and sharing robust and effective resourcing models
3. Elevating cybersecurity as a priority outside of Washington

Sustaining Federal Support in Cybersecurity 

A critical first step is articulating clearly what responsibilities and capabilities should remain within the federal government, and which can be better addressed by state and local governments. In some areas, regional and local action might be more effective than top-down support. However, there are both legal and practical limitations on what local governments can accomplish to effectively protect their communities from cyberattacks. For example, there is broad agreement that the federal government’s role remains foundational in understanding and countering nation-state threats. Cyber incidents increasingly originate from adversaries like China and Russia, as seen in last year’s revelations around the Volt and Salt Typhoon campaigns targeting critical infrastructure. In these and many other cases, federal agencies are best positioned to analyze the threat landscape, counter adversaries, and share targeted and actionable threat data. Participants noted that while information sharing around the threat posed by these actors has improved, it still needs to be faster, more digestible, and more accessible for local governments and critical infrastructure operators. 

Identifying Effective Resourcing Models

Most state, local, tribal, and territorial governments do not have the proper resourcing to effectively address rising cybersecurity threats. Furthermore, within these governments there is a divide between large cities and states with well-resourced cybersecurity programs and smaller municipalities and regions who lack the funding and/or workforce to dedicate to cybersecurity. This divergence may only be amplified by lessened federal support, creating a two-tiered system of cyber defense across America and leaving millions vulnerable. This is particularly true for rural communities.

Various programs and models exist to solve this gap, including the State and Local Cybersecurity Grant Program, which needs to be reauthorized by Congress this year. There are also opportunities to highlight and scale shared-service models rather than reinvent the wheel jurisdiction by jurisdiction. With such a complex map of overlapping responsibilities at the state, local, tribal, and territorial levels, shared services can ensure resources go further, avoid duplication, and increase resilience in underserved areas. All of these approaches should focus on how to ensure funding includes small municipalities, counties, and rural communities, which often lack the influence or visibility to compete for limited funds.

Elevating Cybersecurity as a Priority 

Finally, a core challenge remains that cybersecurity still doesn’t command the attention it deserves at the state and local level. Cybersecurity competes for resources against other important priorities, and threats to our water utilities or power grids may feel like sci-fi thrillers when compared to other issues constituents feel on a daily basis. But cyber threats are real, and governments need to see them as part of their broader mission to build safe, prosperous, and more resilient communities, particularly if the federal government begins to take a step back from its role here. We should not let cybersecurity be framed as a losing battle, where scammers and attackers run unchecked. We can also do more to frame cybersecurity not only as a national security challenge, which many see as Washington’s domain, but as something that also impacts local service delivery and the basic needs of constituents. This shift also can’t just be limited to government IT departments, and must include everyone from police chiefs to school superintendents.

Moving Forward

As our dialogues and policy workshops continue, Aspen Digital will explore the evolving space of intergovernmental cyber policy, identify challenges and best practices for building local capacity, and build consensus on how different levels of government can collaborate effectively. In the coming months, and leading up to the 10th annual Aspen Cyber Summit this fall, our team will highlight additional perspectives and bring together experts across governments, critical infrastructure organizations, private industry, and civil society. 

Ensuring that all communities are equipped to meet today’s cyber threats requires sustained collaboration, clear policy direction, and equitable access to resources across every level of government. We remain committed to fostering these conversations and advancing solutions that strengthen our collective cybersecurity resilience.