State and local agencies are some of the most attractive and vulnerable targets for cyber criminals. In 2023, malware attacks increased by 148%, and ransomware incidents increased by 51%. These agencies are targeted because they hold valuable personal data on citizens and control critical services--yet their security efforts have historically been underfunded and under-resourced. However, the tide may be changing.
A report on the ransomware experiences of state and local government in 2024 showed a dramatic decrease in the number of those organizations that were impacted this year. The report found ransomware attacks impacting 34% of state and local governments, marking a sharp decrease from the 69% affected in 2023. Let's take a look at some of the trends and activities that are fueling the improvement in state and local cybersecurity.
Zero Trust
Zero trust is a modern approach to cybersecurity that assumes that threats can come from both outside and inside the network. It requires strict identity verification and access controls for every user, device, and application trying to connect to resources. Federal agencies have received mandates to migrate toward zero-trust approaches and have largely met the associated milestones and deadlines. While sweeping mandates for states do not exist today, many state governments are already prioritizing zero-trust efforts based on the success the federal government has had in making the shift and making systems more secure.
Florida was an early mover on zero-trust mandates, encouraging the implementation in a bill that was signed into law in 2022. California agencies were given a May 2023 deadline to show they could be assessed at the "initial" maturity stage of the Cybersecurity and Infrastructure Security Agency (CISA) Zero Trust Maturity Model Version 2.0.
Funding
In addition to being a model for cybersecurity, the federal government also provided tangible support to states to more fully fund cybersecurity efforts. The State and Local Cybersecurity Grant Program, initiated under the 2021 infrastructure law, made over $1 billion available to state and local agencies.
Washington State already offered a number of shared services that localities could utilize for cybersecurity, so they passed the funding directly to local governments to use to fill the gaps not supported by state security services. The state has allocated funds ranging from $1.3 million to $1,200 to 252 different projects across the state.
New York State used the federal money to expand their shared services offerings. Localities were already benefiting from state-deployed services for endpoint detection-response tools, so the state wanted to build on that process to help provide a similar service for multi-factor authentication. New York also used funds to improve the cybersecurity knowledge of the workforce across the state via a variety of training courses and scholarships.
Private Sector Support
Vendors and non-profit associations are stepping up to fill the resource gap of state and local cybersecurity. A CISA program, K-12 Education Technology Secure by Design Pledge, allows vendors to attest to the security levels of their solutions, giving K-12 technology buyers a vetted list of solutions to choose from.
The Multi-State Information Sharing and Analysis Center (MS-ISAC) offers free round-the-clock monitoring from its security operations center, as well as cybersecurity webinars, reports and alerts, and other tools and data. For example, the group's Malicious Domain Blocking and Reporting service, designed in collaboration with CISA and a software company, is provided at no cost to state, local, tribal, and territorial government members of the MS-ISAC.
For more about the cybersecurity efforts by state and local organizations, check out these resources.
- CyberThreats 2024: Combatting The Evolving Threat Landscape (Day One) (December 18, 2024; webcast) - The means and methods of launching cyber attacks against government agencies and critical infrastructure industries at all levels continue to proliferate rapidly. This event will review the current cyberthreat landscape, as well as outline approaches to earn support for modernization efforts and reduce the use of legacy systems that pose greater security risks.
- Government Cybersecurity Roadshow California (January 21, 2025; Sacramento, CA) - This program will offer key insights into leadership, innovation, and cybersecurity, covering topics from risk assessment to effective management.
- Sunshine Cyber Conference 2025 (February 24-25, 2025; Tampa, FL) - Hosted by the Florida Center for Cybersecurity at the University of South Florida, this event brings together stakeholders from industry, all levels of government, military, law enforcement, and academia to share information, network, explore ideas, and learn about the latest in cybersecurity best practices.
- Federal Grants: Numerous Programs Provide Cybersecurity Support to State, Local, Tribal, and Territorial Government (white paper) - This paper details how existing federal funding could be used to help state, local, tribal, and territorial governments improve their cybersecurity via 27 different grant programs managed by eight federal agencies.
- MS-ISAC Cybersecurity Enhancement and Incident Response (white paper) - This report is intended to aid members of state, local, tribal, and territorial entities in effectively implementing an incident response plan, serving as a resource for enhancing their cybersecurity programs.
- Three Key Technology Advancements Enabling Law Enforcement Modernization (white paper) - The wealth of available digital data is both an asset and a challenge for law enforcement. It provides challenges for understaffed teams that often rely on manual processes to review these valuable assets. Fortunately, law enforcement has the ability to fight technology with technology, implementing foundational architectures--including cloud, artificial intelligence, and edge solutions--to better utilize digital evidence with current staffing.
More information on state and local cybersecurity can be found on GovEvents and GovWhitePapers.
