As the federal government scales back support for public-sector cybersecurity, and services from MS-ISAC poised to end this fall, states and local governments move to defend themselves.
When a group of states created the Multi-State Information Sharing and Analysis Center (MS-ISAC) nearly 25 years ago, the goal was to coordinate and strengthen cybersecurity, both for state agencies as well as their local governments.
This was in the aftermath of 9/11, a time when much of the nation was focused on security as the Internet was rapidly becoming more important. So states started to take cybersecurity seriously. Very seriously.
The MS-ISAC was born as an informal network in 2003 within New York state government. By 2005, the U.S. Department of Homeland Security (DHS) had started contributing funds to it, said John Gilligan, the current president and CEO of the Center for Internet Security, the nonprofit group that now houses the MS-ISAC.
In 2021, the relationship with DHS was codified by Congress’ State and Local Government Cybersecurity Act. Federal funding increased, as did the MS-ISAC’s services and reach. The group collected $27 million last year of DHS’ more than $100 billion total budget, or .025 percent. With this money, it provides free cybersecurity resources to roughly 19,000 members spread throughout the U.S. public sector.
But this may be about to change. President Donald Trump’s One Big Beautiful Bill Act, passed by Congress at the time of this writing, aims to zero out funding for MS-ISAC.
Gilligan said this would essentially end the MS-ISAC as it has functioned for more than two decades. In simple terms, the free services would almost entirely go away. Agencies across state, local, territorial and tribal governments would no longer have free threat intelligence, a 24/7 assistance line, a collaborative network of peers to access, or any number of other cyber resources.
As it stands, the MS-ISAC’s free services will be turned off on Oct. 1.
And Gilligan — a clear and deliberately spoken man who has held high-level tech positions for the U.S. Air Force and the U.S. Department of Energy — said the end result would be “significant operational degradation of our cyber capabilities across this nation.”
The defunding of the MS-ISAC is part of a broader federal effort to shift cybersecurity leadership and responsibility to the states. Specifically, in March President Trump signed an executive order titled “Achieving Efficiency Through State and Local Preparedness.”
The relevant section of that order read: “Citizens are the immediate beneficiaries of sound local decisions and investments designed to address risks, including cyber attacks, wildfires, hurricanes and space weather. When states are empowered to make smart infrastructure choices, taxpayers benefit.”
Indeed, states are continuing to develop their own cybersecurity defenses, with prominent new efforts underway this year everywhere from Texas to Nevada to New Jersey. Many approaches involve states taking an increased leadership role and lending direct support to localities.
MS-ISAC’s FUTURE UNCERTAIN
For some public officials and experts in cybersecurity, however, the question is now whether state cybersecurity can replace the MS-ISAC.
To understand what is at stake, one must understand what the MS-ISAC provides. This list includes cyber threat intelligence, incident response, information sharing, training, collaboration, working groups, real-time indicator feeds and a 24/7 security operations center.
Absent an organization like the MS-ISAC, there’s some question that we’re unintentionally leaving state and local organizations out there fighting nation-states without the proper equipment.
But the tangible impact of the group is perhaps better illustrated by the story of public officials like Boulder County, Colo., CISO Ben Edelen. Before working for the county, Edelen served in the same position for the city of Boulder, where he stood up the jurisdiction’s first cybersecurity program in 2015.
“One of the early things I did when building that program was join the MS-ISAC,” Edelen recalled. “… and I’ve benefited tremendously, my city has benefited tremendously, and the cybersecurity leadership of the state of Colorado has benefited from the MS-ISAC.”
Edelen used MS-ISAC resources to do everything from learn how to maneuver within government to write cybersecurity policy so that the work could be codified in Boulder.
The MS-ISAC also paired him with a mentor, an experienced public-sector cyber practitioner whom he could go to for advice. Effective cybersecurity often hinges on personal relationships — who to call, who to trust, whose advice to take — and Edelen said mentorship coordinated by a known group was invaluable.
Perhaps most important was that the MS-ISAC’s resources were free.
“I benefited tremendously because as a new cybersecurity leader, I didn’t know what to buy,” he said, “and I had to be cost effective with public money.”
Of the roughly 4,000 local governments and special districts spread throughout Colorado, Edelen estimates that maybe 100 are fully cyber ready. Many do not have dedicated IT staff, let alone cybersecurity staff. And so a public-sector-specific set of free resources is vital to those smaller, often rural jurisdictions. In government, having to purchase things often means going through an elaborate decision-making process and managing limited funds. This is especially true for small organizations.
“The tremendous value of delivering access to all these tools at no cost provides all those little organizations a super easy method to ask for help if they run into a cyber issue,” Edelen said, “or to begin taking cybersecurity more seriously.”
Another thing that Edelen and others like him stress is that private-sector offerings are often ill-equipped for public-sector cyber needs. To ask states and local governments to purchase protections — rather than funding it through federal allocation — may not be efficient.
Terry Loftus, CIO for the San Diego County Office of Education and chair of MS-ISAC’s executive committee, said this is all very important because state, local, tribal and education agencies are “where critical infrastructure lives.” Things like water, schools, libraries and emergency response — all of which have become bigger targets for cyber criminals in recent years.
“With the broad cuts and the shift to states, states don’t, generally speaking, have the resources to compensate and fill the gaps,” Loftus said. “Even if they did, they can’t do it immediately.”
There is also concern among groups who represent county governments. Rita Reynolds is CIO and managing director of technology programs for the National Association of Counties, and she said her organization recently conducted a cybersecurity survey of its membership, finding that 78 percent of respondents are using MS-ISAC services in some capacity.
As such, the group is advocating for continued funding of the MS-ISAC, with Reynolds specifically noting that smaller to midsize counties may suffer because they lack funds to buy commercial cybersecurity products to replace its services.
With all of this in mind, Gilligan and others with MS-ISAC argue that the relatively small amount of federal funding is the most efficient way to strengthen and shift cybersecurity to states, which is one of the stated goals of the cut.
At the simplest level, however, Gilligan said funding the MS-ISAC is actually the most efficient way to save state and local governments money, because it focuses the spending of billions of dollars into one resource, rather than a splintered and weaker network.
“Absent an organization like the MS-ISAC,” Gilligan said, “there’s some question that we’re unintentionally leaving state and local organizations out there fighting nation-states without the proper equipment.”
STATES TAKING THE LEAD
With or without the MS-ISAC, however, states continue to strengthen their own cybersecurity protections.
New Jersey’s cybersecurity operations are housed within the state’s Office of Homeland Security and Preparedness, unlike the vast majority of states, which fold cyber in with the IT shop. New Jersey CISO Michael Geraghty said this creates an imperative for the state to provide cyber leadership to its cities, counties and private sector.
For their part, they already provide assistance such as 24/7 network monitoring and response, having in the last year blocked more than 180 attempted ransomware attacks throughout New Jersey.
Geraghty, however, said that while the state is equipped to lead on cyber, it would also like to see federal funds continue to be directed toward securing all levels of government.
“That entire ecosystem we’d like to see stay intact and continue to grow,” Geraghty said, “so that we can handle the emerging threats that are impacting all of us together.”
Meanwhile, Texas recently approved the new Texas Cyber Command, which will be headquartered in San Antonio. Passed by the Legislature and signed by the governor, that entity has a list of clear leadership goals that includes anticipating cyber threats, promoting cybersecurity awareness, conducting pre-attack coordination, responding to attacks when they do occur, and providing subject matter experts for post-attack investigations and recovery, among other functions. The Texas Cyber Command will be funded through a $135 million state allocation.
“Its ultimate mission is to prevent and protect against cyber breaches,” said Texas Gov. Greg Abbott in a release announcing the command’s creation. “Working together with the Texas Cyber Command, Texas will be on the path to be a national leader in cybersecurity.”
In June, Nevada passed legislation to consolidate its own statewide cybersecurity work and leadership. Before the passage of a new bill, Nevada had state-level cyber defense agencies located within both its Office of Information Security as well as in its Department of Public Safety. The new bill essentially combines them, lending a focus that will benefit the entire state’s cybersecurity posture, said Adam Miller, deputy director of the newly established Office of Information Security and Cyber Defense.
“Now that we’re merging,” Miller said, “we’re going to be full throttle ahead to make sure we’re providing support to our partners from a cyber intelligence standpoint.”
Miller also said that the state maintains a great relationship with the federal government around cybersecurity, often acting as a bridge between its many small rural agencies and federal groups like the FBI or the Cybersecurity and Infrastructure Security Agency.
A lot of the work Miller and other Nevada cybersecurity officials do is similar to what the MS-ISAC provides its members, just localized to Nevada, including building relationships, sharing threat analysis and offering guidance to smaller agencies.
“For Nevada it’s a top-down approach,” Miller said. “The governor has an interest in strengthening cybersecurity at the top, and our CIO Timothy Galluzi works [hard] to make sure the state is investing in the right cybersecurity tools and putting the right policies in place.”
