
States Are Fighting Cyber Wars With Empty Armories and Broken Supply Lines

State CISOs testified before Congress that federal cutbacks to CISA and the MS-ISAC are leaving them exposed to sophisticated ransomware groups — even as their own budgets get slashed. Here's what that actually looks like on the ground.

Maura Delgado

The House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection gathered last week for what should've been a routine oversight hearing. Instead, it exposed something far more uncomfortable: the federal government is actively walking away from states just as attackers are getting smarter.

The subcommittee's topic line read like a mission statement from another era — "State and Local Cybersecurity: Escalating Threats, Federal Partnership, and the Resilience of America's Communities." But the testimony that followed told a different story entirely. One where states are being asked to hold the line against increasingly sophisticated ransomware groups and AI-enabled threats while their own budgets shrink and federal support evaporates.

Kristin Darby from Tennessee, Colin Ahern from New York, and representatives from Florida took the stand. They didn't mince words. What they described was a system in reverse: threats escalating, resources contracting, and trust fraying at both ends.

This isn't a hypothetical scenario. It's happening now, in real time, and the people testifying know exactly what's at stake. When a state CISO has to stand in front of Congress and explain that their municipality can't afford basic security training, something has gone fundamentally wrong with the social contract around digital infrastructure. These aren't abstract policy debates — they're people who've responded to ransomware attacks on water utilities, election systems, and hospital networks. They know what happens when the lights go out.

The Hearing That Laid Bare a Broken System

The Threat Landscape Hasn't Slowed Down

Here's what state CISOs are watching in real time: attackers are weaponizing AI tools for spear-phishing campaigns, supply chain compromises, and identity exploitation at a scale that didn't exist two years ago.

Ransomware gangs, which used to make empty threats about leaking data, are now following through with alarming frequency. Zero-day exploits are being deployed against state systems more often than ever before. Cloud environments — those supposed fortresses of security that every CIO swore would solve everything — are showing vulnerabilities that attackers exploit with increasing precision.

And then there's identity. Identity system compromise is on the rise, and AI tools are making it easier than ever for attackers to impersonate legitimate users, bypass multi-factor authentication, and move laterally through networks that were designed for a completely different era.

Colin Ahern put it bluntly during the hearing. He called the situation "urgent" and pressed Congress to "be a partner to all 50 states." Not some states. All fifty.

The problem isn't that states aren't trying. They're running threat detection programs, investing in training, building incident response plans. It's that they're fighting a war with one hand tied behind their backs — and the other hand is holding a budget that shrinks every fiscal year. Meanwhile, attackers are funding their operations through ransom payments, extortion, and increasingly sophisticated business model innovations that make them more resilient than ever. The asymmetry is staggering.

Threat actors are also building covert infrastructure at scale — from botnets that hijack thousands of legacy routers into proxy networks to ransomware-as-a-service platforms that lower the barrier to entry for opportunistic criminals. For context on how attackers are weaponizing compromised hardware, see our coverage of the AryStinger botnet that turned 4,000+ D-Link routers into a silent proxy network.

What Happened to Federal Support

Over the past year, the administration downsized CISA's staff, resources, and funding. The move wasn't subtle. It was a deliberate contraction of the federal cybersecurity posture at a moment when states needed it most.

Then came the MS-ISAC transition. The Multi-State Information Sharing and Analysis Center used to be a free, federally-funded service that states relied on for threat intelligence, vulnerability notifications, and incident response support. Now it's a subscription model.

That might sound like a minor administrative change if you're reading about it from the comfort of a well-staffed security operations center. For states already stretched thin, it's anything but.

Kristin Darby captured the mood perfectly. She noted that federal actions have led to a "breakdown in trust with state and local officials, particularly with respect to election cybersecurity." Election cybersecurity. The systems that keep democracy functioning. That's not a line you hear every day in a congressional hearing, and it shouldn't be.

When the federal government pulls back, states don't just lose funding. They lose confidence. They lose the sense that there's a partner watching their back. And trust, once broken, is harder to rebuild than any budget line item. The CISOs testifying weren't just asking for money — they were asking for a partner again.

States Are on Their Own — But Not Giving Up

Here's the brutal reality: states are facing harrowing budget and resource cuts at the exact moment attackers have access to tools and services that make them more dangerous than ever.

John Petrozzelli, director of MassCyberCenter in Massachusetts, described the situation on the ground with refreshing honesty. Municipalities run up against limited resources and must prioritize cybersecurity among competing needs — education, infrastructure, public safety, the list goes on. You can't exactly tell a school board that cybersecurity has to come before textbooks.

But here's where it gets interesting. States aren't just sitting around waiting for federal help. They're getting creative.

Massachusetts, through its EOTSS program, provides free KnowBe4 training for municipalities and school systems. That's baseline awareness training — the kind of thing that stops a huge percentage of phishing attacks before they become incidents. It's not glamorous, but it works.

MassCyberCenter itself offers a state-funded SOC with managed EDR, vulnerability assessment, and Active Directory monitoring. And here's the clever part: they bundle MS-ISAC membership with SOC sign-up. Why? Because it makes cybersecurity easier to prioritize when the budget line item covers more ground. Smart packaging turns a hard sell into a no-brainer.

It's a workaround. A patch. But it's also a model that other states could replicate if they had the political will and the budget flexibility. The problem is that innovation like this requires both, and neither is guaranteed. Smaller states without Massachusetts' tax base face an even steeper climb — one that may not be surmountable without federal help.

For security teams evaluating managed detection options under tight budgets, our analysis of Wazuh Cloud covers how a managed SIEM approach can reduce operational overhead and let smaller teams punch above their weight.

The Grant Program That Keeps Getting Cut

The State and Local Cybersecurity Grant Program (SLCGP) was supposed to be the bridge. Federal money flowing to states that needed it most — money for staffing, tools, training, the whole stack. It was one of the few pieces of legislation that actually acknowledged that cybersecurity is a shared responsibility.

But grant programs don't survive political headwinds. Funding gets reduced. Programs get delayed. States that counted on that support have to scramble when the money doesn't arrive.

The testimony made one thing clear: states need the SLCGP back. Not as a handout. As an investment.

Every dollar spent on state cybersecurity infrastructure saves multiples in incident response costs, recovery time, and potential data breach liabilities. It's not charity. It's risk management at the federal level — the kind that should make sense to any CFO, Democrat or Republican. The math is simple: prevention costs less than reaction.

But risk management requires foresight. And right now, the federal government seems to be operating on a different calendar than the one attackers are using. While Congress debates, ransomware groups are consolidating. While committees hold hearings, states are losing staff to the private sector where salaries actually keep pace with inflation. The talent drain is real, and it's accelerating.

What This Means for the Next 12 Months

Let's be honest about where things stand.

The threat landscape isn't getting less dangerous. AI tools are making attacks faster, cheaper, and harder to detect. Ransomware groups have proven they'll follow through on their threats — and they're getting better at it. Identity systems are under siege from every direction.

Meanwhile, states are being asked to do more with less. Federal support has contracted. Trust has eroded. And the people testifying before Congress know exactly what happens when states fall behind. They've seen it. They've responded to the incidents.

The good news? States are adapting. They're bundling services. They're sharing resources. They're finding workarounds that make the math work even when the budget doesn't. Massachusetts is leading the way, but there are likely similar programs forming in other states right now.

But workarounds aren't strategies. They're stopgaps. And stopgaps only hold for so long.

What states need — what the country needs — is a renewed federal partnership. One that recognizes cybersecurity isn't a state issue or a federal issue. It's a national security issue. The attackers don't care about jurisdiction. They'll hit whatever target is soft, and states are often the softest.

The hearing was a wake-up call. The question is whether Congress will listen — and whether the states can hold the line until they do.