President Donald Trump wants to push state and local entities to take more ownership of their cybersecurity, but his administration is simultaneously dismantling the resources that state and local entities need to secure their systems.
On Aug. 1, the Department of Homeland Security released the latest notice of a funding opportunity for more than $91 million for the State and Local Cybersecurity Grant Program. The notice, however, bans recipients from using the money to pay for services provided by the Multi-State Information and Analysis Center, the very organization from which most state and local governments get their cybersecurity support.
State, Local, Tribal, and Territorial governments play a vital role in keeping America’s communities healthy, safe, and secure. They provide essential services, such as keeping electricity and water running, operating primary and secondary schools, and managing port authorities and other local critical infrastructure. These governments, however, are “the most vulnerable and least mature cyber entities,” according to the federal government’s cyber agency, the Cybersecurity and Infrastructure Agency.
For the past two decades, SLTT entities have relied on the MS-ISAC for low and no-cost cybersecurity services. More than 18,000 entities across the country have benefitted from the MS-ISAC’s threat intelligence, detection and response capabilities, educational webinars, self-assessment resources, and weekly threat reports. Last year alone, the MS-ISAC detected, prevented, or remediated nearly 60,000 cyberattacks.
And yet, earlier this year, CISA cut more than $8 million in funding for the MS-ISAC, amounting to more than 50% of its remaining annual budget. CISA justified its decision by saying that the MS-ISAC offers duplicative services to those provided by CISA itself. The MS-ISAC’s members disagree. Eighty-three percent of member entities said that it would be difficult for them to find alternatives if the MS-ISAC’s services were to cease, and 95% — over 17,000 entities providing critical services — said that their cybersecurity would suffer if they lost these services.
Facing the loss of half of its remaining operating budget for the year, the MS-ISAC’s parent nonprofit organization self-funded the effort for a short time as it prepared to switch to a fee-based membership model so that it could continue providing essential services. While other information and analysis centers rely on member dues, the MS-ISAC historically has been able to provide free membership due to federal funding support, recognizing that SLTT governments cannot raise rates to cover increased cybersecurity costs.
These budgetary constraints are why Congress created the SLCGP three years ago to provide state and local governments with $1 billion to invest in local cybersecurity. To receive a grant, states need to develop an approved cybersecurity plan, and then they can use the funding to build community cyber resilience and pay for resources they otherwise cannot afford.
DHS’s latest grant announcement, however, blocks states from using the funds to pay for MS-ISAC membership or any of the low-cost services it provides. In the epitome of Washington arrogance, the notice feigns to know better than SLTT entities where they should get cybersecurity support and reveals an animosity toward an organization that is vital to the security of local communities.
State and local governmental organizations are worried. In a letter to House and Senate appropriations leadership, the U.S. Conference of Mayors, National Association of Counties, National Association of State Chief Information Officers, National League of Cities, and Major County Sheriffs of America warned that losing the MS-ISAC services would “create significant vulnerabilities for rural and small communities” and make state and local governments “more susceptible to cyberattacks.” Without federal funding for the MS-ISAC, communities “will be left to combat foreign cyber and multidimensional threats on their own.”
FOR QUID PRO QUO TRUMP, IT’S PAY-TO-PLAY IN CHINA
DHS should immediately remove the restriction on using SLCGP funds for MS-ISAC membership and services. Congress should also restore federal funding for MS-ISAC through the normal appropriations process. CISA must rebuild its tattered relationship with MS-ISAC — the very organization that ensures that state and local entities receive CISA cybersecurity advisories.
Trump is right to prioritize the importance of state and local government in building America’s cybersecurity. To implement the president’s vision of secure communities, his administration should support the programs that provide free or low-cost services to the entities that need them most.
Retired Rear Admiral Mark Montgomery is a senior fellow and the senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies. Follow Mark on X @MarkCMontgomery.
Sophie McDowall is a research associate at CCTI.
