Dwindling federal cyber support for critical infrastructure raises alarms
As the U.S. government prepares to decrease its cybersecurity support for critical infrastructure operators, the organizations that defend those networks are preparing for more vulnerabilities, more hacks and more damage.
President Donald Trump’s quest to reduce the federal role in infrastructure cyber resilience — part of his broader push to shrink the government and slash the services it offers — will exacerbate already alarming cybersecurity weaknesses throughout the nation’s hospitals, ports, railways and other vital systems, according to industry leaders and cyber experts.
Trump’s chaotic government overhaul has already undermined essential partnerships between infrastructure operators and federal agencies, as Cybersecurity Dive reported recently. Now, the Trump administration’s proposed budget cuts and its plan to make states more responsible for infrastructure protection threaten to further degrade the country’s readiness to withstand digital threats like China-backed cyberattacks and criminal ransomware sprees.
If federal agencies do step back as Trump envisions, infrastructure operators may need to scramble for expensive new sources of cybersecurity advice and assistance. And while the impact will be felt across the critical infrastructure landscape, it will land especially hard on small operators like rural hospitals and water facilities.
“Government-backed services have been a lifeline” for these operators, said Grant Geyer, chief strategy officer at the industrial cybersecurity firm Claroty. “Without them, these small, vital providers are essentially left to fend for themselves in an increasingly dark cyber wilderness.”
A ‘ludicrous’ shift
Over the past six months, budget cuts have pushed tens of thousands of federal workers out of their jobs and ended many contracts that supported vital government functions. The Cybersecurity and Infrastructure Security Agency (CISA), the government’s lead cyber defense agency, lost one-third of its workforce. And the program and personnel cuts that have already occurred are a harbinger of more to come as the Trump administration pursues a strategy of pushing critical infrastructure security responsibilities to state and local governments.
In March, Trump signed an executive order that effectively froze former President Joe Biden’s critical infrastructure partnership strategy and directed Sector Risk Management Agencies (SRMAs) — which provide security support and guidance to various industries — to revise their infrastructure protection strategies. And in May, the administration proposed a budget that would slash the CISA teams that liaise with and coordinate government support for infrastructure operators.
“It feels like that whole [partnership] program could be in jeopardy,” said Errol Weiss, the chief security officer at the Health Information Sharing and Analysis Center.
Industry figures and cyber experts said Trump’s planned budget cuts could decimate agencies’ ability to help operators by offering free services such as vulnerability scans, sending experts to assess their systems and developing highly tailored guidance and recommendations for them. The result would likely be more weaknesses in critical infrastructure for hackers to exploit.
The cuts would also “make it harder for the SRMAs to maintain relationships with their sectors, conduct oversight, or create effective policies,” said Michael Daniel, the president of the Cyber Threat Alliance, an information sharing coalition, and the White House cyber adviser to President Barack Obama.
In addition, the cuts’ disproportionate impact on small, rural infrastructure operators would exacerbate existing preparedness gaps between well-funded and poorly funded organizations.
The White House wants states to take over some of the work from the federal government. “Preparedness is most effectively owned and managed at the State, local, and even individual levels, supported by a competent, accessible, and efficient Federal Government,” Trump said in his March executive order.
But cash-strapped state and local governments already struggle to help safeguard infrastructure, as the aftermaths of many natural disasters illustrate, and they would likely have a very difficult time assuming these major new cybersecurity responsibilities.
Trump’s burden-shifting plan, experts said, would be disastrous for critical infrastructure.
“The idea [of] pushing the responsibility for cybersecurity to the states,” Weiss said, “is ludicrous.”
State and local governments “were not built and are not prepared to take on nation-state actors” in cyberspace, said Frank Cilluffo, director of Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security.
CISA aid imperiled
Over the years, CISA has developed and refined a catalog of free security services for critical infrastructure operators. The agency hunts for threats on companies’ networks, performs “cyber hygiene” scans of their internet-facing assets, assesses their defensive practices, helps them understand their third-party risks and helps them plan and execute cyberattack simulation exercises to understand their shortcomings. CISA is even testing ways to include infrastructure operators in free security programs initially limited to other federal agencies, such as protective DNS.
These free tools and services are a linchpin of CISA’s role as the federal government’s lead critical infrastructure defense force. And for small water utilities, rural hospitals and other financially challenged infrastructure providers, the ability to freely access help that would normally be too expensive has been transformational.
But with all of Trump’s cuts, operators are worried that the free help won’t last much longer. Trump’s proposed CISA budget would cut funding for vulnerability assessments, training sessions and shared services like security operations centers. The administration has already ended threat-hunting contracts and reduced threat hunters’ resources.
Experts warn of dire consequences if the cybersecurity aid disappears.
CISA’s services “are essential for under-resourced critical infrastructure operators facing advanced foreign threats,” said Victor Atkins, global director of security and risk strategy services for industrial cybersecurity at the consulting firm 1898 & Co.
The agency’s “great free services” are so popular that there are waiting lists to access some of them, according to John Riggi, the national adviser for cybersecurity and risk at the American Hospital Association.
If CISA were to significantly scale back these offerings, Atkins said, “utilities’ defenses would be weakened precisely when they need them the most.”
The White House may see infrastructure cybersecurity as an area in which states can pick up some of the slack from Washington, but, Daniel said, “it is not realistic to think that states can pick up the missions and activities that CISA is shedding,” because “the budget pressures the states will face from reductions in federal funding in other areas will preclude significant investments in cybersecurity.”
CISA declined to commit to maintaining the breadth and depth of services that it currently provides. “We support critical infrastructure operators across the country through robust cybersecurity services every day, and our commitment to this mission has not changed,” agency spokesperson Marci McCarthy said in a statement. “Operational collaboration means we work side-by-side with our partners to provide tailored services and support that they need to help them defend against the evolving threats they face daily.”
Reduced support could have cascading effects, given the interconnected nature of many infrastructure sectors. Daniel noted that U.S. military bases rely on water from local utilities, many of which have been discovered using default passwords and vulnerable equipment. “If a system gets hacked,” said a water industry representative who requested anonymity to speak freely, “that could have dire consequences for national security.”
Agencies on diverging paths
CISA isn’t the only agency offering important services and other assistance to infrastructure providers. SRMAs like the Environmental Protection Agency (water), the Department of Health and Human Services (healthcare), the Department of Energy (energy) and the Transportation Security Administration (pipelines, railroads and aviation) also issue guidance, conduct site visits and provide technical support.
These agencies are also sending mixed messages about the future of their aid.
An EPA spokesperson said the agency “intends to continue its free cybersecurity services” because they “align with the Administration’s goal to strengthen the capabilities of state and local governments as well as water systems to build resilience.” One of these services, a program that proactively scans utilities’ computer networks for vulnerabilities, “has resulted in over 400 mitigations” since Oct. 1, the spokesperson said. In its fiscal year 2026 budget proposal, the EPA is requesting $10 million for a competitive water cybersecurity grant program for states.
The TSA did not respond to a request for comment about its commitment to cyber support. But the agency’s proposed budget envisions an additional 21 employees and $5.4 million for its work overseeing and supporting the security of transportation infrastructure.
The situation looks different at other SRMAs.
HHS has downgraded the status of the division that handles its critical infrastructure support, and industry representatives said they were worried about the status of the department’s once-troubled but now more-promising Health Sector Cybersecurity Coordination Center. An HHS spokesperson said cybersecurity was a “key priority” for the critical infrastructure division, which continues to “collaborate with internal and external partners to update our risk analysis tools.”
At DOE, meanwhile, the Trump administration wants to cut the Office of Cybersecurity, Energy Security, and Emergency Response (CESER)’s budget by 25%, despite acknowledging that cyber and physical threats “are converging to create a complex and persistent threat landscape.” A DOE spokesperson told Cybersecurity Dive that CESER “continues to work with our state and local partners to secure our energy system” but declined to address concerns about service reductions.
A human safety issue
The growing signals from the U.S. government that it will reduce its support for critical infrastructure couldn’t come at a worse time, experts and industry leaders said. Threats from foreign government adversaries and cybercriminals are increasing, with artificial intelligence turbocharging hackers’ abilities and digitization creating new vulnerabilities in operational technology. Infrastructure entities say they have never faced a more perilous cybersecurity environment.
The healthcare sector offers a stark example of these challenges. “We’re already seeing how bad it can get because of the ransomware that is still beating up hospitals on a regular basis,” Weiss said. These attacks are disrupting patient care, said a healthcare industry representative who requested anonymity to speak freely, arguing that “more than ever, cyber safety is patient safety.”
Given these trends, experts say the government should deepen its investments in critical infrastructure security, not scale them back.
“At a time when CISA, the NSA, and the FBI are warning that adversaries like [Russia] and China are actively targeting cyber-physical systems in critical infrastructure,” Geyer said, “pulling support from the very entities that keep our hospitals running and our water flowing would be dangerously short-sighted.”
Source link
