
House Republicans scrutinize escalating ransomware, nation-state, AI-driven cyber threats targeting state and local governments


Republican lawmakers on the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection warned that state and local governments are facing a rapidly intensifying cyber threat landscape as ransomware gangs, nation-state actors, and AI-enabled attacks increasingly target public infrastructure and essential services. Lawmakers and witnesses also raised concerns that many municipalities, schools, emergency services, and transportation systems continue to operate with limited cybersecurity staffing, aging infrastructure, and uneven access to federal support programs despite mounting operational risks.

During a recent hearing chaired by Andy Ogles, officials highlighted concerns that local agencies are being forced to defend against more sophisticated cyber campaigns while federal support programs and resources face uncertainty, particularly around the future of the State and Local Cybersecurity Grant Program (SLCGP). 

Witnesses at the House hearing included Kristin Darby, chief information officer for the State of Tennessee; Colin Ahern, director of security and intelligence for the State of New York; Warren Sponholtz, chief information officer for the State of Florida; and Samir Jain, vice president of policy at the Center for Democracy & Technology, who testified on escalating cyber threats facing state and local governments. They also addressed the need for continued federal cybersecurity support and coordination.

The hearing also underscored how artificial intelligence is reshaping offensive and defensive cyber operations. Witnesses and lawmakers noted that state and local governments are increasingly adopting AI to improve threat detection and incident response, while adversaries are simultaneously using the technology to automate phishing campaigns, identify vulnerabilities faster, and scale cyber operations with fewer resources. 

The witnesses argued that continued federal coordination, funding, and information sharing through agencies such as the Cybersecurity and Infrastructure Security Agency (CISA) remain essential to protecting schools, municipalities, transportation systems, and other community services from escalating cyber risks.

“The core problem is a mismatch that Congress has an obligation to address. State and local governments are expected to defend against the same adversaries our Intelligence Community tracks, including China, Russia, and Iran, but with budgets and workforces that bear no comparison to what those nation-states deploy against us,” Ogles said in his opening statement at the hearing. “A county government in rural America may not have a single dedicated cybersecurity professional. And yet that county holds sensitive data on its residents, runs systems that deliver essential services, and sits inside a network of American infrastructure that our adversaries are actively working to disrupt.”

Ogles noted that, to their credit, states have not been waiting for Washington to figure this out. “Today, we will hear about whole-of-state cybersecurity strategies that push resources and expertise down to counties and municipalities that could not otherwise afford them. We will hear about information-sharing programs that give smaller jurisdictions access to threat intelligence they could never build on their own. We will hear about workforce programs developed with universities and community colleges to train the next generation of defenders. These are real solutions, and they deserve real support from Congress.”

“But state efforts can only go so far without federal support. Congress recognized that in 2021, when it created the State and Local Cybersecurity Grant Program and put one billion dollars behind it over four years. The premise was simple,” he added. “A small town faces the same threats as a large city, and a rural county is not exempt from Chinese or Russian cyber actors just because it has a limited IT budget. That program helped communities that could not otherwise help themselves.”

Ogles noted that, unless Congress acts, the program expires this September. “We should not let that happen, and we certainly should not let it happen at a moment when the threat is growing ever worse. That is why I am committed to enacting the PILLAR Act, which we passed and we sent to the Senate Homeland Security Committee.”

Ogles highlighted that reauthorization alone is not enough, though. “We have four years of program history now, and we owe it to taxpayers to ask whether the money is being spent well, whether the structure is right, and whether the outcomes match the investment. Today is an opportunity to get honest answers from the people who have actually run these programs.”

Darby wrote in her testimony that state and local governments are being targeted at an unprecedented rate by both criminal organizations and nation-state actors. The threat landscape is being shaped by the rapid growth of AI-enabled cyberattacks, accelerating both the scale and speed of adversary operations. Researchers are also observing increased reliance on supply chain compromises, including the integration of AI into widely used software tools, alongside the expansion of ransomware ecosystems and initial access broker activity. At the same time, attackers are increasingly exploiting identity systems, cloud environments, and zero-day vulnerabilities.

“The reality is that adversaries no longer need weeks or months to exploit vulnerabilities,” she observed. “They can now move laterally across systems in minutes or seconds.” 

At the same time, she outlined that many local governments have little to no dedicated cybersecurity staff, operate with constrained budgets, and depend on shared services or managed providers. “In Tennessee, we have worked with local governments that were relying on part-time personnel or shared resources to manage critical systems supporting emergency services and public infrastructure. This creates an asymmetric environment where highly sophisticated attackers target the least-resourced defenders.”

Based on Tennessee’s experience, Darby recommended continued congressional funding for the SLCGP to sustain cybersecurity improvements across states and municipalities. The recommendations also called for more predictable long-term funding, lower and more stable cost-sharing requirements to reduce barriers for rural and resource-constrained communities, and simplified program administration that maintains governance while reducing reporting burdens.

Darby additionally urged expanded federal cybersecurity support services through CISA, improved real-time threat intelligence sharing for emerging threats and zero-day vulnerabilities, and broader program coverage for AI-enabled systems and operational technology risks. The recommendations also proposed creating a rapid-response federal cybersecurity funding mechanism capable of supporting urgent remediation efforts and accelerating state responses to active cyber threats and newly discovered vulnerabilities.

Ahern said that tools designed to keep our communities safe are being dismantled, pointing to the imminent expiration of the SLCGP, the shrinking of CISA, the lack of a Senate-confirmed CISA director, and the cancellation of funding for the Multi-State Information Sharing and Analysis Center (MS-ISAC).

“A functional partnership between federal, state and local governments, and the private sector is essential to reverse this trend. This partnership must be built on three key pillars,” according to Ahern. “First, we need a Federal Government capable of detecting, mitigating, and responding to cyberattacks and deterring and punishing attackers across the operational spectrum. Second, we require robust collaboration with state and local governments and the private sector that facilitate rapid information exchange and operational coordination. Third, we need a private sector capable of defending its own systems and preventing attacks from originating within its infrastructure.”

He urged Congress to fully reauthorize and expand funding for the SLCGP through the PILLAR Act, warning that many cybersecurity initiatives supporting municipalities, utilities, schools, and local governments could collapse without sustained federal investment. Recommendations included reducing cost-share requirements for smaller jurisdictions, stabilizing multi-year funding, expanding access to MS-ISAC services, and improving federal-state coordination through a stronger and better-resourced CISA.

The testimony also called for broader state access to frontier AI cybersecurity capabilities, restoration of federal threat intelligence and assessment programs, and a national framework for AI safety and cyber incident reporting. Additional recommendations focused on modernizing cybercrime prosecution laws, strengthening oversight of cloud providers and cryptocurrency platforms used in cybercrime, and expanding federal disruption authorities to target ransomware groups, fraud operations, and nation-state cyber actors operating on U.S.-based infrastructure.

Sponholtz wrote that threat intelligence has become a core component of Florida’s cybersecurity strategy, drawing data from federal agencies, law enforcement, multistate partnerships, cybersecurity vendors, incident response operations, and criminal marketplace monitoring. He emphasized that intelligence is only effective when it is timely and operationally relevant, giving agencies and local governments clear guidance on active threats, exposed systems, and required response actions. Shared telemetry between participating entities also allows Florida to correlate suspicious activity across agencies, schools, utilities, and local governments, turning separate organizations into a statewide distributed sensor network capable of generating faster and more actionable warnings.

He described the federal government as an essential cybersecurity partner, particularly through intelligence sharing, automated threat indicators, vulnerability guidance, and incident coordination that provide national visibility individual states cannot replicate. He noted that the partnership has become increasingly important as cyber threats have evolved beyond isolated ransomware incidents into a more industrialized criminal ecosystem, with growing attacks targeting schools, hospitals, utilities, public safety systems, and critical infrastructure alongside rising nation-state cyber activity focused on operational disruption.

Sponholtz drew several lessons for state and local cybersecurity from Florida’s experience. First, shared services work when they are paired with trust and clear governance. Second, telemetry sharing is essential for speed and correlation, but it must be built through partnership, not mandate alone. Third, critical infrastructure protection requires both IT and operational technology expertise. Fourth, smaller governments need procurement support as much as they need funding. Fifth, incident response is strongest when relationships and exercises happen before the emergency.

In his testimony, Center for Democracy & Technology’s Jain made four main points. “First, cyber attacks on state and local governments can cause significant real-world harm by exposing sensitive personal information and disrupting critical services. Second, AI is poised to exacerbate the structural challenges that SLTT governments have long faced in defending these systems. Third, the federal government’s retreat from its traditional supporting role has already produced concrete harms and threatens to produce many more. Fourth, the federal government should act now to restore funding and capabilities, strengthen information sharing, and reaffirm the shared responsibility that has defined federal–state cybersecurity cooperation.”

Providing recommended steps forward, Jain wrote, “The federal government plays a unique and important role in supporting state and local cybersecurity for at least three reasons. First, much of the data held by SLTT agencies is collected in response to federal mandates. If the federal government requires SLTTs to collect sensitive information, it bears a corresponding responsibility to help ensure that data is protected.” 

Second, he said that the federal government is uniquely positioned to maximize the value of taxpayer dollars spent on cybersecurity. Cybersecurity is an area in which resource and information sharing produce dramatically better outcomes than independent state-by-state efforts; foundational federal support avoids duplication and improves shared threat awareness. Third, states are increasingly the target of nation-state attacks, which they are ill-equipped to handle given the asymmetry of resources and expertise, and which raise national security concerns that the federal government alone can fully address.

Jain also argued that Congress should restore the funding, programs, and institutional capacity that have made federal–state cybersecurity cooperation work, while modernizing those tools to address the unique risks posed by advanced AI. “It should reaffirm the federal government’s commitment to information sharing with SLTT partners, conduct rigorous oversight of agencies whose retrenchment has left systems and data exposed, and ensure that incident reporting and public accountability keep pace with the threats. None of this requires inventing new institutions. It requires renewing the sense of shared responsibility that has defined federal–state cooperation on cybersecurity.”


